10.38.1 Purpose
Risk analysis and management identifies areas of uncertainty that could negatively affect value, analyzes and evaluates those uncertainties, and develops and manages ways of dealing with the risks.
10.38.2 Description
Failure to identify and manage risks may negatively affect the value of the solution. Risk analysis and management involves identifying, analyzing, and evaluating risks. Where sufficient controls are not already in place, business analysts develop plans for avoiding, reducing, or modifying the risks, and when necessary, implementing these plans.
Risk management is an ongoing activity. Continuous consultation and communication with stakeholders helps to both identify new risks and to monitor identified risks.
10.38.3 Elements
.1 Risk Identification
Risks are discovered and identified through a combination of expert judgment, stakeholder input, experimentation, past experiences, and historical analysis of similar initiatives and situations. The goal is to identify a comprehensive set of relevant risks and to minimize the unknowns. Risk identification is an ongoing activity.
A risk event could be one occurrence, several occurrences, or even a nonoccurrence. A risk condition could be one condition or a combination of conditions. One event or condition may have several consequences, and one consequence may be caused by several different events or conditions.
Each risk can be described in a risk register that supports the analysis of those risks and plans for addressing them.
.2 Analysis
Analysis of a risk involves understanding the risk and estimating its level. Sometimes controls may already be in place to deal with some risks, and these should be taken into account when analyzing the risk.
The likelihood of occurrence could be expressed either as a probability on a numerical scale or with values such as Low, Medium, and High.
The consequences of a risk are described in terms of their impact on the potential value. The impact of any risk can be described in terms of cost, duration, solution scope, solution quality, or any other factor agreed to by the stakeholders such as reputation, compliance, or social responsibility.
While an enterprise may have a standard or baseline risk impact scale, both the categories (such as cost, effort, and reputation) and the thresholds may be adjusted to reflect the potential value and the level of risk that is acceptable. Typically, three to five broad categories of level are used to describe how to interpret the potential impact.
The level of a given risk may be expressed as a function of the probability of occurrence and the impact. In many cases, it is a simple multiplication of probability and impact. The risks are prioritized relative to each other according to their level. Risks which could occur in the near term may be given a higher priority than risks which are expected to occur later. Risks in some categories such as reputation or compliance may be given higher priority than others.
.3 Evaluation
The risk analysis results are compared with the potential value of the change or of the solution to determine if the level of risk is acceptable or not. An overall risk level may be determined by adding up all the individual risk levels.
.4 Treatment
Some risks may be acceptable, but for other risks it may be necessary to take measures to reduce the risk. One or more approaches for dealing with a risk may be considered, and any combination of approaches could be used to address a risk:
- Avoid: either the source of the risk is removed, or plans are adjusted to ensure that the risk does not occur.
- Transfer: the liability for dealing with the risk is moved to, or shared with, a third party.
- Mitigate: reduce the probability of the risk occurring or the possible negative consequences if the risk does occur.
- Accept: decide not to do anything about the risk. If the risk does occur, a workaround will be developed at that time.
- Increase: decide to take on more risk to pursue an opportunity.
Once the approach for dealing with a specific risk is selected, a risk response plan is developed and assigned to a risk owner with responsibility and authority for that risk. In the case of risk avoidance, the risk owner takes steps to ensure that the probability or the impact of the risk is reduced to nil. For those risks which cannot be reduced to nil, the risk owner is responsible for monitoring the risk, and for implementing a risk mitigation plan.
The risk is re-analyzed to determine the residual risk, which is the new probability and new impact that result from the measures taken to modify the risk. A cost-benefit analysis may be done to determine whether the cost and effort of the measures reduce the level of risk enough to be worthwhile. The risks may be re-evaluated in terms of the residual risk.
Stakeholders should be informed of the plans for modifying the risks.
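The register, probability-times-impact scoring, prioritization, overall evaluation and residual-risk steps described in .2 through .4, carried through in code as an added example that is not part of the original text. The numeric values behind Low/Medium/High, the tie-break order, the tolerance figure and the sample risks are assumptions made for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
# Qualitative scales mapped to numbers (assumed mapping; the text only names Low/Medium/High).
LIKELIHOOD = {"Low": 0.2, "Medium": 0.5, "High": 0.8}
IMPACT = {"Low": 1, "Medium": 3, "High": 5}
PRIORITY_CATEGORIES = {"reputation", "compliance"}  # categories the text says may rank higher

@dataclass
class Risk:
    risk_id: str
    description: str
    category: str                    # cost, duration, scope, quality, reputation, compliance, ...
    likelihood: str                  # Low / Medium / High
    impact: str                      # Low / Medium / High
    near_term: bool = False
    treatment: str = "Accept"        # Avoid / Transfer / Mitigate / Accept / Increase
    residual_likelihood: str | None = None  # estimated probability once treated
    residual_impact: str | None = None      # estimated impact once treated

def level(likelihood: str, impact: str) -> float:
    """Risk level as the simple product of probability and impact."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]

def residual_level(r: Risk) -> float:
    """Level after treatment: avoidance drives it to nil; untreated fields keep their inherent value."""
    if r.treatment == "Avoid":
        return 0.0
    return level(r.residual_likelihood or r.likelihood, r.residual_impact or r.impact)

def treat(r: Risk, approach: str, likelihood: str | None = None, impact: str | None = None) -> Risk:
    """Record the chosen approach and the new probability/impact it is expected to produce."""
    r.treatment, r.residual_likelihood, r.residual_impact = approach, likelihood, impact
    return r

def prioritize(register: list[Risk]) -> list[str]:
    """Rank by inherent level; ties go to priority categories, then to near-term risks (assumed order)."""
    key = lambda r: (level(r.likelihood, r.impact), r.category in PRIORITY_CATEGORIES, r.near_term)
    return [r.risk_id for r in sorted(register, key=key, reverse=True)]

def evaluate(register: list[Risk], tolerance: float) -> tuple[float, bool]:
    """Overall residual level (sum of individual levels) and whether it is within the agreed tolerance."""
    total = sum(residual_level(r) for r in register)
    return total, total <= tolerance

REGISTER = [  # constructed sample register, not from the text
    Risk("R1", "Vendor API deprecated before go-live", "duration", "Medium", "High", near_term=True),
    Risk("R2", "Customer data exposed through a misconfigured export", "compliance", "Low", "High"),
    Risk("R3", "Licence cost increase", "cost", "High", "Low"),
]
treat(REGISTER[1], "Avoid")                                      # drop the export feature entirely
treat(REGISTER[0], "Mitigate", likelihood="Low", impact="High")  # pin the API version; impact unchanged
```

With a tolerance of 2.0 the treated register evaluates as acceptable (overall residual level 1.8), while a tolerance of 1.0 would send it back for further treatment.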
10.38.4 Usage Considerations
.1 Strengths
- Can be applied to strategic risks which affect long-term value of the enterprise, tactical risks which affect the value of a change, and operational risks which affect the value of a solution once the change is made.
- An organization typically faces similar challenges on many of its initiatives. The successful risk responses on one initiative can be useful lessons learned for other initiatives.
- The risk level of a change or of a solution could vary over time. Ongoing risk management helps to recognize that variation, and to re-evaluate the risks and the suitability of the planned responses.
.2 Limitations
- The number of possible risks to most initiatives can easily become unmanageably large. It may only be possible to manage a subset of potential risks.
- There is the possibility that significant risks are not identified.