How Business Analysts can manage project risks

Risk management is used to spot areas of uncertainty that could affect value. Risk management analyzes and assesses those uncertainties, and develops and manages the associated risks.

If risks are not identified and managed effectively, they could adversely affect the value of the solution.

If adequate controls have not been put in place, the business analyst should create plans for avoiding, reducing, or modifying the risks, and if necessary, implement these plans.

Risk management is a recurring activity that should happen throughout the lifecycle of the initiative. The business analyst should work with the stakeholders to help identify new risks and to monitor identified risks.

Risk management has several components:

1. Risk Identification: Risks are identified through expert judgment, stakeholder input, experimentation, past experiences, and historical analysis of similar initiatives.

The objective is to identify a complete set of applicable risks. Each risk should be described in a risk register that helps with the analysis and management of those risks.

Risk Register Example

2. Analysis: Analysis of a risk involves understanding and assessing the risk level. The likelihood of occurrence can be expressed as low, medium, and high.

The outcome of a risk is its impact on the potential solution value. The risk impact can be described in terms of cost, duration, solution scope, solution quality, reputation, compliance, or social responsibility.

The level of a given risk is expressed as a combination of the likelihood of occurrence and the impact. Usually, it is a simple multiplication of probability and impact. The risk levels are used to prioritize the risks.

Risk Impact Scale example

3. Evaluation: To assess the risk, the risk analysis results are compared to the solution to decide if the risk level is acceptable or not. Overall risk level may be calculated by adding up all the individual risk levels.

4. Treatment: Based on the risk assessment level, the following approaches may be considered:

  1. Avoid: either the source of the risk is removed or plans are amended to ensure that the risk does not occur.
  2. Transfer: the responsibility for dealing with the risk is moved to, or shared with, a third party.
  3. Mitigate: the probability of the risk occurring is reduced.
  4. Accept: the risk is accepted and might be mitigated if it does occur.
  5. Increase: the organization might decide to take on more risk in order to go after an opportunity.

Once the approach for managing a specific risk is selected, a risk response plan is developed and given to a risk owner with the responsibility and authority for managing the risk.

If the risk avoidance approach is selected, the risk owner should ensure that the probability or the impact of the risk is removed.

But if the risk cannot be totally removed, then a risk mitigation plan should be created and the risk should be continuously monitored.

Risk management has its strengths and limitations, which include:

Strengths

• Risk management can be used to manage the strategic, tactical and operational risks of the solution.
• The successful risk responses on one initiative can be used for similar initiatives.
• Recurring risk management helps to assess the risks and the appropriateness of the planned responses.

Limitations

• Managing all the solution risks might not be possible, so identifying the most important ones might be the only feasible solution.
• There is the possibility that important risks are not identified.