What is Risk Management?

**Mohamed** · 03-23-2012, 11:01 AM

Risk Assessment – The Funnel Analogy

If an organisation was to identify and treat every possible risk it faced, no matter how insignificant, the list of risks would be enormous. In a perfect world, every risk would be documented, completely mitigated and nothing would be left to chance. But in reality, resources are scarce, and many risks will inevitably be left alone without any action being taken.
The risk assessment process is the way to identify, analyse and evaluate risks to determine which risks need attention.
The diagram below illustrates how the risk assessment process can be likened to a funnelling process.
Essentially, a “box” is filled up with all identified risks, and tipped into a funnel (a risk analysis). Some risks are so small that they fall through the bottom of the funnel and accepted for what they are. To formally document treatments for such small risks does not represent good value for the effort required.
Other risks may be slightly larger, and get stuck along the way. Still larger risks will barely move down the funnel at all. Depending upon the organisation’s tolerance for risk, the funnel’s filters will allow different sized risks to fall through the gaps, or remain at the top. The way risks are prioritised depends on where they sit in the funnel; the higher they sit, the greater the priority they represent.

[link Point to another website Only the registered members can access]

Risk Treatment
Once all risks have been analysed the challenge is to develop a way to “draw the lines in the funnel”; that is, how you evaluate risks to determine which risks fall through to the bottom (tolerate), which ones get stuck halfway (treat / transfer) and which sit at the top (terminate / transfer).
It is sensible to classify all risks as low, medium, high or extreme. In this way, the decision about what type of action to take is more obvious. A risk that is high or extreme has, by definition, a higher level of urgency and level of unacceptability.
How Much Can You Tolerate?
Levels of risk tolerance may differ between assessments, or across organisations, because of the contexts within which they operate: a risk-averse company may evaluate a particular risk as high and unacceptable whereas a less cautious one may define the same risk lower and tolerable. Similarly, a well-resourced company may classify many risks as lower, whereas a poorly-resourced one may consider it high (because it cannot take risks for its own survival).
By understanding and applying this process and the context within which the analysis is being applied, organisations can apply risk management principles to help deal with future uncertainty, to spend less time on small priority risks, and spend more time on the things that are important (i.e. big risks).

**cybermoj** · 04-01-2012, 09:27 AM

Awsome tut...thanks man!

So, how is the size of the risk determined? Is that where softwares like Crystal Ball come in? If not, What is the function that crystal ball performs?

**panglimamerah** · 04-20-2012, 11:38 AM

Good analogy but i must address that when we are talking about risk management, it encompasses a very big scope. There are a lot of things that we might need to consider and put it into perspective. And to answer cybermoj questions, we need to look at proper "risk description". There are many standards for risk management which focused into same area of study but with different terminology. The first thing that we need to know is the description of the risk itself.

Risk can be categorized into three which known as hazard risks, control risks and opportunity risks. Hazard risks or pure risks are certain risk event that can only result in negative outcomes whether it is an operational risks or insurable risks. Notably, risk management discipline has strong origins in the management and control of hazard risks.

Risk Description is important as it will includes statement of the risk, including scope of risk & detail of possible event and dependencies. it will also covers the nature of the risk including details of the risk classification and timescale of potential impact. Risk impact in risk management is often describes into likelihood and magnitude.

From risk description we will determine the magnitude of the risk meaning how big is the risk impact to the organization. We are using risk assessment to determine the risk likelihood and magnitude. There are many risk assessment tools in the world which enable us assessing the risk thoroughly and subsequently providing a good information in dealing with the risk suitable to organization needs.