Risk Management Methods and Frameworks Part II (continued)
The steps involved in managing risk are:
1. Establish Goals and Context
As outlined in the Risk Management process, the risk assessment is undertaken within the context of your goals. The identification / validation of your goals is therefore a critical first step in the risk management process.
Effective risk management requires a thorough understanding of the context in which your company, department or Agency operates. The analysis of this operating environment enables you to define the parameters within which the risks to your outputs need to be managed.
The context sets the scope for the risk management process. The context includes strategic, organizational and risk management considerations. According to the international Standards and best practices strategic context defines the relationship between the organizations and its environment. Factors that influence the relationship include financial, operational, competitive, political (public perceptions / image), social, client, cultural and legal. The definition of the relationships is usually communicated through frameworks such as the SWOT (Organizational strengths, weaknesses, opportunities and threats) and PEST (Political, Economic, Societal, and Technological).
The organizational context provides an understanding of the organization, its capability and goals, objectives and strategies. According to International Standards and best practices, organizational context is important because:
a) risk management occurs within the context of endeavoring to achieve the goals and objectives,
b) failure to achieve the objectives is one set of risks that need to be managed, and
c) the goals and strategies assist to define whether a risk is acceptable or unacceptable.
The risk management context defines that part of the organization (goals, objectives, or project) to which the risk management process is to be applied.
2. Identify Risks
Identify the risks most likely to impact on your outputs, together with their sources and impacts. It is important to be rigorous in the identification of sources and impacts as the risk treatment strategies will be directed to sources (preventive) and impacts (reactive).
Business risks directly threaten one or more of a customer's business goals. The identification of such risks helps to clarify and quantify the possibility that certain events will directly impact business goals. Business risks have impacts that include direct financial loss, damage to brand or reputation, violation of customer or regulatory constraints, exposure to liability, and increase in development costs. The severity of a business risk should be expressed in terms of financial or project management metrics. These include, but are not limited to, market share (%), direct cost, level of productivity, and cost of rework.
Business risk identification helps to define and steer use of particular technical methods for extracting, measuring, and mitigating software risk given various software artifacts. The identification of business risks provides a necessary foundation that allows software risk (especially impact) to be quantified and described in business terms.
The key to making risk management work for business lies in tying technical risks to business context in a meaningful way. The ability to identify and deeply understand risks is thus essential. Uncovering and recognizing technical risks is a high-expertise undertaking that usually requires years of experience.
