In the widest sense, risk management has been defined by Meier1 as “the practice used to prevent as many losses as possible, and arranging methods of payment for the rest”. As he points out, this is not just buying insurance for a company, but also involves dealing with uninsurable risks.
A subset of project management, risk management often gets separate treatment, and has even developed into a specialist activity, particularly for managing health and safety risks and risks in the financial sector, especially those associated with investment.
The aim of all risk management processes is to reduce the cost associated with the risk. Note that this doesn’t mean eliminating risks, as this is impossible. Cynics would argue that the move toward lead-free is itself the result of an attempt to minimise risk to the environment and to people. Here the potential ‘costs’ to be minimised are the adverse impact on the environment and the potential for litigation from those who might perceive themselves as having been damaged by lead in electronics. Less cynically, risk management is an important component of most major projects, and has become embedded in company cultures as a means of controlling uncertainty.
Insurance is just one of several approaches for minimising risk, and would be a valid strategy that the company as a whole might employ to cover issues such as “product liability”. This is liability that results from product that is defective in design, manufacturing, instructions or advertising. Insurance may also be appropriate for dealing with environmental problems caused by the company or from “regulatory risks”, should a product not comply with regulations. Unfortunately, being insured doesn’t mean that one can ignore the lead-free regulations, because insurers take a dim view of companies that deliberately flout the rules! You also have to be aware that the total cost of a court action is not just the sum of legal expenses plus the fine; it is also very expensive to the company in terms of management effort – ask anyone who has been involved in a tribunal – and has an adverse effect on the company’s marketing efforts.
In managing risk, we need to understand the kinds of risk involved, because risks come in two different categories:
Risks of which there is some information that we can use to calculate probabilities. For example, we know from our experience that a manufacturing batch will take of the order of n days to process, and the evaluation by our customer will take m days, so that the risk that the times will actually be 2n and 2m can be estimated. [Note that m will have more uncertainty and variability associated with it than n, because we don’t have the ability to allocate additional resource and assign priorities in the way that we do within our own company.]
Uncertainties, for which there is no way to predict a potential loss. These can only be managed by maintaining some reserve assets, whether physical resources or time. For example, despite our best efforts, the operator may use an incorrect process setting and ruin a batch, samples can get lost in the post, and test equipment can fail unexpectedly.
Having identified the risks and uncertainties, we need to manage them. The Project Management Institute defines four phases of risk management: identification; quantification; response development and response control. [Pritchard replaces the first two by risk planning and risk assessment, but the sequence is similar.]
Identifying the risks and uncertainties associated with the project.
Making an assessment of the magnitude and severity of each risk. How likely is it to happen? How big is the risk? [Alternatively: How large is the likely loss?]
To show graphically which risks were the most important, Coppendale2 plotted risks on a scatter diagram of impact against likelihood. He used scales of 0 to 10, where 0 likelihood is a probability of occurrence of <5%, 5 a probability of 50% and 10 a probability of >95%, and 0 impact represents no increase in cost or timescale, and 10 represents a significant impact (say ×2 in cost or more than a year late).
What can we do to manage the risk, by avoiding it, or by reducing the likelihood that it will happen? Note that we also have to be prepared to deal with the results of the problem should we happen to ‘get unlucky’. In today’s violent world, where terrorist incidents are always a possibility, risk response will involve trying to stop terrorists getting at the target, whilst also having a plan to deal with an incident if it happens, without the incident going out of control and harming innocent people.
Finally, we need to control our response, both to get feedback to improve our performance and to make sure that the cure isn’t worse than the disease. As part of this, we also have to ask the question: How much will it cost to manage the risk?
Note that minimising risk has to be balanced against the resources expended. For example, the very small risks that we described above under the category of uncertainties do not warrant making two or three batches of products just in case one goes missing.