Risk management is something we do every day. Whether we do it consciously or instinctively depends on a series of factors, but the truth is that risk is a constant part of our lives.
There are many misconceptions about this subject, so I thought it would be a good idea to review some basic concepts of risk management. I'm not an expert, but as a Project Manager with over 10 years of experience, I've picked up a thing or two.
Basic principles of risk management
Let's start with the definition of risk. It may sound very basic, but 90% of people, if not more, don't know its exact meaning. There are different ways to define risk, but, as a project manager, my favourite is the one used by the Project Management Institute (PMI):
In project management, risk is "an uncertain event or condition that, if it occurs, has a positive or negative effect on a project's objectives."
Note that this definition includes the word "positive." That may sound unusual to some because, usually, risk is associated with negative outcomes, but we, project managers, see risk merely as uncertainty, regardless of the outcome.
That means if you play the lottery, there is a risk you will become a millionaire!
By that definition, we can classify risk into two groups: threats, if they are associated with a negative outcome, and opportunities, if they are associated with a positive one.
However, since risk is more commonly associated with negative outcomes, it's often used interchangeably with threats.
Risk assessment
Now that we know the definition of risk, let's take a look at risk assessment.
During this stage, we are usually looking at two attributes: impact and probability. In fact, there are many more risk aspects we could evaluate, but some of them are very industry-specific and, since we are sticking to the basics today, let's focus on these two.
To put it simply, impact details what would happen should the risk materialize, and probability is the likelihood of the risk materializing.
Understanding these two attributes is an important step in managing risk because it allows us to rate risks, prioritize accordingly and develop strategies to address each one.
However, to accomplish that, one more step is still needed, which is risk analysis. It's a vast topic that deserves one or several dedicated posts; therefore, we will briefly go over the basics.
Qualitative and Quantitative analysis
Qualitative analysis is a subjective strategy to estimate risk severity and likelihood. It relies mainly on the experience of those involved in the estimation process.
Quantitative analysis is an objective approach that relies on verifiable data to analyze the impact and probability of risk.
Contrary to what many sources say, one method is not better than the other. They are, in fact, complementary.
Quantitative analysis expresses probability and impact as numbers, while qualitative analysis helps a person, team or company gauge and classify risk, making it easier to manage.
The problem with quantitative analysis is that it's not always easy to do, as you need trustworthy data, statistical knowledge, and specific tools, which are not available in many cases.
In fact, in my entire career, which spans over 10 years, I can count on one hand the situations where I witnessed qualitative analysis being performed correctly.
That's why qualitative analysis is a lot more common. It's not as efficient by itself, but it's better than nothing.
One thing to keep in mind, however, is that, due to its subjective nature, qualitative analysis often says more about the person or team performing the analysis than about the risk itself.
That means when someone tells you something like "I would avoid that investment because it's too risky," the best thing you can do is ignore it and do your own research, because your definition of risky can be widely different from that person's. The opposite is also true, obviously, so don't just follow others blindly into any kind of venture without conducting your own risk assessment first.
Final thoughts
Risk means uncertainty, and it can have both positive and negative outcomes, even though it's more commonly associated with negative results.
The most common aspects to look at when performing risk assessment are impact, meaning what could happen if the risk materializes, and probability, which represents the likelihood of the risk materializing.
There are two types of analysis when managing risk: quantitative and qualitative. Quantitative analysis is objective and relies on data and statistics, while qualitative analysis is subjective and relies on experience and feeling.
I believe this was a good primer on risk and risk management, but risk management is a vast subject, so I will expand on it in further articles.