1. Developing a Risk Architecture Framework that fits into your
risk management strategy
Carlos Villasmil
KPOC Interface Engineer
2. Risk Mind-set
and Culture
Identify and
assess your
major risks
Decide which
risks are
natural
Determines
your capacity
and appetite
for risk
Embed risk in
all decisions
and processes
Align governance
and organization
around risk
1. Determining your project risk appetite by analyzing your risk exposure
3. 1. Determining your project risk appetite by analyzing your risk exposure
Definition:
“Risk appetite is the level of risk that management is willing to accept while
attempting to create value for the organization.”
Risk Exposure is also define as the “amount of risk you simply can’t avoid”.
Exposure may also be referred to as Threat
That means that the Risk management process should be able to determine
the risk exposure, which is the final outcome of the application of Contingency
and mitigation plans.
A good strategy to determine the risk exposure:
• focus on a few Top risks that can affect negatively the cash flow or the
completion date of your project.
• The residual risks after mitigation and the low probability – low impact risks
will be much likely the ones that will satisfy the risk appetite of the Project
management.
4. 1. Determining your project risk appetite by analyzing your risk exposure
Project or companyThreats
Threats
Threats
Threats Threats
Threats Threats
Threats
Threats
RMS
Top Risks
Acceptable level of
risks exposure
Management
attention and
focus
5. 2. Keeping an acceptable level of your risk exposure within your
project risk appetite
An acceptable level of the risk exposure will depend on issues as diverse
as size of the company, financial health, Management “risk” perception
( conservative or optimist).
A way to do this is select which ranks of risks can be acceptable for the
company using a proper top-down, holistic view of risk exposures that
will not affect the organization’s ability to achieve strategic, operation,
reporting, and compliance objectives.
6. Always have in mind that:
“Risk is dynamic and subject to constant change therefore required of
constant monitoring and communication among the project team
members”.
A healthy practice to “sense” the status of a risk is an open conversation
between the discipline leaders in the project team. This can be done
weekly or monthly as required. The open conversation helps to:
1. discuss the nature of a risk identified.
2. Determine if the risk is properly stated then understand by all team
members.
3. Evaluate the evolution of a risk and their mitigation or contingency plan
4. Evaluate the assessment and therefore the effectiveness of the action plan
5. Check for inconsistencies or changes in the circumstances or specific
situations of the project
7. 3. Designing contingency plan to treat your project risks
• Contingency plans are only drawn upon when a risk occurs
• The Contingency plan should limit the damage to the project.
•You should normally prepare contingency plans for any risk which
cannot be mitigated immediately -
in particular high probability, high impact risks, i.e. those of
high severity.
• Contingency plans should be ready before the risk occurs so that
you have resources agreed and are prepare to take action
quickly.
• In preparing contingency plans some mitigation actions may be
generated.
• Identify the trigger point at which the contingency plan needs to be
implemented.
• Quantify the cost and time estimates for the contingency plan.
Evaluate benefits for the project of implement this contingency plan.
8. 4. Measuring the effectiveness and accuracy of your planning assumptions
• This is difficult since Risk planning is dealing with the
intrinsically uncertain.
• One way to measure the effectiveness of a risk planning
assumption is with the prioritization of all the risks and then the
reassessment of the risk.
• Assign numeric values to the probability ( % of occurrence) and the
impact.( level of impact in cost, time, production) be as specific as
possible in the consequence description (i.e. Project will be delayed
by 13 days) in that case you can set a numeric value to a pre
established range of impacts.
• Once you determine your mitigation plan ( reduce the probability of
occurrence) or the contingency plan ( to reduce the impact once the
risk occurs) then you can check how this plan assumptions works
and then you can determine the risk reduction. This can be done
using a Risk Assessment Matrix.
• A Quantitative Risk Analysis (QRA) is also a good technique to
measure how effective have been your planning assumptions and
also to make the proper adjustment to this assumptions.
9. 5. Exploring the impact and consequences of risks for your risk planning
Select and implement a Risk response strategy. (Treat, Take, Transfer or
Terminate), this will allow to select those risks that can be influenced or not
by the project organization therefore helps the management to select
where to direct their effort.
• Risks once identified, require to be prioritized assessing their probability
of occurrence and the impact on the project objectives.
• Investigate the nature of a risk. What are their cause, then you can
determine the immediate consequence if the risk occurred and the
consequence derives of the initial ones.
• You can make your risk response plan based on this and of course
combining it with the risk response strategy. This will help to select those
risks that can really affect the project objectives.
•Remember, risk is dynamic therefore their consequence and impact also
can change with time.
• Good conversation between team members is a good way to check the
validity of the impact and also to make the proper adjustments to your risk
planning.
10. 6. Re-evaluating your risk management plan after you complete each phase
of your project
•Brainstorming sessions or periodic team meetings to openly discuss the
actual risks and to identify new is also required right after the completion of
each phase.
• The change of stage in a project brings more definition. The risk
management plan document needs to be adapted to this higher level of
definition.