Develop Controls

Risk management involves calculating the possibilities, variables and potential outcomes of a situation. It is only with these three concepts that one can calculate the plus / minus or over / under of a project. One of the most basic examples of this is how life insurance policies and prices are calculated. If someone is a former smoker he will have a slightly lower price per unit than a current smoker but neither of them will have the same as someone that has never smoked.

The CRM process steps that requires a cycle of continuous reassessment until the benefits of completing the mission outweigh the risks of not completing it include developing controls, and making risk decisions. CRM stands for Composite Risk Management.

It is called Qualitative Risk Analysis. Qualitative Risk Analysis is the process where we assess the Probability of the Risk event occurring and the Impact of the same. At the end of this process we will have a prioritized list of risks that we need to analyze further.

The step that focuses on determining the probability and severity of a hazard occurring is called the assess hazards step. Assessing hazards is done through qualitative risk analysis.

The step in the composite rash management process that is strictly focused on determining the probability of a hazard occurring is called "assess hazards."

Qualitative Risk Analysis

Purpose of Qualitative Risk Analysis:

The purpose of this process is to prioritize risks in order to determine which risks require additional analysis. This helps the risk management team to focus on the higher priority risks.

The Qualitative Risk Analysis process asks questions like:

a. What is the probability of this risk occurring?

b. What is the impact to the project objectives, if this risk occurs?

c. How much time do we have, to respond to this risk?

d. Where should we spend our effort?

e. Etc.

The Next Step is to analyze numerically the effect of identified risks on meeting the project objectives.

There are five steps total in the Composite Risk Management (CRM) process. Step 2 focuses on determining the probability and severity of a hazard occurring.

The step in composite risk management (CRM) that focuses on determining the probability of a hazard occurring is called underwriting. Underwriting also factors in the severity of a hazard occurring.

communicate, coordinate, and intergrate the controls who, what, when, where and how into directives and briefings

In addition perform, onfiguration identification, status acounting, auditing, reporting and documenting.
Communicate, coordinate, and integrate the control's who, what, when, where, and how into directives and briefings.
Communicate, coordinate, and integrate the control's who, what, when, where, and how into directives and briefings.

The risk register is a document that contains the output of the risk identification process. The risk register will be constantly updated with a lot of information from other risk management processes. To begin, you store the following information from the risk identification process in the risk register:

• List of identified risks - These are the risks that you identified in the risk identification process. These risks should be described in reasonable detail, which may include the following:

o The risks - The definition and nature of each risk and the causes that will give rise to the risk.

o List of the root causes of the risks - This is a list of events or conditions that might give rise to the identified risks.

o Updates to risk categories - Risks categories were originally identified in the risk management planning process. However, in the process of identifying risks, you might discover new categories or modify existing categories. The updated risk categories must be included in the risk register. • List of potential responses - Risk response planning is a separate process that is performed after risk analysis. However, during risk identification, you might identify potential risk responses that you must document in the risk register. These responses can be further examined and planned in the risk response planning process.

Prioritizing risks based on their probability of occurrence and their impact if they do occur is the central goal of qualitative risk analysis. Accordingly, most of the tools and techniques used involve estimating probability and impact.

Risk probability and impact assessment - Risk probability refers to the likelihood that a risk will occur, and impact refers to the effect the risk will have on a project objective if it occurs. The probability for each risk and the impact of each risk on project objectives, such as cost, quality, scope, and time, must be assessed. Note that probability and impact are assessed for each identified risk.

Methods used in making the probability and impact assessment include holding meetings, interviewing, considering expert judgment, and using an information base from previous projects.

A risk with a high probability might have a very low impact, and a risk with a low probability might have a very high impact. To prioritize the risks, you need to look at both probability and impact.

Assessment of the risk data quality - Qualitative risk analysis is performed to analyze the risk data to prioritize risks. However, before you do it, you must examine the risk data for its quality, which is crucial because the credibility of the results of qualitative risk analysis depend upon the quality of the risk data. If the quality of the risk data is found to be unacceptable, you might decide to gather better quality data. The technique to assess the risk data quality involves examining the accuracy, reliability, and integrity of the data and also examining how good that data is relevant to the specific risk and project for which it is being used.

Risk urgency assessment - This is a risk prioritization technique based on time urgency. For example, a risk that is going to occur now is more urgent to address than a risk that might occur a few months from now.

Probability and impact matrix - Risks need to be prioritized for quantitative analysis, response planning, or both. The prioritization can be performed by using a probability and impact matrix; a lookup table that can be used to rate a risk based on where it falls both on the probability scale and on the impact scale.

Look at the table below: RXY, where X and Y are integers that represent risks in the two-dimensional (probability and impact) space.

ProbabilityImpact0.000.050.150.250.350.450.550.650.750.900.20R11R12R13R14R15R16R17R18R190.40R21R22R23R24R25R26R27R28R290.60R31R32R33R34R35R36R37R38R390.80R41R42R43R44R45R46R47R48R49

This is how you read this matrix. R21 has a 40% probability of occurring and will have a 5% impact on the project. Similarly R49 has a 80% probability and will have a 90% impact on the project.

How to calculate the numerical scales for the probability and impact matrix and what they mean depends upon the project and the organization. However, remember the relative meaning: Higher value of a risk on the probability scale means greater likelihood of risk occurrence, and higher value on the impact scale means greater effect on the project objectives.

Each risk is rated (prioritized) according to the probability and the impact value assigned to it separately for each objective. Generally, you can divide the matrix in the table above into three areas; high-priority risks represented by higher numbers, such as R49, medium-priority risks represented by moderate numbers, such as R25, and low-priority risks represented by lower numbers, such as R12. However, each organization has to design its own risk score and risk threshold to guide the risk response plan.

Note that impact can be a threat (a negative effect) or an opportunity (a positive effect). You will have separate matrices for threats and opportunities. Threats in the high-priority area might require priority actions and aggressive responses. Also, you will want to capitalize on those opportunities in the high-priority area, which you can do with relatively little effort. Risks posing threats in the low-priority area might not need any response, but they must be kept on the watch list to ensure that you don't get any unwanted or unexpected surprises towards the end of the project.

Risk categorization - You defined the risk categories during the risk management planning and risk identification processes. Now you can assign the identified risks to those categories. You can also revisit the categorization scheme, such as RBS, that you developed for your project, because now you have more information about risks for the project. Categorizing risks by their causes often helps you develop effective risk responses.

Expert judgment - You may need expert judgment to assess the probability and impact of each risk. To find an expert, look for people who've had experience with similar projects in the not too distant past. While weighing the expert judgment, look for possible biases. Often experts are biased toward their area or idea.

Shareholders are very sensitive to this and when changes take place that are negative a stock can fall in price (and keep falling for that matter). Astute investors pay attention to the details of the company seeking early clues to problems the company may acknowledge several weeks or months down the road. Investors and the market do not like unwelcome surprises.

To keep it simple, no shareholders should be indefferent to any change in a firms financial condition. A decrese in a firms credit/financial strength rating or a corporate debt downgrade is no different than a drop in your personal credit score. A drop in your credit score means you will pay a higher interest rate on all borrowing. This is the case for a firm who's increased financil risk leads to the downgrade, the firm will need to pay a higher interest rate on all borrowing. This esentially means (relitively speaking) the firm is not in the optimal position to fulfill its current debt obligations, long and or short term and as such there is a higher default risk to the debt holders who will require a higher interest rate to make the risk attractive. This impacts a shareholder because this whole process is set into motion by the weakend financil condition of the firm, credit ratings are not arbitrairily downgraded. The downgrade puts further strain on the firms financil condition due to the increased interest rate it must pay on corporate debt. For an example look at GM's stock price after the before and after the first, second downgrade.

A prudent shareholder / investor should never be uninformed and/or unconcerned when events or corporate actions or inaction effects the financial health of the

corporation.

Those who owned GM bonds might have very strong feelings on this subject.

Consider that, by definition, a bond is a promise to repay monies and bond holders

have legal rights. Or they used to.

any