
Risk management facts for kids

Example of risk assessment: A NASA model showing areas at high risk from impact for the International Space Station

Risk management is all about finding, understanding, and dealing with risks. A risk is anything that could affect your goals, whether in a good way or a bad way. It's like planning ahead to make sure bad things don't happen, or if they do, that they don't cause too much trouble. It also means looking for chances to make good things happen!

Risks can come from many places. For example, they could be about money in global markets, problems with a project (like building something new), legal issues, accidents, natural disasters like floods, or even attacks from others.

There are two main types of events:

  • Negative events are called risks (or threats). These are things that could cause problems.
  • Positive events are called opportunities. These are chances for good things to happen.

Many groups, like the Project Management Institute, have created rules and guidelines for managing risks. How you manage risk can change a lot depending on what you're doing. For example, managing risk for a big building project is different from managing risk for your personal finances.

When dealing with threats, people usually have a few strategies:

  • Avoiding the threat completely.
  • Reducing how bad the threat could be or how likely it is to happen.
  • Sharing the threat with someone else, like an insurance company.
  • Keeping some or all of the risk yourself.

For opportunities, you do the opposite: you try to make them happen!

A risk manager is a professional who helps organizations figure out what risks they face. They look at things that could hurt the organization's reputation, safety, or money. Then, they create plans to lower or prevent these negative outcomes. Risk analysts help by looking at data and sharing what they find with managers.

What is Risk Management?

Risk management has been talked about in science and business since the 1920s. It became a more official field in the 1950s. At first, most of the research was about money and insurance.

A common set of words for risk management comes from something called ISO Guide 73:2009.

In good risk management, you deal with the biggest risks first. These are the risks that could cause the most harm and are most likely to happen. Risks that are less likely or cause less harm are handled later. It can be tricky to decide how to spend resources. Should you focus on a small problem that happens often, or a huge problem that almost never happens?

Sometimes, there are risks that are always there but people don't notice them. For example, if people don't know enough about something, it can cause problems. If people don't work together well, that's another risk. These hidden risks can lower how much work gets done and how well a company performs.

It's also hard to decide when to spend time and money on managing risks and when to use those resources for other things. The best risk management tries to spend as little as possible while still keeping risks low.

Risk is basically the chance that something will happen that makes it harder to reach your goals. So, uncertainty is a big part of risk.

Risks vs. Opportunities

The idea of "opportunities" in risk management became popular in the 1990s. At first, project management books didn't even mention them.

Today, modern project management understands that opportunities are important. They are now a key part of how projects are managed.

Modern risk management looks at all kinds of outside events, both good and bad. Good events are called opportunities. Just like with risks, there are ways to deal with opportunities:

  • Exploit them: Make sure they happen.
  • Share them: Work with others to make them happen.
  • Enhance them: Make them even better.
  • Ignore them: Decide not to pursue them.

Even though opportunities are important, people often focus more on threats. This can sometimes make people too focused on avoiding bad things, and they might miss out on good chances.

How Risk Management Works

Most risk management methods follow these steps:

  • Find the threats: What could go wrong?
  • Check how weak you are: How easily could these threats hurt important things?
  • Figure out the risk: How likely is a threat to happen, and how bad would it be?
  • Find ways to lower risks: What can you do to make things safer?
  • Decide which risks to fix first: Deal with the biggest problems first.

The Project Management Body of Knowledge (PMBoK) describes these steps for projects:

  • Plan Risk Management: Decide how you will manage risks for your project.
  • Identify Risks: Find all the possible risks and where they come from.
  • Perform Qualitative Risk Analysis: Decide which risks are most important by looking at how likely they are and how big their impact would be.
  • Perform Quantitative Risk Analysis: Use numbers to understand the effects of risks more deeply.
  • Plan Risk Responses: Come up with ideas and plans for how to deal with each risk.
  • Implement Risk Responses: Put those plans into action.
  • Monitor Risks: Keep an eye on risks and how your plans are working.

Important Ideas in Risk Management

The International Organization for Standardization (ISO) lists these important ideas for risk management:

Risk management should:

  • Create value: The effort you put into managing risk should be less than the problems you avoid.
  • Be a part of everything: It should be built into how an organization works.
  • Help with decisions: It should be part of how choices are made.
  • Deal with uncertainty: It should openly address things you don't know for sure.
  • Be organized: It should follow a clear, step-by-step process.
  • Use the best information: Base decisions on what you know.
  • Be flexible: You should be able to change it to fit different situations.
  • Think about people: Remember that human actions play a role.
  • Be open: Everyone should understand what's happening and be involved.
  • Keep changing: It should adapt to new situations and keep getting better.
  • Be checked regularly: Review and update it often.

The Risk Management Process

According to the standard ISO 31000, the process of managing risk has several steps:

Setting the Scene

This step means understanding the situation you are in. It involves:

  • Looking at the overall situation where risk management will happen.
  • Knowing who is involved and what their goals are.
  • Deciding how risks will be judged and what limits you have.
  • Creating a plan for finding and dealing with risks.
  • Figuring out how to use technology, people, and other resources to handle risks.

Finding Risks

After you understand the situation, the next step is to find possible risks. Risks are about events that, when they happen, cause problems or benefits. You can start by thinking about where problems might come from, or what good things your competitors are doing.

  • Looking at sources: Risks can come from inside or outside your system. For example, people working on a project, employees of a company, or even the weather can be sources of risk.
  • Looking at problems: Risks are also linked to threats. For example, the threat of losing money, or the threat of mistakes.

Some common ways to find risks are:

  • Goal-based: If an event might stop you from reaching a goal, it's a risk.
  • Scenario-based: Imagine different future situations. Any event that leads to a bad situation is a risk.
  • Checklists: Use lists of known risks from your industry to see if they apply to you.
  • Risk charting: List what's at risk, the threats to it, things that change the risk, and bad outcomes you want to avoid. This helps you see connections.

Judging Risks

Once you've found the risks, you need to judge them. How bad would the impact be, and how likely is it to happen? Sometimes these are easy to measure, like the cost of a damaged building. Other times, it's hard to know for sure, especially for rare events. So, you have to make the best guesses you can to decide which risks to deal with first.

It's hard to know how often rare, big events will happen because there isn't much past information. Also, it's tough to judge the impact on things you can't touch, like a company's good name. You use the best guesses and available information. The goal is to make it easy for leaders to understand the main risks and make smart decisions. A common way to think about risk is: "How likely it is to happen multiplied by how bad it would be equals the size of the risk."

Ways to Handle Risks

Once risks are identified and judged, there are four main ways to handle them:

  • Avoidance: Don't do the activity that causes the risk.
  • Reduction: Make the risk less likely or less severe.
  • Sharing: Get someone else to take on part of the risk.
  • Retention: Accept the risk and deal with it if it happens.

Risk Avoidance

This means choosing not to do something that could cause a risk. For example, not buying a property to avoid legal problems. While avoiding risks seems good, it also means you miss out on any good things that might have come from taking that risk. If you avoid starting a business to avoid losing money, you also miss the chance to make a profit.

Risk Reduction

This means making the risk less severe or less likely to happen. For example, installing sprinklers to put out a fire quickly reduces the risk of major fire damage. You might also use special fire systems that don't cause water damage, but they can be very expensive.

When we talk about reducing risks, we're looking for a balance. You want to reduce the negative risk, but also get the benefits of the activity. It's about finding the right amount of effort to put into reducing risk.

Modern ways of developing software reduce risk by building and delivering small parts of the software at a time. This way, if there's a problem, it only affects a small part, not the whole project.

Sometimes, a company might outsource (pay another company to do) things like software development or customer support. This can be a way of sharing risk if the other company is better at managing those risks.

Risk Sharing

This means sharing the burden of a loss, or the benefit of a gain, from a risk with another party. It also includes sharing the effort to reduce a risk.

Often, people talk about "transferring risk" when they buy insurance. But technically, you still have the main responsibility. Insurance just means that if something bad happens, the insurance company pays you money to help with the damage. For example, car insurance doesn't stop you from having an accident; it just helps pay for the costs if you do.

Risk Retention

This means accepting the loss (or gain) from a risk if it happens. If you decide not to avoid or share a risk, you are keeping it. This is often done for small risks where the cost of insurance would be more than the potential loss. It's also used for very big or rare risks that can't be insured, like war. Any part of a loss that isn't covered by insurance is also a retained risk.
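
Here is an added example (not part of the original article) of a tiny risk list in Python. It uses the "how likely multiplied by how bad" rule from Judging Risks to put the biggest risks first, then uses the retention rule above to choose between keeping a risk and sharing it. The risks, the numbers and the insurance prices are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Risk:
    name: str
    likelihood: float                 # chance it happens in a year, 0.0 to 1.0
    impact: float                     # loss in dollars if it happens
    insurance_cost: Optional[float]   # yearly price; None = cannot be insured

    @property
    def size(self) -> float:
        # size of the risk = how likely it is x how bad it would be
        return self.likelihood * self.impact

def rank(risks):
    """Biggest risks first; ties keep the order they were listed in."""
    return sorted(risks, key=lambda r: r.size, reverse=True)

def handle(risk):
    """Pick 'retain' or 'share' using the retention rule from the text."""
    if risk.insurance_cost is None:          # uninsurable, e.g. war
        return "retain"
    if risk.insurance_cost > risk.impact:    # insurance costs more than the loss
        return "retain"
    return "share"

# Constructed sample register (all names and numbers are made up).
RISKS = [
    Risk("computer virus", 0.5, 2_000, 300),
    Risk("flood", 0.0078125, 128_000, 800),   # about once in 128 years
    Risk("lost pens", 0.75, 20, 50),
    Risk("war", 0.0009765625, 512_000, None),
]

if __name__ == "__main__":
    for r in rank(RISKS):
        print(f"{r.name:15} size={r.size:8.1f}  -> {handle(r)}")
```

The computer virus (small but frequent) and the flood (huge but rare) come out the same size, which is the "which one first?" puzzle described earlier on this page.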

Risk Management Plan

After you've identified and judged risks, you need to choose ways to control or counter them. These plans need to be approved by the right people in charge. For example, a risk to a company's reputation would need approval from top leaders, while a computer virus risk might be handled by the IT manager.

A good risk management plan should suggest useful ways to manage risks. For example, if there's a high risk of computer viruses, the plan might suggest getting and using antivirus software. The plan should also say when these actions will happen and who is responsible for them.

Putting the Plan into Action

This step involves doing all the things you planned to reduce the effects of risks. This might mean buying insurance, avoiding certain activities, reducing other risks, and accepting the rest.

Reviewing the Plan

Your first risk management plan won't be perfect. As you gain experience and see what actually happens, you'll need to make changes to the plan.

You should regularly update your risk analysis and management plans. This is important for two reasons:

  • To check if your chosen ways of controlling risks are still working well.
  • To see if the level of risk in your environment has changed. For example, risks related to technology can change very quickly.

Where Risk Management is Used

In Businesses

Enterprise risk management looks at all the possible events that could negatively affect a business. This includes impacts on its existence, its people and money, its products, its customers, and even wider impacts on society or the environment. For example, in a bank, this would include risks related to loans, interest rates, or how the market changes.

For every likely risk, a business can have a plan ready to deal with what might happen. This is like having a backup plan.

In Information Technology

In information technology, risk management includes "Incident Handling." This is a plan for dealing with things like computer hacks, cyber theft, or even physical problems like fires or floods. It's about preparing, finding, stopping, fixing, recovering, and learning from these events.

IT risk is a newer term that covers all risks related to information technology. It's not just about security, but also about how IT supports real-world processes. As technology keeps changing, so do cybersecurity risks.

In Medical Devices

For medical devices, risk management is a process for finding, judging, and reducing risks that could harm people or damage property. It's a key part of designing, making, and checking medical devices. Organizations like the US FDA require proof that this process is used. The standard for this is ISO 14971:2019.

In Projects

Project risk management is important at every stage of a project. At the start, you might look at new technologies or what competitors are doing. Once a project begins, you can use more specific tools:

  • Planning: Decide how risks will be managed in this specific project, including tasks, who is responsible, and the budget.
  • Assigning a risk officer: This is a team member, not the project manager, who looks for potential problems.
  • Keeping a risk database: A list of all risks with details like when they were found, a description, how likely they are, and how important they are.
  • Allowing anonymous reporting: Let team members report risks they see without fear.
  • Making mitigation plans: For risks you decide to deal with, describe how they will be handled to avoid them or lessen their impact.
  • Summarizing: Keep track of planned and actual risks, how well your plans worked, and the effort spent on risk management.

For Big Projects (Megaprojects)

Megaprojects are huge investment projects, often costing more than $1 billion. Examples include major bridges, railways, airports, and power plants. These projects are known to be very risky in terms of money, safety, and their impact on society and the environment. Because of this, special methods and training have been developed for managing risks in megaprojects.

For Natural Disasters

It's very important to assess risks from natural disasters like floods and earthquakes. Knowing these risks helps estimate future repair costs, business losses, environmental effects, and insurance costs. The Sendai Framework for Disaster Risk Reduction is an international agreement from 2015 that sets goals for reducing disaster risks.

Tools like computer modeling can help assess these risks. This involves understanding where people live and how likely a natural disaster is to happen.

In Wilderness Areas

Managing risks in wilderness and natural areas has become more important as more people enjoy outdoor activities. Organizations that offer commercial wilderness trips follow national and international safety standards for training and equipment.

One popular way to assess risk in the outdoors is the Risk Assessment and Safety Management (RASM) Model. It says: Risk = How Likely an Accident Is × How Bad the Consequences Would Be. This model helps balance the potential for bad things happening with the potential for good experiences and growth.

Talking About Risks

Risk communication is about sharing information about risks. This means telling people about potential dangers, what might happen, and what can be done about them. It's important to communicate clearly so everyone understands the risks and how to deal with them.

See also

  • Business continuity
  • Disaster risk reduction
  • Enterprise risk management
  • Financial risk management
  • ISO 31000
  • IT risk management
  • Project risk management
  • Risk analysis
  • Risk assessment
  • Security management