UNIT – IV

RISK MANAGEMENT
Risk categories, Identification, Assessment, Planning and management, PERT technique,
Monte Carlo approach.

RISK MANAGEMENT :
Risk Management is a systematic process of recognizing, evaluating, and handling threats
or risks that have an effect on the finances, capital, and overall operations of an
organization. These risks can come from different areas, such as financial instability, legal
issues, errors in strategic planning, accidents, and natural disasters.

What is a Risk?
A risk is a probable problem; it might happen, or it might not. There are main two
characteristics of risk :
1. Uncertainty: the risk may or may not happen which means there are no 100% risks.
2. Loss: If the risk occurs in reality, undesirable results or losses will occur.

The risk management process

Risk management is a sequence of steps that help a software team to understand, analyze,
and manage uncertainty. Risk management process consists of
 Risks Identification.
 Risk Assessment.
 Risks Planning.
 Risk Monitoring
Risk Identification
Risk identification refers to the systematic process of recognizing and evaluating potential
threats or hazards that could negatively impact an organization, its operations, or its
workforce. This involves identifying various types of risks, ranging from IT security threats
like viruses and phishing attacks to unforeseen events such as equipment failures and
extreme weather conditions.
Risk analysis
Risk analysis is the process of evaluating and understanding the potential impact and
likelihood of identified risks on an organization. It helps determine how serious a risk is
and how to best manage or mitigate it. Risk Analysis involves evaluating each risk’s
probability and potential consequences to prioritize and manage them effectively.
Risk Planning
Risk planning involves developing strategies and actions to manage and mitigate identified
risks effectively. It outlines how to respond to potential risks, including prevention,
mitigation, and contingency measures, to protect the organization’s objectives and assets.
Risk Monitoring
Risk monitoring involves continuously tracking and overseeing identified risks to assess
their status, changes, and effectiveness of mitigation strategies. It ensures that risks are
regularly reviewed and managed to maintain alignment with organizational objectives and
adapt to new developments or challenges.

Advantages of risk management

Risk management isn't just about avoiding danger, it offers a surprising range of benefits.
Here are five key advantages:

1. Better Decisions: By identifying potential threats and opportunities, risk management

gives you a clearer overall picture. This empowers leaders to make informed
decisions that minimize risks and maximize gains.
2. Reduced Losses: Proactive identification of risks allows you to take steps to avoid
them or lessen their impact. This can save your business from financial setbacks, legal
issues, or reputational damage.
3. Compliance with Rules: Many industries have regulations to follow, and failing to
comply can be costly. Risk management helps ensure you're aware of relevant
regulations and have processes in place to meet them.
4. Continuous Improvement: Risk management isn't a one-time thing. It's an ongoing
process that helps identify areas for improvement in your processes, systems, and
overall operations. This can lead to greater efficiency and a more competitive edge.
5. Stronger Business: A well-implemented risk management plan demonstrates a
commitment to stability and growth. This can boost investor confidence, improve
customer satisfaction, and make your business more attractive to talented employees.
Disadvantages of risk management

While risk management offers significant advantages, it's not without drawbacks. Here are 5
potential disadvantages to consider:

1. Increased Complexity: Risk management processes can add layers of complexity to

operations. Identifying, assessing, and planning for various risks requires time and
resources, potentially overwhelming smaller teams.
2. Time Consumption: The focus on risk mitigation can slow decision-making.
Extensive analysis and planning for every possibility can lead to missed opportunities
or delayed action in fast-paced environments.
3. Cost of Implementation: Developing and maintaining a risk management framework
requires investment in training, tools, and personnel. This can be a significant upfront
cost, especially for smaller businesses.
4. Over-reliance on Processes: A rigid adherence to risk management procedures can
stifle innovation and creativity. Overly cautious approaches might prevent teams from
taking calculated risks that could lead to breakthroughs.
5. Unpredictable Events: No risk management plan can account for every single
eventuality. The unexpected will always occur, and the effectiveness of the plan
depends on adaptability and reevaluation in the face of the unknown.

Capabilities of Risk Management

Risk management isn't just about reacting to problems, it's a proactive approach with a strong
set of capabilities. Here are 5 key strengths of risk management:

1. Risk Identification: This is the foundation. Risk management excels at

systematically uncovering potential threats and opportunities across various areas of
an organization. It goes beyond immediate dangers to consider long-term challenges
and emerging trends.
2. Risk Assessment: Once risks are identified, it's crucial to understand their likelihood
and potential impact. Risk management provides tools and frameworks to analyze
these factors, allowing for prioritization based on severity.
3. Risk Mitigation & Planning: Just identifying risks isn't enough. Risk management
helps develop strategies to address them. This could involve avoiding certain actions,
reducing the likelihood of an event, or having plans in place to minimize damage if a
risk comes to fruition.
4. Communication & Reporting: Effective risk management fosters open
communication about potential threats. It establishes clear reporting structures to keep
stakeholders informed and ensure everyone is working towards the same goals.
5. Continuous Monitoring & Improvement: The risk landscape is constantly
changing. Strong risk management capabilities allow for ongoing monitoring of
identified risks and the effectiveness of mitigation strategies. This adaptability ensures
the system remains relevant and valuable.
Limitations of Risk Management

Even though risk management is a powerful tool, it has some inherent limitations. Here are 5
key constraints to be aware of:

1. Incomplete Data and Information: Decisions are only as good as the information
used to make them. Risk management relies on data to assess risks, and sometimes
that data might be incomplete, outdated, or inaccurate. This can lead to misjudgments
about the true likelihood or impact of a risk.
2. Uncertainty and Complexity: The world is full of unknowns. Some risks are
inherently difficult to predict because they involve complex systems or human
behavior. Risk management can't eliminate all uncertainty, but it helps you navigate it
more effectively.
3. Assumption of Normal Distribution: Many risk management frameworks rely on
statistical models that assume a normal distribution of events (think bell curve). This
might not always be the case. Certain events, like major economic downturns, might
follow a different pattern, making them harder to predict and plan for.
4. Behavioral Biases: Human decision-making can be influenced by biases like
overconfidence or optimism. These biases can creep into risk assessments, leading to
underestimation of threats or overestimation of our ability to handle them.
5. Lack of Integration: For optimal effectiveness, risk management needs to be
ingrained in the organization's culture. If it's seen as a separate function rather than an
integrated process, its impact can be diminished.

Levels of risk management

 Identify the Risk.

 Analyze the Risk.
 Evaluate or Rank the Risk.
 Treat the Risk.
 Monitor and Review the Risk.
1.Identify the Risk

The initial step in the risk management process is to identify the risks that the business is
exposed to in its operating environment.

There are many different types of risks:

 Legal risks
 Environmental risks
 Market risks
 Regulatory risks etc.

It is important to identify as many of these risk factors as possible. In a manual environment,

these risks are noted down manually. If the organization has a risk management solution
employed all this information is inserted directly into the system.

2.Analyze the Risk

Once a risk has been identified it needs to be analyzed. The scope of the risk must be
determined. It is also important to understand the link between the risk and different factors
within the organization. To determine the severity and seriousness of the risk it is necessary
to see how many business functions the risk affects. There are risks that can bring the whole
business to a standstill if actualized, while there are risks that will only be minor
inconveniences in the analysis.

3.Evaluate the Risk or Risk Assessment

Risks need to be ranked and prioritized. Most risk management solutions have different
categories of risks, depending on the severity of the risk. A risk that may cause some
inconvenience is rated lowly, risks that can result in catastrophic loss are rated the highest. It
is important to rank risks because it allows the organization to gain a holistic view of the risk
exposure of the whole organization. The business may be vulnerable to several low-level
risks, but it may not require upper management intervention. On the other hand, just one of
the highest-rated risks is enough to require immediate intervention.

There are two types of risk assessments:

 Qualitative Risk Assessment

 Quantitative Risk Assessment.

4.Treat the Risk

Every risk needs to be eliminated or contained as much as possible. This is done by

connecting with the experts of the field to which the risk belongs.

5.Monitor and Review the Risk

Not all risks can be eliminated – some risks are always present. Market risks and
environmental risks are just two examples of risks that always need to be monitored. Under
manual systems monitoring happens through diligent employees. These professionals must
make sure that they keep a close watch on all risk factors. Under a digital environment, the
risk management system monitors the entire risk framework of the organization. If any factor
or risk changes, it is immediately visible to everyone. Computers are also much better at
continuously monitoring risks than people. Monitoring risks also allows your business to
ensure continuity.

Risk categories

Risk categories are groupings of risks that share common characteristics, sources, or impacts.
They help organizations understand and organize the different types of risks they face. Here's
a breakdown of some common risk categories:

1. Strategic Risks:

 achieving an organization's goals and objectives.

  Examples: Entering a new market, launching a new product, changes in technology or
customer preferences.

2. Operational Risks:

 Associated with day-to-day operations and processes.

 Examples: Technology failures, human errors, supply chain disruptions, project
management issues.

3. Financial Risks:

 Related to the financial performance and stability of an organization.

 Examples: Credit risk (risk of borrowers defaulting on loans), market risk
(fluctuations in stock prices or exchange rates), liquidity risk (difficulty meeting
short-term financial obligations).

4. Compliance Risks:

 Stem from failing to comply with laws, regulations, or industry standards.

 Examples: Environmental regulations, data privacy regulations, employment laws,
health and safety regulations.

5. Reputational Risks:

 Associated with damage to an organization's reputation, image, or brand.

 Examples: Product recalls, data breaches, negative publicity, safety incidents.

These are just some of the most common risk categories. Depending on the specific
organization and industry, there might be additional categories like legal risks, security risks,
or project risks.

Risk Identification

Risk identification is the critical first step of the risk management process. The objective of
risk identification is the early and continuous identification of events that, if they occur, will
have negative impacts on the project's ability to achieve performance or capability outcome
goals.

Risk identification is the foundation of any strong risk management strategy. It's the detective
work phase where you uncover potential threats and opportunities that could impact your
project, organization, or even personal endeavors. Here's a closer look at what it entails:
What it involves:

 Systematic examination: It's not about random guesswork. Risk identification

involves a systematic process of exploring all the potential areas where things could
go wrong or right.
 Brainstorming: This is a great way to get a broad range of ideas flowing. Involve a
diverse group of people to get different perspectives and experiences on the table.
 Considering various sources: Internal factors like project weaknesses or employee
errors, external factors like market fluctuations or competitor actions – all need to be
considered.
 Looking beyond the immediate: Don't just focus on short-term risks. Think about
long-term challenges and emerging trends that could disrupt your plans.

Common Techniques:

There are various tools and techniques to aid risk identification. Here are a few popular ones:

 SWOT Analysis: This stands for Strengths, Weaknesses, Opportunities, and Threats.
It helps analyze internal strengths and weaknesses to identify vulnerabilities, while
also exploring external opportunities and potential threats.
 FMEA (Failure Mode and Effect Analysis): This method focuses on pinpointing
potential failures within a process or system, analyzing their consequences, and taking
steps to mitigate them.
 Delphi Technique: This approach involves gathering expert opinions through
anonymous surveys or questionnaires. It allows for a structured way to get insights
from a panel of specialists.
 Scenario Planning: This involves brainstorming different possible future situations
(both positive and negative) to think about how your project or organization might
respond.

Risk Assessment

Performing a risk assessment is an important step in being prepared for potential problems
that can occur within any software project. During the risk assessment, if a potential risk is
identified, a solution or plan of action should be developed. (A problem analyzed and planned
early is a known quantity.

Risk assessment is the next crucial step after identifying potential risks. It's like taking a
magnifying glass to those potential threats and opportunities you've uncovered. Here's a
breakdown of what risk assessment entails:
What it involves:

 Analysis of Likelihood & Impact: It goes beyond just listing risks. You need to
analyze how probable each risk is to occur (likelihood) and how severe the
consequences would be if it did occur (impact).
 Prioritization: Not all risks are created equal. Risk assessment helps prioritize risks
based on their severity, allowing you to focus on the ones that pose the biggest threat.
 Data Gathering: This might involve collecting historical data on past incidents,
industry benchmarks, or expert opinions.

Common Techniques for Risk Assessment:

There are various frameworks and tools used for risk assessment. Here are two common
approaches:

 Qualitative Risk Assessment: This method uses descriptive terms to assess

likelihood (e.g., rare, possible, likely) and impact (e.g., minor, major, severe). It's a
good starting point, especially for identifying a broad range of risks.
 Quantitative Risk Assessment: This method assigns numerical values to likelihood
and impact, allowing for more precise calculations of overall risk scores. It's data-
driven and often used for high-stakes projects.

Risk Planning and management

Risk planning is the process of identifying, prioritizing, and managing risk. Every project or
initiative has objectives, that is, goals that it seeks to accomplish. These are often called
Critical Success Factors (CSF).

Risk management in software engineering aims to: Identify the potential risks that could
affect the software project, such as technical, project, or business risks. Assess the likelihood
and impact of each risk on the project's objectives, schedule, budget, quality, or safety.

Risk Planning:

 The Roadmap: This is the blueprint stage where you define the overall approach to
risk management. It involves establishing clear objectives, outlining roles and
responsibilities, and selecting the appropriate tools and techniques.
 Risk Management Framework: This framework outlines the specific processes for
identifying, assessing, mitigating, monitoring, and communicating risks. Common
frameworks include ISO 31000 and COSO Enterprise Risk Management.
 Communication Strategy: A crucial element for ensuring everyone is on the same
page. The plan should outline how risks will be communicated to stakeholders at
different levels.
Risk Management:

 Taking Action: This is the implementation phase where you put the risk plan into
motion. It involves:
o Risk Mitigation: Developing strategies to reduce the likelihood or impact of
risks. This could involve avoidance, reduction, transfer, or acceptance of risks.
o Contingency Planning: Creating backup plans to address unexpected events
or situations where mitigation strategies fail.
o Monitoring & Control: Continuously monitoring identified risks, tracking
their status, and making adjustments to the plan as needed.
o Reporting & Communication: Regularly reporting on risk management
activities to stakeholders, keeping everyone informed about progress and
potential issues.

PERT technique

The Program Evaluation and Review Technique (PERT) is a project management tool
used to estimate the time needed to complete a project and identify the critical path. It helps
visualize project tasks, dependencies between them, and potential schedule risks.

The PERT Formula:

PERT uses these time estimates to calculate a weighted average time for each activity, often
referred to as the expected time (te). Here's the formula:

te = (t_o + 4 * t_m + t_p) / 6

Time Estimates (te) : For each activity, PERT involves estimating three time durations:

 Optimistic Time (t_o): The shortest possible time an activity could take under ideal
conditions (e.g., everything goes perfectly).
 Most Likely Time (t_m): The most realistic estimate of how long the activity will
take, considering normal circumstances.
 Pessimistic Time (t_p): The longest possible time an activity could take, considering
potential delays or problems.

Standard Deviation (SD) = (t_p - t_o)/6.

 Pessimistic Time (t_p)

 Optimistic Time (t_o)

Variance (σ²) = ((t_p) - (t_o) / 6)2

 Pessimistic Time (t_p) Optimistic Time (t_o)

  Pert Chart

In this technique, a PERT Chart is made which represent a schedule for all the specified
tasks in the project. The reporting levels of the tasks or events in the PERT Charts is
somewhat same as defined in the work breakdown structure (WBS).

Example :

Let us consider a problem using pert technique ( pert formula ) we need to generate the
pert chart and the time estimation.

Problem :

A small Project is composed of 7 activities whose time estimates are given as below:

Event t_o t_m t_p

1-2 6 6 24

1-3 6 12 18

1-4 12 12 30

2-5 6 6 6

3-5 12 30 48

4-6 12 30 42

5-6 18 30 54
Now we are calculating time estimate by using pert formula as below:

te = (t_o + 4 * t_m + t_p) / 6

now take event 1-2, te = (6+4(6)+24)/6 = 9

event 1-3, te = (6+4(12)+18)/6 = 12

event 1-4, te = (12+4(12)+30)/6 = 15

event 2-5, te = (6+4(6)+6)/6 = 6

event 3-5, te = (12+4(30)+48)/6 = 30

event 4-6, te = (12+4(30)+42)/6 = 29

event 5-6, te = (18+4(30)+54)/6 = 32

so,

Event t_o t_m t_p te

1-2 6 6 24 9

1-3 6 12 18 12

1-4 12 12 30 15

2-5 6 6 6 6

3-5 12 30 48 30

4-6 12 30 42 29

5-6 18 30 54 32

2
Now we are calculating , Variance (σ²) = ((t_p) - (t_o) / 6)

2
now take event 1-2, (σ²) = (24 - 6 / 6) = 9

event 1-3, (σ²) = (18 - 6 / 6)2 = 4

event 1-4, (σ²) = (30 - 12 / 6)2 = 9

event 2-5, (σ²) = (6 - 6 / 6)2 = 0

 event 3-5, (σ²) = (48 - 12 / 6)2 = 36

event 4-5, (σ²) = (42 - 12 / 6)2 = 25

event 5-6, (σ²) = (54 - 18/ 6)2 = 36

so,

Event t_o t_m t_p te (σ²)

1-2 6 6 24 9 9

1-3 6 12 18 12 4

1-4 12 12 30 15 9

2-5 6 6 6 6 0

3-5 12 30 48 30 36

4-6 12 30 42 29 25

5-6 18 30 54 32 36

Now pert chart will be,

Rough work
Monte Carlo approach
The Monte Carlo method is a computerized mathematical technique that allows
people to quantitatively account for risk in forecasting and decision-making. At its
core, the Monte Carlo method is a way to use repeating random samples of
parameters to explore the behavior of a complex system.

Imagine a complex problem with many variables that can influence the outcome. By using
randomness, the Monte Carlo approach simulates possible scenarios and calculates the results
for each one. This allows you to analyze the probability of different outcomes and gain
insights into the overall behavior of the system.

Steps Involved:

1. Define the Problem: Clearly identify the problem you're trying to solve and the
variables involved.
2. Develop a Model: Create a mathematical model that represents the system or process
you're analyzing. This model should account for the relationships between the
variables.
3. Assign Probability Distributions: For each variable in your model, define a
probability distribution that reflects the possible values it can take and how likely
 each value is to occur. This might involve using historical data, expert judgment, or
educated guesses.
4. Simulate the Process: Use a computer program to randomly sample values for each
variable based on their assigned probability distributions. Run the simulation multiple
times (thousands or even millions) to generate a large set of possible scenarios.
5. Analyze the Results: For each simulated scenario, calculate the outcome based on
your model. Analyze the distribution of these outcomes to understand the likelihood
of different results and the overall behavior of the system.