Geekly Articles each Day
📜 ⬆️ ⬇️

Management of risks. Part 2


The first part can be found here: Risk Management. Part 1

“We have to sacrifice a lot to save everything” Tadeusz Kosciuszko

After the crucial first two steps: identifying the risks and assessing them for the first time, it's time you start doing something with them.
')
Here are the following possible strategies:

• Adoption
• transmission
• decrease

What does taking risk mean? This means that you tell yourself: yes, I see this risk, yes I see its consequences, I accept this risk. The reason for this may be a low probability, low cost impact, or your strategic decision. If you took a risk, be sure to include it in the budget. You take the risk that the new warehouse will steal and estimate it at about a thousand money per month. Include it in the budget. Do you take the risk that your best engineer will leave after changing the structure of the enterprise? Include the cost of finding and learning new in the budget for next year. Do you take the risk that your wife will not approve your plan to go fishing? Include the cost of flowers and candy in the budget of fishing. No matter why you decide to take this risk, it’s important not to forget to include its cost.

A risk transfer strategy means that you do not want to bear this risk yourself, but instead pass it on to third parties. For example, insure your warehouse against fire. Or give the calculation of taxes and accounting at outsourcing. Or pictures for your application draws you a design office. It is important to understand first of all how much this program will cost you: how much does an insurance policy cost? How much does the design bureau cost? And secondly: do you pass your risk along with the task? If you hire a design office, then what is written in the contract of their responsibility? If an accounting company makes a mistake in calculating property tax - will they pay a fine? Because if not, it is not a risk transfer. If the responsibility for correcting the consequences of risk remains with you when you transfer something to an external company for execution, it means that the risk remains.

Once again: the transfer of risk is possible only if together with the execution of the work you transfer responsibility in full. Only in this case, you can eliminate the risk from your list and consider it transferred.

If an unfamiliar uncle Vasya is engaged in electrician for your object, he will simply disappear from the horizon when something goes wrong - then the risk that something goes wrong with the electrician is not only not transferred to Uncle Vasya, but can grow at all as a result of this decision to outsource electrics.

Risk reduction is the implementation of measures to reduce either the probability of its occurrence or the cost of its consequences. For example, to reduce the risk of delaying the release of an application, you take another developer. To reduce the risk of scree, you make more expensive fortifications. To reduce the risk of your son not coming to the university, you take additional lessons from a tutor. To reduce the risk of loss on delivery, you order forwarding services.

When you reduce the risk, it is worthwhile to correlate the cost of reducing it with the final expression of reducing risk.

Example : so that the case does not break, you can make it out of better (but also more expensive) plastic, but if the cost of a new plastic is higher than the cost of a guarantee for replacing breakages of old plastic cases, this is an impractical measure. But! Business decisions should not be based only on risk management. Attempting to look at a business only as a set of risks is too narrow and short-sighted. If your expensive housing will allow you to expand the target audience of buyers, increase the price / margin, take a different position in the market - then consider further. Do not stay only under consideration "the cost of warranty cases" vs "the cost of another plastic." For such decisions risks are only part of the picture.

But in general, measures are worth implementing if they are cheaper than risk. Perhaps, having estimated the cost of implementing measures, you decide to accept the risk. This is also normal. You know what to do: include it in the budget.

Once you have decided on measures that either reduce the amount of losses or the likelihood of risk occurring, it is time for a final assessment.

Net Assessment = New Probability * New Risk Volume + Cost of Measures

It is often forgotten about this: that the cost of measures should be part of the final cost of risk. This is the only way you can reduce your risk.

In essence, you need your gross assessment as an input for making a decision on risk response, but a net assessment is already the numbers with which you will continue to live.

So, here is a list of your risks with a final assessment. Now it's time to make decisions about these risks.

“A weak person doubts before making a decision; strong - after "Karl Kraus


We will tell you about conditionally standard approaches to risks, but you should always take into account the specifics of your business, your project, your situation.

Standard approach:

• risks with a probability higher than 80% - to be considered almost happened and to include them in the budget in full
• risks with a probability below 20% - to be considered unlikely and to include in the budget only measures to reduce / eliminate them
• risks with a probability between 20% and 80% - include a net assessment in the budget, that is, a residual risk assessment and cost of measures.

This is again a zone of management decisions. It is you who decide what should happen to these risks and how much they should go into your budget. Mathematics, models, processes are only tools, help in decision-making, but not a substitute for strategy, vision and management. In the end, it is you who are responsible for the decisions made. And the risk management process is, in its essence, also a measure to reduce the occurrence of risks.

Example from the project :

Situation : we are writing an application for the customer, by April 1, we must deliver the product, according to the contract, for each day of delay, we are charged a penalty in the amount of 0.1% of the product price (price: 1 million money).

Risk : “we will not have time and we will have to pay, and then they will no longer be with us at all !!!!!” - ok, this is not a formal description of risk, but in fact, it is more important to identify risk and its assessment than the beauty of corporate copyright in the list of risks. Initial risk assessment : based on our history, we each time on average linger for 15 days. The project manager says that the developer has recently changed and it will take him some time to understand what to do and that the sales people again promised unrealistic deadlines and his expert evaluation, that we will be at least 30 days behind. The manager decides to use the evaluation of the Project Manager . That is, the initial loss estimate: 30 * 0.1% * 1 million money = 30 thousand money. The probability that we will be 30 days late is estimated by the project manager at 70%, that is, the initial assessment of this risk is 30 thousand penalties * 70% probability = 21 thousand money. The sales manager says that this is already the third project for this customer, which we are delaying and that if we are late again, they will not order anything from us at all, but he expected to sell them two more products: for 0.5 million money and another 1 million. And that the probability that they will not order more, if we delay this project - 30%. And the losses - these 1.5 million are underpaid, that is, an estimate of losses of 1.5 million * 30% = 450 thousand of money. Attention - these are associated risks, but these are two separate risks with a general event. It is easy to be terrified that suddenly we are already at risk of 450 + 30 = 480 thousand money and loss of a customer. These are not the risks that we can take. And to transfer them is also almost impossible. Then let's reduce it. For example, let's give these two pieces of code to the freelancers so that our developer can only check them and not write them himself. The cost of freelance work will be 20 thousand money. The project manager grumbles, but agrees that this will reduce the number of overdue days to 15. And the likelihood is that by 15 days only 40% are overdue. And in 15 days overdue, and even the sales manager agrees, the customer will not refuse our future projects. Well, or may refuse. But the probability is no more than 10%.

Thus, in the final version, we have two risks:

- risk of paying a penalty: 15 days overdue (15 * 0.01% * 1 million) 15 thousand * 40% probability + 20 thousand freelancers cost = 26 thousand money - net risk estimate

- risk of losing the customer: 1.5 million * 10% = 150 thousand money

The second risk has a 10% chance. We consider it unlikely. We continue to monitor, but do not include in the budget. And in the project budget we include 26 thousand of the first risk money. And immediately begin the search for freelancers. And here it makes sense to identify and evaluate additional risks of working with freelancers. And I remind, freelancers are not responsible for delaying the delivery of the application, so it was not the transfer of risk, but its reduction.

And do not forget about regular updates - your risks change, new ones appear, old ones fall off, legislation and market situations change.

How often to update risks depends again on the specifics of the business. In a rapidly changing world, changes can occur every day, but building all business processes only around risk management is irrational. Here it is necessary to find a balance between the costs of obtaining information (including time) and the value of the information received. But once a quarter to analyze what has changed during this time, whether the risk probabilities have increased, whether measures to reduce / eliminate risks are being met on time, whether the impact assessment has not changed - will not take long, but will give you the opportunity to keep your finger on the pulse. And once a year, especially for own business, it is worth re-analyzing the market, environment, legislation and expert discussion, whether new risks have appeared that were not previously taken into account.

We hope that our review of the risk management process will be useful to you.

This article is only an overview of the risk management process. Each of the aspects of this process deserves much more detailed attention, but to create a general impression of the process and its importance can be made on the basis of a review.

Ideas for further articles - a more detailed analysis of the following topics:

- risk assessment methods
- risk reduction measures
- practical implementation of the process

Keep your nose in the wind and your risks are under control! Good luck!

“The one who does not risk most of all is the risk” Ivan Bunin

Source: https://habr.com/ru/post/325892/

More articles:


All Articles