1 Risk
1.1 History
The word risk, risk in the past
The word risk could come from the Latin word resecum “that which cuts, reef” hence the maritime origin “steep rock” or could derive from the ancient Italian risicare, which means “to dare.”
Opportunities and threats are two sides of the same coin called risk. When the outcome is favorable we speak of an opportunity, when the outcome is unfavorable we speak of a threat.
About 5,200 years ago in the Euphrates region, a group called Asipu were consultants in risk analysis for making risky or uncertain decisions.
Every decision involves risk. Peter Barge
In Mesopotamia, around 3,900 years ago, insurance began as one of the oldest risk management strategies. The risk premium for ship and cargo losses in basic contracts was formalized in the Hammurabi Code.
More than 2,400 years ago Pericles spoke about taking risks and evaluating them before carrying out an action. His compatriot Socrates defines eikos (possible, probable) as “likelihood of truth”.
Blaise Pascal and Pierre de Fermat laid the foundations of probability theory in the 1650s, which opened the door to quantitative risk assessment.
Pierre Simon de Laplace developed a risk analysis in 1792 with his calculations of the probability of death with and without smallpox vaccination.
Risk management is relatively recent. For example, the Basel II agreement on risk management requirements in the banking sector dates from 2004. Some prescriptive (non-certifiable) standards on risk appeared at the beginning of the 21st century (see § 2.2).
The 2008 global financial crisis called into question the contribution of risk management. Some have said that risk management methods have failed to avert this crisis. But the analysis reveals that this failure is mainly due to:
- the lack of a balanced analysis of the high benefits and the risks involved
- poor judgment of the improbability of certain events (poorly quantified level of risk) based on imprudent financial models
- poor monitoring of key parameters
- the divergent understanding of different stakeholders on risk appetite and attitude towards risk
- the collapse of wholesale money markets not anticipated by the credit models used by certain banks
The future cannot be predicted
But the risk that results from uncertainty can be managed. The ability to identify risk, analyze it, evaluate it, and then act accordingly is the basis of risk management.
A difficulty in risk management arises from the fact that the event concerned (the damage) takes place in the future. You have to imagine an event that may never take place.
Zero risk does not exist
Over the past several decades, most companies have become aware that the cost of implementing risk management is insignificant compared to the unfavorable consequences, or even to the insurance to take out.
The main objective of risk management is to ensure the survival of the company in all circumstances.
Risk management has been considered in the past by some managers as something superfluous. These people believed that the main goal was to avoid risk. Since then, many have understood that risk is inevitable and intrinsic to any activity but must be reduced to an acceptable level.
Risk cannot be eliminated
Risk management has become a necessity; even the ISO 9001 standard (quality management systems – requirements) has included the risk-based approach (risk-based thinking) since the 2015 version.
1.2 Scope
Principles, framework, process, tools
The scope of this module is risk management in business. This concerns:
- the principles (see chapter 4)
- the framework (see chapter 5)
- the process (see chapter 6)
- tools (see chapter 7)
The risk area includes:
- the structure of the company
- the management system
- the department
- the process
- the product
- the service
- the project
- the performance
- reliability
- costs, cf. annex 01
- the calendar
- the methods
- technology
- requirements
- specifications including acceptance criteria
- functionalities
- the tools
- external providers
- the tests
This module does not specifically include accounting risks and extreme risks related to:
- financial crises
- insurance
- natural disasters
- pandemics
- occupational diseases
- environmental protection
- food crises
- terrorist acts
- tax fraud
- counterfeit parts
- corruption
For a circus, the risks likely to cause problems during a performance include a power outage, a storm, the absence of several actors or technicians (illness or social conflict) or major transport problems for the public.
After identifying, analyzing and evaluating the risks that could disrupt the performance, top management must decide what actions to take to reduce the chances of cancellation.
Risk management is used in many areas:
- insurance
- the bank
- the army
- energy
- aerospace
- projects
- medical devices
- medicine
- the company
- construction
- the market
1.3 Benefits
Risk management benefits, root causes of failures, cost
Expected benefits of risk management:
- improved stakeholder confidence
- improved overall performance of the company
- improved company reputation
- improved business resilience
- improved appreciation of opportunities and threats
- increased likelihood of achieving objectives
- increase in opportunities to be seized
- creation of value for the company
- reduction in losses
- establishment of an adequate framework for the implementation in a controlled manner of any activity
- establishment of a reliable basis for decision-making
- identification of gaps
- less work to redo
- obtaining a competitive advantage
- optimization of resource use
- protection of company assets
- effective response to changes
- reduction of costs and deadlines
- reduction of operational surprises
- scrupulous compliance with legal requirements
- increased visibility of the responsibilities of each staff member
The biggest risk is not taking any!
Root causes of failures:
- unplanned activities
- priority change
- irregular communication of results
- excessive self-confidence
- poorly defined acceptance criteria
- poorly understood requirements
- lack of resources
- poor estimation of effort
- poor distribution of work
- unplanned product modification
- new methods and technologies misunderstood
- unrealistic goals
- industrialization problems
- design issues
- unforeseen technical problems
- sporadic and inaccurate progress reports
- unidentified risks
- insufficient support from top management
- conflicting or inconsistent specifications
Applying risk management upstream costs 10 times less than managing a crisis
The cost of managing risk over the life of a product is shown in figure 1-1.
Figure 1-1. Cost and product life cycle
He who excuses himself, accuses himself
Common excuses for failure:
- it was the responsibility of top management
- this was not an explicit requirement in the contract
- how can we have an effective plan in the face of so many potential problems
- give me enough time and everything will be sorted
- in the event of a serious emergency, the level of involvement will be completely different
- there was not enough time
- there was no staff available
- there are more important things to do
- I was sure we could cope
- I didn't realize it was so serious
- I didn’t think it was a key process
- I didn't think this would happen
- insurance had to take care of this situation
- the contract was already signed
- you cannot plan for the unexpected
A list of risk management successes and failures can be found in annex 02.