Risk Management

Introduction The purpose of Risk Management is to identify, assess and control risks. It is an ongoing process covering a product, service or project throughout its entire life cycle, from “lust to dust”. The goal is to identify potential problems before they occur, so that risk handling activities can be planned and invoked as needed across the life of the product, service or project to mitigate adverse impacts on achieving objectives.
Risk Management is a very general activity used in all industries as part of the “daily routines”, e.g. the financial sector uses risk management when working with loans and currency exchange rates, power plants use risk management to ensure that the right procedures are in place to avoid operational interruptions in the energy supply, and pharmaceutical companies use risk management to ensure an effective quality system.
Who will participate? Quality risk management activities are usually undertaken by interdisciplinary teams, e.g. management, legal, QA, manufacturing, procurement and development.

Phase         Management   Development   Manufacturing   QA   Risk Owner
Understand    A            C             C               C    C
Analyse       A            C             C               C    C
Mitigate      A            C             C               C    C
Respond       A            C             C               C    R
Legend: R = Responsible; A = Accountable; C = Consulted; I = Informed

What is the input? The input to …
Which tasks are expected? The following four tasks are expected to be performed in an ongoing loop in order to keep risk management up to date:

Task         Description

Understand   During this initial phase of the risk management process the goal is to understand the organisation’s attitude towards risk.

             Three questions should be answered:

               • What is our risk appetite, i.e. which types of risk and how much risk are we willing to accept as part of our operation?
               • Is there consensus across the organisation about the risk appetite?
               • Are there relevant types of risk that we are not aware of, i.e. do we have “blind spots” with regard to risk?

Analyse      During the analysis phase the focus is on identifying and understanding the risks that the organisation is facing.

             Three questions should be answered:

               • How can we get useful and good information about the risks we are facing?
               • How can we ensure that our analysis is trustworthy?
               • How can we integrate the risks into the business decisions we are making?

Mitigate     During the mitigation phase the focus shifts to eliminating the cause of the risk or, alternatively, reducing the impact of the risk when it materialises.

             Three questions should be answered:

               • What can we do to reduce the exposure to the risks we have identified?
               • Do we have good systems and risk owners in place for getting timely warnings and taking timely action?
               • How can we limit the damage when something bad happens despite our efforts?

Respond      During the final phase the focus shifts to learning from and improving the risk management by answering these three questions:

               • Do we consider learnings from near misses, i.e. risks we had not identified before they materialised?
               • Are we able to use the mitigation plan effectively and efficiently when a crisis materialises?
               • Do we have processes/methods in place to support continuous learning?

How shall the result be controlled? The results from the four phases should be reviewed as a sanity check after the answers to the questions have been found. The review can be supported by a checklist.
What is the output? The primary output from the process is a Risk Management plan. The plan is an action plan describing, for each identified risk, the triggers, a list of actions that can eliminate or reduce the risk, and the person/team responsible for executing the actions.
When can we exit? The process does not stop: risk management is an ongoing process.
Hints and Examples
  • “Risk Management for Software Development”, Poul Rook, Software Engineering Project Management Consultancy and The Centre for Software Reliability, City University, Northampton Square, London EC1V 0HB.
  • “Tutorial on Software Risk Management”, Barry W. Boehm, IEEE Computer Society, 1989.
  • “The Third SEI Conference on Software Risk”.
  • ICH Quality Risk Management Q9.
  • “Managing 21st-Century Political Risk”, Condoleezza Rice and Amy Zegart, Harvard Business Review, May–June 2018.