Risk Classification PDF
Summary
This document provides a detailed classification of risks, categorizing them as known-known, known-unknown, unknown-known, and unknown-unknown. It also offers a glossary of terms specific to, and sometimes different in meaning relating to, risk management. The document explores these different risk types, and how to manage them effectively in a project setting or for an organization.
Full Transcript
Risk Classification

Potential risks can be classified into one of four quadrants based on the degree of available information, ambiguity, and variability. Organizations work to reduce the degree of unknown factors so they can be progressively converted to known-knowns or, at least, known-unknowns. This appendix details this concept, which was introduced in Section 3 of this standard.

Known-known. A known-known is a fact, not a risk. These facts are typically identified as part of the requirements and scope. The entity working on the endeavor is aware of these facts, which are incorporated into the portfolio, program, or project scope.

Known-unknown. A known-unknown is an identified risk. The entity working on the endeavor is aware of the uncertain event and the potential consequences. Known-unknown risks are identified and proactively managed.

Unknown-known. An unknown-known is a hidden fact. Knowledge about the fact may exist; however, the entity may not be aware of it at the time of the endeavor. An example of an unknown-known is a hidden or ignored assumption. The identification, assessment, and development of a strong understanding of unknown-known risks occur over time. For complex and innovative activities, there is a high degree of guesswork in which risks can be identified, but with limited visibility. Unknown-knowns are typically addressed through progressive risk elaboration integrated with execution of the endeavor.

Unknown-unknown. Unknown-unknown risks may be emergent risks that are essentially unknowable within the context of portfolio, program, and project management. That lack of knowledge makes any type of evaluation or exploration impossible. Unknown-unknowns can be managed through organizational resilience. Due to unpredictability, resilient organizations promote research, raise awareness, encourage teams to question the status quo, and increase the flow of information. These actions stretch the boundaries of influence and prepare organizations to better respond to and recover from such events.

Glossary

Inclusions and Exclusions

This glossary includes terms that are:
- Unique to risk management (e.g., risk appetite), and
- Not unique to risk management but used differently or with a narrower meaning in risk management than in general everyday use (e.g., threat, cause).

This glossary generally does not include:
- Application- or industry-area-specific terms, or
- Terms used in risk management that do not differ in any material way from everyday use (e.g., business).

Definitions

Many of the words defined in this glossary may have broader and, in some cases, different dictionary definitions to accommodate the context of risk management.

Assumption. A factor in the planning process considered to be true, real, or certain, without proof or demonstration.

Cause. Events or circumstances that currently exist or are certain to exist in the future, which might give rise to risks.

Component. A predetermined element of a portfolio, program, or project that is work related to the achievement of the strategic objectives of the portfolio, program, or project.

Constraint. A limiting factor that affects the execution of a portfolio, program, project, or process.

Contingency Plan. A document that describes actions to take if predetermined trigger conditions occur.

Contingency Reserve. Time or money allocated in the schedule or cost baseline for known risks with active response strategies. See also management reserve.

Emergent Risk. A risk that arises that could not have been identified earlier.

Enterprise Risk Management. An approach to managing risk that reflects the organization's culture, capability, and strategy to create and sustain value.

Identify Risks. The process of determining and documenting the risks that might affect the intended outcomes.

Impact. A measure of the effect of a risk on one or more objectives if it occurs.

Issue. A current condition or situation that may have an impact on one or more objectives. See also opportunity, risk, and threat.

Management Reserve. Time or money that management sets aside in addition to the schedule or cost baseline and releases for unforeseen work that is within the scope of the portfolio, program, or project. See also contingency reserve.

Opportunity. A risk that would have a positive effect on one or more portfolio, program, or project objectives. See also issue, risk, and threat.

Organizational Project Management. A framework in which portfolio, program, and project management are integrated with organizational enablers in order to achieve strategic objectives.

Overall Risk. The effect of uncertainty on the portfolio, program, or project as a whole.

Portfolio. Projects, programs, subsidiary portfolios, and operations managed as a group to achieve strategic objectives. See also program and project.

Portfolio Management. The centralized management of one or more portfolios to achieve strategic objectives. See also program management and project management.

Probability. A measure of how likely an individual risk is to occur.

Program. Related projects, subsidiary programs, and program activities managed in a coordinated manner to obtain benefits not available from managing them individually. See also portfolio and project.

Program Management. The application of knowledge, skills, and principles to a program to achieve the program objectives and to obtain benefits and control not available by managing program components individually. See also portfolio management and project management.

Project. A temporary endeavor undertaken to create a unique product, service, or result. See also portfolio and program.

Project Management. The application of knowledge, skills, tools, and techniques to project activities to meet the project requirements. See also portfolio management and program management.

Qualitative Risk Analysis. The consideration of a range of characteristics such as probability of occurrence, degree of impact on the objectives, manageability, timing of possible impacts, relationships with other risks, and common causes or effects.

Quantitative Risk Analysis. The combined effect of identified risks on the desired outcome.

Residual Risk. The risk that remains after risk responses have been implemented. See also secondary risk.

Response Strategy. A high-level approach to address an individual risk or overall risk, broken down into a set of risk actions.

Risk. An uncertain event or condition that, if it occurs, has a positive or negative effect on one or more portfolio, program, or project objectives. See also issue, opportunity, and threat.

Risk Acceptance. A risk response strategy that involves acknowledging the risk and taking no action unless it occurs. Acceptance of the risk's implication(s) usually means using schedule and/or cost reserves and accepting scope and/or quality reduction(s). See also risk avoidance, risk enhancement, risk mitigation, risk sharing, and risk transference.

Risk Analysis. The activities related to defining the characteristics of a risk and the degree to which it can impact objectives.

Risk Appetite. The degree of uncertainty an organization or individual is willing to accept in anticipation of a reward. See also risk threshold.

Risk Assessment. The process of identifying, analyzing, and determining the probability of occurrence of a risk and its impacts if it does occur.

Risk Attitude. A disposition toward uncertainty, adopted explicitly or implicitly by individuals and groups, driven by perception, and evidenced by observable behavior.

Risk Avoidance. A risk response strategy that involves eliminating the threat or protecting the portfolio, program, or project from its impact. See also risk acceptance, risk enhancement, risk mitigation, risk sharing, and risk transference.

Risk Enhancement. A risk response strategy that involves increasing the probability of occurrence or impact of an opportunity.

Risk Escalation. A risk response strategy that involves transferring the ownership of the risk to a relevant party in the organization because the risk is outside of scope or the team does not have sufficient authority to address it.

Risk Exposure. An aggregate measure of the potential impact of all risks at any given point in time in a portfolio, program, or project.

Risk Identification. The process of locating and profiling the characteristics of risks related to work objectives.

Risk Management. Activities used to identify, analyze, respond to, and monitor risks at the enterprise, portfolio, program, or project level.

Risk Management Framework. A structure that organizes the process and activities of managing risks in an iterative fashion.

Risk Management Life Cycle. A structured approach for undertaking a comprehensive view of risk throughout the enterprise, portfolio, program, and project domains.

Risk Management Plan. A component of the portfolio, program, or project management plan that describes how risk management activities will be structured and performed.

Risk Mitigation. A risk response strategy that involves decreasing the probability of occurrence or impact of a threat. See also risk acceptance, risk avoidance, risk enhancement, risk sharing, and risk transference.

Risk Owner. The person responsible for monitoring the risk and for selecting and implementing an appropriate risk response strategy.

Risk Register. A repository in which outputs of risk management processes are recorded.

Risk Response. An action, planned or implemented, to address particular threats and opportunities.

Risk Sharing. A risk response strategy that involves allocating ownership of an opportunity to a third party that is best able to capture the opportunity or absorb the impact of the threat. See also risk acceptance, risk avoidance, risk enhancement, risk mitigation, and risk transference.

Risk Threshold. The measure of acceptable variation around an objective that reflects the risk appetite of the organization and stakeholders. See also risk appetite.

Risk Transference. A risk response strategy that involves shifting the impact of a threat to a third party, together with ownership of the response. See also risk acceptance, risk avoidance, risk enhancement, risk mitigation, and risk sharing.

Secondary Risk. A risk that arises as a direct result of implementing a risk response. See also residual risk.

Stakeholder. An individual, group, or organization that may affect, be affected by, or perceive itself to be affected by a decision, activity, or outcome of a portfolio, program, or project.

Threat. A risk that would have a negative effect on one or more portfolio, program, or project objectives. See also issue, opportunity, and risk.

Trigger Condition. An event or situation that indicates that a risk is about to occur.