| Q. What is risk management? |
| A. Risk management is
a structured approach to achieving your goals in situations which
are dominated by unknowns and uncertainties. If you are building
yet one more identical house in a row, the level of uncertainty
is going to be quite low and risk management is probably not necessary.
But if you are developing a software package for clients who aren’t
quite sure what they want, except that they want it yesterday and
for a fixed price, then risk management is definitely called for. |
| Q. Can I use risk management to do things in a risk-free manner? |
| A. Afraid not. Everything
we do involves some measure of risk, and that includes getting out
of bed in the morning (you might slip and hurt yourself). Risk management
means literally that - managing risks so that you don’t take
any more risk than is justified by the rewards you are trying to
achieve. Think of crossing a busy road. If you are just out for
a lunchtime stroll you will probably wait for the traffic to stop
before crossing, but if you are late for an important meeting you
might take a chance and run across the road. |
| Q. Do I need to be an expert to use risk management? |
| A. Not at all. Risk management
is something we all do, all day, every day, without even thinking
about it. Every time you cross a busy road you use risk management
(wait for the lights or run and chance it?). Risk management is
just a matter of balancing the level of risk you are prepared to
accept against the rewards you get by taking that risk. Of course,
when you get to complex professional decisions you may need to think
things through very carefully. That’s when risk management
tools come in useful. |
| Q. What do I need to do to manage risk? |
| A. The three most important
things in risk management are communication, communication and communication.
In order to manage a risk you need to know as much as possible about
it. Sometimes this information is at your fingertips, but often
it is spread in little bits and pieces all over your organization.
The first priority in risk management is to set up a communication
system to capture this data. You can use RIMS to capture general
information about ongoing issues or initiatives, and RIAS to capture
detailed information about identified risks. |
| Q. What is risk analysis? |
| A. Risk analysis aims
to answer just one question - how big a risk is it? Any risk can
be defined by its impact (the effects the risk will have
if it occurs) and its likelihood (the extent to which a
risk is likely to occur). Risk analysis is largely a process of
attaching objective values to impact and likelihood. Of course,
in order to do this we often have to look at risks under a microscope,
because the effects that a risk can have if it occurs are not always
immediately obvious, nor are the factors which affect its likelihood. |
| Q. I know what most risks are, so why do I need risk analysis? |
| A. The problem with this
is that our perception of risk is usually colored by our past experiences
and preconceptions. Past experience may be out of date and preconceptions
can be misleading. If you are really nervous about flying you would
probably say that flying is the most dangerous form of transport.
In fact you would be quite wrong. By any statistical measure, flying
is about the safest form of transport there is. You are far more
likely to be involved in a serious accident or be killed if you
drive a car than if you fly. |
| Q. What is a risk response? |
| A. A risk response is
the action or actions we take in order to deal with a risk. A risk
response could simply be the insertion of an allowance or contingency
in the budget, or it could be a complex and coordinated series of
actions designed to head off an undesirable situation. Whatever
the response, there are two pre-conditions. First, you must know
what the risk is (risk identification), and second, you must have
some idea of how big a risk it is (risk analysis). There is no point
in spending a lot of time and money dealing with what may only be
a very minor risk. At the same time, if your risk identification
and risk analysis have not been thorough, you may find that you have
neglected a very large risk. Risk response is a bit like buying
insurance - you need to do it before something bad happens, not
after. |