Its approach consists in describing an uncertain event or occurrence that may have an effect on the ability to achieve an objective; it can be positive or negative. It involves understanding the risk tolerance levels of the organization, assessing risks and identifying responses.
Risk Tolerance: It determines the response that will be selected regarding a risk, there is no correct or ideal response, but a general strategy must be adapted to each particular circumstance (different risk tolerances may be present at different stages). The general categories are:
1.Risk-Aversion: will seek to reduce risks (particularly negative), prefers to approach as close to certainty as possible. A reduction in potential benefits in return for a more certain outcome is seen as an acceptable tradeoff.
2.Neutrality: the probable benefits gained from the risk response must equal or outweigh the costs in order to justify action.
3.Risk-Seeking: will to accept relatively high risks in order to maximize the potential benefit. Risk-seekers may accept low chances of success if the benefits of success are higher.
Assessment: It needs to determine the probability that the risk will occur and the impact if it does occur. Each of these factors is assessed on a common scale (High, Medium and Low, a number from 1–5, and so forth). This enables analysis to focus on the most important risks.
Response: Determine how the organization will deal with a risk.
Acceptance: No effort to deal with the risk is made. The organization accepts the possibility that the risk will occur.
Transfer: The responsibility for dealing with the risk and the possible effects of the risk are moved over to a third party.
Avoidance: The organization takes measures to ensure that the risk cannot occur.
Mitigation: Take steps to reduce the probability of the risk occurring or the possible negative consequences of the risk occurring.
For positive risks, acceptance is also a viable strategy. Others include:
Share: Work with a third party to increase the probably the positive outcome will occur and agree to share in the benefits.
Enhance: Take steps to increase probability of the risk occurring and the potential benefit if the risk occurs.
Exploit: The organization works to ensure that the event does occur.
For negative risks, strategies include:
Risk analysis enables an organization to prepare for the likelihood that at least some things will not go as planned.
The number of possible risks to most initiatives can easily become unmanageably large.
It may only be possible to manage a subset of potential risks.
As risks are inherently uncertain, it may prove difficult to usefully estimate the impact of the risks.