Without going into the details of the theory of project risk management, we nonetheless present the definition of this concept as proposed by the Project Management Institute professionals who, in A Guide to the Project Management Body of Knowledge [Duncan, W. R., 1996], define risk management as a systematic process of identification, analysis and response to project risks, a process comprising the sub-processes of risk identification, risk quantification, risk response planning and risk response control.
A closer look at the literature or at project risk management standards will make the reader understand that, depending on the author of the methodology, the names or the order of these sub-processes differ. Thus, risk identification and risk quantification are sometimes taken together and called risk assessment or risk analysis; the risk response plan is sometimes met under the name of risk mitigation plan; and the risk response plan and the risk control plan are sometimes taken together under the name of risk management plan.

Inside Risk Assessment

All the elements of the risk management cycle are important, but risk assessment is the cornerstone for all the other elements. The problem of risk assessment is an extremely complex one. When a risk assessment process is started, it has to analyze several aspects in parallel.
First, we can talk about the stake at risk and how important vulnerabilities are in the disaster scenarios taken into account, the outcome being a way to reduce the resulting risks. Second, we must understand that the probability of an event depends on a series of external factors as well as on internal factors of the entity (business/process/project) for which the risk assessment is made. It is essential to know and control as many of these factors as possible.
Risk management and analysis: risk assessment (qualitative and quantitative)

The internal factors include historical data from within the entity, collected over time, as it is necessary to keep a record of all processed data, regardless of whether it is currently thought that the data will not be useful in the future (see the business intelligence and data warehouse concepts to understand how to implement such a data collection system).
When we talk about external factors, we mean those factors covered by STEEP analyses (Social, Technological, Economic, Environmental, Political): factors that cannot be controlled but that can be anticipated. Also included here are events affecting the company's activity, such as natural disasters or terrorist attacks, and attacks against information systems (computer viruses, spam, DoS-type attacks etc.).
Third, if we come closer to the electronic / mobile business environment and the fact that one of the elements of this environment is the information system, we must not ignore software risk, which represents the combination of the probability of occurrence and the loss caused by an unwanted result that affects the project, the process or the software product. Fourth, the suitable moment to launch a risk assessment process must be identified. We thus differentiate between a corrective action and a preventive action.
Risk assessment is a preventive action, so it must take place before the unfortunate event. The corrective action in this situation is the disaster recovery plan, a component of the business continuity plan. This process must be applied in the first moments after the unfortunate event has taken place. (Observation: opinions differ at this level, some authors regarding the business continuity plan as part of the risk management plan, others as an independent entity.) Fifth, the matter also takes an approach on the border between philosophy and mathematics.
That is: we have three domains: the real, the possible and the impossible. The problem of risk management lies in the realm of the possible. The possible is what can be but is not. The main characteristic of the possible is defined through its relation to the human being. This characteristic is called probability. It gives the chance of a scientific approach to a border domain between the real and the impossible. Probability, in relation to man, has two manifestations: chance and risk. Chance is favorable to man, risk is unfavorable.
Scientifically, the approach to this matter can only be a calculation of the probability of an event, or of its passing from the possible to the real. So we could assume that it is useless to approach the matter as the risk of something occurring, but only as a probability. As a result, a formula to determine the probability of an unfortunate event occurring is necessary.

3 Qualitative vs. Quantitative

When risk assessment is discussed, it can be approached from two directions, two assessment models: the qualitative model and the quantitative model. Qualitative risk analysis is a process of assessing the impact of the identified risk factors. Through this process, priorities are determined for addressing the potential risk factors, depending on the impact they could have. The defining characteristic of the qualitative model is the use of subjective indexes, such as ordinal hierarchies: low-medium-high, vital-critical-important, benchmark etc. Through quantitative risk analysis it is sought to obtain numerical results that express the probability of each risk factor and its consequences on the objectives of the project, but also the risk at the level of the entire project.
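To make the contrast between the two models concrete, the following added example (not code from the paper) assesses one constructed register of risk factors both ways: the qualitative model scores each factor on an ordinal low-medium-high scale for likelihood and impact, while the quantitative model multiplies an assumed probability of occurrence by an assumed loss per occurrence to obtain an expected loss per factor and for the project as a whole. The three-level scale, the rating thresholds, the expected-loss formula and all sample values are assumptions chosen for illustration, not taken from the paper.

```python
"""Qualitative (ordinal) vs. quantitative (expected-loss) risk assessment.

Added illustration; scales, thresholds, formula and sample data are
constructed assumptions, not figures from the paper.
"""
from dataclasses import dataclass

# Assumed three-level ordinal scale used by the qualitative model.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class RiskFactor:
    name: str
    likelihood: str     # qualitative: ordinal level, e.g. "medium"
    impact: str         # qualitative: ordinal level, e.g. "high"
    probability: float  # quantitative: assumed probability of occurrence per year (0..1)
    loss: float         # quantitative: assumed loss per occurrence (currency units)


def qualitative_score(f: RiskFactor) -> int:
    """Ordinal likelihood x ordinal impact, as in a simple risk matrix (assumed)."""
    return LEVELS[f.likelihood] * LEVELS[f.impact]


def qualitative_rating(f: RiskFactor) -> str:
    """Map the matrix score to a subjective priority label (assumed thresholds)."""
    score = qualitative_score(f)
    if score >= 6:
        return "critical"
    if score >= 3:
        return "important"
    return "minor"


def expected_loss(f: RiskFactor) -> float:
    """Quantitative model: expected loss = probability x loss (assumed formula)."""
    return f.probability * f.loss


def qualitative_ranking(factors):
    """Factor names ordered by matrix score, highest first (stable for ties)."""
    return [f.name for f in sorted(factors, key=lambda f: -qualitative_score(f))]


def quantitative_ranking(factors):
    """Factor names ordered by expected loss, highest first."""
    return [f.name for f in sorted(factors, key=lambda f: -expected_loss(f))]


def project_expected_loss(factors) -> float:
    """Risk at the level of the entire project: sum of per-factor expected losses."""
    return sum(expected_loss(f) for f in factors)


# Constructed sample register (values are invented for the example).
SAMPLE = [
    RiskFactor("DoS attack on web storefront", "medium", "high", 0.30, 40_000),
    RiskFactor("Virus outbreak on workstations", "high", "medium", 0.60, 8_000),
    RiskFactor("Flood at data centre", "low", "high", 0.02, 500_000),
    RiskFactor("Spam-driven phishing", "high", "low", 0.80, 3_000),
]


if __name__ == "__main__":
    print(f"{'factor':32} {'qual. rating':12} {'expected loss':>14}")
    for f in SAMPLE:
        print(f"{f.name:32} {qualitative_rating(f):12} {expected_loss(f):14.2f}")
    print("qualitative order :", qualitative_ranking(SAMPLE))
    print("quantitative order:", quantitative_ranking(SAMPLE))
    print("project expected loss:", project_expected_loss(SAMPLE))
```

Running it shows why the two models are complementary: the ordinal matrix rates the DoS attack and the virus outbreak identically ("critical") and places the flood below them, whereas the expected-loss figures separate the two "critical" items and move the rare but very costly flood into second place. The qualitative model is quick and needs no numbers, but only the quantitative model yields a project-level figure that can be compared against budgets or mitigation costs.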