(Four Case) Risk Management Analysis


Transcript (Four Case) Risk Management Analysis

Slide 1

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-at-risk
is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value ¹P one trading day from now. The
portfolio's current value ⁰p is known.
Value-at-risk equals the amount of money such that
there is a 90% probability of the portfolio losing
less than that amount over the next trading day.
COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

Definition

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

Risk definition
[Figure: quadrant chart. Vertical axis: Value accrued (+/-); horizontal axis: Cost of action. Quadrants: big cost, big gains; small cost, small gains; small cost, small losses; big cost, big losses.]

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
Risk definition
[Figure: the same quadrant chart, annotated. Vertical axis: Value accrued (+/-); horizontal axis: Cost of action. Quadrants: small cost, big gains (“no brainer”); big cost, big gains; small cost, small gains; small cost, small losses; big cost, big losses (“not a good idea”); the tolerable loss limit is marked on the chart.]

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
Identification

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
Risk identification
What is at risk?

Risk identification
What is at risk?
Achieving your objectives!

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
Risk identification
• core business op’ns & processes
– acquire new customers
– take orders
– procure materials
– create products, manage inventories
– deliver products
– collect payments

Risk identification
• core sales sub-processes
– market research
– pricing
– promotion and advertising
– order taking (order entry)
– warranty management

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

Risk identification
• core operations sub-processes
– materials sourcing (availability)
– quality control (product & process)
– plant & workplace safety
– environmental concerns
– inventory
– logistics and transport

Risk identification
• core finance sub-processes
– budgeting
– accounts receivable and payable
– banking
– currency exchange
– MIS and IT processes

Risk identification
• support business processes
– strategic planning
– brand management
– facilities and infrastructure management
– process engineering
– capital investment
– asset management

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
Risk identification
• support business sub-processes
– quality assurance
– predictive/preventive maintenance
– recruitment, compensation
– employee relations (work stoppages)
– employee performance mgt
– payroll, benefits, ...

Risk identification
• other business areas
– outplacement
– employee well-being
– insurance
– mergers & acquisitions
– construction / expansion

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.
– Strengths
– Weaknesses
– Opportunities
– Threats

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
Evaluation

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

Risk evaluation
Risk matrix: frequency (rows) x severity (columns)

Frequency \ Severity   Negligible   Minor   Major   Severe
Frequent                   L          I       H       H
Probable                   L          I       H       H
Occasional                 T          I       I       H
Remote                     T          L       I       I

Risk evaluation

Risk evaluation

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

Risk evaluation
• Typical approaches for quantification
– Weighted probabilities
– Extended cost
– Future Value or Net Present Value
– Capability analysis
– Value stream mapping
– Cost of poor quality
– Discounted Cash Flow
– Internal Rate of Return

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

Risk evaluation
Financial measures of c/b
• Return on Investment (ROI)
Net B/C ratio = (PV of benefits – PV of operating costs) / PV of capital costs

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)^2 + a3/(1+i)^3 + ...

• Where “a” is the return for each period at rate “i”

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
Risk evaluation
Financial measures of c/b
• IRR
The value of “i” such that Σ (t = 1 to p) a_t / (1+i)^t = 0

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?"
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
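A worked NPV and IRR calculation, added here as an example (it is not part of the slides or the author's material). It implements the NPV sum from the NPV slide and finds the IRR by bisection, which is the "trial and error" approximation the deck refers to; the cash-flow series and the 10% hurdle rate are constructed, with a_0 the up-front outlay (negative).

```python
"""NPV and IRR as the slides define them (added example, not from the deck).

NPV(i) = a0 + a1/(1+i) + a2/(1+i)^2 + ...   (a0 is the up-front outlay, negative)
IRR    = the rate i at which NPV(i) == 0, found by bisection because there is
         no closed-form algebraic solution.
"""
from typing import Sequence


def npv(rate: float, cash_flows: Sequence[float]) -> float:
    """Net present value; cash_flows[t] is the return a_t in period t.

    cash_flows[0] is the up-front outlay and is not discounted.
    """
    if rate <= -1.0:
        raise ValueError("discount rate must be above -100%")
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


def irr(cash_flows: Sequence[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-9, max_iter: int = 200) -> float:
    """Rate i at which npv(i) == 0, found by bisection (trial and error).

    Assumes a conventional stream (an outlay followed by returns), so npv is
    strictly decreasing in the rate and the root in [lo, hi] is unique.
    """
    if not (any(a < 0 for a in cash_flows) and any(a > 0 for a in cash_flows)):
        raise ValueError("an IRR needs both outlays and returns")
    f_lo = npv(lo, cash_flows)
    if f_lo * npv(hi, cash_flows) > 0:
        raise ValueError("npv does not change sign on [lo, hi]; widen the bracket")
    for _ in range(max_iter):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol or hi - lo < tol:
            return mid
        if f_lo * f_mid < 0:      # root lies in the lower half
            hi = mid
        else:                     # root lies in the upper half
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


# Constructed example: spend $1,000 now, get $500 back in each of the next three years.
SAMPLE_CASH_FLOWS = [-1000.0, 500.0, 500.0, 500.0]


def evaluate(cash_flows: Sequence[float], hurdle_rate: float) -> dict:
    """Compare the stream against the organization's required rate (cost of capital)."""
    r = irr(cash_flows)
    return {
        "npv_at_hurdle": npv(hurdle_rate, cash_flows),
        "irr": r,
        # For a conventional stream, irr > hurdle is the same test as npv_at_hurdle > 0.
        "accept": r > hurdle_rate,
    }


if __name__ == "__main__":
    result = evaluate(SAMPLE_CASH_FLOWS, hurdle_rate=0.10)
    print(f"NPV at 10%: {result['npv_at_hurdle']:.2f}")   # about 243.43
    print(f"IRR: {result['irr']:.2%}")                    # about 23.38%
    print("accept" if result["accept"] else "reject")
```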
Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

Risk evaluation
• Four cases for risk evaluation:

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
Risk evaluation
[Figure: four-case chart. Vertical axis: Value accrued (+/-); horizontal axis: Change implementation. Quadrants: No change / Positive outcome; Change / Positive outcome; No change / Negative outcome; Change / Negative outcome.]

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
Mitigation

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
Risk mitigation treatments
• Risk avoidance
• Risk reduction
• Risk retention
• Risk transfer

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia
Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia
Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability weighted Sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis
Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N


Evaluation
(re-evaluation after control)

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to
controlled recovery
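The following is an added example, not code from the slides, serving two passages: the four-case comparison against the tolerable loss limit (the "Four cases for risk evaluation" slides) and the Annual Loss Exposure re-evaluation above (raw ALE, ALE with all controls working, and the cost of the controls). The Risk and Control types, the sample risks, the control factors and the decision figures are all constructed for illustration.

```python
"""Four-case comparison and Annual Loss Exposure (ALE), added example.

Implements the arithmetic the deck describes:
  ALE = loss per event x events per year, summed over all risks (raw ALE),
  recalculated with controls working, and netted against the controls' cost;
  and the four cases (change / no change x positive / negative outcome),
  each checked against the organization's tolerable loss limit.
"""
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Risk:
    name: str
    loss_per_event: float    # estimated dollar loss each time the risk materialises
    events_per_year: float   # frequency of occurrence (0.1 = about once a decade)

    @property
    def ale(self) -> float:
        """Annual Loss Exposure for this one risk: loss x frequency."""
        return self.loss_per_event * self.events_per_year


@dataclass(frozen=True)
class Control:
    """A mitigating control: reduces the chance of failure and/or the cost of failure."""
    risk_name: str
    annual_cost: float
    frequency_factor: float = 1.0   # 0.5 -> the event happens half as often
    loss_factor: float = 1.0        # 0.6 -> each event costs 60% of what it did


def total_ale(risks: Iterable[Risk]) -> float:
    return sum(r.ale for r in risks)


def apply_controls(risks: Iterable[Risk], controls: Iterable[Control]) -> List[Risk]:
    """Recalculate each risk assuming its control is working."""
    by_name = {c.risk_name: c for c in controls}
    out = []
    for r in risks:
        c = by_name.get(r.name)
        if c is not None:
            r = replace(r, loss_per_event=r.loss_per_event * c.loss_factor,
                        events_per_year=r.events_per_year * c.frequency_factor)
        out.append(r)
    return out


def mitigation_summary(risks: Iterable[Risk], controls: Iterable[Control]) -> Dict[str, float]:
    """Raw ALE, controlled ALE, control cost and the net annual benefit of mitigating."""
    risks, controls = list(risks), list(controls)
    raw = total_ale(risks)
    controlled = total_ale(apply_controls(risks, controls))
    cost = sum(c.annual_cost for c in controls)
    return {"raw_ale": raw, "controlled_ale": controlled, "control_cost": cost,
            "net_annual_benefit": (raw - controlled) - cost}


def four_cases(change_cost: float, change_gain: float, change_loss: float, p_change_ok: float,
               keep_cost: float, keep_gain: float, keep_loss: float, p_keep_ok: float,
               tolerable_loss: float) -> Dict[str, object]:
    """Value accrued in each of the four cases, expected values, and limit breaches."""
    cases = {
        "change / positive outcome": change_gain - change_cost,
        "change / negative outcome": -(change_loss + change_cost),
        "no change / positive outcome": keep_gain - keep_cost,   # learning-curve gain
        "no change / negative outcome": -(keep_loss + keep_cost),
    }
    ev_change = (p_change_ok * cases["change / positive outcome"]
                 + (1 - p_change_ok) * cases["change / negative outcome"])
    ev_keep = (p_keep_ok * cases["no change / positive outcome"]
               + (1 - p_keep_ok) * cases["no change / negative outcome"])
    breaches = {k: v < -tolerable_loss for k, v in cases.items()}
    return {"cases": cases, "expected_change": ev_change, "expected_no_change": ev_keep,
            "breaches_tolerance": breaches,
            # Prefer the change only if it pays on average AND its worst case is tolerable.
            "prefer_change": ev_change > ev_keep and not breaches["change / negative outcome"]}


# Constructed sample data (illustrative figures, not from the deck).
SAMPLE_RISKS = [Risk("supplier stock-out", 40_000.0, 1.5), Risk("data breach", 250_000.0, 0.1)]
SAMPLE_CONTROLS = [Control("supplier stock-out", 8_000.0, frequency_factor=0.5),
                   Control("data breach", 12_000.0, frequency_factor=0.5, loss_factor=0.6)]
SAMPLE_DECISION = dict(change_cost=50_000.0, change_gain=200_000.0, change_loss=30_000.0,
                       p_change_ok=0.7, keep_cost=0.0, keep_gain=20_000.0,
                       keep_loss=150_000.0, p_keep_ok=0.8, tolerable_loss=100_000.0)

if __name__ == "__main__":
    print(mitigation_summary(SAMPLE_RISKS, SAMPLE_CONTROLS))
    print(four_cases(**SAMPLE_DECISION))
```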

Conclusions

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)
Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:
– Define
– Identify
– Evaluate
– Mitigate
– Control
Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, cp, etc)
– Financial calculations (ROI, etc)
– SPC
– ...

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car
Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009

(Four Case)
Risk Management Analysis
Thank you
Questions?

James August, CQA 01/21/09

89


Slide 2

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes
– acquire new customers
– take orders
– procure materials
– create products, manage inventories
– deliver products
– collect payments

32

Risk identification
• core sales sub-processes
– market research
– pricing
– promotion and advertising
– order taking (order entry)
– warranty management

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection


34

Risk identification
• core operations sub-processes
– materials sourcing (availability)
– quality control (product & process)
– plant & workplace safety
– environmental concerns
– inventory
– logistics and transport

35

Risk identification
• core finance sub-processes
– budgeting
– accounts receivable and payable
– banking
– currency exchange
– MIS and IT processes

36

Risk identification
• support business processes
– strategic planning
– brand management
– facilities and infrastructure management
– process engineering
– capital investment
– asset management

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management

38

Risk identification
• support business sub-processes
– quality assurance
– predictive/ preventive maintenance
– recruitment, compensation
– employee relations (work stoppages)
– employee performance mgt
– payroll, benefits, ...

39

Risk identification
• other business areas
– outplacement
– employee well-being
– insurance
– mergers & acquisitions
– construction / expansion

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.
– Strengths
– Weaknesses
– Opportunities
– Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses
– Historical information - lessons learned
– Templates: critical path, engineering, ...

42

Evaluation


43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?


44

Risk evaluation
Risk matrix: frequency (rows) versus severity (columns)

Frequency    | Negligible | Minor | Major | Severe
-------------+------------+-------+-------+-------
Frequent     |     L      |   I   |   H   |   H
Probable     |     L      |   I   |   H   |   H
Occasional   |     T      |   I   |   I   |   H
Remote       |     T      |   L   |   I   |   I

45

Risk evaluation


46

Risk evaluation


47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability


48

Risk evaluation
• Typical approaches for quantification
– Weighted probabilities
– Extended cost
– Future Value or Net Present Value
– Capability analysis
– Value stream mapping
– Cost of poor quality
– Discounted Cash Flow
– Internal Rate of Return

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency


50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)
– Net B/C ratio = (PV of benefits – PV of operating
costs) / PV of capital costs

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.

52

Risk evaluation

• NPV = $a_0 + \frac{a_1}{1+i} + \frac{a_2}{(1+i)^2} + \frac{a_3}{(1+i)^3} + \cdots$

• Where
“a” is the return for each period ($a_0$ now, $a_1$ one period out,
and so on) and “i” is the discount rate

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.

56

Risk evaluation
Financial measures of c/b
• IRR
The value of "i" such that $\sum_{t=1}^{p} \frac{a_t}{(1+i)^t} = 0$

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?"
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.


59

Risk evaluation
• Four cases for risk evaluation:


60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results

61

Risk evaluation
[Figure: the four risk cases plotted against "Change implementation"
(horizontal axis) and "Value accrued (+/-)" (vertical axis). Quadrants:
No change / Positive outcome; Change / Positive outcome;
No change / Negative outcome; Change / Negative outcome.]

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
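The four-case comparison worked in Python, as an added example that is not part of the original presentation: NPV is computed from the formula given earlier, IRR is found by bisection (the trial-and-error approximation the IRR slides describe, returning None for a stream with no sign change, where no IRR exists), and each case is checked against the tolerable loss limit. The discount rate, cash flows and loss limit are constructed for illustration.

```python
"""Four-case risk evaluation with NPV and IRR.

Added example, not from the original presentation. The discount rate,
cash flows and tolerable loss limit are constructed for illustration.
"""
from typing import Dict, Optional, Sequence


def npv(rate: float, cash_flows: Sequence[float]) -> float:
    """NPV = a_0 + a_1/(1+i) + a_2/(1+i)^2 + ...; a_0 is the flow now."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


def irr(cash_flows: Sequence[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-7, max_iter: int = 200) -> Optional[float]:
    """Rate i at which NPV == 0, found by bisection: there is no closed
    form, so the rate is bracketed and narrowed by trial and error.

    Returns None when NPV has the same sign at both ends of the bracket,
    e.g. a "do nothing" stream with no outlay and no sign change, for
    which no IRR exists.
    """
    f_lo = npv(lo, cash_flows)
    if f_lo * npv(hi, cash_flows) > 0:
        return None
    for _ in range(max_iter):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol or (hi - lo) / 2.0 < tol:
            return mid
        if f_lo * f_mid < 0:      # root lies in [lo, mid]
            hi = mid
        else:                     # root lies in [mid, hi]
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


DISCOUNT_RATE = 0.10               # constructed: cost of capital
TOLERABLE_LOSS_LIMIT = -150_000.0  # constructed: risk tolerance as NPV, dollars

# Constructed yearly cash flows in dollars; index 0 is "now", so a change
# that needs an up-front investment starts with a negative flow.
FOUR_CASES: Dict[str, Sequence[float]] = {
    # implement the change and the planned results are achieved
    "change / positive outcome":    [-200_000, 90_000, 90_000, 90_000],
    # implement the change but get adverse (unplanned) results
    "change / negative outcome":    [-200_000, 10_000, 10_000, 10_000],
    # do nothing (ongoing costs only) and see learning-curve improvement
    "no change / positive outcome": [0, 20_000, 25_000, 30_000],
    # do nothing and get adverse results
    "no change / negative outcome": [0, -40_000, -60_000, -80_000],
}


def evaluate_cases(cases: Dict[str, Sequence[float]], rate: float,
                   loss_limit: float) -> Dict[str, Dict]:
    """Value each case by NPV and IRR and flag any whose NPV breaches the
    organization's tolerable loss limit."""
    results = {}
    for name, flows in cases.items():
        value = npv(rate, flows)
        results[name] = {
            "npv": round(value, 2),
            "irr": irr(flows),                    # None when undefined
            "within_loss_limit": value >= loss_limit,
        }
    return results


if __name__ == "__main__":
    report = evaluate_cases(FOUR_CASES, DISCOUNT_RATE, TOLERABLE_LOSS_LIMIT)
    for name, r in report.items():
        irr_txt = "n/a" if r["irr"] is None else f"{r['irr']:.1%}"
        flag = "" if r["within_loss_limit"] else "  <- exceeds loss limit"
        print(f"{name:30s} NPV {r['npv']:>12,.2f}  IRR {irr_txt:>6s}{flag}")
```

With these constructed numbers the "change / negative outcome" case is the only one that breaches the limit, which is exactly the comparison the four-case method is meant to surface before the change is approved.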

63

Mitigation


64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.


65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure

66

Risk mitigation treatments
– Risk avoidance
– Risk reduction
– Risk retention
– Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also, any amount of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

72

Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability weighted sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

73

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
– Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
– Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
– Determine whether product development has realistic
costs and timeframes.
– Check that a detailed budget has been established for
product development.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
– Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
– Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
– Make sure quality specifications have been defined,
authorized and formally documented.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)


78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks


79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)


80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to
controlled recovery
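The ALE re-evaluation of the last three slides carried through in Python, as an added example that is not part of the original presentation: raw ALE per risk (loss per event times yearly frequency), controlled ALE assuming all controls work, and the improvement set against each control's annual cost. The risks, figures and control costs are constructed; the risk names are taken from process areas the deck lists earlier.

```python
"""Annual Loss Exposure (ALE) re-evaluated with controls in place.

Added example, not from the original presentation. The risks, losses,
frequencies and control costs are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Risk:
    name: str
    loss_per_event: float        # estimated loss per occurrence, dollars
    raw_frequency: float         # occurrences per year, no controls
    controlled_loss: float       # loss per occurrence, controls working
    controlled_frequency: float  # occurrences per year, controls working
    control_cost: float          # annual cost of the mitigating controls


def ale(loss_per_event: float, frequency: float) -> float:
    """Annual Loss Exposure = loss per event x occurrences per year."""
    return loss_per_event * frequency


def re_evaluate(risks: List[Risk]) -> Tuple[List[Dict], Dict[str, float]]:
    """Raw ALE, controlled ALE and the improvement for each risk, plus
    totals over all risks. A control "pays" when the ALE it removes is
    larger than its own annual cost. A control that does not pay on ALE
    alone is not automatically dropped: a remote but large loss may still
    sit outside the organization's tolerable loss limit."""
    rows = []
    for r in risks:
        raw = ale(r.loss_per_event, r.raw_frequency)
        controlled = ale(r.controlled_loss, r.controlled_frequency)
        improvement = raw - controlled
        rows.append({
            "name": r.name,
            "raw_ale": raw,
            "controlled_ale": controlled,
            "improvement": improvement,
            "control_cost": r.control_cost,
            "net_benefit": improvement - r.control_cost,
            "control_pays": improvement > r.control_cost,
        })
    keys = ("raw_ale", "controlled_ale", "improvement", "control_cost",
            "net_benefit")
    totals = {k: sum(row[k] for row in rows) for k in keys}
    return rows, totals


# Constructed risks, named after process areas listed earlier in the deck.
SAMPLE_RISKS = [
    # incoming inspection cuts how often bad stock reaches production
    Risk("substandard supplies reach production",
         50_000, 2.0, 50_000, 0.25, 15_000),
    # access controls make a leak rarer, not smaller when it happens
    Risk("leak of commercially sensitive pricing data",
         200_000, 0.1, 200_000, 0.02, 30_000),
    # a contingency plan leaves the stoppage rate alone but cuts what
    # each stoppage costs
    Risk("work stoppage", 80_000, 0.5, 30_000, 0.5, 10_000),
]


if __name__ == "__main__":
    rows, totals = re_evaluate(SAMPLE_RISKS)
    for row in rows + [dict(totals, name="TOTAL", control_pays="")]:
        print(f"{row['name']:45s} raw {row['raw_ale']:>10,.0f} "
              f"controlled {row['controlled_ale']:>10,.0f} "
              f"net {row['net_benefit']:>10,.0f} {row['control_pays']}")
```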


81

Conclusions


82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:
– Define
– Identify
– Evaluate
– Mitigate
– Control

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations


85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, cp, etc)
– Financial calculations (ROI, etc)
– SPC
– ...

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding
– Investments
• Home
• Car

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009


88

(Four Case)
Risk Management Analysis
Thank you
Questions?


89


Slide 3

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
p



The value of "i" such that  at / (1+i) t = 0
t=1

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
James August, CQA 01/21/09

61

Risk evaluation
V a lu e a ccru e d (+ /-)

N o ch an ge
P ositive ou tcom e

C h an ge
P ositive ou tcom e

C h a n g e im p le m e n ta tio n

N o ch an ge
N egative ou tcom e

James August, CQA 01/21/09

C h an ge
N egative ou tcom e

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
James August, CQA 01/21/09

63

Mitigation

James August, CQA 01/21/09

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

James August, CQA 01/21/09

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
James August, CQA 01/21/09

66

Risk mitigation treatments





James August, CQA 01/21/09

Risk avoidance
Risk reduction
Risk retention
Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also, any amount of potential loss (risk) over the amount insured is retained risk.
from Wikipedia

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

72

Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability weighted Sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

73

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
– Management maintains an accurate awareness of market trends, competitor prices, etc. as determinants of pricing policy.
– Steps are taken to protect commercially sensitive pricing information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
– Determine whether product development has realistic costs and timeframes.
– Check that a detailed budget has been established for product development.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
– Ensure prompt action is taken to reject substandard supplies and arrange replacement stock.
– Verify that measures are in place to assess potential suppliers for their competence and commitment to quality.
– Make sure quality specifications have been defined, authorized and formally documented.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)


78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks


79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)


80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to
controlled recovery


81
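The ALE re-evaluation laid out on the three slides above, as an added example that is not from the original deck: raw ALE is the annual loss estimate for each risk multiplied by its frequency of occurrence and summed over the register; controlled ALE recalculates the same figure assuming every control works as planned; the reduction, less the annual cost of the controls, shows whether each control pays for itself. Risk names, loss estimates, frequencies, residual fractions and control costs are constructed sample values chosen to echo the deck's own sprinkler, pricing-information and supplier-quality examples.

```python
"""Annual Loss Exposure (ALE) before and after controls.

Added example, not taken from the original slides. Every figure below is a
constructed sample value; the risk names only echo examples used in the deck.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Risk:
    name: str
    loss_per_event: float         # estimated loss each time the event occurs (USD)
    events_per_year: float        # raw annual frequency of occurrence
    residual_fraction: float      # share of the raw ALE left when controls work
    control_cost_per_year: float  # annual cost of the mitigating controls (USD)

    def raw_ale(self) -> float:
        """Raw ALE = annual loss estimate x frequency of occurrence."""
        return self.loss_per_event * self.events_per_year

    def controlled_ale(self) -> float:
        """ALE recalculated assuming all controls are working as planned."""
        return self.raw_ale() * self.residual_fraction


# Constructed risk register (sample values only).
REGISTER: List[Risk] = [
    Risk("warehouse fire (sprinklers)", 500_000.0, 0.05, 0.20, 8_000.0),
    Risk("pricing information leak (access controls)", 80_000.0, 0.5, 0.40, 12_000.0),
    Risk("substandard supplier lot accepted (incoming inspection)", 15_000.0, 4.0, 0.50, 35_000.0),
]


def evaluate_register(register: List[Risk]) -> Tuple[List[Dict], Dict[str, float]]:
    """Per risk: raw and controlled ALE, control cost, and whether the ALE
    reduction exceeds what the control costs. Totals are summed over all risks."""
    rows = []
    for r in register:
        reduction = r.raw_ale() - r.controlled_ale()
        rows.append({
            "risk": r.name,
            "raw_ale": r.raw_ale(),
            "controlled_ale": r.controlled_ale(),
            "control_cost": r.control_cost_per_year,
            "net_benefit": reduction - r.control_cost_per_year,
            "worth_it": reduction > r.control_cost_per_year,
        })
    totals = {
        "raw_ale": sum(row["raw_ale"] for row in rows),
        "controlled_ale": sum(row["controlled_ale"] for row in rows),
        "control_cost": sum(row["control_cost"] for row in rows),
    }
    totals["net_benefit"] = totals["raw_ale"] - totals["controlled_ale"] - totals["control_cost"]
    return rows, totals


if __name__ == "__main__":
    rows, totals = evaluate_register(REGISTER)
    for row in rows:
        print(f'{row["risk"]}: raw {row["raw_ale"]:,.0f}  controlled {row["controlled_ale"]:,.0f}  '
              f'control cost {row["control_cost"]:,.0f}  net {row["net_benefit"]:,.0f}  '
              f'{"keep" if row["worth_it"] else "reconsider"}')
    print("totals:", {k: round(v) for k, v in totals.items()})
```

The third register entry is the instructive one: the inspection control costs more per year than the loss it prevents, so the comparison points back to the retention treatment discussed earlier rather than to more control spending.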

Conclusions


82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:
– Define
– Identify
– Evaluate
– Mitigate
– Control

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations


85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, cp, etc)
– Financial calculations (ROI, etc)
– SPC
– ...

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009


88

(Four Case)
Risk Management Analysis
Thank you
Questions?


89


Slide 4

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
p



The value of "i" such that  at / (1+i) t = 0
t=1

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
James August, CQA 01/21/09

61

Risk evaluation
V a lu e a ccru e d (+ /-)

N o ch an ge
P ositive ou tcom e

C h an ge
P ositive ou tcom e

C h a n g e im p le m e n ta tio n

N o ch an ge
N egative ou tcom e

James August, CQA 01/21/09

C h an ge
N egative ou tcom e

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
James August, CQA 01/21/09

63

Mitigation

James August, CQA 01/21/09

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

James August, CQA 01/21/09

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
James August, CQA 01/21/09

66

Risk mitigation treatments





James August, CQA 01/21/09

Risk avoidance
Risk reduction
Risk retention
Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
James August, CQA 01/21/09

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia
James August, CQA 01/21/09

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia
James August, CQA 01/21/09

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
James August, CQA 01/21/09

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools





Design for Six Sigma
Investment hedging
Concurrent Engineering
Employee education & training

James August, CQA 01/21/09

72

Risk mitigation
• Some mitigation approaches for core
processes





Published financial documents – open review
Probability weighted Sales forecasts
Raw material cost projections
FTA and FMEA for design and process
• simulations and prototyping

– Inventory ABC analysis
James August, CQA 01/21/09

73

Risk mitigation
• and







Freight carrier performance statistics
Statistical Process Control
Electronic surveillance
Hedging
Invoice aging analysis and variance
Process check lists

James August, CQA 01/21/09

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for GrowthTM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
James August, CQA 01/21/09

from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)

James August, CQA 01/21/09

78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks

James August, CQA 01/21/09

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)

James August, CQA 01/21/09

80

Risk evaluation revisited
• Re-evaluate costs and benefit
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE to to
controlled recovery

James August, CQA 01/21/09

81

Conclusions

James August, CQA 01/21/09

82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)
James August, CQA 01/21/09

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:

Control
Mitigate
Evaluate
Identify
Define
James August, CQA 01/21/09

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations

James August, CQA 01/21/09

85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists





Non-financial indexes (FMEA, cp, etc)
Financial calculations (ROI, etc)
SPC
...

James August, CQA 01/21/09

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car
James August, CQA 01/21/09

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009

James August, CQA 01/21/09

88

(Four Case)
Risk Management Analysis
Thank you
Questions?

James August, CQA 01/21/09

89


Slide 5

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business risk?
• Risk identification - where are my risks hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know that my actions were effective?

(Four Case)
Risk Management Analysis
• Risk management is a process
• The process has parallels with DMAIC and PDCA

Definition

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of protection and the level of protection you should be at.”
• “An assumption that you cannot verify is a risk.” Adolfo Ferreira

Risk definition
• A comparator accruing from the likelihood of specific endeavor outcomes, its magnitude being a function of the possible consequences of the endeavor and the probabilities associated with those consequences.

Risk definition
• Risk = f(magnitude) x f(likelihood) = severity x frequency of occurrence
• high risk outcome = fruits of opportunity or devastating result
• compare with FMEA: RPN = severity x occurrence x detectability

Risk definition
• Two occasions for which risk should be calculated: RTP and ITP
– RTP (run the process): core processes which must be maintained to keep the current business performance level
– ITP (improve the process): processes which may be improved, increasing the performance level

Risk definition
• Risk appetite: the amount of risk that you are willing to accept
• Risk tolerance: the limits of outcomes that you are willing to accept

Risk definition
• There are two sides to every risk calculation - the positive potential and the negative potential.
• Both must be calculated.
• Costs can be small or large

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $
– value of continued output
– value of lost output

Risk definition
• These are the four cases that should be considered as part of a risk management methodology.

Risk definition
[Chart: Value accrued (+/-) on the vertical axis against Cost of action on the horizontal axis, dividing the plane into four quadrants: big cost, big gains; small cost, small gains; small cost, small losses; big cost, big losses]

Risk definition examples
• Buy a 50-50 ticket: high chance of winning (only a few dozen sold) at a low cost of entry but low return.
• Buy a lottery ticket: low chance of winning but if you hit … it’s millions of dollars!
• Buy a second house for investment: high chance of eventually getting a good return but with a high cost of entry.

Risk definition
• Your tolerable loss limit (risk tolerance) is an estimate of the maximum you can afford to lose in the worst case scenario
• It is a number (generally expressed in dollars) and could be based on an organization's expected profits or revenues

Risk definition
[Chart: the same Value accrued (+/-) vs. Cost of action quadrants, annotated: small cost, big gains = “no brainer”; big cost, big gains; small cost, small gains; small cost, small losses; big cost, big losses = “not a good idea”; a horizontal line below the axis marks the tolerable loss limit]

Risk management definition
A formal process used for identifying hazards associated with a product/service, estimating and evaluating the associated risks, controlling those risks, and monitoring the effectiveness of the control.

RM provides a rational foundation for decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18

Risk management definition
• Risk assessment, as defined by the IIA Standards for the Professional Practice of Internal Auditing, is a systematic process for assessing and integrating professional judgments about probable adverse conditions or events. Risk impacts an organization’s ability to compete and to maintain its financial strength and the quality of its products and services. It’s the internal auditor’s job to identify all auditable activities and relevant risk factors and to assess their significance.

Risk management system
• Risk management is another management system to be fused into your organization. It has structure:
– Objectives and goals
– Policies
– Procedures

Risk management policy
• Risk mitigation (intervention) is deciding what to do about each of the risks assessed as important to your (management or project) objectives, implementing the changes and documenting the planned response.

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools
– Risk mitigation or reduction
• treatment selection
• application of remedy tools
– Risk control at the new level

Identification

Risk identification
• Where are my risks?
• Which are “run the process” risks and which are “improve the process” risks?
• RTP risks tend to have little upside but huge downside.
• ITP risks tend to have large upside and measurable downside.

Risk identification
What is at risk?
Achieving your objectives!

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”, Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008

Risk identification
• core business op’ns & processes
– acquire new customers
– take orders
– procure materials
– create products, manage inventories
– deliver products
– collect payments

Risk identification
• core sales sub-processes
– market research
– pricing
– promotion and advertising
– order taking (order entry)
– warranty management

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

Risk identification
• core operations sub-processes
– materials sourcing (availability)
– quality control (product & process)
– plant & workplace safety
– environmental concerns
– inventory
– logistics and transport

Risk identification
• core finance sub-processes
– budgeting
– accounts receivable and payable
– banking
– currency exchange
– MIS and IT processes

Risk identification
• support business processes
– strategic planning
– brand management
– facilities and infrastructure management
– process engineering
– capital investment
– asset management

Risk identification
• support business sub-processes
– communications
– knowledge management: training and education
– materials management and logistics
– legal/regulatory reporting (FDA, SOx, ...)
– supplier evaluation, management

Risk identification
• support business sub-processes
– quality assurance
– predictive/preventive maintenance
– recruitment, compensation
– employee relations (work stoppages)
– employee performance mgt
– payroll, benefits, ...

Risk identification
• other business areas
– outplacement
– employee well-being
– insurance
– mergers & acquisitions
– construction / expansion

Risk identification
• SWOT analysis is a sorting method for identifying and prioritizing risks.
– Strengths
– Weaknesses
– Opportunities
– Threats

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses
– Historical information - lessons learned
– Templates: critical path, engineering, ...

Evaluation

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

Risk evaluation
Risk matrix: Frequency (rows) against Severity (columns)

Frequency     Negligible   Minor   Major   Severe
Frequent      L            I       H       H
Probable      L            I       H       H
Occasional    T            I       I       H
Remote        T            L       I       I


Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criterion: is RPN below or above 100, where
– RPN = Severity x Frequency x Detectability

Risk evaluation
• Typical approaches for quantification
– Weighted probabilities
– Extended cost
– Future Value or Net Present Value
– Capability analysis
– Value stream mapping
– Cost of poor quality
– Discounted Cash Flow
– Internal Rate of Return

Risk evaluation
• Project justification
– Develop meaningful (financial?) performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from time and material invested
– may be based on estimates of increased sales or improved process efficiency

Risk evaluation
Financial measures of c/b
• Return on Investment (ROI)
Net B/C ratio = (PV of benefits – PV of operating costs) / PV of capital costs

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis period, adjusted to reflect the time value of money. Other things being equal, the action or investment with the larger NPV is the better option. NPV uses the Present Value concept, the idea that money you have now is worth more than an identical amount received in the future.

Risk evaluation
• NPV = a₀ + a₁/(1+i) + a₂/(1+i)² + a₃/(1+i)³ + ...
• Where “a” is the return for each period at rate “i”

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a method to value a project, company, or financial asset using the concepts of the time value of money. All future cash flows are estimated and discounted to give them a present value. The discount rate used is generally the appropriate cost of capital, and incorporates judgments of the uncertainty (riskiness) of the future cash flows.

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)
IRR (like NPV) is a financial metric that reflects the time value of money. The meaning of IRR is less obvious to most people, but IRR is nevertheless often used as a central decision criterion among financial specialists. As the word "Return" implies, the IRR view of the cash flow stream is essentially an investment view: money will be paid out and compared to returns.

Risk evaluation
• The internal rate of return (IRR) is the interest rate such that the discounted sum of net cash flows is zero. If the interest rate were equal to the IRR, the net present value would be exactly zero. The IRR cannot be determined by an algebraic formula, but rather has to be approximated by trial and error methods.

Risk evaluation
Financial measures of c/b
• IRR
The value of "i" such that Σ (t = 1 to p) aₜ / (1+i)ᵗ = 0

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which the total present value of future cash flows equals the cost of the investment."
• 2. "The IRR for an investment is the discount rate that produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates have to climb (the discount rate for NPV calculations) in order for the PV of gains to just cover the PV of costs?"
• The answer in each case is an interest rate; the higher the interest rate (that is, the higher the IRR), the more robust the investment and the better the returns compare to the costs.

Risk evaluation
• Excel spreadsheets can do PV, NPV, IRR and other financial value calculations.

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b analyses assuming the results are achieved
– implement the change resulting in adverse (unplanned) results
– do nothing (ongoing costs only) and see learning curve improvement
– do nothing and get adverse results

Risk evaluation
[Chart: Value accrued (+/-) on the vertical axis against Change implementation on the horizontal axis, four quadrants: No change / Positive outcome; Change / Positive outcome; No change / Negative outcome; Change / Negative outcome]

Risk evaluation
• Use the risk valuation method preferred by your organization (ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four risk cases.
• Keep in mind the organization's risk tolerance loss limit.
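The four-case comparison above, worked through in code as an added example that is not part of the deck: npv() applies the deck's NPV formula, irr() approximates the IRR by bisection (the trial-and-error search the deck describes, returning None for a stream that never crosses zero), and evaluate_four_cases() values each case and checks each decision's worst outcome against the tolerable loss limit. The cash flows, the 8% discount rate and the loss limit of 80 are constructed illustration values (thousands of USD), not figures from the presentation.

```python
"""Four-case risk evaluation with NPV and IRR.

Added example, not from the slide deck. All cash flows, the discount
rate and the tolerable loss limit are constructed illustration values
(thousands of USD), not figures from the presentation.
"""
from dataclasses import dataclass


def npv(rate, cash_flows):
    """NPV = a0 + a1/(1+i) + a2/(1+i)^2 + ...; cash_flows[0] is the
    period-0 flow (negative = cost, positive = gain)."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


def irr(cash_flows, lo=-0.99, hi=10.0, tol=1e-7, max_iter=200):
    """Approximate the IRR by bisection: the rate at which NPV is zero.
    There is no closed-form formula, so the rate is found by repeated
    trial. Returns None when NPV has the same sign at both ends of the
    bracket (no rate in [lo, hi] zeroes the NPV), which is what happens
    for a stream that is all gains or all losses."""
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        return None
    for _ in range(max_iter):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol or (hi - lo) / 2.0 < tol:
            return mid
        if f_lo * f_mid < 0:      # root lies in the lower half
            hi, f_hi = mid, f_mid
        else:                     # root lies in the upper half
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


@dataclass
class RiskCase:
    decision: str    # "change" or "no change"
    outcome: str     # "positive" or "negative"
    cash_flows: list


def evaluate_four_cases(cases, rate, loss_limit):
    """Value each case at the organization's rate, then compare the
    worst outcome of each decision against the tolerable loss limit."""
    per_case = {}
    for c in cases:
        value = npv(rate, c.cash_flows)
        per_case[(c.decision, c.outcome)] = {
            "npv": round(value, 2),
            "irr": irr(c.cash_flows),
        }
    summary = {}
    for decision in ("change", "no change"):
        best = per_case[(decision, "positive")]["npv"]
        worst = per_case[(decision, "negative")]["npv"]
        summary[decision] = {
            "best_npv": best,
            "worst_npv": worst,
            "worst_within_loss_limit": worst >= -loss_limit,
        }
    return per_case, summary


# Constructed illustration: a process change costing 120 up front
# versus leaving the process alone, followed by three periods.
FOUR_CASES = [
    RiskCase("change", "positive", [-120, 50, 60, 70]),
    RiskCase("change", "negative", [-120, 10, 15, 20]),
    RiskCase("no change", "positive", [0, 5, 8, 10]),      # learning curve
    RiskCase("no change", "negative", [0, -20, -30, -40]),
]
DISCOUNT_RATE = 0.08   # assumed cost of capital
LOSS_LIMIT = 80.0      # assumed tolerable loss limit

if __name__ == "__main__":
    per_case, summary = evaluate_four_cases(FOUR_CASES, DISCOUNT_RATE, LOSS_LIMIT)
    for (decision, outcome), r in per_case.items():
        irr_txt = "n/a" if r["irr"] is None else f"{r['irr']:.1%}"
        print(f"{decision:>9} / {outcome:<8} NPV={r['npv']:>8.2f}  IRR={irr_txt}")
    for decision, s in summary.items():
        print(decision, s)
```

With these constructed numbers the change has the better best case but its adverse case (NPV about -82) breaches the loss limit of 80, while doing nothing stays within it; that is the comparison the tolerance limit is meant to force.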

Mitigation

Risk mitigation
Risk mitigation (handling) is deciding what to do about each of the risks assessed as important to your project, implementing the changes and documenting the (planned) response.

Risk mitigation
• How do I reduce my risk?
• Risk is a function of probability of success (or lack) and value of success (or cost)
• Either reduce the chance of failure or reduce the cost of failure

Risk mitigation treatments
– Risk avoidance
– Risk reduction
– Risk retention
– Risk transfer

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An example would be not buying a property or business in order to not take on the liability that comes with it. Another would be not flying in order to not take the risk that the airplane were to be hijacked. Avoidance may seem the answer to all risks, but avoiding risks also means losing out on the potential gain that accepting (retaining) the risk may have allowed. Not entering a business to avoid the risk of loss also avoids the possibility of earning profits.
from Wikipedia

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples include sprinklers designed to put out a fire to reduce the risk of loss by fire.
• Modern software development methodologies reduce risk by developing and delivering software incrementally. Early methodologies suffered from the fact that they only delivered software in the final phase of development; any problems encountered in earlier phases meant costly rework and often jeopardized the whole project.
from Wikipedia

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self insurance falls in this category. Risk retention is a viable strategy for small risks where the cost of insuring against the risk would be greater over time than the total losses sustained. All risks that are not avoided or transferred are retained by default. This includes risks that are so large or catastrophic that they either cannot be insured against or the premiums would be infeasible.
• Also any amount of potential loss (risk) over the amount insured is retained risk.
from Wikipedia

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically by contract or by hedging. Insurance is one type of risk transfer that uses contracts.
• Some ways of managing risk fall into multiple categories. Risk retention pools are technically retaining the risk for the group, but spreading it over the whole group involves transfer among individual members of the group. This is different from traditional insurance, in that no premium is exchanged between members of the group up front, but instead losses are assessed to all members of the group.
from Wikipedia

Risk mitigation
• Distribute your risk – don’t put all your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

Risk mitigation
• Some mitigation approaches for core processes
– Published financial documents – open review
– Probability weighted sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
– Management maintains an accurate awareness of market trends, competitor prices, etc. as determinants of pricing policy.
– Steps are taken to protect commercially sensitive pricing information from unauthorized access and leakage.
from the Wired for Growth™ web site http://www.wiredforgrowth.com/index.jsp?cprofile=N

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
– Determine whether product development has realistic costs and timeframes.
– Check that a detailed budget has been established for product development.
from the Wired for Growth™ web site http://www.wiredforgrowth.com/index.jsp?cprofile=N

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
– Ensure prompt action is taken to reject substandard supplies and arrange replacement stock.
– Verify that measures are in place to assess potential suppliers for their competence and commitment to quality.
– Make sure quality specifications have been defined, authorized and formally documented.
from the Wired for Growth™ web site http://www.wiredforgrowth.com/index.jsp?cprofile=N

Evaluation
(re-evaluation after control)

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with each risk
– determine frequencies of occurrence
– multiply together to calculate the raw Annual Loss Exposure (raw ALE) and sum over all risks

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is meaningful to your organization (ROI, NPV, DCF, IRR, etc)

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by recalculating Annual Loss Exposure assuming all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to controlled recovery
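The re-evaluation steps above (raw ALE from single loss times frequency summed over all risks, ALE recalculated with every control working, cost of the controls, and the resulting improvement) as an added example that is not from the deck. The risk register, loss figures, frequencies, control reduction factors and control costs are all constructed for illustration; it also flags a control whose annual cost exceeds the exposure it removes, which is the check a practitioner wants before calling a mitigation effective.

```python
"""Annual Loss Exposure (ALE) before and after controls.

Added example, not from the slide deck. The register below is
constructed for illustration: dollar figures, frequencies and
control reduction factors are made up, not measured values.
"""
from dataclasses import dataclass, field


@dataclass
class Risk:
    name: str
    single_loss: float          # estimated loss per occurrence, $
    annual_frequency: float     # expected occurrences per year
    # Controls applied to this risk, each as
    # (control name, fraction of exposure it removes, annual cost $)
    controls: list = field(default_factory=list)

    def raw_ale(self):
        """Step 1: annual loss x frequency of occurrence."""
        return self.single_loss * self.annual_frequency

    def controlled_ale(self):
        """Step 2: ALE assuming all controls are working; each control's
        reduction factor is applied in turn to what is left."""
        exposure = self.raw_ale()
        for _name, reduction, _cost in self.controls:
            exposure *= (1.0 - reduction)
        return exposure

    def control_cost(self):
        """Step 3: annual cost of the risk-mitigating controls."""
        return sum(cost for _name, _reduction, cost in self.controls)


def reevaluate(register):
    """Sum the raw and controlled ALE over all risks and compare the
    improvement against what the controls cost."""
    raw = sum(r.raw_ale() for r in register)
    controlled = sum(r.controlled_ale() for r in register)
    cost = sum(r.control_cost() for r in register)
    improvement = raw - controlled
    return {
        "raw_ale": raw,
        "controlled_ale": controlled,
        "control_cost": cost,
        "ale_improvement": improvement,
        "net_benefit": improvement - cost,
    }


def controls_not_paying_off(register):
    """Names of risks whose control spend exceeds the ALE reduction it
    buys, i.e. mitigation costing more than the exposure it removes."""
    return [
        r.name for r in register
        if r.controls and r.control_cost() > r.raw_ale() - r.controlled_ale()
    ]


# Constructed register (illustrative values only)
REGISTER = [
    Risk("ransomware on file server", 250_000, 0.2,
         [("offline backups", 0.8, 12_000), ("endpoint detection", 0.5, 20_000)]),
    Risk("late supplier delivery", 15_000, 4.0,
         [("second-source supplier", 0.5, 8_000)]),
    Risk("payroll data leak", 80_000, 0.05,
         [("data loss prevention gateway", 0.3, 9_000)]),
]

if __name__ == "__main__":
    for key, value in reevaluate(REGISTER).items():
        print(f"{key:>16}: {value:>12,.0f}")
    print("controls not paying off:", controls_not_paying_off(REGISTER))
```

With these constructed figures the total raw ALE of 114,000 falls to 37,800 once controls are assumed to work, for 49,000 of control spend, but the payroll-leak control costs 9,000 to remove only 1,200 of exposure and is flagged.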

Conclusions

Risk management conclusions
• Every process has risk, even when just maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be done by combined cost/benefit comparisons
• Assessment of ongoing processes must be expressed in comparison with expected costs and results
• There is no simple single calculation for risk assessment (FMEA, ROI, …)

Risk management conclusions
After you identify a potential risk, take the five steps to risk management:
1. Define
2. Identify
3. Evaluate
4. Mitigate
5. Control

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide substantial risk
• Consider all four risk cases
• When appropriate, support your assessment with recognized c/b calculations

Risk management conclusions
• Process control - the mitigation tool for the risk management process
– Check lists
– Non-financial indexes (FMEA, cp, etc)
– Financial calculations (ROI, etc)
– SPC
– ...

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding
– Investments
• Home
• Car

Risk management conclusions
“... the greatest risks are never the ones you can see and measure, but the ones you can’t see and therefore can never measure.”
from J Nocera (on N Taleb) in “Risk Mismanagement”, New York Times Sunday Times Magazine pg 28, Jan 4 2009

(Four Case)
Risk Management Analysis
Thank you
Questions?


Slide 6

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses
– Historical information - lessons learned
– Templates: critical path, engineering, ...

42

Evaluation

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

44

Risk evaluation
Risk matrix: frequency (rows) against severity (columns)

Frequency \ Severity | Negligible | Minor | Major | Severe
Frequent             |     L      |   I   |   H   |   H
Probable             |     L      |   I   |   H   |   H
Occasional           |     T      |   I   |   I   |   H
Remote               |     T      |   L   |   I   |   I

45

Risk evaluation

46

Risk evaluation

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN above or below 100, where
– RPN = Severity x Frequency x Detectability

48

Risk evaluation
• Typical approaches for quantification
– Weighted probabilities
– Extended cost
– Future Value or Net Present Value
– Capability analysis
– Value stream mapping
– Cost of poor quality
– Discounted Cash Flow
– Internal Rate of Return

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

50

Risk evaluation
Financial measures of c/b (cost/benefit)
• Return on Investment (ROI)
– Net B/C ratio = (PV of benefits – PV of operating costs) / PV of capital costs

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)^2 + a3/(1+i)^3 + ...

• Where “a” is the return for each period and “i” is the discount rate

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.

56

Risk evaluation
Financial measures of c/b
• IRR
The value of "i" such that Σ (t = 1 to p) a_t / (1+i)^t = 0

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?"
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

59

Risk evaluation
• Four cases for risk evaluation:

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results

61

Risk evaluation
[Chart: the four risk cases plotted as value accrued (+/-) against change implementation: no change / positive outcome, change / positive outcome, no change / negative outcome, change / negative outcome]

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.

63
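The NPV and IRR measures from the slides above, applied to the four risk cases and held against a tolerable loss limit, as an added worked example that is not part of the original presentation. The cash flows, the 8% discount rate, the $80k loss limit and the scenario probabilities are constructed assumptions; IRR is found by bisection, the systematic form of the trial-and-error approximation the slides describe.

```python
"""Four-case risk evaluation with NPV and IRR (worked example).

Added illustration, not code from the original slides. Cash flows are
constructed: each list is the incremental value accrued per period
(year 0..3, thousands of dollars) relative to today's performance, so
period 0 carries the cost of action and later periods the gains or
losses. Notation follows the slides: "a" is a period's flow, "i" the rate.
"""
from typing import Dict, List, Optional, Sequence

# Constructed data for the four cases (slides 61 and 62).
FOUR_CASES: Dict[str, List[float]] = {
    "change / positive outcome":    [-100.0, 50.0, 60.0, 70.0],
    "change / negative outcome":    [-100.0, -20.0, 10.0, 10.0],
    "no change / positive outcome": [0.0, 5.0, 8.0, 10.0],       # learning-curve gains
    "no change / negative outcome": [0.0, -20.0, -25.0, -30.0],  # lost output
}


def npv(rate: float, cash_flows: Sequence[float]) -> float:
    """NPV = a0 + a1/(1+i) + a2/(1+i)^2 + a3/(1+i)^3 + ... (slide 53)."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


def irr(cash_flows, lo=-0.99, hi=10.0, tol=1e-9, max_iter=500) -> Optional[float]:
    """Internal rate of return: the rate i at which npv(i, flows) is zero.

    There is no closed form for more than a couple of periods, so the slides
    describe trial-and-error approximation; bisection is that search made
    systematic, halving the bracket [lo, hi] while NPV changes sign across it.
    Returns None when NPV never changes sign, which is what happens to the
    "do nothing" cases: with no cost of action there is no outlay for the
    returns to be compared against, so no rate of return exists.
    """
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if (f_lo > 0) == (f_hi > 0):
        return None
    for _ in range(max_iter):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol or (hi - lo) < tol:
            return mid
        if (f_lo > 0) == (f_mid > 0):   # root lies in the upper half
            lo, f_lo = mid, f_mid
        else:                           # root lies in the lower half
            hi, f_hi = mid, f_mid
    return (lo + hi) / 2.0


def evaluate_cases(cases: Dict[str, List[float]], rate: float,
                   loss_limit: float) -> Dict[str, dict]:
    """NPV and IRR of each case at the organization's discount rate, plus a
    flag for any case whose loss would exceed the tolerable loss limit."""
    results = {}
    for name, flows in cases.items():
        value = npv(rate, flows)
        results[name] = {
            "npv": round(value, 2),
            "irr": irr(flows),
            "exceeds_loss_limit": value < -loss_limit,
        }
    return results


def compare_decisions(cases: Dict[str, List[float]], rate: float, loss_limit: float,
                      p_positive: Dict[str, float]) -> Dict[str, dict]:
    """Probability-weight the positive and negative case of each decision
    ("change" vs "no change") and hold its worst case against the loss
    limit: a decision can win on expected NPV and still be unacceptable."""
    evaluated = evaluate_cases(cases, rate, loss_limit)
    summary = {}
    for decision, p in p_positive.items():
        pos = evaluated[f"{decision} / positive outcome"]["npv"]
        neg = evaluated[f"{decision} / negative outcome"]["npv"]
        summary[decision] = {
            "expected_npv": round(p * pos + (1.0 - p) * neg, 2),
            "worst_case_npv": min(pos, neg),
            "breaches_loss_limit": min(pos, neg) < -loss_limit,
        }
    return summary


if __name__ == "__main__":
    RATE, LOSS_LIMIT = 0.08, 80.0   # constructed: 8% cost of capital, $80k tolerable loss
    for name, row in evaluate_cases(FOUR_CASES, RATE, LOSS_LIMIT).items():
        irr_txt = "n/a" if row["irr"] is None else f"{row['irr']:.1%}"
        print(f"{name:30s} NPV={row['npv']:8.2f}  IRR={irr_txt:>7s}"
              f"  breaches limit: {row['exceeds_loss_limit']}")
    # Constructed odds: 70% that the change delivers, 50/50 that standing still holds up.
    odds = {"change": 0.7, "no change": 0.5}
    for decision, row in compare_decisions(FOUR_CASES, RATE, LOSS_LIMIT, odds).items():
        print(f"{decision:10s} E[NPV]={row['expected_npv']:7.2f}  worst={row['worst_case_npv']:8.2f}"
              f"  breaches limit: {row['breaches_loss_limit']}")
```

With these figures the change wins on expected NPV (about +6.7 against -22.2 for standing still) yet its negative case loses about 102, beyond the 80 loss limit, which is exactly the tension the slide asks you to keep in mind.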

Mitigation

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure

66

Risk mitigation treatments
• Risk avoidance
• Risk reduction
• Risk retention
• Risk transfer

67

Risk mitigation treatments
• Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured are retained risk.
from Wikipedia

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

72

Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability weighted Sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

73

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)

78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)

80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to
controlled recovery

81
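The ALE recalculation of slides 79 to 81 carried through on a small risk register, as an added worked example that is not part of the original presentation (Python rather than the spreadsheet the slides mention). The risks, loss figures, frequencies, control costs and control effectiveness factors are constructed; the retention flag applies the slide 70 reasoning that a risk whose control costs more than the losses it prevents is a candidate for retention.

```python
"""Annual Loss Exposure (ALE) before and after controls (worked example).

Added illustration, not code from the original slides. The risk register is
constructed; the arithmetic follows slides 79 to 81: raw ALE = estimated loss
per occurrence x occurrences per year, summed over all risks; controlled ALE
assumes every control works; the improvement is the ALE reduction set against
what the controls cost. The same loss-per-event x annual-rate product is the
standard quantitative risk figure in information-security risk assessment.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Control:
    name: str
    annual_cost: float
    # Slide 66: either reduce the chance of failure or reduce the cost of failure.
    frequency_factor: float = 1.0   # 0.25 means 75% fewer occurrences per year
    loss_factor: float = 1.0        # 0.5 means each occurrence costs half as much


@dataclass
class Risk:
    name: str
    loss_per_event: float           # estimated loss each time the risk occurs ($)
    frequency: float                # expected occurrences per year, uncontrolled
    controls: List[Control] = field(default_factory=list)


def raw_ale(risk: Risk) -> float:
    """Slide 79: annual loss x frequency of occurrence, before any control."""
    return risk.loss_per_event * risk.frequency


def controlled_ale(risk: Risk) -> float:
    """Slide 81: ALE recalculated assuming all controls are working.
    Factors multiply, so two controls that each halve the frequency quarter it."""
    freq, loss = risk.frequency, risk.loss_per_event
    for c in risk.controls:
        freq *= c.frequency_factor
        loss *= c.loss_factor
    return loss * freq


def control_cost(risk: Risk) -> float:
    return sum(c.annual_cost for c in risk.controls)


def evaluate_register(risks: List[Risk]) -> Dict[str, dict]:
    """Per risk: raw ALE, controlled ALE, control cost and the improvement the
    controls buy. A control that costs more than the ALE reduction it delivers
    is flagged for retention (slide 70: carrying a small risk is viable when
    insuring against it costs more than the losses it would cause)."""
    rows = {}
    for r in risks:
        raw, ctl, cost = raw_ale(r), controlled_ale(r), control_cost(r)
        reduction = raw - ctl
        net = reduction - cost
        rows[r.name] = {
            "raw_ale": raw,
            "controlled_ale": ctl,
            "ale_reduction": reduction,
            "control_cost": cost,
            "net_benefit": net,
            # Simple annual ROI of the controls: (ALE reduction - cost) / cost.
            "control_roi": (net / cost) if cost else None,
            "recommendation": "retain" if net < 0 else "control",
        }
    return rows


def register_totals(rows: Dict[str, dict]) -> Dict[str, float]:
    """Slide 79: sum over all risks."""
    keys = ("raw_ale", "controlled_ale", "control_cost", "net_benefit")
    return {k: sum(row[k] for row in rows.values()) for k in keys}


# Constructed register. The first entry is the pricing-checklist item from
# slide 75 (protecting commercially sensitive pricing information from leakage).
REGISTER: List[Risk] = [
    Risk("pricing data leak", 250_000, 0.2,
         [Control("access restriction and leak monitoring", 30_000, frequency_factor=0.25)]),
    Risk("substandard supplier lot reaches production", 40_000, 3.0,
         [Control("incoming inspection", 25_000, frequency_factor=0.5)]),
    Risk("work stoppage", 500_000, 0.05,
         [Control("employee relations program", 40_000, frequency_factor=0.5)]),
]

if __name__ == "__main__":
    rows = evaluate_register(REGISTER)
    for name, row in rows.items():
        print(f"{name:45s} raw={row['raw_ale']:>9,.0f}  controlled={row['controlled_ale']:>9,.0f}"
              f"  cost={row['control_cost']:>7,.0f}  net={row['net_benefit']:>9,.0f}  -> {row['recommendation']}")
    print(register_totals(rows))
```

The register's raw ALE of 195,000 falls to 85,000 with all controls working, but the work-stoppage control costs 40,000 to remove 12,500 of exposure, so the per-risk view, not just the total, decides where the mitigation money is justified.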

Conclusions

82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:
– Define
– Identify
– Evaluate
– Mitigate
– Control

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations

85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, cp, etc)
– Financial calculations (ROI, etc)
– SPC
– ...

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding
– Investments
• Home
• Car

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J. Nocera (on N. Taleb), “Risk Mismanagement”,
The New York Times Magazine, p. 28, Jan. 4, 2009

88

(Four Case)
Risk Management Analysis
Thank you
Questions?

89


Slide 7

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
p



The value of "i" such that  at / (1+i) t = 0
t=1

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
James August, CQA 01/21/09

61

Risk evaluation
V a lu e a ccru e d (+ /-)

N o ch an ge
P ositive ou tcom e

C h an ge
P ositive ou tcom e

C h a n g e im p le m e n ta tio n

N o ch an ge
N egative ou tcom e

James August, CQA 01/21/09

C h an ge
N egative ou tcom e

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
James August, CQA 01/21/09

63

Mitigation

James August, CQA 01/21/09

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

James August, CQA 01/21/09

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
James August, CQA 01/21/09

66

Risk mitigation treatments





James August, CQA 01/21/09

Risk avoidance
Risk reduction
Risk retention
Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
James August, CQA 01/21/09

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia
James August, CQA 01/21/09

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia
James August, CQA 01/21/09

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
James August, CQA 01/21/09

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability-weighted sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

Evaluation
(re-evaluation after control)


Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate the loss per occurrence (single loss
expectancy) for each risk
– determine its expected frequency of occurrence
per year
– multiply the two to get the raw Annual Loss
Exposure (raw ALE) for each risk, and sum over
all risks

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)


Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine the effectiveness of mitigation by
recalculating the Annual Loss Exposure assuming
all controls are working as designed
– Determine the annual cost of the risk-mitigating
controls
– Determine the improvement in ALE due to the
controls (raw ALE minus controlled ALE) and
compare it with the cost of the controls; a
control that costs more than the exposure it
removes calls for a different treatment
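The re-evaluation steps above, carried through on a small risk register, as an added example (this is not code from the deck). Everything in it is an assumption chosen for illustration: the risk names, loss and frequency figures, control costs and the 75,000 loss limit are constructed, and the arithmetic follows the slides (loss per occurrence times occurrences per year, summed over risks, recomputed with the controls in place, then set against what the controls cost).

```python
"""Annual Loss Exposure (ALE) before and after controls.

Added worked example for the re-evaluation steps described above; it is
not code from the original presentation. The risk register (names, loss
figures, frequencies, control costs) and the loss limit are constructed,
hypothetical inputs that only serve to show the arithmetic.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Risk:
    name: str
    loss_per_event: float          # loss if the event happens once (single loss expectancy), $
    events_per_year: float         # expected occurrences per year, with no controls
    control_cost_per_year: float   # annual cost of the mitigating controls, $
    # Factors after mitigation; None means the control leaves that factor unchanged.
    controlled_loss_per_event: Optional[float] = None
    controlled_events_per_year: Optional[float] = None

    def raw_ale(self) -> float:
        """Raw ALE: loss per occurrence x occurrences per year, no controls."""
        return self.loss_per_event * self.events_per_year

    def worst_single_loss_with_controls(self) -> float:
        return (self.loss_per_event if self.controlled_loss_per_event is None
                else self.controlled_loss_per_event)

    def controlled_ale(self) -> float:
        """ALE recalculated assuming every control is working as designed."""
        aro = (self.events_per_year if self.controlled_events_per_year is None
               else self.controlled_events_per_year)
        return self.worst_single_loss_with_controls() * aro

    def ale_reduction(self) -> float:
        return self.raw_ale() - self.controlled_ale()


def total_raw_ale(register: List[Risk]) -> float:
    """Sum of raw ALE over all risks (treats the risks as independent)."""
    return sum(r.raw_ale() for r in register)


def total_controlled_ale(register: List[Risk]) -> float:
    return sum(r.controlled_ale() for r in register)


def total_control_cost(register: List[Risk]) -> float:
    return sum(r.control_cost_per_year for r in register)


def net_benefit(register: List[Risk]) -> float:
    """Improvement in ALE minus the cost of the controls: positive means the
    control programme as a whole pays for itself."""
    return total_raw_ale(register) - total_controlled_ale(register) - total_control_cost(register)


def controls_that_do_not_pay(register: List[Risk]) -> List[str]:
    """Risks whose controls cost more per year than the exposure they remove;
    candidates for a different treatment (retention, transfer)."""
    return [r.name for r in register if r.ale_reduction() < r.control_cost_per_year]


def over_loss_limit(register: List[Risk], loss_limit: float) -> List[str]:
    """ALE is an average. A single occurrence can still exceed the tolerable
    loss limit even when its ALE looks small, so check the per-event loss
    (with controls) against the limit separately."""
    return [r.name for r in register if r.worst_single_loss_with_controls() > loss_limit]


# Constructed register; hypothetical figures, not from the deck.
REGISTER = [
    Risk("Ransomware on file server", 250_000, 0.2, 18_000,
         controlled_loss_per_event=40_000, controlled_events_per_year=0.1),  # backups + EDR
    Risk("Lost laptop with customer data", 30_000, 2.0, 6_000,
         controlled_loss_per_event=2_000),      # disk encryption: same frequency, far smaller loss
    Risk("Warehouse fire", 1_000_000, 0.01, 12_000,
         controlled_loss_per_event=100_000),    # sprinklers: reduce severity, not frequency
]
TOLERABLE_LOSS_LIMIT = 75_000  # hypothetical worst single loss the organization can absorb


if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name:32s} raw ALE {r.raw_ale():>9,.0f}  controlled ALE {r.controlled_ale():>7,.0f}"
              f"  control cost {r.control_cost_per_year:>7,.0f}")
    print(f"total raw ALE        {total_raw_ale(REGISTER):>9,.0f}")
    print(f"total controlled ALE {total_controlled_ale(REGISTER):>9,.0f}")
    print(f"total control cost   {total_control_cost(REGISTER):>9,.0f}")
    print(f"net benefit          {net_benefit(REGISTER):>9,.0f}")
    print("controls that do not pay:", controls_that_do_not_pay(REGISTER))
    print("single event over loss limit:", over_loss_limit(REGISTER, TOLERABLE_LOSS_LIMIT))
```

On these figures the programme as a whole pays (raw ALE 120,000, controlled ALE 9,000, controls 36,000 a year, net 75,000), but the sprinkler control fails the per-risk test: it removes 9,000 a year of exposure for 12,000. The ALE comparison alone would push that risk toward retention, while the loss-limit check shows it is the one risk whose single occurrence (100,000) still exceeds what the organization can absorb, which points to transfer (insurance) rather than retention. Two caveats the arithmetic hides: summing ALE assumes the risks are independent, and an expected value says nothing about variance, which is the point of the closing quotation.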

Conclusions


Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:

(1) Define
(2) Identify
(3) Evaluate
(4) Mitigate
(5) Control

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations


Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, Cp, etc.)
– Financial calculations (ROI, etc.)
– SPC
– ...

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from Joe Nocera (on Nassim Taleb), “Risk Mismanagement”,
The New York Times Magazine, p. 28, Jan. 4, 2009

(Four Case)
Risk Management Analysis
Thank you
Questions?



Slide 8

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-at-risk
is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.

from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value ¹P one trading day from now (figure not
reproduced in this transcript). The portfolio's
current value ⁰p is known.
Value-at-risk equals the amount of money such
that there is a 90% probability of the portfolio
losing less than that amount over the next
trading day.

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA


Definition


Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira


Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.


Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability


Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large


Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $


Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output


Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.


Risk definition
[Figure: four-quadrant chart. Vertical axis: Value accrued (+/-); horizontal axis: Cost of action. Quadrants: small cost, small gains; big cost, big gains; small cost, small losses; big cost, big losses.]

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues

Risk definition
[Figure: the same four-quadrant chart (Value accrued (+/-) against Cost of action), annotated: the small cost, big gains region is labelled “no brainer”, the big cost, big losses region is labelled “not a good idea”, and a line on the loss side marks the tolerable loss limit.]

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures


Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.


Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level

Identification


Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.

Risk identification
What is at risk?


Risk identification
What is at risk?
Achieving your objectives!


Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008

Risk identification
• core business op’ns & processes
– acquire new customers
– take orders
– procure materials
– create products, manage inventories
– deliver products
– collect payments

Risk identification
• core sales sub-processes
– market research
– pricing
– promotion and advertising
– order taking (order entry)
– warranty management

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection


Risk identification
• core operations sub-processes
– materials sourcing (availability)
– quality control (product & process)
– plant & workplace safety
– environmental concerns
– inventory
– logistics and transport

Risk identification
• core finance sub-processes
– budgeting
– accounts receivable and payable
– banking
– currency exchange
– MIS and IT processes

Risk identification
• support business processes
– strategic planning
– brand management
– facilities and infrastructure management
– process engineering
– capital investment
– asset management

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management

Risk identification
• support business sub-processes
– quality assurance
– predictive/ preventive maintenance
– recruitment, compensation
– employee relations (work stoppages)
– employee performance mgt
– payroll, benefits, ...

Risk identification
• other business areas
– outplacement
– employee well-being
– insurance
– mergers & acquisitions
– construction / expansion

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.
– Strengths
– Weaknesses
– Opportunities
– Threats

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...

Evaluation


Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?


Risk evaluation
Frequency / Severity matrix (ratings as lettered on the slide: T, L, I, H)

Frequency    | Negligible | Minor | Major | Severe
-------------+------------+-------+-------+-------
Frequent     |     L      |   I   |   H   |   H
Probable     |     L      |   I   |   H   |   H
Occasional   |     T      |   I   |   I   |   H
Remote       |     T      |   L   |   I   |   I


Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criterion: compare the RPN against a threshold
(100 is a common cut-off for requiring action), where
– RPN = Severity x Occurrence (frequency) x Detection,
each scored on a 1–10 scale

Risk evaluation
• Typical approaches for quantification
– Weighted probabilities
– Extended cost
– Future Value or Net Present Value
– Capability analysis
– Value stream mapping
– Cost of poor quality
– Discounted Cash Flow
– Internal Rate of Return

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency


Risk evaluation
Financial measures of c/b
• Return on Investment (ROI)
– Net B/C ratio = (PV of benefits – PV of operating
costs) / PV of capital costs

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.

Risk evaluation

• NPV = a_0 + a_1/(1+i) + a_2/(1+i)^2 + a_3/(1+i)^3 + ...
= Σ_{t=0}^{p} a_t / (1+i)^t

• Where
a_t is the net cash flow (return less outlay) in period t,
a_0 is the cash flow now (undiscounted), and i is the
discount rate per period

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
In general the IRR cannot be isolated by an
algebraic formula; it has to be found numerically,
by iteratively narrowing in on the rate at which
the NPV crosses zero (which is what spreadsheet
IRR functions do).

Risk evaluation
Financial measures of c/b
• IRR
– The value of i such that a_0 + Σ_{t=1}^{p} a_t / (1+i)^t = 0,
i.e. the discount rate at which the present value
of the future cash flows a_1 ... a_p exactly covers
the initial outlay −a_0 (NPV = 0)

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?"
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.


Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results

Risk evaluation
[Figure: four-case chart. Vertical axis: Value accrued (+/-); horizontal axis: Change implementation. Quadrants: no change, positive outcome; change, positive outcome; no change, negative outcome; change, negative outcome.]

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
tolerable loss limit (risk tolerance).
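The NPV and IRR formulas from the preceding slides and the four-case comparison just described, as an added example (not code from the deck). The cash-flow streams for the four cases, the 10% discount rate and the −60,000 tolerable loss limit are constructed, hypothetical figures; the NPV function is the slide's formula with period 0 undiscounted, and the IRR is found by the kind of numerical search the deck alludes to, with the bracket and tolerance values being assumptions of this example.

```python
"""NPV, IRR and the four-case comparison.

Added worked example for the NPV/IRR slides and the four risk cases; it is
not code from the original presentation. The cash-flow streams, discount
rate and tolerable loss limit below are constructed, hypothetical figures.
"""
from typing import Dict, List, Optional


def npv(rate: float, cashflows: List[float]) -> float:
    """NPV = a_0 + a_1/(1+i) + a_2/(1+i)^2 + ...  cashflows[t] is the net
    cash flow a_t in period t; t = 0 is now, so a_0 is not discounted."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cashflows))


def irr(cashflows: List[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-10, max_iter: int = 500) -> Optional[float]:
    """The rate i at which npv(i, cashflows) == 0, found by bisection.
    There is no closed form for a general stream, so the rate is located by
    an iterative search, as spreadsheet IRR functions do. Returns None when
    NPV has the same sign at both ends of the bracket: a stream whose flows
    never change sign has no IRR, and a single rate cannot summarize it."""
    f_lo, f_hi = npv(lo, cashflows), npv(hi, cashflows)
    if f_lo * f_hi > 0:
        return None
    for _ in range(max_iter):
        mid = 0.5 * (lo + hi)
        f_mid = npv(mid, cashflows)
        if abs(f_mid) < tol or (hi - lo) < tol:
            return mid
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return 0.5 * (lo + hi)


DISCOUNT_RATE = 0.10              # hypothetical cost of capital per period
TOLERABLE_LOSS_LIMIT = -60_000.0  # hypothetical: most negative NPV the organization can absorb

# Constructed annual net cash flows for the four cases (period 0 = now).
FOUR_CASES: Dict[str, List[float]] = {
    # implement the change and achieve the planned results: outlay now, gains later
    "change, positive outcome": [-80_000, 30_000, 35_000, 40_000, 40_000],
    # implement the change with adverse results: outlay now, rework, little gain
    "change, negative outcome": [-80_000, -20_000, 5_000, 10_000, 10_000],
    # do nothing and get learning-curve improvement: no outlay, small gains
    "no change, positive outcome": [0, 4_000, 5_000, 6_000, 6_000],
    # do nothing and get adverse results: no outlay, growing lost output
    "no change, negative outcome": [0, -10_000, -20_000, -30_000, -40_000],
}


def evaluate_cases(cases: Dict[str, List[float]], rate: float,
                   loss_limit: float) -> Dict[str, dict]:
    """NPV (and IRR where one exists) for each case, plus whether the case
    stays within the tolerable loss limit. The do-nothing cases have no
    outlay, so they have no IRR; NPV is what lets all four be compared."""
    return {
        name: {"npv": npv(rate, flows), "irr": irr(flows),
               "within_limit": npv(rate, flows) >= loss_limit}
        for name, flows in cases.items()
    }


if __name__ == "__main__":
    results = evaluate_cases(FOUR_CASES, DISCOUNT_RATE, TOLERABLE_LOSS_LIMIT)
    for name, result in results.items():
        r = result["irr"]
        irr_txt = "n/a" if r is None else f"{r:.1%}"
        print(f"{name:28s} NPV {result['npv']:>10,.0f}  IRR {irr_txt:>6s}"
              f"  within limit: {result['within_limit']}")
```

On these figures the change has the better upside (NPV about +33,600 at 10%, IRR about 27%), but its adverse case (about −79,700) breaches the −60,000 limit, and so does the do-nothing adverse case (about −75,500): the RTP decision hides a downside as large as the ITP one, which is why all four cases are evaluated rather than only the planned outcome. IRR is reported only where it exists; comparing across cases is done on NPV.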

Mitigation


Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.


Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure

Risk mitigation treatments
• Risk avoidance
• Risk reduction
• Risk retention
• Risk transfer

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia
James August, CQA 01/21/09

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia
James August, CQA 01/21/09

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
James August, CQA 01/21/09

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools





Design for Six Sigma
Investment hedging
Concurrent Engineering
Employee education & training

James August, CQA 01/21/09

72

Risk mitigation
• Some mitigation approaches for core
processes





Published financial documents – open review
Probability weighted Sales forecasts
Raw material cost projections
FTA and FMEA for design and process
• simulations and prototyping

– Inventory ABC analysis
James August, CQA 01/21/09

73

Risk mitigation
• and







Freight carrier performance statistics
Statistical Process Control
Electronic surveillance
Hedging
Invoice aging analysis and variance
Process check lists

James August, CQA 01/21/09

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for GrowthTM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
James August, CQA 01/21/09

from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)

James August, CQA 01/21/09

78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks

James August, CQA 01/21/09

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)

James August, CQA 01/21/09

80

Risk evaluation revisited
• Re-evaluate costs and benefit
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE to to
controlled recovery

James August, CQA 01/21/09

81

Conclusions

James August, CQA 01/21/09

82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)
James August, CQA 01/21/09

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:

Control
Mitigate
Evaluate
Identify
Define
James August, CQA 01/21/09

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations

James August, CQA 01/21/09

85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists





Non-financial indexes (FMEA, cp, etc)
Financial calculations (ROI, etc)
SPC
...

James August, CQA 01/21/09

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car
James August, CQA 01/21/09

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009

James August, CQA 01/21/09

88

(Four Case)
Risk Management Analysis
Thank you
Questions?

James August, CQA 01/21/09

89


Slide 9

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output


Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.


Risk definition
[Figure: 2x2 grid. Vertical axis: Value accrued (+/-).
Horizontal axis: Cost of action. Quadrants: big cost, big gains;
small cost, small gains; small cost, small losses; big cost, big losses.]

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues

Risk definition
[Figure: the same 2x2 grid. Vertical axis: Value accrued (+/-).
Horizontal axis: Cost of action. Quadrants: big cost, big gains;
small cost, small gains; small cost, small losses; big cost, big losses.
Three annotations are added: the small cost / big gains region is
labelled "no brainer", the big cost / big losses region is labelled
"not a good idea", and a line on the loss side of the value axis marks
the tolerable loss limit.]

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures


Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.


Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level

Identification


Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28


Risk identification
What is at risk?
Achieving your objectives!


Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008

Risk identification
• core business op'ns & processes
– acquire new customers
– take orders
– procure materials
– create products, manage inventories
– deliver products
– collect payments

Risk identification
• core sales sub-processes
– market research
– pricing
– promotion and advertising
– order taking (order entry)
– warranty management

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection


Risk identification
• core operations sub-processes
– materials sourcing (availability)
– quality control (product & process)
– plant & workplace safety
– environmental concerns
– inventory
– logistics and transport

Risk identification
• core finance sub-processes
– budgeting
– accounts receivable and payable
– banking
– currency exchange
– MIS and IT processes

Risk identification
• support business processes
– strategic planning
– brand management
– facilities and infrastructure management
– process engineering
– capital investment
– asset management

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, SOx, ...)
– supplier evaluation, management

Risk identification
• support business sub-processes
– quality assurance
– predictive/ preventive maintenance
– recruitment, compensation
– employee relations (work stoppages)
– employee performance mgt
– payroll, benefits, ...

Risk identification
• other business areas
– outplacement
– employee well-being
– insurance
– mergers & acquisitions
– construction / expansion

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.
– Strengths
– Weaknesses
– Opportunities
– Threats

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses
– Historical information - lessons learned
– Templates: critical path, engineering, ...

Evaluation


Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?


Risk evaluation
Risk matrix: rows are frequency of occurrence, columns are
severity. The cell codes (T, L, I, H) are the slide's own
risk-level labels, increasing in risk from T to H.

Frequency     Negligible   Minor   Major   Severe
Frequent          L          I       H       H
Probable          L          I       H       H
Occasional        T          I       I       H
Remote            T          L       I       I


Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criterion: whether RPN is above or below a
threshold (100 is the common cut-off), where
– RPN = Severity x Occurrence (frequency) x
Detection, each scored 1-10; detection is
scored so that a failure that is harder to
detect gets the higher number, so a high RPN
is always bad

Risk evaluation
• Typical approaches for quantification
– Weighted probabilities
– Extended cost
– Future Value or Net Present Value
– Capability analysis
– Value stream mapping
– Cost of poor quality
– Discounted Cash Flow
– Internal Rate of Return

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency


Risk evaluation
Financial measures of cost/benefit (c/b)

• Return on Investment (ROI)
ROI = (gain from the action – cost of the action) / cost of the action

Net B/C ratio = (PV of benefits – PV of operating
costs) / PV of capital costs

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.

Risk evaluation

• $\mathrm{NPV} = a_0 + \dfrac{a_1}{1+i} + \dfrac{a_2}{(1+i)^2} + \dfrac{a_3}{(1+i)^3} + \dots = \sum_{t=0}^{p} \dfrac{a_t}{(1+i)^t}$

• Where
$a_t$ is the net cash flow in period $t$ ($a_0$, the
outlay made now, is normally negative and is not
discounted), $i$ is the discount rate per period and
$p$ is the number of periods

Risk evaluation
Financial measures of c/b
• Discounted cash flow (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.

Risk evaluation
• The internal rate of return (IRR) is the discount
rate such that the discounted sum of net cash
flows is zero. If the discount rate were equal to the
IRR, the net present value would be exactly zero.
Except for very short cash-flow streams the IRR has
no closed-form algebraic solution; it has to be found
numerically (trial and error, bisection, or a
spreadsheet's IRR function). A stream whose sign
changes more than once can have more than one IRR,
or none, so check that the NPV crosses zero exactly
once before trusting the number.

Risk evaluation
Financial measures of c/b
• IRR

The value of $i$ such that $\displaystyle\sum_{t=0}^{p} \frac{a_t}{(1+i)^t} = 0$

(equivalently, with $a_0$ the initial outlay,
$\sum_{t=1}^{p} a_t/(1+i)^t = -a_0$: the present value
of the future cash flows just covers the cost of the
investment)

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?"
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
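The NPV and IRR definitions above, carried through in code. This is an added example, not from the original slides; the cash-flow stream PROJECT is constructed for illustration and the function names (npv, irr, sign_changes, accept) are the example's own. Notation follows the slides: $a_t$ is the net cash flow in period $t$ and $i$ the rate. The IRR is found by bisection, the "trial and error" the slides refer to, after checking that the cash flows change sign exactly once, which is the condition under which exactly one IRR above -100% exists.

```python
"""NPV and IRR for a cash-flow stream a_0, a_1, ..., a_p.

Added worked example, not from the original slides. Notation follows the
slides: a_t is the net cash flow in period t (a_0 is the outlay made now,
normally negative) and i is the discount rate per period.
"""
from typing import Sequence


def npv(rate: float, cashflows: Sequence[float]) -> float:
    """NPV = sum_{t=0}^{p} a_t / (1 + i)^t; a_0 is not discounted."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cashflows))


def sign_changes(cashflows: Sequence[float]) -> int:
    """Number of sign changes in the stream, ignoring zero entries.

    By Descartes' rule of signs the stream has exactly one IRR above -100%
    when it changes sign exactly once; with more sign changes there may be
    several IRRs or none, and a single returned number would mislead.
    """
    signs = [a > 0 for a in cashflows if a != 0]
    return sum(1 for s, nxt in zip(signs, signs[1:]) if s != nxt)


def irr(cashflows: Sequence[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-10) -> float:
    """Rate at which NPV is zero, found by bisection on [lo, hi].

    No algebraic formula exists for more than a few periods, so the root is
    bracketed and the bracket halved until it is narrower than tol.
    """
    if sign_changes(cashflows) != 1:
        raise ValueError("cash flows must change sign exactly once for a unique IRR")
    f_lo, f_hi = npv(lo, cashflows), npv(hi, cashflows)
    if f_lo * f_hi > 0:
        raise ValueError("IRR lies outside the search bracket [lo, hi]")
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cashflows)
        if f_lo * f_mid <= 0:   # root lies in [lo, mid]
            hi, f_hi = mid, f_mid
        else:                   # root lies in [mid, hi]
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


def accept(cashflows: Sequence[float], cost_of_capital: float) -> bool:
    """Investment view: worth doing when the IRR exceeds the cost of capital.

    For a conventional stream (one sign change) this agrees with NPV > 0 at
    the cost of capital; both are computed so the agreement is checked.
    """
    by_irr = irr(cashflows) > cost_of_capital
    by_npv = npv(cost_of_capital, cashflows) > 0
    assert by_irr == by_npv, "IRR and NPV rules disagree; stream is not conventional"
    return by_irr


# Constructed example: 1,000 invested now, 400 back at the end of each of
# the next three periods.
PROJECT = [-1000.0, 400.0, 400.0, 400.0]

if __name__ == "__main__":
    print(f"NPV at 10%: {npv(0.10, PROJECT):.2f}")   # slightly negative
    print(f"IRR: {irr(PROJECT):.4%}")                 # between 9% and 10%
    print("accept at 8% cost of capital:", accept(PROJECT, 0.08))
```

For PROJECT the NPV is positive at 9% and negative at 10%, so the IRR sits between them, and the accept/reject answer flips as the cost of capital crosses it. A stream such as -100, +230, -132 changes sign twice and is refused rather than silently given one of its two roots.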

Risk evaluation

• Excel spreadsheets can do PV, NPV, IRR and other
financial value calculations.
• One trap: Excel's NPV() function treats its first
value as falling at the end of period 1, so the
period-0 outlay must be added outside the function
(= a_0 + NPV(i, a_1 ... a_p)); feeding a_0 into NPV()
discounts the outlay by one period and overstates
the result.


Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results

Risk evaluation
[Figure: 2x2 grid of the four cases. Vertical axis: Value accrued (+/-).
Horizontal axis: Change implementation. Quadrants: No change / Positive
outcome; Change / Positive outcome; No change / Negative outcome;
Change / Negative outcome.]

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep the organization's tolerable loss
limit (risk tolerance) in mind: a decision
whose worst case exceeds it is ruled out
regardless of its expected value.
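The four-case comparison above, carried through as an added example that is not part of the original slides. Each decision (change, no change) gets its positive and negative outcome with a constructed probability and cash-flow stream, every case is valued by NPV at rate $i$ as in the slides' formula, and the tolerable loss limit is applied the way the "not a good idea" quadrant earlier in the deck implies: as a hard limit on the worst case of each decision, checked before expected values are compared. The helper names (Case, Decision, evaluate, recommend) and all figures are the example's own.

```python
"""Four-case risk evaluation for a proposed process change.

Added worked example, not from the original slides. Each of the four cases
(change / no change, each with a positive and a negative outcome) gets a
probability and a cash-flow stream a_0 ... a_p, is valued by NPV at rate i,
and the worst case of each decision is checked against the tolerable loss
limit. All figures are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


def npv(rate: float, cashflows: Sequence[float]) -> float:
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cashflows))


@dataclass
class Case:
    name: str                # e.g. "change / positive outcome"
    probability: float       # chance of this outcome given the decision
    cashflows: List[float]   # a_0 (now), a_1, ... per period


@dataclass
class Decision:
    name: str                # "change" or "no change"
    cases: List[Case]        # its positive and negative outcomes


def evaluate(decision: Decision, rate: float, tolerable_loss: float) -> Dict[str, object]:
    total = sum(c.probability for c in decision.cases)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"{decision.name}: outcome probabilities sum to {total}, not 1")
    values = {c.name: npv(rate, c.cashflows) for c in decision.cases}
    expected = sum(c.probability * values[c.name] for c in decision.cases)
    worst = min(values.values())
    return {
        "decision": decision.name,
        "npv_by_case": values,
        "expected_npv": expected,
        "worst_case_npv": worst,
        # The tolerable loss limit is a hard constraint, not a term in the
        # average: a decision whose worst case breaches it is out even if
        # its expected value is the best on the table.
        "within_limit": worst >= -tolerable_loss,
    }


def recommend(decisions: Sequence[Decision], rate: float,
              tolerable_loss: float) -> Dict[str, object]:
    results = [evaluate(d, rate, tolerable_loss) for d in decisions]
    admissible = [r for r in results if r["within_limit"]]
    choice: Optional[str] = None
    if admissible:
        choice = max(admissible, key=lambda r: r["expected_npv"])["decision"]
    return {"choice": choice, "results": results}


# Constructed figures: a 50,000 process change, three annual periods, i = 10%.
RATE = 0.10
DECISIONS = [
    Decision("change", [
        Case("change / positive outcome", 0.7, [-50_000, 40_000, 40_000, 40_000]),
        Case("change / negative outcome", 0.3, [-50_000, -15_000, -15_000, -15_000]),
    ]),
    Decision("no change", [
        # "do nothing" has no outlay; the upside is learning-curve
        # improvement, the downside is lost output as the process decays
        Case("no change / positive outcome", 0.5, [0, 5_000, 5_000, 5_000]),
        Case("no change / negative outcome", 0.5, [0, -25_000, -25_000, -25_000]),
    ]),
]

if __name__ == "__main__":
    for limit in (100_000, 70_000):
        out = recommend(DECISIONS, RATE, limit)
        print(f"tolerable loss {limit:,}: choose {out['choice']}")
        for r in out["results"]:
            print(f"  {r['decision']:<10} expected {r['expected_npv']:>10,.0f} "
                  f"worst {r['worst_case_npv']:>10,.0f} within limit {r['within_limit']}")
```

With a 100,000 tolerable loss limit "change" wins on expected NPV (roughly +8,400 against -24,900 for standing still). At a 70,000 limit the change's negative case (about -87,300) breaches the limit and "no change" is recommended despite its lower expectation; at 50,000 neither decision is admissible and the answer is that the limit, not the valuation, has to be revisited.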

Mitigation


Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.


Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure

Risk mitigation treatments
• Risk avoidance
• Risk reduction
• Risk retention
• Risk transfer

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amount of potential loss (risk) above the
amount insured is retained risk.
from Wikipedia

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability weighted sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth(TM) web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for Growth(TM) web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
from the Wired for Growth(TM) web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

Evaluation
(re-evaluation after control)


Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate the loss per occurrence (single loss
expectancy) of each risk
– determine the expected annual frequency of
occurrence of each risk
– multiply the two to get each risk's raw
Annual Loss Exposure (raw ALE) and sum
over all risks

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)


Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine the effectiveness of mitigation by
recalculating the Annual Loss Exposure on the
assumption that all controls are working as
designed (and verify that assumption: a control
that has never been exercised is an unverified
assumption, and so a risk in its own right)
– Determine the annual cost of the risk-mitigating
controls
– Determine the improvement in ALE attributable
to the controls (raw ALE minus controlled ALE)
and compare it with their cost
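The re-evaluation steps above (raw ALE, controlled ALE, cost of controls, improvement) carried through over a small constructed risk register. This is an added example, not from the slides; the risks, controls, figures and helper names (Risk, Control, ale, apply_controls, evaluate, each_control_alone) are the example's own. The slides' Annual Loss Exposure is computed as loss per occurrence times annual frequency, the same quantity security risk analyses call annual loss expectancy (SLE x ARO). The controlled figure is only as good as the assumption that every control works, which is why the backup control is named with tested restores: an untested restore is an unverified assumption, and the deck's own definition makes that a risk.

```python
"""Annual Loss Exposure (ALE) before and after controls, and what the
controls are worth.

Added worked example, not from the slides; the register is constructed.

Per risk:   ALE = loss per occurrence (single loss expectancy) x annual frequency
Raw ALE:    sum over all risks with no controls in place
Controlled: the same sum after each control reduces loss and/or frequency
Net value of the control set: (raw ALE - controlled ALE) - annual control cost
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class Risk:
    name: str
    loss_per_event: float    # single loss expectancy, in dollars
    annual_frequency: float  # expected occurrences per year (may be below 1)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    covers: str                    # Risk.name the control acts on
    frequency_factor: float = 1.0  # 0.5 = halves how often the loss occurs
    loss_factor: float = 1.0       # 0.25 = cuts the loss, when it occurs, to a quarter


def ale(risk: Risk) -> float:
    return risk.loss_per_event * risk.annual_frequency


def apply_controls(risks: Sequence[Risk], controls: Sequence[Control]) -> List[Risk]:
    """The register as it looks if every control works exactly as designed."""
    reduced = []
    for r in risks:
        freq, loss = r.annual_frequency, r.loss_per_event
        for c in controls:
            if c.covers == r.name:
                freq *= c.frequency_factor
                loss *= c.loss_factor
        reduced.append(Risk(r.name, loss, freq))
    return reduced


def evaluate(risks: Sequence[Risk], controls: Sequence[Control]) -> Dict[str, float]:
    raw = sum(ale(r) for r in risks)
    controlled = sum(ale(r) for r in apply_controls(risks, controls))
    cost = sum(c.annual_cost for c in controls)
    return {
        "raw_ale": raw,
        "controlled_ale": controlled,
        "control_cost": cost,
        "ale_reduction": raw - controlled,
        "net_benefit": raw - controlled - cost,
    }


def each_control_alone(risks: Sequence[Risk], controls: Sequence[Control]) -> Dict[str, float]:
    """Net annual benefit of each control taken on its own.

    Controls on the same risk combine multiplicatively, so this is a
    screening figure for which controls pay for themselves, not a marginal
    contribution inside the full set.
    """
    raw = sum(ale(r) for r in risks)
    return {
        c.name: (raw - sum(ale(r) for r in apply_controls(risks, [c]))) - c.annual_cost
        for c in controls
    }


# Constructed register: three risks, three candidate controls, all annual.
RISKS = [
    Risk("ransomware outbreak", 400_000, 0.2),          # ALE 80,000
    Risk("lost laptop with customer data", 50_000, 2.0),  # ALE 100,000
    Risk("supplier delivery failure", 20_000, 1.5),     # ALE 30,000
]
CONTROLS = [
    Control("offline backups with tested restores", 30_000, "ransomware outbreak", loss_factor=0.25),
    Control("full-disk encryption on laptops", 15_000, "lost laptop with customer data", loss_factor=0.1),
    Control("dual sourcing", 40_000, "supplier delivery failure", frequency_factor=0.5),
]

if __name__ == "__main__":
    for k, v in evaluate(RISKS, CONTROLS).items():
        print(f"{k:<16} {v:>12,.0f}")
    for name, net in each_control_alone(RISKS, CONTROLS).items():
        print(f"{name:<40} net {net:>+10,.0f} per year")
```

The full set cuts the raw ALE of 210,000 to 45,000 for 85,000 a year in control cost, a net 80,000. Screened one at a time, encryption and backups each pay for themselves while dual sourcing costs 40,000 to remove 15,000 of exposure, which is the kind of control the re-evaluation step is meant to surface.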


Conclusions


Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:

– Define
– Identify
– Evaluate
– Mitigate
– Control

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations


Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, Cp, etc.)
– Financial calculations (ROI, etc.)
– SPC
– ...

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009


(Four Case)
Risk Management Analysis
Thank you
Questions?



Slide 10

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.

Risk evaluation
• The internal rate of return (IRR) is the discount rate at which the
discounted sum of the net cash flows is zero: at a discount rate equal to
the IRR, the net present value is exactly zero. There is no closed-form
formula for it in general, so it is found numerically (bisection, Newton's
method, or a spreadsheet solver). A cash flow stream that changes sign more
than once may have several IRRs or none, so check the NPV profile rather
than trusting a single reported rate.

Risk evaluation
Financial measures of c/b
• IRR

The value of i such that  sum over t = 0 .. p of  a_t / (1+i)^t  = 0

(the same series as the NPV formula: a0 is the initial outlay, entered as a
negative amount, and p is the last period)


Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?"
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.
• One caveat when using them: Excel's NPV() discounts its first value as
if it arrived at the end of period 1, so the period-0 outlay a0 must be
added outside the function (=a0 + NPV(i, a1:ap)); IRR() takes the whole
stream including a0.
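An added example, not code from the slides or from Excel, that carries the NPV formula above into code and finds the IRR by the "trial and error" the slides mention, done here as a bisection search. Cash flows follow the slides' convention that a0 is the period-0 outlay; the four-period stream is constructed.

```python
"""Net present value and internal rate of return for a cash-flow stream.

Added example, not code from the original slides. flows[0] is the period-0
amount (the initial outlay, negative) and flows[t] the net cash flow at the
end of period t, as on the NPV slide. The sample stream is constructed.
"""


def npv(rate: float, flows) -> float:
    """NPV = a0 + a1/(1+i) + a2/(1+i)^2 + ... at discount rate i."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(flows))


def sign_changes(flows) -> int:
    """Number of sign changes in the stream, ignoring zero flows."""
    nonzero = [a for a in flows if a != 0]
    return sum(1 for x, y in zip(nonzero, nonzero[1:]) if (x < 0) != (y < 0))


def irr(flows, lo: float = -0.99, hi: float = 10.0, tol: float = 1e-10) -> float:
    """Rate i at which npv(i, flows) == 0, found by bisection on [lo, hi].

    IRR has no closed form; this is the "trial and error" done systematically.
    A stream with exactly one sign change has exactly one IRR; anything else
    may have several or none, so it is rejected rather than guessed at.
    """
    if sign_changes(flows) != 1:
        raise ValueError("stream must change sign exactly once for a unique IRR")
    f_lo, f_hi = npv(lo, flows), npv(hi, flows)
    if (f_lo < 0) == (f_hi < 0):
        raise ValueError("NPV does not change sign on the search interval")
    for _ in range(200):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, flows)
        if abs(f_mid) < tol or hi - lo < tol:
            return mid
        if (f_lo < 0) != (f_mid < 0):
            hi, f_hi = mid, f_mid      # root lies in the lower half
        else:
            lo, f_lo = mid, f_mid      # root lies in the upper half
    return (lo + hi) / 2.0


# Constructed: 1,000 out now, 400 back at the end of each of three periods.
SAMPLE_FLOWS = [-1000.0, 400.0, 400.0, 400.0]

if __name__ == "__main__":
    for i in (0.05, 0.10, 0.15):
        print(f"NPV at {i:.0%}: {npv(i, SAMPLE_FLOWS):9.2f}")
    print(f"IRR: {irr(SAMPLE_FLOWS):.4%}")
```

For the sample stream NPV is positive at 5%, slightly negative at 10%, and the IRR lands just above 9.7%; a stream such as -100, +250, -160 is refused because its two sign changes leave the rate ambiguous.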


Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform the primary cost/benefit
analyses assuming the planned results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results

Risk evaluation
[Figure: the four cases plotted on two axes. Horizontal axis: Change
implementation (no change vs. change). Vertical axis: Value accrued (+/-).
Quadrants: No change / Positive outcome; Change / Positive outcome;
No change / Negative outcome; Change / Negative outcome.]

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
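An added example, not part of the original slides, of the comparison this slide asks for: each of the four cases is valued with NPV, the change and no-change decisions are weighted by outcome probabilities, and any decision whose worst case exceeds the tolerable loss limit is ruled out before expected values are compared. The probabilities, cash flows, 10% rate and loss limit are all constructed figures.

```python
"""Four-case comparison of a proposed change against doing nothing.

Added example, not code from the original slides. The four cases are the
slide's: change/positive, change/negative, no change/positive (learning
curve), no change/negative. All probabilities and cash flows are constructed.
"""
from dataclasses import dataclass


def npv(rate: float, flows) -> float:
    """NPV = a0 + a1/(1+i) + a2/(1+i)^2 + ...; a0 is the period-0 amount."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(flows))


@dataclass(frozen=True)
class Case:
    name: str
    probability: float   # chance of this outcome, given the decision
    flows: tuple         # net cash flow by period, period 0 first


@dataclass(frozen=True)
class Decision:
    name: str
    cases: tuple         # the positive- and negative-outcome cases

    def expected_npv(self, rate: float) -> float:
        total_p = sum(c.probability for c in self.cases)
        if abs(total_p - 1.0) > 1e-9:
            raise ValueError(f"{self.name}: outcome probabilities sum to {total_p}")
        return sum(c.probability * npv(rate, c.flows) for c in self.cases)

    def worst_npv(self, rate: float) -> float:
        return min(npv(rate, c.flows) for c in self.cases)


def compare(change: Decision, no_change: Decision, rate: float, loss_limit: float):
    """Pick the decision with the higher expected NPV among those whose worst
    case stays within the tolerable loss limit. Returns (name or None, details).
    """
    details = {}
    for d in (change, no_change):
        worst = d.worst_npv(rate)
        details[d.name] = {
            "expected": d.expected_npv(rate),
            "worst": worst,
            "within_limit": worst >= -loss_limit,   # the slide's loss limit check
        }
    allowed = [d for d in (change, no_change) if details[d.name]["within_limit"]]
    if not allowed:
        return None, details
    best = max(allowed, key=lambda d: details[d.name]["expected"])
    return best.name, details


# Constructed figures (thousands) over a three-period horizon.
CHANGE = Decision("change", (
    Case("change / positive outcome", 0.7, (-300.0, 200.0, 200.0, 200.0)),
    Case("change / negative outcome", 0.3, (-300.0, -50.0, 50.0, 50.0)),
))
NO_CHANGE = Decision("no change", (
    Case("no change / positive outcome (learning curve)", 0.8, (0.0, 20.0, 25.0, 30.0)),
    Case("no change / negative outcome", 0.2, (0.0, -60.0, -60.0, -60.0)),
))

if __name__ == "__main__":
    choice, detail = compare(CHANGE, NO_CHANGE, rate=0.10, loss_limit=250.0)
    for name, d in detail.items():
        print(f"{name:10s} expected {d['expected']:8.1f}  worst {d['worst']:8.1f}"
              f"  within limit: {d['within_limit']}")
    print("preferred:", choice)
```

With a loss limit of 250 the change has the higher expected NPV (about 58 against 19) but its negative case loses about 267, so it is ruled out and "no change" is preferred; raising the limit to 300 admits the change and flips the answer. That is the point of carrying the loss limit alongside the valuation rather than ranking on expected value alone.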

Mitigation


Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.


Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure

Risk mitigation treatments
• Risk avoidance
• Risk reduction
• Risk retention
• Risk transfer

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also, any amount of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training


Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability weighted sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

Risk mitigation
• More mitigation approaches for core processes
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists


Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for GrowthTM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N


Evaluation
(re-evaluation after control)


Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate the loss associated with each
occurrence of each risk
– determine the frequency of occurrence per year
– multiply the two to calculate the raw
Annual Loss Exposure (raw ALE) for each risk and
sum over all risks
– this is the same loss-per-occurrence x annual-rate-of-occurrence
product used in quantitative information-security risk assessment,
where it is usually called annualized loss expectancy


Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)


Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine the effectiveness of mitigation by
recalculating the Annual Loss Exposure assuming
all controls are working (controlled ALE)
– Determine the annual cost of the risk-mitigating controls
– Determine the improvement in ALE due to the controls
(raw ALE minus controlled ALE) and net it against the control
cost; a control whose annual cost exceeds the ALE it removes is
not justified on these numbers alone
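Added example, not code from the slides, covering the ALE recalculation on the three slides above and the earlier point that a control either reduces the chance of failure or reduces the cost of failure: each risk carries an uncontrolled and a controlled frequency and loss per event, and the net benefit of a control is the ALE it removes less what it costs per year. The risks, frequencies, losses and control costs are constructed.

```python
"""Annual loss exposure (ALE) before and after controls.

Added example, not code from the original slides. Raw ALE is the slide's
product of loss per occurrence and annual frequency; controlled ALE
re-scores the same risk assuming its controls work, which may lower the
frequency (e.g. access controls) or the loss per event (e.g. sprinklers).
All figures are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    loss_per_event: float        # estimated loss each time the event occurs
    raw_frequency: float         # expected occurrences per year, uncontrolled
    controlled_frequency: float  # expected occurrences per year, controls working
    controlled_loss: float       # loss per event, controls working
    control_cost: float          # annual cost of the controls

    def raw_ale(self) -> float:
        return self.loss_per_event * self.raw_frequency

    def controlled_ale(self) -> float:
        return self.controlled_loss * self.controlled_frequency

    def net_benefit(self) -> float:
        """ALE removed by the controls, less their annual cost."""
        return self.raw_ale() - self.controlled_ale() - self.control_cost


def summarize(risks):
    """Totals over all risks, plus the controls that do not pay for themselves."""
    raw = sum(r.raw_ale() for r in risks)
    controlled = sum(r.controlled_ale() for r in risks)
    cost = sum(r.control_cost for r in risks)
    return {
        "raw_ale": raw,
        "controlled_ale": controlled,
        "control_cost": cost,
        "net_benefit": raw - controlled - cost,
        "controls_not_paying_back": [r.name for r in risks if r.net_benefit() < 0],
    }


# Constructed sample: losses in dollars, frequencies per year
# (a frequency of 0.02 is "once in fifty years").
SAMPLE_RISKS = [
    # sprinklers: same frequency, much smaller loss per event
    Risk("server room fire", 500_000.0, 0.02, 0.02, 100_000.0, 4_000.0),
    # access controls on pricing data: same loss per event, lower frequency
    Risk("pricing data leaked to a competitor", 200_000.0, 0.5, 0.1, 200_000.0, 25_000.0),
    # carrier monitoring: halves the frequency but costs more than it saves
    Risk("late shipment penalty", 2_000.0, 12.0, 6.0, 2_000.0, 15_000.0),
]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(f"{r.name:40s} raw {r.raw_ale():10,.0f}  controlled {r.controlled_ale():10,.0f}"
              f"  net benefit {r.net_benefit():10,.0f}")
    print(summarize(SAMPLE_RISKS))
```

On the constructed figures the fire and leak controls pay back (net 4,000 and 55,000 per year) while the shipment control costs 15,000 to remove 12,000 of ALE and is flagged; the totals give the before/after comparison the slide asks for.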


Conclusions


Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:

1. Define
2. Identify
3. Evaluate
4. Mitigate
5. Control

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations


Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, Cp, etc.)
– Financial calculations (ROI, etc.)
– SPC
– ...


Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
– Retirement funding
– Investments
• Home
• Car

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009


(Four Case)
Risk Management Analysis
Thank you
Questions?



Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
p



The value of "i" such that  at / (1+i) t = 0
t=1

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
James August, CQA 01/21/09

61

Risk evaluation
V a lu e a ccru e d (+ /-)

N o ch an ge
P ositive ou tcom e

C h an ge
P ositive ou tcom e

C h a n g e im p le m e n ta tio n

N o ch an ge
N egative ou tcom e

James August, CQA 01/21/09

C h an ge
N egative ou tcom e

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
James August, CQA 01/21/09

63

Mitigation

James August, CQA 01/21/09

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

James August, CQA 01/21/09

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
James August, CQA 01/21/09

66

Risk mitigation treatments





James August, CQA 01/21/09

Risk avoidance
Risk reduction
Risk retention
Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
James August, CQA 01/21/09

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia
James August, CQA 01/21/09

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia
James August, CQA 01/21/09

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
James August, CQA 01/21/09

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools





Design for Six Sigma
Investment hedging
Concurrent Engineering
Employee education & training

James August, CQA 01/21/09

72

Risk mitigation
• Some mitigation approaches for core
processes





Published financial documents – open review
Probability weighted Sales forecasts
Raw material cost projections
FTA and FMEA for design and process
• simulations and prototyping

– Inventory ABC analysis
James August, CQA 01/21/09

73

Risk mitigation
• and







Freight carrier performance statistics
Statistical Process Control
Electronic surveillance
Hedging
Invoice aging analysis and variance
Process check lists

James August, CQA 01/21/09

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for GrowthTM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
James August, CQA 01/21/09

from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)

James August, CQA 01/21/09

78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks

James August, CQA 01/21/09

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)

James August, CQA 01/21/09

80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to
controlled recovery

James August, CQA 01/21/09

81
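A worked example of slides 79 to 81, added here and not part of the original deck: raw ALE per risk, ALE recalculated with the controls assumed working, the cost of the controls, and the resulting improvement and net benefit. The risk register, the dollar figures, the frequencies and the function names are constructed for illustration and are not from the deck; the "retain" decision follows the retention rule quoted on slide 70 (a control that costs more than it saves is not worth buying).

```python
# Constructed risk register for illustration (not from the deck). "loss" is the
# expected loss per occurrence in USD, "frequency" the expected occurrences per
# year; the "controlled_*" fields are the same estimates assuming the named
# control is working; "control_cost" is the control's annual cost.
RISK_REGISTER = [
    {"name": "Ransomware on the file server", "control": "offline backups and patching",
     "loss": 80_000, "frequency": 0.25,
     "controlled_loss": 20_000, "controlled_frequency": 0.125, "control_cost": 6_000},
    {"name": "Lost laptop holding customer data", "control": "full-disk encryption",
     "loss": 30_000, "frequency": 2.0,
     "controlled_loss": 2_000, "controlled_frequency": 2.0, "control_cost": 4_000},
    {"name": "Web shop outage, one day", "control": "second hosting region",
     "loss": 5_000, "frequency": 0.5,
     "controlled_loss": 5_000, "controlled_frequency": 0.125, "control_cost": 9_000},
]


def annual_loss_exposure(loss, frequency):
    """ALE = loss per occurrence x expected occurrences per year (slide 79)."""
    if loss < 0 or frequency < 0:
        raise ValueError("loss and frequency must be non-negative")
    return loss * frequency


def evaluate_controls(register):
    """Per risk: raw ALE, controlled ALE, improvement, control cost and net benefit
    (slides 79 to 81). The treatment is 'reduce' when the control pays for itself
    and 'retain' otherwise (the retention rule of slide 70)."""
    rows = []
    for r in register:
        raw = annual_loss_exposure(r["loss"], r["frequency"])
        controlled = annual_loss_exposure(r["controlled_loss"], r["controlled_frequency"])
        improvement = raw - controlled          # ALE reduction due to the control
        net = improvement - r["control_cost"]   # what the control saves minus what it costs
        rows.append({
            "name": r["name"], "control": r["control"],
            "raw_ale": raw, "controlled_ale": controlled,
            "improvement": improvement, "control_cost": r["control_cost"],
            "net_benefit": net,
            "treatment": "reduce" if net > 0 else "retain",
        })
    return rows


def totals(rows):
    """Sum over all risks, as slide 79 asks for the raw ALE."""
    keys = ("raw_ale", "controlled_ale", "improvement", "control_cost", "net_benefit")
    return {k: sum(row[k] for row in rows) for k in keys}


if __name__ == "__main__":
    rows = evaluate_controls(RISK_REGISTER)
    for row in rows:
        print(f'{row["name"]:36s} raw ALE {row["raw_ale"]:8,.0f}  '
              f'controlled {row["controlled_ale"]:8,.0f}  net {row["net_benefit"]:8,.0f}  '
              f'-> {row["treatment"]}')
    print("totals:", totals(rows))
```

The third row shows the case the deck warns about on slide 70: the hosting control removes most of the outage exposure but costs more than the exposure it removes, so on these numbers the risk is better retained than reduced.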

Conclusions

James August, CQA 01/21/09

82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)
James August, CQA 01/21/09

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:

1. Define
2. Identify
3. Evaluate
4. Mitigate
5. Control
James August, CQA 01/21/09

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations

James August, CQA 01/21/09

85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, Cp, etc)
– Financial calculations (ROI, etc)
– SPC
– ...

James August, CQA 01/21/09

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car
James August, CQA 01/21/09

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009

James August, CQA 01/21/09

88

(Four Case)
Risk Management Analysis
Thank you
Questions?

James August, CQA 01/21/09

89


Slide 12

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-at-risk
is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value ¹P one trading day from now. The
portfolio's current value ⁰p is known.
Value-at-risk equals the amount of money
such that there is a 90% probability of the
portfolio losing less than that amount over
the next trading day.
James August, CQA 01/21/09

3
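A worked example of the definition on slides 2 and 3, added here and not part of the original deck: a one-day VaR computed by historical simulation, where the empirical distribution of past daily changes in portfolio value (¹P minus ⁰p) stands in for the density function on the slide. The twenty daily P&L figures, the confidence levels and the function names are constructed for illustration; the deck itself gives no data.

```python
import math

# Constructed sample (not from the deck): 20 observed daily changes in portfolio
# value in USD, i.e. ¹P minus ⁰p on 20 past trading days. Negative = loss.
DAILY_PNL = [12, -4, 35, -31, 7, -1, 3, -48, 16, -9,
             0, 21, -22, 5, -6, 9, -15, 2, -12, -2]


def value_at_risk(pnl, confidence=0.90):
    """One-day VaR by historical simulation.

    Returns the smallest loss L such that the portfolio lost less than L on at
    least `confidence` of the observed days, i.e. the loss reached or exceeded
    on at most (1 - confidence) of them. This is the slide-3 definition with the
    empirical distribution of `pnl` in place of the density function.
    """
    if not pnl:
        raise ValueError("need at least one observation")
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must lie strictly between 0 and 1")
    n = len(pnl)
    # Number of days allowed to lose VaR or more. The rounding guards against
    # binary floating point (20 * (1 - 0.9) evaluates slightly below 2).
    tail = int(math.floor(round(n * (1.0 - confidence), 9)))
    if tail == 0:
        raise ValueError(f"{n} observations are too few to support "
                         f"{confidence:.0%} confidence")
    losses = sorted((-x for x in pnl), reverse=True)   # worst loss first
    # A negative "loss" here means the portfolio gained even on the tail-th
    # worst day; VaR is then zero rather than a negative amount.
    return max(0.0, float(losses[tail - 1]))


def fraction_losing_less(pnl, amount):
    """Share of observed days on which the loss was strictly less than `amount`;
    used to check that a VaR figure really meets its confidence level."""
    return sum(1 for x in pnl if -x < amount) / len(pnl)


if __name__ == "__main__":
    for c in (0.80, 0.90, 0.95):
        var = value_at_risk(DAILY_PNL, c)
        print(f"{c:.0%} one-day VaR = {var:5.1f} USD; "
              f"days losing less than that: {fraction_losing_less(DAILY_PNL, var):.0%}")
```

With only twenty observations the 95% figure rests on a single worst day, which is why the function refuses confidence levels that the sample cannot support at all rather than silently returning the worst observed loss.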

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
[Figure: four-quadrant grid; vertical axis "Value accrued (+/-)", horizontal axis "Cost of action"]
  small cost, small gains   |  big cost, big gains
  small cost, small losses  |  big cost, big losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
[Figure: the same four-quadrant grid; vertical axis "Value accrued (+/-)", horizontal axis "Cost of action", with the tolerable loss limit drawn across the loss half]
  small cost, big gains ("no brainer")
  small cost, small gains   |  big cost, big gains
  small cost, small losses  |
  --- tolerable loss limit ---
                            |  big cost, big losses ("not a good idea")

James August, CQA 01/21/09

21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business operations & processes
– acquire new customers
– take orders
– procure materials
– create products, manage inventories
– deliver products
– collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes
– market research
– pricing
– promotion and advertising
– order taking (order entry)
– warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes
– materials sourcing (availability)
– quality control (product & process)
– plant & workplace safety
– environmental concerns
– inventory
– logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes
– budgeting
– accounts receivable and payable
– banking
– currency exchange
– MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes
– strategic planning
– brand management
– facilities and infrastructure management
– process engineering
– capital investment
– asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/regulatory reporting (FDA, SOx, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes
– quality assurance
– predictive/preventive maintenance
– recruitment, compensation
– employee relations (work stoppages)
– employee performance mgt
– payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas
– outplacement
– employee well-being
– insurance
– mergers & acquisitions
– construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.
– Strengths
– Weaknesses
– Opportunities
– Threats

James August, CQA 01/21/09

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses
– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency \ Severity   Negligible   Minor   Major   Severe
Frequent               L            I       H       H
Probable               L            I       H       H
Occasional             T            I       I       H
Remote                 T            L       I       I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48
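A worked example of the two non-financial measures on slides 45 and 48 (with the RPN formula of slide 11), added here and not part of the original deck: the slide-45 matrix encoded as shown, RPN = severity x occurrence x detectability compared against the 100 threshold, and a small register scored with both so that disagreements between the two methods stand out (the deck's own point on slide 83 that no single calculation settles a risk assessment). The register entries, the 1..10 FMEA scales, the low-to-high ordering of the letters T, L, I, H and the function names are assumptions for illustration; the deck does not expand the letters.

```python
# Risk matrix exactly as on slide 45: rows are frequency classes, columns are
# severity classes, cells are the deck's letter ratings.
SEVERITIES = ("Negligible", "Minor", "Major", "Severe")
RISK_MATRIX = {
    "Frequent":   ("L", "I", "H", "H"),
    "Probable":   ("L", "I", "H", "H"),
    "Occasional": ("T", "I", "I", "H"),
    "Remote":     ("T", "L", "I", "I"),
}
# Assumption: the letters rank low to high in this order (not stated on the slide).
RATING_RANK = {"T": 0, "L": 1, "I": 2, "H": 3}
RPN_THRESHOLD = 100           # slide 48 compares RPN against 100
# Assumption: the usual 1..10 FMEA scales, detectability 10 = hardest to detect.
RPN_SCALE = range(1, 11)


def matrix_rating(frequency, severity):
    """Look up the slide-45 rating for a frequency/severity pair."""
    if frequency not in RISK_MATRIX or severity not in SEVERITIES:
        raise ValueError(f"unknown frequency/severity pair: {frequency!r}, {severity!r}")
    return RISK_MATRIX[frequency][SEVERITIES.index(severity)]


def rpn(severity, occurrence, detectability):
    """FMEA risk priority number = severity x occurrence x detectability."""
    for name, value in (("severity", severity), ("occurrence", occurrence),
                        ("detectability", detectability)):
        if value not in RPN_SCALE:
            raise ValueError(f"{name} must be an integer in 1..10, got {value!r}")
    return severity * occurrence * detectability


def assess(register):
    """Score every entry with both methods and sort by priority (matrix rating
    first, RPN second, highest first). `methods_disagree` is set when the matrix
    says H but RPN stays under the threshold, or the other way round."""
    scored = []
    for entry in register:
        rating = matrix_rating(entry["frequency"], entry["severity"])
        score = rpn(entry["S"], entry["O"], entry["D"])
        over = score > RPN_THRESHOLD
        scored.append({**entry, "rating": rating, "rpn": score,
                       "rpn_over_threshold": over,
                       "methods_disagree": (rating == "H") != over})
    scored.sort(key=lambda e: (RATING_RANK[e["rating"]], e["rpn"]), reverse=True)
    return scored


# Constructed register of operational and compliance risks; names and scores
# are illustrative, not from the deck.
RISK_REGISTER = [
    {"name": "Unpatched internet-facing server", "frequency": "Probable",
     "severity": "Major", "S": 8, "O": 6, "D": 3},
    {"name": "Lost backup tape in transit", "frequency": "Remote",
     "severity": "Severe", "S": 9, "O": 2, "D": 8},
    {"name": "Phishing e-mail reaches staff", "frequency": "Frequent",
     "severity": "Minor", "S": 4, "O": 9, "D": 2},
    {"name": "Pricing data leaked via shared drive", "frequency": "Occasional",
     "severity": "Severe", "S": 8, "O": 4, "D": 6},
]

if __name__ == "__main__":
    for e in assess(RISK_REGISTER):
        flag = "  <- methods disagree" if e["methods_disagree"] else ""
        print(f'{e["rating"]}  RPN={e["rpn"]:3d}  {e["name"]}{flag}')
```

The backup-tape entry is the instructive one: the matrix rates it I because the event is remote, while RPN pushes it over 100 because a lost tape is hard to detect. Which view the organization follows is a policy choice; the code only makes the disagreement visible.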

Risk evaluation
• Typical approaches for quantification
– Weighted probabilities
– Extended cost
– Future Value or Net Present Value
– Capability analysis
– Value stream mapping
– Cost of poor quality
– Discounted Cash Flow
– Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)
– Net B/C ratio = (PV of benefits – PV of operating costs) / PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)^2 + a3/(1+i)^3 + ...

• Where
a_t is the return for period t, discounted at rate i

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.

James August, CQA 01/21/09

54

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
The value of "i" such that Σ (t = 1 .. p) a_t / (1+i)^t = 0

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
James August, CQA 01/21/09

61

Risk evaluation
[Figure: four-quadrant grid; vertical axis "Value accrued (+/-)", horizontal axis "Change implementation"]
  No change, positive outcome  |  Change, positive outcome
  No change, negative outcome  |  Change, negative outcome

James August, CQA 01/21/09

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
James August, CQA 01/21/09

63
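A worked example, added here and not part of the original deck, that covers the NPV formula of slide 53, the IRR of slides 56 to 58 and the four-case comparison of slides 61 to 63 in one place: NPV as the slide writes it, IRR found by bisection (a systematic form of the "trial and error" the deck describes), and the four cases valued at one discount rate and checked against the tolerable loss limit of slide 20. The cash flows, the 8% rate, the 300 USD loss limit and the function names are constructed assumptions; the deck points at Excel for these calculations and gives no numbers of its own.

```python
def npv(rate, cash_flows):
    """Net present value as on slide 53: a0 + a1/(1+i) + a2/(1+i)^2 + ...
    cash_flows[0] is today's flow (undiscounted); outlays are negative."""
    if rate <= -1.0:
        raise ValueError("rate must be greater than -100%")
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


def irr(cash_flows, lo=-0.99, hi=10.0, tol=1e-10, max_iter=500):
    """Internal rate of return: the rate at which npv() is zero (slides 56-58),
    found by bisection. Requires npv to change sign between lo and hi and
    raises if it does not (for example when every cash flow has the same sign,
    in which case no IRR exists)."""
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo == 0.0:
        return lo
    if f_hi == 0.0:
        return hi
    if (f_lo > 0.0) == (f_hi > 0.0):
        raise ValueError("NPV has the same sign at both ends of the bracket; "
                         "no IRR in [lo, hi]")
    for _ in range(max_iter):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if f_mid == 0.0 or (hi - lo) / 2.0 < tol:
            return mid
        if (f_mid > 0.0) == (f_lo > 0.0):
            lo, f_lo = mid, f_mid      # root lies in the upper half
        else:
            hi = mid                   # root lies in the lower half
    return (lo + hi) / 2.0


# Constructed yearly cash-flow estimates (USD) for the four cases of slide 61;
# the figures are made up for illustration.
FOUR_CASES = {
    "change, positive outcome":    [-1000, 550, 605],   # investment pays back as planned
    "change, negative outcome":    [-1000, 200, 300],   # investment made, results fall short
    "no change, positive outcome": [0, 50, 50],         # learning-curve gains at no outlay
    "no change, negative outcome": [0, -150, -200],     # the RTP risk materialises
}
DISCOUNT_RATE = 0.08         # assumed cost of capital
TOLERABLE_LOSS_LIMIT = 300   # assumed risk-tolerance loss limit (slide 20)


def four_case_evaluation(rate, cases, loss_limit):
    """NPV of each case plus whether it stays within the tolerable loss limit
    (slides 61-63). Returns name -> {"npv": float, "within_loss_limit": bool}."""
    if loss_limit < 0:
        raise ValueError("the loss limit is a non-negative amount")
    result = {}
    for name, flows in cases.items():
        value = npv(rate, flows)
        result[name] = {"npv": value, "within_loss_limit": value >= -loss_limit}
    return result


if __name__ == "__main__":
    print(f"IRR of the planned change: {irr(FOUR_CASES['change, positive outcome']):.2%}")
    for name, r in four_case_evaluation(DISCOUNT_RATE, FOUR_CASES, TOLERABLE_LOSS_LIMIT).items():
        mark = "ok" if r["within_loss_limit"] else "EXCEEDS LOSS LIMIT"
        print(f"{name:30s} NPV {r['npv']:9.2f}  {mark}")
```

On these numbers the "no change, negative outcome" case breaches the loss limit just as the "change, negative outcome" case does, which is the deck's warning on slide 85 that run-the-process decisions can hide substantial risk.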

Mitigation

James August, CQA 01/21/09

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

James August, CQA 01/21/09

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
James August, CQA 01/21/09

66

Risk mitigation treatments
– Risk avoidance
– Risk reduction
– Risk retention
– Risk transfer

James August, CQA 01/21/09

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
James August, CQA 01/21/09

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia
James August, CQA 01/21/09

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also, any amount of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia
James August, CQA 01/21/09

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
James August, CQA 01/21/09

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

James August, CQA 01/21/09

72

Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability weighted sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
  • simulations and prototyping
– Inventory ABC analysis
James August, CQA 01/21/09

73

Risk mitigation
• and







Freight carrier performance statistics
Statistical Process Control
Electronic surveillance
Hedging
Invoice aging analysis and variance
Process check lists

James August, CQA 01/21/09

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for GrowthTM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
James August, CQA 01/21/09

from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)

James August, CQA 01/21/09

78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks

James August, CQA 01/21/09

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)

James August, CQA 01/21/09

80

Risk evaluation revisited
• Re-evaluate costs and benefit
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE to to
controlled recovery

James August, CQA 01/21/09

81

Conclusions

James August, CQA 01/21/09

82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)
James August, CQA 01/21/09

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:

Control
Mitigate
Evaluate
Identify
Define
James August, CQA 01/21/09

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations

James August, CQA 01/21/09

85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists





Non-financial indexes (FMEA, cp, etc)
Financial calculations (ROI, etc)
SPC
...

James August, CQA 01/21/09

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car
James August, CQA 01/21/09

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009

James August, CQA 01/21/09

88

(Four Case)
Risk Management Analysis
Thank you
Questions?

James August, CQA 01/21/09

89


Slide 13

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures


Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.


Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level

Identification


Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.


Risk identification
What is at risk?
Achieving your objectives!


Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008

Risk identification
• core business op’ns & processes
– acquire new customers
– take orders
– procure materials
– create products, manage inventories
– deliver products
– collect payments

Risk identification
• core sales sub-processes
– market research
– pricing
– promotion and advertising
– order taking (order entry)
– warranty management

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection


Risk identification
• core operations sub-processes
– materials sourcing (availability)
– quality control (product & process)
– plant & workplace safety
– environmental concerns
– inventory
– logistics and transport

Risk identification
• core finance sub-processes
– budgeting
– accounts receivable and payable
– banking
– currency exchange
– MIS and IT processes

Risk identification
• support business processes
– strategic planning
– brand management
– facilities and infrastructure management
– process engineering
– capital investment
– asset management

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/regulatory reporting (FDA, SOx, ...)
– supplier evaluation, management

Risk identification
• support business sub-processes
– quality assurance
– predictive/preventive maintenance
– recruitment, compensation
– employee relations (work stoppages)
– employee performance mgt
– payroll, benefits, ...

Risk identification
• other business areas
– outplacement
– employee well-being
– insurance
– mergers & acquisitions
– construction / expansion

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.
– Strengths
– Weaknesses
– Opportunities
– Threats

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses
– Historical information - lessons learned
– Templates: critical path, engineering, ...

Evaluation


Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?


Risk evaluation
Risk matrix (rows: Frequency; columns: Severity)

Frequency    Negligible   Minor   Major   Severe
Frequent     L            I       H       H
Probable     L            I       H       H
Occasional   T            I       I       H
Remote       T            L       I       I

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criterion: is RPN above or below 100, where
– RPN = Severity x Frequency x Detectability


Risk evaluation
• Typical approaches for quantification
– Weighted probabilities
– Extended cost
– Future Value or Net Present Value
– Capability analysis
– Value stream mapping
– Cost of poor quality
– Discounted Cash Flow
– Internal Rate of Return

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency


Risk evaluation
Financial measures of c/b
• Return on Investment (ROI)
Net B/C ratio = (PV of benefits – PV of operating costs) / PV of capital costs

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.

Risk evaluation
• NPV = a0 + a1/(1+i) + a2/(1+i)^2 + a3/(1+i)^3 + ...
• Where “a” is the return for each period at rate “i”

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.

Risk evaluation
Financial measures of c/b
• IRR
The value of "i" such that Σ (t = 1 to p) a_t / (1+i)^t = 0

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?"
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.



Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results

Risk evaluation
[Figure: 2x2 grid of the four risk cases. Vertical axis: Value accrued (+/-). Horizontal axis: Change implementation. Quadrants: No change, positive outcome; Change, positive outcome; No change, negative outcome; Change, negative outcome.]

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
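To make the four-case comparison concrete, here is an added example (not part of the deck) that applies the deck's NPV formula and a trial-and-error IRR search to four constructed cash-flow streams, one per case, and flags any case whose worst-case outlay exceeds the tolerable loss limit; the cash flows, the 10% rate and the $55,000 limit are assumptions.

```python
"""Four-case risk evaluation with NPV and IRR.

Added example, not from the slides. The four cash-flow streams are constructed
for illustration, one per case from the deck: change/positive, change/negative,
no change/positive (learning-curve gain), no change/negative.
"""
from typing import Dict, List, Optional, Sequence


def npv(rate: float, flows: Sequence[float]) -> float:
    """NPV = a0 + a1/(1+i) + a2/(1+i)^2 + ... (the deck's formula; a0 is undiscounted)."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(flows))


def irr(flows: Sequence[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-9) -> Optional[float]:
    """Rate at which NPV is zero, found by bisection on [lo, hi].

    The deck notes IRR has no algebraic formula and must be approximated by
    trial and error; bisection is that search done systematically. Returns None
    when NPV does not change sign over the bracket, e.g. a stream with no outlay
    or no return, for which a "return on investment" is undefined.
    """
    f_lo, f_hi = npv(lo, flows), npv(hi, flows)
    if f_lo == 0.0:
        return lo
    if f_lo * f_hi > 0:
        return None
    for _ in range(200):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, flows)
        if abs(f_mid) < tol or hi - lo < tol:
            return mid
        if f_lo * f_mid < 0:      # sign change in the lower half
            hi = mid
        else:                     # sign change in the upper half
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


def max_drawdown(flows: Sequence[float]) -> float:
    """Largest cumulative cash outlay over the stream (undiscounted): the
    worst-case loss to compare against the tolerable loss limit."""
    worst, running = 0.0, 0.0
    for a in flows:
        running += a
        worst = min(worst, running)
    return -worst


def evaluate_cases(cases: Dict[str, List[float]], rate: float,
                   loss_limit: float) -> Dict[str, dict]:
    """Score each case; flag any whose worst-case loss exceeds the limit."""
    report = {}
    for name, flows in cases.items():
        dd = max_drawdown(flows)
        report[name] = {
            "npv": round(npv(rate, flows), 2),
            "irr": irr(flows),
            "worst_case_loss": dd,
            "exceeds_loss_limit": dd > loss_limit,
        }
    return report


# Constructed sample: annual cash flows in dollars, period 0 first.
FOUR_CASES = {
    "change, positive outcome": [-50_000, 30_000, 30_000, 30_000],
    "change, negative outcome": [-50_000, -10_000, 5_000, 5_000],
    "no change, positive outcome": [0, 2_000, 3_000, 4_000],
    "no change, negative outcome": [0, -8_000, -12_000, -15_000],
}
DISCOUNT_RATE = 0.10     # assumed cost of capital
LOSS_LIMIT = 55_000      # assumed tolerable loss limit

if __name__ == "__main__":
    for name, r in evaluate_cases(FOUR_CASES, DISCOUNT_RATE, LOSS_LIMIT).items():
        irr_txt = "n/a" if r["irr"] is None else f"{r['irr']:.1%}"
        flag = "  <-- exceeds tolerable loss limit" if r["exceeds_loss_limit"] else ""
        print(f"{name:28s} NPV {r['npv']:>11,.2f}  IRR {irr_txt:>6s}  "
              f"worst-case loss {r['worst_case_loss']:>9,.0f}{flag}")
```

The two "no change" cases have no investment outlay, so IRR comes back undefined and only NPV can rank them; the adverse change case is the one that breaks the loss limit even though the planned change itself does not.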

Mitigation


Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.


Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure

Risk mitigation treatments
– Risk avoidance
– Risk reduction
– Risk retention
– Risk transfer

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured are retained risk.
from Wikipedia

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability weighted sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
– Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
– Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
– Determine whether product development has realistic
costs and timeframes.
– Check that a detailed budget has been established for
product development.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
– Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
– Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
– Make sure quality specifications have been defined,
authorized and formally documented.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

Evaluation
(re-evaluation after control)


Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks


Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)


Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine the improvement in ALE due to
controlled recovery
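As an added example, not part of the deck, the ALE re-evaluation above carried through in Python on a constructed three-item risk register (the loss estimates, frequencies and control costs are assumptions); it also shows the per-risk check of whether a control saves more than it costs, which is where retention becomes the better treatment.

```python
"""Annual Loss Exposure (ALE) before and after controls.

Added example, not from the slides. The risk register is constructed for
illustration. Following the deck: raw ALE = estimated loss per occurrence x
annual frequency, summed over all risks; the controlled ALE is recalculated
assuming every control works; the improvement is then weighed against what
the controls cost.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Risk:
    name: str
    loss_per_event: float        # estimated loss each time the event occurs
    annual_frequency: float      # occurrences per year with no control
    controlled_loss: float       # loss per event if the control works
    controlled_frequency: float  # occurrences per year if the control works
    control_cost: float          # annual cost of the mitigating control


def ale(loss_per_event: float, annual_frequency: float) -> float:
    """Annual Loss Exposure for one risk: loss per occurrence x frequency."""
    return loss_per_event * annual_frequency


def raw_ale(risks: List[Risk]) -> float:
    """Raw ALE summed over all risks, no mitigation assumed."""
    return sum(ale(r.loss_per_event, r.annual_frequency) for r in risks)


def controlled_ale(risks: List[Risk]) -> float:
    """ALE recalculated assuming all controls are working."""
    return sum(ale(r.controlled_loss, r.controlled_frequency) for r in risks)


def control_cost(risks: List[Risk]) -> float:
    """Annual cost of all risk-mitigating controls."""
    return sum(r.control_cost for r in risks)


def net_improvement(risks: List[Risk]) -> float:
    """Reduction in ALE that remains after paying for the controls."""
    return raw_ale(risks) - controlled_ale(risks) - control_cost(risks)


def per_risk_report(risks: List[Risk]) -> List[dict]:
    """Per-risk view: a control that costs more than the exposure it removes
    is a candidate for retention instead (the deck's small risks where the
    cost of insuring exceeds the losses)."""
    rows = []
    for r in risks:
        before = ale(r.loss_per_event, r.annual_frequency)
        after = ale(r.controlled_loss, r.controlled_frequency)
        rows.append({
            "risk": r.name,
            "raw_ale": before,
            "controlled_ale": after,
            "control_cost": r.control_cost,
            "net_benefit": before - after - r.control_cost,
            "control_pays_for_itself": before - after > r.control_cost,
        })
    return rows


# Constructed sample register (dollars, per year). Each control lowers either
# the chance of the event or its cost, the two levers named in the deck.
SAMPLE_RISKS = [
    Risk("work stoppage", 120_000, 0.25, 120_000, 0.05, 10_000),
    Risk("substandard supplies", 8_000, 6.0, 8_000, 1.0, 15_000),
    Risk("pricing data leak", 50_000, 0.10, 50_000, 0.02, 12_000),
]

if __name__ == "__main__":
    for row in per_risk_report(SAMPLE_RISKS):
        print(f"{row['risk']:22s} raw ALE {row['raw_ale']:>9,.0f}  controlled "
              f"{row['controlled_ale']:>8,.0f}  cost {row['control_cost']:>7,.0f}  "
              f"net {row['net_benefit']:>+9,.0f}")
    print(f"raw ALE {raw_ale(SAMPLE_RISKS):,.0f}, controlled ALE "
          f"{controlled_ale(SAMPLE_RISKS):,.0f}, controls "
          f"{control_cost(SAMPLE_RISKS):,.0f}, net improvement "
          f"{net_improvement(SAMPLE_RISKS):+,.0f}")
```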


Conclusions


Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:
[Figure: stair-step graphic listing, from top to bottom, Control, Mitigate, Evaluate, Identify, Define.]

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations


Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, cp, etc)
– Financial calculations (ROI, etc)
– SPC
– ...

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009


(Four Case)
Risk Management Analysis
Thank you
Questions?

James August, CQA 01/21/09

89


Slide 14

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
p



The value of "i" such that  at / (1+i) t = 0
t=1

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

59

Risk evaluation
• Four cases for risk evaluation:

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results

61

Risk evaluation
[Figure: the four risk cases plotted as quadrants, with "Value accrued (+/-)" on the vertical axis and "Change implementation" on the horizontal axis: no change / positive outcome; change / positive outcome; no change / negative outcome; change / negative outcome.]

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.

63
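The four-case comparison above, worked in code as an added example that is not part of the original slides: NPV is computed as on the NPV slide, IRR is approximated by bisection (the trial-and-error approach the slides describe), each decision's probability-weighted and worst-case NPV are compared, and the worst case is checked against the tolerable loss limit. All cash flows, outcome probabilities, the 10% discount rate and the loss limit are constructed sample values.

```python
# Four-case risk evaluation with NPV and IRR (added example; all figures constructed).
from typing import Dict, List, Optional, Tuple

DISCOUNT_RATE = 0.10   # constructed: the organization's cost of capital
LOSS_LIMIT = 100.0     # constructed: tolerable loss limit (max affordable worst case)

# Constructed incremental cash flows (period 0 first) for the four cases.
# The "no change" streams carry only the learning-curve gain or the adverse
# loss, since the cost of doing nothing is taken as zero (the RTP factors).
CASES: Dict[Tuple[str, str], List[float]] = {
    ("change", "positive"):    [-100.0, 40.0, 40.0, 40.0, 40.0],
    ("change", "negative"):    [-100.0, -20.0, 10.0, 10.0, 10.0],
    ("no change", "positive"): [0.0, 3.0, 4.0, 5.0, 6.0],
    ("no change", "negative"): [0.0, -30.0, -30.0, -30.0, -30.0],
}
# Constructed probability that each decision ends in its positive outcome.
P_POSITIVE: Dict[str, float] = {"change": 0.7, "no change": 0.6}


def npv(rate: float, cash_flows: List[float]) -> float:
    """NPV = a0 + a1/(1+i) + a2/(1+i)^2 + ... with a0 the period-0 flow."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


def irr(cash_flows: List[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-9, max_iter: int = 200) -> Optional[float]:
    """Rate at which NPV is zero, approximated by bisection.

    Returns None when NPV has the same sign at both ends of [lo, hi], which
    is what happens for cost-only or benefit-only streams: no IRR exists,
    so those cases have to be compared on NPV instead.
    """
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        return None
    for _ in range(max_iter):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol or (hi - lo) < tol:
            return mid
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


def evaluate_cases(cases: Dict[Tuple[str, str], List[float]],
                   rate: float) -> Dict[Tuple[str, str], Dict[str, Optional[float]]]:
    """NPV and IRR for each of the four cases."""
    return {case: {"npv": npv(rate, flows), "irr": irr(flows)}
            for case, flows in cases.items()}


def compare_decisions(cases, p_positive, rate, loss_limit):
    """Per decision (change / no change): probability-weighted NPV, worst-case
    NPV, and whether the worst case stays within the tolerable loss limit."""
    result = {}
    for decision, p in p_positive.items():
        good = npv(rate, cases[(decision, "positive")])
        bad = npv(rate, cases[(decision, "negative")])
        worst = min(good, bad)
        result[decision] = {
            "expected_npv": p * good + (1.0 - p) * bad,
            "worst_case_npv": worst,
            "within_loss_limit": worst >= -loss_limit,
        }
    return result


def recommend(comparison: Dict[str, Dict[str, float]]) -> Optional[str]:
    """Decision with the highest expected NPV among those whose worst case is
    tolerable; None if every decision could breach the loss limit."""
    tolerable = {d: r for d, r in comparison.items() if r["within_loss_limit"]}
    if not tolerable:
        return None
    return max(tolerable, key=lambda d: tolerable[d]["expected_npv"])


if __name__ == "__main__":
    for case, metrics in evaluate_cases(CASES, DISCOUNT_RATE).items():
        irr_text = "n/a" if metrics["irr"] is None else f"{metrics['irr']:.1%}"
        print(f"{case[0]:>9} / {case[1]:<8} NPV {metrics['npv']:8.2f}  IRR {irr_text}")
    comparison = compare_decisions(CASES, P_POSITIVE, DISCOUNT_RATE, LOSS_LIMIT)
    for decision, r in comparison.items():
        print(f"{decision:>9}: expected NPV {r['expected_npv']:7.2f}, "
              f"worst case {r['worst_case_npv']:7.2f}, "
              f"within limit: {r['within_loss_limit']}")
    print("recommendation:", recommend(comparison))
```

With these constructed figures both "no change" cases have no IRR at all, and "no change" carries nearly the same worst case as "change", which is the point the conclusions make about RTP decisions hiding risk.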

Mitigation

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure

66

Risk mitigation treatments
• Risk avoidance
• Risk reduction
• Risk retention
• Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also, any amount of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

72

Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability weighted sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

73

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)


78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks


79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)


80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to
controlled recovery

81
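The ALE re-evaluation described in the three slides above, as an added example that is not from the original slides: raw ALE is loss times frequency summed over all risks, ALE is recomputed assuming every control works, and the improvement is netted against the cost of the controls. The risk register, loss figures, frequencies and control costs are constructed; the check for controls that cost more than the loss they remove applies the retention rule quoted earlier (insuring against a small risk can cost more than the losses sustained).

```python
# Annual Loss Exposure (ALE) before and after controls (added example; all
# risk figures below are constructed for illustration).
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Risk:
    name: str
    loss_per_event: float          # estimated loss each time the risk occurs
    raw_frequency: float           # occurrences per year with no controls
    controlled_loss: float         # loss per event once controls limit damage
    controlled_frequency: float    # occurrences per year with controls working
    annual_control_cost: float     # yearly cost of the mitigating controls


# Constructed sample risk register for a small operation.
SAMPLE_RISKS: List[Risk] = [
    Risk("Phishing-led account compromise", 40_000.0, 2.0, 10_000.0, 0.5, 25_000.0),
    Risk("Substandard supplies accepted", 15_000.0, 4.0, 15_000.0, 1.0, 20_000.0),
    Risk("Office printer outage", 500.0, 3.0, 500.0, 1.0, 3_000.0),
]


def raw_ale(risks: List[Risk]) -> float:
    """Raw ALE: annual loss x frequency for each risk, summed over all risks."""
    return sum(r.loss_per_event * r.raw_frequency for r in risks)


def controlled_ale(risks: List[Risk]) -> float:
    """ALE recalculated assuming every control is working."""
    return sum(r.controlled_loss * r.controlled_frequency for r in risks)


def control_cost(risks: List[Risk]) -> float:
    """Total yearly cost of the risk-mitigating controls."""
    return sum(r.annual_control_cost for r in risks)


def ale_reduction(risk: Risk) -> float:
    """Improvement in ALE for one risk due to its controls."""
    return (risk.loss_per_event * risk.raw_frequency
            - risk.controlled_loss * risk.controlled_frequency)


def retention_candidates(risks: List[Risk]) -> List[str]:
    """Risks whose controls cost more per year than the ALE they remove:
    by the retention rule, accepting the loss is cheaper than controlling it."""
    return [r.name for r in risks if r.annual_control_cost > ale_reduction(r)]


def mitigation_summary(risks: List[Risk]) -> Dict[str, float]:
    """Raw ALE, controlled ALE, control cost, and the gross and net improvement."""
    raw = raw_ale(risks)
    controlled = controlled_ale(risks)
    cost = control_cost(risks)
    return {
        "raw_ale": raw,
        "controlled_ale": controlled,
        "control_cost": cost,
        "gross_improvement": raw - controlled,
        "net_annual_benefit": raw - controlled - cost,
    }


if __name__ == "__main__":
    for key, value in mitigation_summary(SAMPLE_RISKS).items():
        print(f"{key:>20}: {value:12,.2f}")
    print("retain rather than control:", retention_candidates(SAMPLE_RISKS))
```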

Conclusions


82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:
• Define
• Identify
• Evaluate
• Mitigate
• Control

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations


85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, cp, etc)
– Financial calculations (ROI, etc)
– SPC
– ...

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009


88

(Four Case)
Risk Management Analysis
Thank you
Questions?


89


Slide 15

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
p



The value of "i" such that  at / (1+i) t = 0
t=1

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
James August, CQA 01/21/09

61

Risk evaluation
V a lu e a ccru e d (+ /-)

N o ch an ge
P ositive ou tcom e

C h an ge
P ositive ou tcom e

C h a n g e im p le m e n ta tio n

N o ch an ge
N egative ou tcom e

James August, CQA 01/21/09

C h an ge
N egative ou tcom e

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
James August, CQA 01/21/09

63

Mitigation

James August, CQA 01/21/09

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

James August, CQA 01/21/09

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
James August, CQA 01/21/09

66

Risk mitigation treatments





James August, CQA 01/21/09

Risk avoidance
Risk reduction
Risk retention
Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
James August, CQA 01/21/09

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia
James August, CQA 01/21/09

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia
James August, CQA 01/21/09

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
James August, CQA 01/21/09

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools





Design for Six Sigma
Investment hedging
Concurrent Engineering
Employee education & training

James August, CQA 01/21/09

72

Risk mitigation
• Some mitigation approaches for core
processes





Published financial documents – open review
Probability weighted Sales forecasts
Raw material cost projections
FTA and FMEA for design and process
• simulations and prototyping

– Inventory ABC analysis
James August, CQA 01/21/09

73

Risk mitigation
• and







Freight carrier performance statistics
Statistical Process Control
Electronic surveillance
Hedging
Invoice aging analysis and variance
Process check lists

James August, CQA 01/21/09

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for GrowthTM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
James August, CQA 01/21/09

from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)

James August, CQA 01/21/09

78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks

James August, CQA 01/21/09

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)

James August, CQA 01/21/09

80

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-at-risk
is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value ${}^1P$ one trading day from now. The
portfolio's current value ${}^0p$ is known.
Value-at-risk equals the amount of money such that
there is a 90% probability of the portfolio losing
less than that amount over the next trading day.
James August, CQA 01/21/09

3
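A worked version of this definition, added here as an example and not part of the original deck: the one-day-ahead portfolio values are constructed sample data, and the 90% VaR is read off as the empirical 90% quantile of the loss distribution (historical simulation), so the plotted density is replaced by a sample of equally likely outcomes.

```python
import math

# Constructed sample: 20 equally likely one-day-ahead portfolio values (the
# possible 1P outcomes) for a portfolio whose current value 0p is 100.0 USD.
CURRENT_VALUE = 100.0
FUTURE_VALUES = [
    103.0, 101.5, 99.0, 98.5, 102.0, 97.0, 100.5, 95.0, 101.0, 99.5,
    104.0, 96.5, 100.0, 98.0, 93.0, 102.5, 97.5, 101.2, 99.8, 90.0,
]


def value_at_risk(current_value, future_values, confidence=0.90):
    """One-day VaR: the loss L such that the portfolio loses L or less with
    probability >= confidence over the sampled outcomes.

    Losses are current_value - future_value (a gain is a negative loss), and
    with equally likely samples VaR is the empirical quantile of the losses.
    """
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    if not future_values:
        raise ValueError("need at least one sampled outcome")
    losses = sorted(current_value - v for v in future_values)
    # Smallest index k with (k + 1) / n >= confidence.
    k = math.ceil(confidence * len(losses)) - 1
    return losses[k]


def exceedance_fraction(current_value, future_values, threshold):
    """Fraction of sampled outcomes whose loss is larger than threshold;
    for a correctly computed VaR this is at most 1 - confidence."""
    losses = [current_value - v for v in future_values]
    return sum(1 for loss in losses if loss > threshold) / len(losses)
```

With the constructed sample, the 90% VaR is a loss of 5.0 USD, and exactly 10% of the outcomes lose more than that.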

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
[Chart: four quadrants plotted with "Value accrued (+/-)" on the vertical axis and "Cost of action" on the horizontal axis]
– big cost, big gains
– small cost, small gains
– small cost, small losses
– big cost, big losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
[Chart: the same four quadrants, "Value accrued (+/-)" on the vertical axis and "Cost of action" on the horizontal axis, with the tolerable loss limit also marked]
– small cost, big gains: "no brainer"
– big cost, big gains
– small cost, small gains
– small cost, small losses
– tolerable loss limit
– big cost, big losses: "not a good idea"

James August, CQA 01/21/09

21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes
– acquire new customers
– take orders
– procure materials
– create products, manage inventories
– deliver products
– collect payments
James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes
– market research
– pricing
– promotion and advertising
– order taking (order entry)
– warranty management
James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes
– materials sourcing (availability)
– quality control (product & process)
– plant & workplace safety
– environmental concerns
– inventory
– logistics and transport
James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes
– budgeting
– accounts receivable and payable
– banking
– currency exchange
– MIS and IT processes
James August, CQA 01/21/09

36

Risk identification
• support business processes
– strategic planning
– brand management
– facilities and infrastructure management
– process engineering
– capital investment
– asset management
James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes
– quality assurance
– predictive/ preventive maintenance
– recruitment, compensation
– employee relations (work stoppages)
– employee performance mgt
– payroll, benefits, ...
James August, CQA 01/21/09

39

Risk identification
• other business areas
– outplacement
– employee well-being
– insurance
– mergers & acquisitions
– construction / expansion
James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.
– Strengths
– Weaknesses
– Opportunities
– Threats

James August, CQA 01/21/09

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses
– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Risk matrix (rows: Frequency; columns: Severity)

Frequency     Negligible   Minor   Major   Severe
Frequent      L            I       H       H
Probable      L            I       H       H
Occasional    T            I       I       H
Remote        T            L       I       I
James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criterion: RPN compared against a threshold of 100 (RPN < 100 or RPN > 100), where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification
– Weighted probabilities
– Extended cost
– Future Value or Net Present Value
– Capability analysis
– Value stream mapping
– Cost of poor quality
– Discounted Cash Flow
– Internal Rate of Return
James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• $NPV = a_0 + \frac{a_1}{1+i} + \frac{a_2}{(1+i)^2} + \frac{a_3}{(1+i)^3} + \cdots$

• Where
$a$ is the return for each period at rate $i$

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
The value of $i$ such that $\sum_{t=1}^{p} \frac{a_t}{(1+i)^t} = 0$

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?"
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
James August, CQA 01/21/09

61

Risk evaluation
[Chart: four quadrants plotted with "Value accrued (+/-)" on the vertical axis and "Change implementation" on the horizontal axis]
– No change, positive outcome
– Change, positive outcome
– No change, negative outcome
– Change, negative outcome

James August, CQA 01/21/09

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
James August, CQA 01/21/09

63
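The four-case comparison worked in code, as an added example that is not from the original deck: the yearly cash flows, the 10% discount rate and the loss limit are constructed assumptions; NPV follows the formula on the NPV slide, and IRR is found by bisection, the trial-and-error approach the IRR slide describes.

```python
def npv(rate, cash_flows):
    """Net present value per the deck: cash_flows[0] is today's undiscounted
    flow, cash_flows[t] is divided by (1 + rate) ** t."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


def irr(cash_flows, low=-0.99, high=10.0, tol=1e-7, max_iter=200):
    """Internal rate of return by bisection on npv(rate) == 0.

    Returns None when NPV has the same sign at both ends of [low, high],
    i.e. no IRR exists there (a stream that is all gains or all losses).
    """
    f_low, f_high = npv(low, cash_flows), npv(high, cash_flows)
    if f_low * f_high > 0:
        return None
    for _ in range(max_iter):
        mid = (low + high) / 2.0
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol or (high - low) / 2.0 < tol:
            return mid
        if f_low * f_mid < 0:
            high, f_high = mid, f_mid
        else:
            low, f_low = mid, f_mid
    return (low + high) / 2.0


# Constructed yearly cash flows (USD, year 0 first) for the four cases on
# the slide: change or no change, planned or adverse outcome.
FOUR_CASES = {
    "change, positive outcome":    [-50_000, 25_000, 25_000, 25_000],
    "change, negative outcome":    [-50_000, -10_000, 5_000, 5_000],
    "no change, positive outcome": [0, 2_000, 3_000, 4_000],  # learning curve
    "no change, negative outcome": [0, -15_000, -15_000, -15_000],
}
DISCOUNT_RATE = 0.10            # constructed cost of capital
TOLERABLE_LOSS_LIMIT = 40_000   # constructed risk-tolerance loss limit (USD)


def evaluate_cases(cases, rate, loss_limit):
    """NPV and IRR for every case, plus whether its loss stays inside the limit."""
    results = {}
    for name, flows in cases.items():
        value = npv(rate, flows)
        results[name] = {
            "npv": round(value, 2),
            "irr": irr(flows),
            "within_loss_limit": -value <= loss_limit,
        }
    return results


def decision(cases, rate, loss_limit):
    """Compare 'change' against 'no change' across both outcomes.

    The change is recommended only if its planned-outcome NPV beats doing
    nothing AND its adverse outcome stays inside the tolerable loss limit.
    """
    r = evaluate_cases(cases, rate, loss_limit)
    better = r["change, positive outcome"]["npv"] > r["no change, positive outcome"]["npv"]
    safe = r["change, negative outcome"]["within_loss_limit"]
    return "implement change" if better and safe else "do not implement change"
```

With these numbers the planned change beats doing nothing on NPV, but its adverse case loses more than the limit, so the comparison says no; raising the limit to 60,000 flips the answer.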

Mitigation

James August, CQA 01/21/09

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

James August, CQA 01/21/09

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
James August, CQA 01/21/09

66

Risk mitigation treatments
• Risk avoidance
• Risk reduction
• Risk retention
• Risk transfer

James August, CQA 01/21/09

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
James August, CQA 01/21/09

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia
James August, CQA 01/21/09

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also, any amount of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia
James August, CQA 01/21/09

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
James August, CQA 01/21/09

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training
James August, CQA 01/21/09

72

Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability weighted Sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis
James August, CQA 01/21/09

73

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists
James August, CQA 01/21/09

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
James August, CQA 01/21/09

from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)

James August, CQA 01/21/09

78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks

James August, CQA 01/21/09

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)

James August, CQA 01/21/09

80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to
controlled recovery

James August, CQA 01/21/09

81
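The ALE re-evaluation steps of the last three slides worked through, as an added example not from the original deck: the risk register, its frequencies, loss amounts and control costs are constructed sample values, and "improvement in ALE" is computed as raw ALE minus ALE with all controls working, set against the cost of those controls.

```python
# Constructed risk register. Per risk: loss per occurrence (USD) and
# occurrences per year before controls, the same two assuming the control
# is working, and the yearly cost of the control.
RISK_REGISTER = [
    {"risk": "supplier delivery failure", "loss": 20_000, "frequency": 2.0,
     "controlled_loss": 5_000, "controlled_frequency": 1.0, "control_cost": 6_000},
    {"risk": "pricing data leak", "loss": 80_000, "frequency": 0.25,
     "controlled_loss": 80_000, "controlled_frequency": 0.05, "control_cost": 9_000},
    {"risk": "line stoppage", "loss": 4_000, "frequency": 12.0,
     "controlled_loss": 4_000, "controlled_frequency": 6.0, "control_cost": 30_000},
]


def annual_loss_exposure(loss, frequency):
    """ALE for one risk: annual loss per occurrence times occurrences per year."""
    if loss < 0 or frequency < 0:
        raise ValueError("loss and frequency must be non-negative")
    return loss * frequency


def raw_ale(register):
    """Raw ALE summed over all risks, before any mitigation."""
    return sum(annual_loss_exposure(r["loss"], r["frequency"]) for r in register)


def controlled_ale(register):
    """ALE summed over all risks, assuming every control is working."""
    return sum(annual_loss_exposure(r["controlled_loss"], r["controlled_frequency"])
               for r in register)


def control_cost(register):
    """Yearly cost of all risk-mitigating controls."""
    return sum(r["control_cost"] for r in register)


def mitigation_report(register):
    """Per-risk and overall view of what each control buys.

    net_benefit is the ALE improvement minus the control's cost; a negative
    value means the control costs more per year than the exposure it removes.
    """
    rows = []
    for r in register:
        before = annual_loss_exposure(r["loss"], r["frequency"])
        after = annual_loss_exposure(r["controlled_loss"], r["controlled_frequency"])
        rows.append({
            "risk": r["risk"],
            "raw_ale": before,
            "controlled_ale": after,
            "ale_improvement": before - after,
            "net_benefit": before - after - r["control_cost"],
        })
    improvement = raw_ale(register) - controlled_ale(register)
    return {
        "rows": rows,
        "raw_ale": raw_ale(register),
        "controlled_ale": controlled_ale(register),
        "control_cost": control_cost(register),
        "ale_improvement": improvement,
        "net_benefit": improvement - control_cost(register),
    }


def controls_worth_keeping(register):
    """Risks whose control reduces ALE by more than the control costs per year."""
    return [row["risk"] for row in mitigation_report(register)["rows"]
            if row["net_benefit"] > 0]
```

For the constructed register the controls cut ALE from 108,000 to 33,000 USD a year at a cost of 45,000, but the line-stoppage control alone costs more than the exposure it removes.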

Conclusions

James August, CQA 01/21/09

82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)
James August, CQA 01/21/09

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:

– Define
– Identify
– Evaluate
– Mitigate
– Control
James August, CQA 01/21/09

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations

James August, CQA 01/21/09

85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, cp, etc)
– Financial calculations (ROI, etc)
– SPC
– ...
James August, CQA 01/21/09

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car
James August, CQA 01/21/09

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009

James August, CQA 01/21/09

88

(Four Case)
Risk Management Analysis
Thank you
Questions?

James August, CQA 01/21/09

89


Slide 17

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes
– market research
– pricing
– promotion and advertising
– order taking (order entry)
– warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes
– materials sourcing (availability)
– quality control (product & process)
– plant & workplace safety
– environmental concerns
– inventory
– logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes
– budgeting
– accounts receivable and payable
– banking
– currency exchange
– MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes
– strategic planning
– brand management
– facilities and infrastructure management
– process engineering
– capital investment
– asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes
– quality assurance
– predictive/ preventive maintenance
– recruitment, compensation
– employee relations (work stoppages)
– employee performance mgt
– payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas
– outplacement
– employee well-being
– insurance
– mergers & acquisitions
– construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.
– Strengths
– Weaknesses
– Opportunities
– Threats

James August, CQA 01/21/09

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses
– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Risk matrix (rows: Frequency, columns: Severity)

Frequency    | Negligible | Minor | Major | Severe
Frequent     |     L      |   I   |   H   |   H
Probable     |     L      |   I   |   H   |   H
Occasional   |     T      |   I   |   I   |   H
Remote       |     T      |   L   |   I   |   I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification
– Weighted probabilities
– Extended cost
– Future Value or Net Present Value
– Capability analysis
– Value stream mapping
– Cost of poor quality
– Discounted Cash Flow
– Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b
• Return on Investment (ROI)
– Net B/C ratio = (PV of benefits – PV of operating costs) / PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)^2 + a3/(1+i)^3 + ...
• Where “a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
James August, CQA 01/21/09

54

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
– The value of "i" such that Σ (t = 1 to p) a_t/(1+i)^t = 0

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?"
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59
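The NPV and IRR slides above give the formula and say IRR must be found by trial and error. The following is an added example (not code from the deck or its author) that carries both out without a spreadsheet: NPV exactly as the deck writes it, with a0 the up-front outlay, and IRR by bisection, the systematic form of trial and error. The cash-flow figures are constructed for illustration.

```python
"""NPV and IRR for a cash-flow stream.

Added example, not code from the deck. Period 0 carries the up-front outlay
(negative) and periods 1..p the returns, matching the deck's
NPV = a0 + a1/(1+i) + a2/(1+i)^2 + ...  and its remark that IRR has no
closed form and must be found by trial and error (here: bisection).
"""
from typing import Sequence


def npv(rate: float, cash_flows: Sequence[float]) -> float:
    """Net present value: cash_flows[t] is received at the end of period t."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


def irr(cash_flows: Sequence[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-10, max_iter: int = 200) -> float:
    """Internal rate of return: the discount rate at which NPV is zero.

    NPV is continuous in the rate, so if it changes sign on [lo, hi] there is
    a root inside; halving the bracket each step is the deck's 'trial and
    error' made systematic. A stream whose NPV never changes sign on the
    bracket has no IRR here, and the caller must handle that.
    """
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        raise ValueError("NPV does not change sign on the bracket; no IRR found")
    for _ in range(max_iter):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol or (hi - lo) < tol:
            return mid
        if (f_lo < 0) == (f_mid < 0):   # root lies in the upper half
            lo, f_lo = mid, f_mid
        else:                           # root lies in the lower half
            hi, f_hi = mid, f_mid
    return (lo + hi) / 2.0


def accept_at_hurdle(cash_flows: Sequence[float], hurdle_rate: float) -> bool:
    """Decision rule implied by the deck: accept when NPV at the hurdle rate
    is positive, i.e. when the IRR exceeds the hurdle rate."""
    return npv(hurdle_rate, cash_flows) > 0


# Constructed sample (assumed figures, not from the deck): a control rollout
# costing 1000 now and returning 300, 400 and 500 over the next three periods.
SAMPLE_FLOWS = [-1000.0, 300.0, 400.0, 500.0]

if __name__ == "__main__":
    rate = irr(SAMPLE_FLOWS)
    print(f"NPV at 10%: {npv(0.10, SAMPLE_FLOWS):.2f}")
    print(f"IRR: {rate:.4%}   NPV at IRR: {npv(rate, SAMPLE_FLOWS):.2e}")
    print("accept at 8% hurdle:", accept_at_hurdle(SAMPLE_FLOWS, 0.08))
```

For the sample stream the NPV is positive at an 8% discount rate and negative at 10%, so the IRR lies between them (about 8.9%); the decision rule therefore accepts the rollout against an 8% hurdle and rejects it against 10%.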

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
James August, CQA 01/21/09

61

Risk evaluation
[Figure: 2×2 grid of the four risk cases. Vertical axis: Value accrued (+/-); horizontal axis: Change implementation. Quadrants: No change / Positive outcome; Change / Positive outcome; No change / Negative outcome; Change / Negative outcome.]

James August, CQA 01/21/09

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
James August, CQA 01/21/09

63
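Slides 61 to 63 describe the four-case comparison: value each case with the organization's preferred method, compare the four results, and keep the risk tolerance loss limit in view. The following is an added example (not code from the deck or its author) that does this with NPV; ROI, DCF or IRR would slot in the same way. It also weights the two outcomes of each decision by an assumed probability, one of the quantification approaches the deck lists. The cash flows, probabilities, discount rate and loss limit are constructed figures.

```python
"""Four-case comparison for one decision.

Added example, not code from the deck. The deck's four cases (change or no
change, each with a positive or a negative outcome) are valued with one
method (NPV here), every case is checked against the tolerable loss limit,
and the two decisions are compared by probability-weighted NPV. All figures
below are assumed.
"""
from dataclasses import dataclass
from typing import Dict, Sequence


@dataclass(frozen=True)
class Case:
    decision: str                 # "change" or "no change"
    outcome: str                  # "positive" or "negative"
    probability: float            # assumed likelihood of this outcome, given the decision
    cash_flows: Sequence[float]   # period 0 = now, then one value per period


def npv(rate: float, cash_flows: Sequence[float]) -> float:
    """Net present value as the deck writes it: a0 + a1/(1+i) + a2/(1+i)^2 + ..."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


def evaluate_cases(cases: Sequence[Case], rate: float, loss_limit: float) -> Dict:
    """Value each case and summarise per decision.

    loss_limit is the tolerable loss limit (a positive dollar amount). A case
    whose NPV falls below -loss_limit breaches tolerance, and a decision with
    any breaching outcome is flagged as outside tolerance no matter how good
    its expected value looks: the limit is the worst case you can afford.
    """
    decisions = sorted({c.decision for c in cases})
    for d in decisions:
        total_p = sum(c.probability for c in cases if c.decision == d)
        if abs(total_p - 1.0) > 1e-9:
            raise ValueError(f"outcome probabilities for {d!r} sum to {total_p}, not 1")

    per_case = []
    expected = {d: 0.0 for d in decisions}
    within = {d: True for d in decisions}
    for c in cases:
        value = npv(rate, c.cash_flows)
        breach = value < -loss_limit
        per_case.append({"decision": c.decision, "outcome": c.outcome,
                         "npv": value, "breaches_limit": breach})
        expected[c.decision] += c.probability * value
        if breach:
            within[c.decision] = False

    tolerable = [d for d in decisions if within[d]]
    preferred = max(tolerable, key=expected.__getitem__) if tolerable else None
    return {"cases": per_case, "expected_npv": expected,
            "within_tolerance": within, "preferred": preferred}


# Constructed sample (assumed figures): a process change costing 500 now.
SAMPLE_CASES = [
    Case("change", "positive", 0.7, [-500, 300, 300, 300]),
    Case("change", "negative", 0.3, [-500, 0, 100, 150]),
    Case("no change", "positive", 0.5, [0, 50, 60, 70]),        # learning-curve gains
    Case("no change", "negative", 0.5, [0, -200, -200, -200]),  # the RTP downside hidden in "doing nothing"
]

if __name__ == "__main__":
    result = evaluate_cases(SAMPLE_CASES, rate=0.08, loss_limit=400)
    for row in result["cases"]:
        flag = "  BREACHES LOSS LIMIT" if row["breaches_limit"] else ""
        print(f'{row["decision"]:>9} / {row["outcome"]:<8} NPV {row["npv"]:9.2f}{flag}')
    print("expected NPV:", {k: round(v, 2) for k, v in result["expected_npv"].items()})
    print("within tolerance:", result["within_tolerance"], " preferred:", result["preferred"])
```

The sample is built to show the deck's warning about RTP decisions: "no change" costs nothing up front, but its negative outcome breaches the 400 loss limit, so the decision is outside tolerance even before the expected values are compared.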

Mitigation

James August, CQA 01/21/09

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

James August, CQA 01/21/09

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
James August, CQA 01/21/09

66

Risk mitigation treatments
– Risk avoidance
– Risk reduction
– Risk retention
– Risk transfer

James August, CQA 01/21/09

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
James August, CQA 01/21/09

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia
James August, CQA 01/21/09

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia
James August, CQA 01/21/09

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
James August, CQA 01/21/09

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

James August, CQA 01/21/09

72

Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability weighted sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis
James August, CQA 01/21/09

73

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

James August, CQA 01/21/09

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
– Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
– Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
– Determine whether product development has realistic
costs and timeframes.
– Check that a detailed budget has been established for
product development.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
– Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
– Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
– Make sure quality specifications have been defined,
authorized and formally documented.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

77

Evaluation
(re-evaluation after control)

James August, CQA 01/21/09

78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks

James August, CQA 01/21/09

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)

James August, CQA 01/21/09

80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to
controlled recovery

James August, CQA 01/21/09

81
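Slides 79 to 81 lay out the re-evaluation procedure: estimate the annual loss and frequency for each risk, multiply to get the raw Annual Loss Exposure and sum it, then recompute the ALE with all controls working, cost the controls, and measure the improvement. The following is an added example (not code from the deck or its author) that carries the whole procedure through on a small constructed risk register. It also flags, per risk, a control whose annual cost exceeds the loss it removes, which is where the deck's risk retention treatment applies. The risks, dollar amounts, frequencies and control names are assumed figures.

```python
"""Annual Loss Exposure (ALE) before and after controls.

Added example, not code from the deck. For each risk: raw ALE = loss per
occurrence x annual frequency, summed over all risks; then the same with
each control assumed to be working, plus the controls' annual cost and the
resulting improvement. All figures below are assumed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence


@dataclass(frozen=True)
class Risk:
    name: str
    loss_per_event: float                               # estimated loss each time the risk occurs
    events_per_year: float                              # estimated frequency of occurrence
    control: Optional[str] = None                       # mitigating control, if any
    controlled_loss_per_event: Optional[float] = None   # residual loss with the control working
    controlled_events_per_year: Optional[float] = None  # residual frequency with the control working
    control_cost_per_year: float = 0.0

    def raw_ale(self) -> float:
        return self.loss_per_event * self.events_per_year

    def controlled_ale(self) -> float:
        """ALE with the control in place; a residual left as None keeps its raw value."""
        loss = (self.loss_per_event if self.controlled_loss_per_event is None
                else self.controlled_loss_per_event)
        freq = (self.events_per_year if self.controlled_events_per_year is None
                else self.controlled_events_per_year)
        return loss * freq


def evaluate_controls(risks: Sequence[Risk]) -> Dict:
    """Raw vs. controlled ALE, control cost, and per-risk net benefit.

    A control whose annual cost exceeds the ALE it removes is flagged
    'retain_instead': retention is the deck's treatment for risks where the
    cure costs more over time than the losses it prevents.
    """
    per_risk = {}
    for r in risks:
        reduction = r.raw_ale() - r.controlled_ale()
        per_risk[r.name] = {
            "raw_ale": r.raw_ale(),
            "controlled_ale": r.controlled_ale(),
            "ale_reduction": reduction,
            "control_cost": r.control_cost_per_year,
            "net_benefit": reduction - r.control_cost_per_year,
            "retain_instead": r.control is not None and reduction < r.control_cost_per_year,
        }
    raw = sum(v["raw_ale"] for v in per_risk.values())
    controlled = sum(v["controlled_ale"] for v in per_risk.values())
    cost = sum(v["control_cost"] for v in per_risk.values())
    return {"raw_ale": raw, "controlled_ale": controlled, "control_cost": cost,
            "ale_reduction": raw - controlled, "net_benefit": raw - controlled - cost,
            "per_risk": per_risk}


# Constructed sample register (assumed figures, not from the deck).
SAMPLE_RISKS = [
    Risk("ransomware outbreak", 250_000, 0.1, "offline backups + endpoint detection",
         controlled_loss_per_event=50_000, control_cost_per_year=12_000),
    Risk("phished credential", 8_000, 6, "phishing-resistant MFA",
         controlled_events_per_year=0.5, control_cost_per_year=9_000),
    Risk("lost laptop", 3_000, 2, "full-disk encryption",
         controlled_loss_per_event=1_500, control_cost_per_year=4_000),
]

if __name__ == "__main__":
    summary = evaluate_controls(SAMPLE_RISKS)
    for name, v in summary["per_risk"].items():
        note = "  (retain instead)" if v["retain_instead"] else ""
        print(f'{name:<20} raw {v["raw_ale"]:>9,.0f}  controlled {v["controlled_ale"]:>9,.0f}'
              f'  cost {v["control_cost"]:>7,.0f}  net {v["net_benefit"]:>8,.0f}{note}')
    print({k: round(v) for k, v in summary.items() if k != "per_risk"})
```

In the sample the controls cut the summed ALE from 79,000 to 12,000 for 25,000 a year, a net gain of 42,000; the laptop encryption control is the one case where the saving (3,000) is below the cost (4,000), so the register flags it for retention rather than treatment.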

Conclusions

James August, CQA 01/21/09

82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)
James August, CQA 01/21/09

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:
– Define
– Identify
– Evaluate
– Mitigate
– Control
James August, CQA 01/21/09

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations

James August, CQA 01/21/09

85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, cp, etc)
– Financial calculations (ROI, etc)
– SPC
– ...

James August, CQA 01/21/09

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car
James August, CQA 01/21/09

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009

James August, CQA 01/21/09

88

(Four Case)
Risk Management Analysis
Thank you
Questions?

James August, CQA 01/21/09

89


(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
[Figure: 2×2 grid. Vertical axis: Value accrued (+/-); horizontal axis: Cost of action. Quadrants: big cost, big gains; small cost, small gains; small cost, small losses; big cost, big losses.]

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
[Figure: the same grid, annotated. Vertical axis: Value accrued (+/-); horizontal axis: Cost of action. Quadrants: small cost, big gains (“no brainer”); big cost, big gains; small cost, small gains; small cost, small losses; big cost, big losses (“not a good idea”). The tolerable loss limit is marked on the grid.]

James August, CQA 01/21/09

21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
p



The value of "i" such that  at / (1+i) t = 0
t=1

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
James August, CQA 01/21/09

61

Risk evaluation
V a lu e a ccru e d (+ /-)

N o ch an ge
P ositive ou tcom e

C h an ge
P ositive ou tcom e

C h a n g e im p le m e n ta tio n

N o ch an ge
N egative ou tcom e

James August, CQA 01/21/09

C h an ge
N egative ou tcom e

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
James August, CQA 01/21/09

63

Mitigation

James August, CQA 01/21/09

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

James August, CQA 01/21/09

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
James August, CQA 01/21/09

66

Risk mitigation treatments





James August, CQA 01/21/09

Risk avoidance
Risk reduction
Risk retention
Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also, any amount of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

72

Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability weighted Sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
  • simulations and prototyping
– Inventory ABC analysis

73

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)


78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks


79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)


80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine the effectiveness of mitigation by
recalculating the Annual Loss Exposure assuming
all controls are working
– Determine the cost of the risk-mitigating controls
– Determine the improvement in ALE due to
controlled recovery


81
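The re-evaluation steps on the three slides above (estimate the annual loss for each risk, determine its frequency of occurrence, multiply and sum into the raw ALE, recalculate the ALE assuming all controls work, cost the controls, and measure the improvement), worked as one added example that is not from the original deck. The risk names, loss amounts, frequencies, control names and control costs are constructed sample values; the post-control estimates are likewise assumed.

```python
"""Raw and controlled Annual Loss Exposure (ALE), following the re-evaluation steps.

Added example; not part of the original slide deck. For each risk the
estimated loss per occurrence is multiplied by the estimated frequency of
occurrence, the products are summed into the raw ALE, and the calculation is
repeated with post-control estimates (all controls assumed working) to
measure the improvement against the cost of the controls. Risk names,
dollar amounts, frequencies and control costs are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    loss_per_event: float             # estimated loss each time the risk occurs ($)
    events_per_year: float            # estimated frequency of occurrence (per year)
    controlled_loss_per_event: float  # same two estimates, assuming the controls work
    controlled_events_per_year: float


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float                # recurring cost of the control ($/year)


# Constructed sample risks spanning an IT process and a materials process.
RISKS = (
    Risk("ransomware outage of order entry", 200_000, 0.2, 80_000, 0.05),
    Risk("credential theft via phishing", 15_000, 4.0, 10_000, 1.0),
    Risk("substandard supplies reach production", 25_000, 2.0, 25_000, 0.5),
)
CONTROLS = (
    Control("offline backups and restore drills", 20_000),
    Control("MFA and phishing awareness training", 15_000),
    Control("incoming inspection and supplier assessment", 30_000),
)


def annual_loss_exposure(loss_per_event, events_per_year):
    """ALE for one risk: loss per occurrence x occurrences per year."""
    return loss_per_event * events_per_year


def raw_ale(risks):
    """Sum over all risks before any control is applied (the raw ALE)."""
    return sum(annual_loss_exposure(r.loss_per_event, r.events_per_year) for r in risks)


def controlled_ale(risks):
    """Sum over all risks using the post-control estimates."""
    return sum(annual_loss_exposure(r.controlled_loss_per_event,
                                    r.controlled_events_per_year) for r in risks)


def per_risk_reduction(risks):
    """ALE reduction contributed by each risk, useful for prioritising controls."""
    return {r.name: annual_loss_exposure(r.loss_per_event, r.events_per_year)
                    - annual_loss_exposure(r.controlled_loss_per_event,
                                           r.controlled_events_per_year)
            for r in risks}


def evaluate_controls(risks, controls):
    """Raw ALE, controlled ALE, control cost and the net improvement."""
    raw = raw_ale(risks)
    controlled = controlled_ale(risks)
    cost = sum(c.annual_cost for c in controls)
    reduction = raw - controlled
    return {
        "raw_ale": raw,
        "controlled_ale": controlled,
        "ale_reduction": reduction,
        "control_cost": cost,
        "net_benefit": reduction - cost,       # > 0 means the controls pay for themselves
        "residual_risk_retained": controlled,  # loss exposure still retained after control
    }


if __name__ == "__main__":
    result = evaluate_controls(RISKS, CONTROLS)
    for key, value in result.items():
        print(f"{key:<24} {value:>12,.2f}")
    for name, saved in per_risk_reduction(RISKS).items():
        print(f"  {name:<40} saves {saved:>10,.2f}/year")
```

The controlled ALE is the risk the organization still retains after the controls are in place; comparing it with the tolerable loss limit from the definition slides tells you whether the residual risk is acceptable, while the net benefit tells you whether the controls are worth their cost.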

Conclusions


82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:

1. Define
2. Identify
3. Evaluate
4. Mitigate
5. Control

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations


85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, Cp, etc.)
– Financial calculations (ROI, etc.)
– SPC
– ...

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009


88

(Four Case)
Risk Management Analysis
Thank you
Questions?


89


Slide 19

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
p



The value of "i" such that  at / (1+i) t = 0
t=1

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
James August, CQA 01/21/09

61

Risk evaluation
V a lu e a ccru e d (+ /-)

N o ch an ge
P ositive ou tcom e

C h an ge
P ositive ou tcom e

C h a n g e im p le m e n ta tio n

N o ch an ge
N egative ou tcom e

James August, CQA 01/21/09

C h an ge
N egative ou tcom e

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
James August, CQA 01/21/09

63

Mitigation

James August, CQA 01/21/09

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

James August, CQA 01/21/09

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
James August, CQA 01/21/09

66

Risk mitigation treatments





James August, CQA 01/21/09

Risk avoidance
Risk reduction
Risk retention
Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
James August, CQA 01/21/09

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia
James August, CQA 01/21/09

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia
James August, CQA 01/21/09

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
James August, CQA 01/21/09

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools





Design for Six Sigma
Investment hedging
Concurrent Engineering
Employee education & training

James August, CQA 01/21/09

72

Risk mitigation
• Some mitigation approaches for core
processes





Published financial documents – open review
Probability weighted Sales forecasts
Raw material cost projections
FTA and FMEA for design and process
• simulations and prototyping

– Inventory ABC analysis
James August, CQA 01/21/09

73

Risk mitigation
• and







Freight carrier performance statistics
Statistical Process Control
Electronic surveillance
Hedging
Invoice aging analysis and variance
Process check lists

James August, CQA 01/21/09

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for GrowthTM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
James August, CQA 01/21/09

from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)

James August, CQA 01/21/09

78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks

James August, CQA 01/21/09

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)

James August, CQA 01/21/09

80

Risk evaluation revisited
• Re-evaluate costs and benefit
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE to to
controlled recovery

James August, CQA 01/21/09

81

Conclusions

James August, CQA 01/21/09

82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)
James August, CQA 01/21/09

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:

Control
Mitigate
Evaluate
Identify
Define
James August, CQA 01/21/09

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations

James August, CQA 01/21/09

85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists





Non-financial indexes (FMEA, cp, etc)
Financial calculations (ROI, etc)
SPC
...

James August, CQA 01/21/09

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car
James August, CQA 01/21/09

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009

James August, CQA 01/21/09

88

(Four Case)
Risk Management Analysis
Thank you
Questions?

James August, CQA 01/21/09

89


Slide 20

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?

(Four Case)
Risk Management Analysis

• Risk management is a process
• The process has parallels with DMAIC and PDCA


Definition


Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira


Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.


Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability


Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large


Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $


Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output


Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.


Risk definition
Figure: a 2x2 grid with "Value accrued (+/-)" on the vertical axis and
"Cost of action" on the horizontal axis. Upper quadrants: small cost,
small gains; big cost, big gains. Lower quadrants: small cost, small
losses; big cost, big losses.


Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues

Risk definition
Figure: the same 2x2 grid ("Value accrued (+/-)" against "Cost of
action"), now annotated. Upper quadrants: small cost, big gains ("no
brainer"); big cost, big gains; small cost, small gains. Lower
quadrants: small cost, small losses; big cost, big losses ("not a good
idea"). The tolerable loss limit is marked on the loss side of the grid.

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures


Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.


Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level

Identification


Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.

Risk identification
What is at risk?


Risk identification
What is at risk?
Achieving your objectives!


Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008

Risk identification
• core business op’ns & processes
– acquire new customers
– take orders
– procure materials
– create products, manage inventories
– deliver products
– collect payments


Risk identification
• core sales sub-processes
– market research
– pricing
– promotion and advertising
– order taking (order entry)
– warranty management


Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection


Risk identification
• core operations sub-processes
– materials sourcing (availability)
– quality control (product & process)
– plant & workplace safety
– environmental concerns
– inventory
– logistics and transport


Risk identification
• core finance sub-processes
– budgeting
– accounts receivable and payable
– banking
– currency exchange
– MIS and IT processes


Risk identification
• support business processes
– strategic planning
– brand management
– facilities and infrastructure management
– process engineering
– capital investment
– asset management


Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management

Risk identification
• support business sub-processes
– quality assurance
– predictive/ preventive maintenance
– recruitment, compensation
– employee relations (work stoppages)
– employee performance mgt
– payroll, benefits, ...


Risk identification
• other business areas
– outplacement
– employee well-being
– insurance
– mergers & acquisitions
– construction / expansion


Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.
– Strengths
– Weaknesses
– Opportunities
– Threats

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses
– Historical information - lessons learned
– Templates: critical path, engineering, ...

Evaluation


Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?


Risk evaluation
Risk matrix: rating by frequency of occurrence (rows) and severity (columns);
the rating codes H, I, L and T are as lettered on the original slide.

Frequency     Negligible   Minor   Major   Severe
Frequent      L            I       H       H
Probable      L            I       H       H
Occasional    T            I       I       H
Remote        T            L       I       I



Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criterion: compare each RPN against a threshold (here 100), where
– RPN = Severity x Occurrence (frequency) x Detectability


Risk evaluation
• Typical approaches for quantification
– Weighted probabilities
– Extended cost
– Future Value or Net Present Value
– Capability analysis
– Value stream mapping
– Cost of poor quality
– Discounted Cash Flow
– Internal Rate of Return


Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency


Risk evaluation
Financial measures of cost/benefit (c/b)
• Return on Investment (ROI)
• Net B/C ratio = (PV of benefits – PV of operating costs) / PV of capital costs


Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.

Risk evaluation

• $\mathrm{NPV} = a_0 + \frac{a_1}{1+i} + \frac{a_2}{(1+i)^2} + \frac{a_3}{(1+i)^3} + \cdots$

• Where $a_t$ is the net cash flow (return) in period $t$, $a_0$ is the flow today, and $i$ is the discount rate per period


Risk evaluation
Financial measures of c/b
• Discounted cash flow (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
In general the IRR has no closed-form algebraic
solution; it has to be found numerically, by
iteration (trial and error).

Risk evaluation
Financial measures of c/b
• IRR: the value of $i$ such that $a_0 + \sum_{t=1}^{p} \frac{a_t}{(1+i)^t} = 0$ (i.e. NPV = 0 over the $p$ periods)


Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?"
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.



Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results

Risk evaluation
Figure: a 2x2 grid with "Value accrued (+/-)" on the vertical axis and
"Change implementation" on the horizontal axis. Upper quadrants: no
change, positive outcome; change, positive outcome. Lower quadrants: no
change, negative outcome; change, negative outcome.

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
tolerable loss limit (risk tolerance).
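The NPV formula given earlier in the deck, the statement that IRR has to be found by trial and error, and the four-case comparison above, worked together as an added example that is not the deck's own (nor a spreadsheet): NPV exactly as the formula writes it, IRR by bisection, and the four cases valued on constructed cash flows with an assumed 10% discount rate and an assumed tolerable loss limit of 150.

```python
"""NPV, IRR by bisection, and the four-case comparison (added example)."""
from typing import Dict, List, Optional, Sequence


def npv(rate: float, cash_flows: Sequence[float]) -> float:
    """Net present value per the slide's formula:
    a0 + a1/(1+i) + a2/(1+i)^2 + ..., with cash_flows[t] = a_t and t = 0 today."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


def irr(cash_flows: Sequence[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-9, max_iter: int = 200) -> Optional[float]:
    """Internal rate of return: the rate at which NPV is zero, found by
    bisection, i.e. the iterative trial and error the slides describe.
    Returns None when NPV has the same sign at both ends of [lo, hi]; then no
    rate in that range zeroes it (for instance when every cash flow has the
    same sign). A stream with several sign changes can have several IRRs;
    bisection returns one of them, so inspect the NPV profile in that case."""
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        return None
    for _ in range(max_iter):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol or (hi - lo) / 2.0 < tol:
            return mid
        if f_lo * f_mid < 0:      # root lies in the lower half
            hi, f_hi = mid, f_mid
        else:                     # root lies in the upper half
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


# Constructed illustration with assumed figures (not from the slides): a process
# change costing 250 today, valued over three years at a 10% discount rate and
# checked against an assumed tolerable loss limit of 150 (all amounts in $k).
DISCOUNT_RATE = 0.10
TOLERABLE_LOSS_LIMIT = 150.0

FOUR_CASES: Dict[str, List[float]] = {
    # cash flows by year; index 0 is today
    "change, positive outcome":    [-250.0, 150.0, 150.0, 150.0],  # planned results achieved
    "change, negative outcome":    [-250.0, -40.0, -40.0, -40.0],  # change backfires, output reduced
    "no change, positive outcome": [0.0, 20.0, 25.0, 30.0],        # learning-curve improvement
    "no change, negative outcome": [0.0, -60.0, -90.0, -120.0],    # process degrades, output lost
}


def evaluate_cases(cases: Dict[str, Sequence[float]], rate: float,
                   loss_limit: float) -> Dict[str, dict]:
    """Value every case by NPV (and IRR where one exists) and flag any case
    whose present-value loss is beyond the tolerable loss limit."""
    results = {}
    for name, flows in cases.items():
        value = npv(rate, flows)
        results[name] = {
            "npv": round(value, 2),
            "irr": irr(flows),
            "exceeds_loss_limit": value < -loss_limit,
        }
    return results


def worst_case_loss(cases: Dict[str, Sequence[float]], rate: float) -> float:
    """Largest present-value loss across the cases (0.0 if no case loses money)."""
    return max(0.0, -min(npv(rate, flows) for flows in cases.values()))


if __name__ == "__main__":
    for name, r in evaluate_cases(FOUR_CASES, DISCOUNT_RATE, TOLERABLE_LOSS_LIMIT).items():
        irr_txt = f"{r['irr']:.1%}" if r["irr"] is not None else "n/a"
        flag = "  <-- beyond the tolerable loss limit" if r["exceeds_loss_limit"] else ""
        print(f"{name:28s} NPV = {r['npv']:8.2f}  IRR = {irr_txt}{flag}")
    print(f"worst case loss: {worst_case_loss(FOUR_CASES, DISCOUNT_RATE):.2f} "
          f"(limit {TOLERABLE_LOSS_LIMIT:.0f})")
```

With these figures the change pays off handsomely if it works (NPV about 123, IRR about 36%) but loses about 349 if it backfires, more than double the assumed loss limit; and the do-nothing case is not free either, since the adverse no-change outcome loses about 219. That is the point of the four cases: the "run the process" decision hides a loss that never shows up in a one-sided project justification. IRR comes back as None for the three cases whose flows never change sign, which is correct: no discount rate makes them break even.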

Mitigation


Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.


Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure

Risk mitigation treatments
– Risk avoidance
– Risk reduction
– Risk retention
– Risk transfer

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training


Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability weighted sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists


Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for GrowthTM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N


Evaluation
(re-evaluation after control)


Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate the loss associated with each
occurrence of each risk
– determine each risk's frequency of
occurrence (events per year)
– multiply the two to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks


Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)


Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine the improvement in ALE due to the
controls (raw ALE minus controlled ALE) and
compare it with the cost of the controls
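The ALE re-evaluation in the steps above, worked through as an added example that is not part of the original deck, on a constructed security risk register with assumed loss, frequency, control-cost and control-effect figures: raw ALE per risk, ALE with each control working, the cost of the controls, and whether each control removes more loss exposure than it costs (if not, retaining the risk is the cheaper treatment).

```python
"""Annual Loss Exposure before and after controls, on a constructed risk register."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Risk:
    """One risk-register line with its proposed control (assumed figures)."""
    name: str
    loss_per_event: float          # estimated loss each time the risk occurs, $/event
    events_per_year: float         # estimated frequency of occurrence, events/year
    control: str
    control_cost_per_year: float   # annual cost of running the control, $/year
    frequency_factor: float        # events_per_year multiplier with the control working (1.0 = unchanged)
    loss_factor: float             # loss_per_event multiplier with the control working (1.0 = unchanged)

    def raw_ale(self) -> float:
        """Raw Annual Loss Exposure: loss per event x events per year."""
        return self.loss_per_event * self.events_per_year

    def controlled_ale(self) -> float:
        """ALE assuming the control works as designed."""
        return (self.loss_per_event * self.loss_factor
                * self.events_per_year * self.frequency_factor)

    def control_pays_off(self) -> bool:
        """A control earns its keep only if it removes more ALE than it costs;
        otherwise the cheaper treatment is to retain the risk."""
        return self.raw_ale() - self.controlled_ale() > self.control_cost_per_year


# Constructed register with assumed figures (not from the slides).
REGISTER: List[Risk] = [
    Risk("phishing leads to credential theft", 40_000, 2.0,
         "MFA on all remote logins", 15_000, 0.2, 1.0),
    Risk("ransomware on the file server", 250_000, 0.1,
         "offline backups with tested restores", 12_000, 1.0, 0.2),
    Risk("lost laptop holding unencrypted data", 30_000, 0.5,
         "full-disk encryption", 2_000, 1.0, 0.1),
    Risk("fraudulent supplier invoice paid", 20_000, 0.25,
         "dual approval above a payment threshold", 8_000, 0.5, 1.0),
]


def total_raw_ale(register: List[Risk]) -> float:
    return sum(r.raw_ale() for r in register)


def total_controlled_ale(register: List[Risk]) -> float:
    return sum(r.controlled_ale() for r in register)


def total_control_cost(register: List[Risk]) -> float:
    return sum(r.control_cost_per_year for r in register)


def net_benefit(register: List[Risk]) -> float:
    """ALE removed by the controls, less what the controls cost per year."""
    return total_raw_ale(register) - total_controlled_ale(register) - total_control_cost(register)


def controls_to_keep(register: List[Risk]) -> Dict[str, bool]:
    """Control name -> whether its ALE reduction exceeds its annual cost."""
    return {r.control: r.control_pays_off() for r in register}


if __name__ == "__main__":
    for r in REGISTER:
        verdict = "worth it" if r.control_pays_off() else "retain the risk instead"
        print(f"{r.name:38s} raw ALE {r.raw_ale():>9,.0f}  controlled ALE {r.controlled_ale():>8,.0f}"
              f"  control cost {r.control_cost_per_year:>7,.0f}  -> {verdict}")
    print(f"raw ALE {total_raw_ale(REGISTER):,.0f}, controlled ALE {total_controlled_ale(REGISTER):,.0f}, "
          f"control cost {total_control_cost(REGISTER):,.0f}, net benefit {net_benefit(REGISTER):,.0f}")
```

On these figures the register carries a raw ALE of $125,000, which the controls cut to $25,000 for $37,000 a year, a net benefit of $63,000. Three of the four controls pay for themselves; dual approval on supplier payments removes only $2,500 of exposure for an $8,000 cost, so on this arithmetic that risk would be retained (or a cheaper control found). The figures are estimates, so the same calculation should be rerun when the loss or frequency assumptions change, and the "assuming all controls are working" step is exactly what an audit or a red-team exercise is there to challenge.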


Conclusions


Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:
– Define
– Identify
– Evaluate
– Mitigate
– Control

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations


Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, Cp, etc)
– Financial calculations (ROI, etc)
– SPC
– ...


Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009


(Four Case)
Risk Management Analysis
Thank you
Questions?



Slide 21

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?


44

Risk evaluation
Risk matrix: frequency (rows) against severity (columns)

Frequency \ Severity   Negligible   Minor   Major   Severe
Frequent               L            I       H       H
Probable               L            I       H       H
Occasional             T            I       I       H
Remote                 T            L       I       I

45

Risk evaluation


46

Risk evaluation


47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability


48

Risk evaluation
• Typical approaches for quantification
– Weighted probabilities
– Extended cost
– Future Value or Net Present Value
– Capability analysis
– Value stream mapping
– Cost of poor quality
– Discounted Cash Flow
– Internal Rate of Return

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency


50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs


51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.

52

Risk evaluation

• NPV = a_0 + a_1/(1+i) + a_2/(1+i)^2 + a_3/(1+i)^3 + ...

• Where
“a_t” is the return for period t, discounted at rate “i” per period

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.

56

Risk evaluation
Financial measures of c/b
• IRR
The value of "i" such that \sum_{t=1}^{p} a_t/(1+i)^t = 0

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?"
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.


59

Risk evaluation
• Four cases for risk evaluation:


60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results

61

Risk evaluation
[Figure: the four risk cases plotted as value accrued (+/-) against change implementation; quadrants: no change / positive outcome, change / positive outcome, no change / negative outcome, change / negative outcome]

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.

63
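The four-case comparison described on the preceding slides, worked in Python as an added example (not code from the deck or its author): each case is a cash-flow stream valued with the deck's NPV formula and an IRR approximated by bisection, then checked against the tolerable loss limit. The cash flows, the 10% discount rate and the loss limit are constructed assumptions.

```python
"""Four-case risk evaluation with NPV and IRR.

Added example, not from the slide deck: each of the deck's four cases
(change or no change, positive or adverse outcome) is written as a
cash-flow stream, valued with the NPV formula and an IRR approximation,
and checked against the organization's tolerable loss limit. The cash-flow
figures, discount rate and loss limit below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


def npv(rate: float, cash_flows: List[float]) -> float:
    """NPV = a_0 + a_1/(1+i) + a_2/(1+i)^2 + ... ; a_0 is the period-0 flow
    (negative for an up-front outlay), later entries are per-period returns."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


def irr(cash_flows: List[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-7, max_iter: int = 200) -> Optional[float]:
    """Rate i at which NPV(i) == 0, approximated by bisection (the deck notes
    the IRR has no closed algebraic form). Returns None when NPV keeps the
    same sign across [lo, hi], which is what happens for a stream with no
    sign change (all gains or all losses): there is no IRR to report."""
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        return None
    for _ in range(max_iter):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol or (hi - lo) / 2.0 < tol:
            return mid
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


@dataclass
class CaseResult:
    name: str
    npv: float
    irr: Optional[float]       # None when no IRR exists for the stream
    within_loss_limit: bool    # discounted loss does not exceed the limit


def evaluate_four_cases(cases: Dict[str, List[float]], rate: float,
                        loss_limit: float) -> List[CaseResult]:
    """Value every case at the organization's rate and flag any whose
    discounted loss is larger than the tolerable loss limit (a positive
    dollar figure), so the adverse cases are compared too, not only the
    planned positive outcome."""
    results = []
    for name, flows in cases.items():
        value = npv(rate, flows)
        results.append(CaseResult(name, value, irr(flows),
                                  value >= -loss_limit))
    return results


# Constructed sample: period-0 outlay followed by three yearly net flows
# (thousands of dollars), one stream per case from the deck.
SAMPLE_CASES: Dict[str, List[float]] = {
    "change, positive outcome":   [-100.0, 40.0, 50.0, 60.0],
    "change, adverse outcome":    [-100.0, 10.0, 10.0, 10.0],
    "no change, learning curve":  [0.0, 2.0, 4.0, 6.0],
    "no change, adverse outcome": [0.0, -30.0, -40.0, -50.0],
}
DISCOUNT_RATE = 0.10   # assumed cost of capital
LOSS_LIMIT = 60.0      # assumed tolerable loss limit (same units as flows)


def demo() -> List[CaseResult]:
    return evaluate_four_cases(SAMPLE_CASES, DISCOUNT_RATE, LOSS_LIMIT)


if __name__ == "__main__":
    for r in demo():
        irr_txt = "n/a" if r.irr is None else f"{r.irr:.1%}"
        print(f"{r.name:28s} NPV={r.npv:8.2f}  IRR={irr_txt:>6s}  "
              f"within limit={r.within_loss_limit}")
```

The adverse change case breaches the assumed limit even though its IRR exists (it is negative), and the two no-change cases have no IRR at all because their streams never change sign, so the comparison has to rest on NPV there.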

Mitigation


64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.


65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure

66

Risk mitigation treatments
– Risk avoidance
– Risk reduction
– Risk retention
– Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured are retained risk.
from Wikipedia

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

72

Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability weighted Sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
  • simulations and prototyping
– Inventory ABC analysis

73

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for GrowthTM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)


78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks


79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)


80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to
controlled recovery

81
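The ALE re-evaluation laid out on the three "Risk evaluation revisited" slides, as an added Python example (not the deck's own code): raw ALE per risk, residual ALE with all controls working, control cost, the resulting improvement and net benefit, and a check of the residual ALE against the loss limit. The risks, dollar figures and control effectiveness factors are constructed assumptions.

```python
"""Annual Loss Exposure (ALE) before and after controls.

Added example, not from the slide deck: every risk carries an estimated loss
per occurrence and an annual frequency, so raw ALE = loss x frequency summed
over all risks. Re-evaluating with all controls working, each control scales
the residual frequency and/or loss and carries its own annual cost, which
gives the ALE improvement, the net benefit after control cost, and a flag for
controls that cost more than the ALE they remove. All figures are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Control:
    name: str
    annual_cost: float
    frequency_factor: float = 1.0  # residual fraction of occurrences (0..1)
    loss_factor: float = 1.0       # residual fraction of loss per occurrence


@dataclass
class Risk:
    name: str
    loss_per_event: float      # estimated loss per occurrence
    annual_frequency: float    # expected occurrences per year
    control: Optional[Control] = None

    def raw_ale(self) -> float:
        """Raw ALE: loss per occurrence x occurrences per year."""
        return self.loss_per_event * self.annual_frequency

    def controlled_ale(self) -> float:
        """ALE assuming the control is working; unchanged when uncontrolled
        (an uncontrolled risk is retained in full)."""
        if self.control is None:
            return self.raw_ale()
        return (self.loss_per_event * self.control.loss_factor
                * self.annual_frequency * self.control.frequency_factor)


@dataclass
class Summary:
    raw_ale: float
    controlled_ale: float
    control_cost: float
    ale_improvement: float
    net_benefit: float
    uneconomic_controls: List[str]
    within_loss_limit: bool


def reevaluate(risks: List[Risk], loss_limit: float) -> Summary:
    """Sum raw and controlled ALE over all risks, total the control spend,
    and list controls whose annual cost exceeds the ALE they remove."""
    raw = sum(r.raw_ale() for r in risks)
    controlled = sum(r.controlled_ale() for r in risks)
    cost = sum(r.control.annual_cost for r in risks if r.control is not None)
    uneconomic = [r.control.name for r in risks if r.control is not None
                  and r.control.annual_cost > r.raw_ale() - r.controlled_ale()]
    return Summary(raw, controlled, cost, raw - controlled,
                   raw - controlled - cost, uneconomic,
                   controlled <= loss_limit)


# Constructed sample drawn from the deck's risk areas (dollars per year).
SAMPLE_RISKS: List[Risk] = [
    Risk("substandard supplier lot", 20_000.0, 3.0,
         Control("incoming inspection", 15_000.0, frequency_factor=0.25)),
    Risk("pricing information leak", 250_000.0, 0.2,
         Control("access control on pricing data", 12_000.0,
                 frequency_factor=0.5, loss_factor=0.4)),
    Risk("freight damage", 5_000.0, 4.0,
         Control("carrier performance tracking", 18_000.0,
                 frequency_factor=0.9)),
    Risk("work stoppage", 80_000.0, 0.1),  # retained: no control applied
]
LOSS_LIMIT = 75_000.0  # assumed tolerable loss limit


def demo() -> Summary:
    return reevaluate(SAMPLE_RISKS, LOSS_LIMIT)


if __name__ == "__main__":
    s = demo()
    print(f"raw ALE {s.raw_ale:,.0f}  controlled ALE {s.controlled_ale:,.0f}  "
          f"control cost {s.control_cost:,.0f}  net benefit {s.net_benefit:,.0f}")
    print("controls costing more than they save:", s.uneconomic_controls)
```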

Conclusions


82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:
– Define
– Identify
– Evaluate
– Mitigate
– Control

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations


85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, cp, etc)
– Financial calculations (ROI, etc)
– SPC
– ...

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009


88

(Four Case)
Risk Management Analysis
Thank you
Questions?


89


Slide 22

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
p



The value of "i" such that  at / (1+i) t = 0
t=1

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
James August, CQA 01/21/09

61

Risk evaluation
V a lu e a ccru e d (+ /-)

N o ch an ge
P ositive ou tcom e

C h an ge
P ositive ou tcom e

C h a n g e im p le m e n ta tio n

N o ch an ge
N egative ou tcom e

James August, CQA 01/21/09

C h an ge
N egative ou tcom e

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
James August, CQA 01/21/09

63

Mitigation

James August, CQA 01/21/09

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

James August, CQA 01/21/09

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
James August, CQA 01/21/09

66

Risk mitigation treatments





James August, CQA 01/21/09

Risk avoidance
Risk reduction
Risk retention
Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
James August, CQA 01/21/09

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia
James August, CQA 01/21/09

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia
James August, CQA 01/21/09

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
James August, CQA 01/21/09

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools





Design for Six Sigma
Investment hedging
Concurrent Engineering
Employee education & training

James August, CQA 01/21/09

72

Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability weighted sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

73

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists


74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.

from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)


78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate the loss per occurrence associated
with each risk
– determine its expected frequency of
occurrence per year
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) of each risk,
and sum over all risks


79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)


80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine the improvement in ALE due to the
controls (raw ALE minus controlled ALE) and
compare it with their cost


81
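The three "Risk evaluation revisited" slides above describe one procedure: work out the raw ALE per risk, recalculate it with all controls working, cost the controls, and value the difference with the method the organization prefers. The Python below carries that procedure through end to end. It is an added example, not code from the deck or its author. The two risks, their dollar amounts and frequencies, the control effectiveness fractions, the up-front spend, the 8% discount rate and the three-year period are all constructed for illustration, and modelling a control as a fractional cut in either event frequency or loss size (the deck's two levers for reducing risk) is an assumption about how to represent it. NPV follows the formula the deck gives (a0 + a1/(1+i) + a2/(1+i)^2 + ...), and IRR is found by bisection because, as the deck notes, it has to be approximated rather than solved algebraically.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Risk:
    name: str
    loss_per_event: float    # expected loss each time the risk materialises ($)
    events_per_year: float   # expected frequency of occurrence per year

    def ale(self) -> float:
        """Raw Annual Loss Exposure: loss per event x events per year."""
        return self.loss_per_event * self.events_per_year


@dataclass(frozen=True)
class Control:
    """A control cuts either how often a loss happens or how large it is
    (the deck's two levers). Fractions in [0, 1] are assumed effectiveness."""
    name: str
    annual_cost: float
    frequency_cut: dict = field(default_factory=dict)  # risk name -> fraction
    severity_cut: dict = field(default_factory=dict)   # risk name -> fraction


def raw_ale(risks) -> float:
    return sum(r.ale() for r in risks)


def controlled_ale(risks, controls) -> float:
    """ALE recalculated assuming every control is working. Controls on the
    same risk are treated as independent, so their residual fractions multiply."""
    total = 0.0
    for r in risks:
        freq, loss = r.events_per_year, r.loss_per_event
        for c in controls:
            freq *= 1.0 - c.frequency_cut.get(r.name, 0.0)
            loss *= 1.0 - c.severity_cut.get(r.name, 0.0)
        total += freq * loss
    return total


def npv(cash_flows, rate) -> float:
    """NPV = a0 + a1/(1+i) + a2/(1+i)^2 + ..., a_t being the flow in period t."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


def irr(cash_flows, lo=-0.99, hi=10.0, tol=1e-9) -> float:
    """Rate at which NPV is zero. No closed form exists, so bisect on npv()."""
    f_lo, f_hi = npv(cash_flows, lo), npv(cash_flows, hi)
    if f_lo * f_hi > 0:
        raise ValueError("NPV never changes sign: the spend is never paid back")
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        f_mid = npv(cash_flows, mid)
        if f_lo * f_mid <= 0:
            hi = mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


def evaluate(risks, controls, upfront_cost, years, discount_rate) -> dict:
    """The re-evaluation steps: raw ALE, controlled ALE, control cost,
    improvement, then the improvement valued over the analysis period."""
    before, after = raw_ale(risks), controlled_ale(risks, controls)
    running_cost = sum(c.annual_cost for c in controls)
    net_saving = (before - after) - running_cost     # per year, years 1..n
    flows = [-upfront_cost] + [net_saving] * years   # year 0 is the spend
    return {
        "raw_ale": before,
        "controlled_ale": after,
        "ale_improvement": before - after,
        "annual_control_cost": running_cost,
        "net_annual_saving": net_saving,
        "npv": npv(flows, discount_rate),
        "irr": irr(flows),
    }


# Constructed inputs: a leak of commercially sensitive pricing data and a
# substandard supplier lot, two exposures the deck's checklists point at.
RISKS = [
    Risk("pricing data leak", loss_per_event=400_000, events_per_year=0.1),
    Risk("substandard supplier lot", loss_per_event=30_000, events_per_year=2.0),
]
CONTROLS = [
    Control("access control on pricing share", annual_cost=8_000,
            frequency_cut={"pricing data leak": 0.5}),
    Control("incoming inspection", annual_cost=15_000,
            severity_cut={"substandard supplier lot": 0.6}),
]

if __name__ == "__main__":
    result = evaluate(RISKS, CONTROLS, upfront_cost=40_000, years=3,
                      discount_rate=0.08)
    for key, value in result.items():
        print(f"{key:>20}: {value:,.2f}")
```

Run as a script to print the figures. The sign check in irr() is deliberate: if the cash-flow stream never changes sign, the controls are never paid back by the exposure they remove, and that absence of an IRR is itself the answer the re-evaluation is looking for. Compare the NPV and the ALE improvement against the tolerable loss limit rather than reading either number in isolation.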

Conclusions


82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:

– Define
– Identify
– Evaluate
– Mitigate
– Control

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate, support your assessment
with recognized cost/benefit (c/b) calculations


85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, Cp, etc.)
– Financial calculations (ROI, etc.)
– SPC
– ...


86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009


88

(Four Case)
Risk Management Analysis
Thank you
Questions?


89


Slide 23

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
p



The value of "i" such that  at / (1+i) t = 0
t=1

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
James August, CQA 01/21/09

61

Risk evaluation
V a lu e a ccru e d (+ /-)

N o ch an ge
P ositive ou tcom e

C h an ge
P ositive ou tcom e

C h a n g e im p le m e n ta tio n

N o ch an ge
N egative ou tcom e

James August, CQA 01/21/09

C h an ge
N egative ou tcom e

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
James August, CQA 01/21/09

63

Mitigation

James August, CQA 01/21/09

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

James August, CQA 01/21/09

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
James August, CQA 01/21/09

66

Risk mitigation treatments





James August, CQA 01/21/09

Risk avoidance
Risk reduction
Risk retention
Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
James August, CQA 01/21/09

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia
James August, CQA 01/21/09

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia
James August, CQA 01/21/09

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
James August, CQA 01/21/09

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools





Design for Six Sigma
Investment hedging
Concurrent Engineering
Employee education & training

James August, CQA 01/21/09

72

Risk mitigation
• Some mitigation approaches for core
processes





Published financial documents – open review
Probability weighted Sales forecasts
Raw material cost projections
FTA and FMEA for design and process
• simulations and prototyping

– Inventory ABC analysis
James August, CQA 01/21/09

73

Risk mitigation
• and







Freight carrier performance statistics
Statistical Process Control
Electronic surveillance
Hedging
Invoice aging analysis and variance
Process check lists

James August, CQA 01/21/09

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for GrowthTM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
James August, CQA 01/21/09

from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)

James August, CQA 01/21/09

78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks

James August, CQA 01/21/09

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)

James August, CQA 01/21/09

80

Risk evaluation revisited
• Re-evaluate costs and benefit
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE to to
controlled recovery

James August, CQA 01/21/09

81

Conclusions

James August, CQA 01/21/09

82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)
James August, CQA 01/21/09

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:

Control
Mitigate
Evaluate
Identify
Define
James August, CQA 01/21/09

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations

James August, CQA 01/21/09

85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists





Non-financial indexes (FMEA, cp, etc)
Financial calculations (ROI, etc)
SPC
...

James August, CQA 01/21/09

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car
James August, CQA 01/21/09

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009

James August, CQA 01/21/09

88

(Four Case)
Risk Management Analysis
Thank you
Questions?

James August, CQA 01/21/09

89


Slide 24

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output


16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.


17

Risk definition
[Figure: 2x2 chart; horizontal axis "Cost of action", vertical axis "Value accrued (+/-)". Quadrants: big cost, big gains; small cost, small gains; small cost, small losses; big cost, big losses.]

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues

20

Risk definition
[Figure: the same 2x2 chart; horizontal axis "Cost of action", vertical axis "Value accrued (+/-)". Quadrants: small cost, big gains ("no brainer"); big cost, big gains; small cost, small gains; small cost, small losses; big cost, big losses ("not a good idea"). A horizontal line across the loss quadrants marks the tolerable loss limit.]
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures


24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.


25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level

26

Identification


27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.

28

Risk identification
What is at risk?


29

Risk identification
What is at risk?
Achieving your objectives!


30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008

31

Risk identification
• core business operations & processes
– acquire new customers
– take orders
– procure materials
– create products, manage inventories
– deliver products
– collect payments

32

Risk identification
• core sales sub-processes
– market research
– pricing
– promotion and advertising
– order taking (order entry)
– warranty management

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection


34

Risk identification
• core operations sub-processes
– materials sourcing (availability)
– quality control (product & process)
– plant & workplace safety
– environmental concerns
– inventory
– logistics and transport

35

Risk identification
• core finance sub-processes
– budgeting
– accounts receivable and payable
– banking
– currency exchange
– MIS and IT processes

36

Risk identification
• support business processes
– strategic planning
– brand management
– facilities and infrastructure management
– process engineering
– capital investment
– asset management

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/regulatory reporting (FDA, SOx, ...)
– supplier evaluation, management

38

Risk identification
• support business sub-processes
– quality assurance
– predictive/preventive maintenance
– recruitment, compensation
– employee relations (work stoppages)
– employee performance management
– payroll, benefits, ...

39

Risk identification
• other business areas
– outplacement
– employee well-being
– insurance
– mergers & acquisitions
– construction / expansion

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.
– Strengths
– Weaknesses
– Opportunities
– Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...

42

Evaluation


43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?


44

Risk evaluation
Risk matrix (rows: frequency of occurrence; columns: severity; cell letters as on the slide)

Frequency     Negligible   Minor   Major   Severe
Frequent      L            I       H       H
Probable      L            I       H       H
Occasional    T            I       I       H
Remote        T            L       I       I

45

Risk evaluation


46

Risk evaluation


47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criterion: whether RPN is above or below 100, where
– RPN = Severity x Frequency x Detectability


48

Risk evaluation
• Typical approaches for quantification
– Weighted probabilities
– Extended cost
– Future Value or Net Present Value
– Capability analysis
– Value stream mapping
– Cost of poor quality
– Discounted Cash Flow
– Internal Rate of Return

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency


50

Risk evaluation
Financial measures of cost/benefit (c/b)

• Return on Investment (ROI)
– Net B/C ratio = (PV of benefits – PV of operating costs) / PV of capital costs

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)^2 + a3/(1+i)^3 + ...

• Where
“a” (a0, a1, a2, ...) is the return in each period and “i” is the per-period discount rate

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.

56

Risk evaluation
Financial measures of c/b
• IRR
The value of "i" such that $\sum_{t=1}^{p} a_t / (1+i)^t = 0$

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?"
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.

58
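The deck's NPV formula and the trial-and-error IRR it describes, as an added Python example (not code from the deck or its author): NPV is computed exactly as written on the NPV slide, and the IRR is approximated by bisection until the NPV is driven to zero. The project cash flows are constructed for illustration.

```python
# Added example, not from the slide deck: NPV exactly as the deck writes it,
#   NPV = a0 + a1/(1+i) + a2/(1+i)^2 + a3/(1+i)^3 + ...
# and IRR found by bisection, the "trial and error" the deck says is needed
# because no algebraic formula gives the IRR directly.
from typing import Sequence


def npv(i: float, a: Sequence[float]) -> float:
    """Net present value of the cash flows a[0], a[1], ... at per-period rate i.

    a[0] is the cash flow now (for a change, normally the negative cost of
    implementing it); a[t] for t >= 1 are the returns in later periods.
    """
    return sum(a_t / (1.0 + i) ** t for t, a_t in enumerate(a))


def pv_future_flows(i: float, a: Sequence[float]) -> float:
    """Present value of the flows from period 1 onward, excluding a[0].

    Used to check the deck's first IRR definition: at the IRR this equals
    the cost of the investment, -a[0].
    """
    return npv(i, [0.0] + list(a[1:]))


def has_irr(a: Sequence[float], lo: float = -0.99, hi: float = 10.0) -> bool:
    """True if an IRR is bracketed on [lo, hi], i.e. NPV changes sign there."""
    return npv(lo, a) * npv(hi, a) <= 0


def irr(a: Sequence[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-9, max_iter: int = 200) -> float:
    """Approximate the IRR by bisection: the rate i at which npv(i, a) == 0.

    Works for a conventional stream (outlay now, returns later), where NPV
    falls as i rises, so it changes sign somewhere between lo and hi.
    Raises ValueError if no sign change is found, i.e. no IRR is bracketed
    (for example, a stream with no outlay at all).
    """
    f_lo, f_hi = npv(lo, a), npv(hi, a)
    if f_lo * f_hi > 0:
        raise ValueError("NPV has the same sign at lo and hi; IRR not bracketed")
    for _ in range(max_iter):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, a)
        if abs(f_mid) < tol or (hi - lo) / 2.0 < tol:
            return mid
        if f_lo * f_mid < 0:      # root lies in [lo, mid]
            hi, f_hi = mid, f_mid
        else:                     # root lies in [mid, hi]
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


# Constructed illustration (hypothetical project, not from the deck):
# spend 1,000 now to earn 400 in each of the next three periods.
PROJECT = [-1000.0, 400.0, 400.0, 400.0]

if __name__ == "__main__":
    for rate in (0.05, 0.10):
        print(f"NPV at {rate:.0%}: {npv(rate, PROJECT):.2f}")
    rate = irr(PROJECT)
    print(f"IRR: {rate:.4%}")                        # about 9.70%
    print(f"PV of future flows at IRR: {pv_future_flows(rate, PROJECT):.2f}")
```

At 10% the constructed project has a slightly negative NPV and at 5% a positive one, so the IRR lands between them; the last line confirms definition 1 (PV of future flows equals the 1,000 cost at the IRR).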

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.


59

Risk evaluation
• Four cases for risk evaluation:


60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results

61

Risk evaluation
[Figure: 2x2 chart; horizontal axis "Change implementation", vertical axis "Value accrued (+/-)". Quadrants: change, positive outcome; no change, positive outcome; change, negative outcome; no change, negative outcome.]

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.

63
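The four-case comparison from the two slides above, worked through as an added Python example (not code from the deck or its author): each case is valued with the deck's NPV formula, the two decisions are compared on probability-weighted NPV, and each decision's worst case is checked against the tolerable loss limit. The probabilities, discount rate and dollar figures are constructed.

```python
# Added example, not from the slide deck: the four-case comparison from the
# "Risk evaluation" slides. Each decision (change / no change) has a positive
# and a negative outcome case; every case is valued with the deck's NPV
# formula, the decisions are compared on expected NPV, and each decision's
# worst case is checked against the organization's tolerable loss limit.
# All probabilities and dollar figures are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, Sequence


def npv(i: float, a: Sequence[float]) -> float:
    """NPV = a0 + a1/(1+i) + a2/(1+i)^2 + ... (the deck's formula)."""
    return sum(a_t / (1.0 + i) ** t for t, a_t in enumerate(a))


@dataclass(frozen=True)
class Case:
    decision: str                # "change" (ITP) or "no change" (RTP)
    outcome: str                 # "positive" or "negative"
    probability: float           # chance of this outcome, given the decision
    cash_flows: Sequence[float]  # a0 now, then a1, a2, ... per period


def evaluate_four_cases(cases: Sequence[Case], rate: float,
                        tolerable_loss: float) -> Dict[str, dict]:
    """Value every case and summarise each decision.

    Returns, per decision: the NPV of each outcome, the probability-weighted
    expected NPV, the worst-case NPV, and whether that worst case stays
    within the tolerable loss limit (a loss no larger than tolerable_loss).
    Raises ValueError if a decision's outcome probabilities do not sum to 1.
    """
    grouped: Dict[str, list] = {}
    for c in cases:
        grouped.setdefault(c.decision, []).append(c)
    summary: Dict[str, dict] = {}
    for decision, group in grouped.items():
        total_p = sum(c.probability for c in group)
        if abs(total_p - 1.0) > 1e-9:
            raise ValueError(f"probabilities for '{decision}' sum to {total_p}, not 1")
        values = {c.outcome: npv(rate, c.cash_flows) for c in group}
        expected = sum(c.probability * values[c.outcome] for c in group)
        worst = min(values.values())
        summary[decision] = {
            "npv": values,
            "expected_npv": expected,
            "worst_case_npv": worst,
            "within_loss_limit": worst >= -tolerable_loss,
        }
    return summary


# Constructed scenario (hypothetical): a $200k process change over three
# periods, valued at an 8% discount rate, against a $150k tolerable loss limit.
RATE = 0.08
TOLERABLE_LOSS = 150_000.0
FOUR_CASES = [
    # implement the change and achieve the planned results
    Case("change", "positive", 0.7, (-200_000, 120_000, 120_000, 120_000)),
    # implement the change but get adverse (unplanned) results
    Case("change", "negative", 0.3, (-200_000, 20_000, 20_000, 20_000)),
    # do nothing and see learning-curve improvement on the current process
    Case("no change", "positive", 0.8, (0, 30_000, 35_000, 40_000)),
    # do nothing and suffer adverse results (lost output)
    Case("no change", "negative", 0.2, (0, -60_000, -80_000, -100_000)),
]


def compare() -> Dict[str, dict]:
    """Run the constructed scenario; returns the per-decision summary."""
    return evaluate_four_cases(FOUR_CASES, RATE, TOLERABLE_LOSS)


if __name__ == "__main__":
    for decision, s in compare().items():
        flag = "within" if s["within_loss_limit"] else "EXCEEDS"
        print(f"{decision:10s} expected NPV {s['expected_npv']:>12,.0f}  "
              f"worst case {s['worst_case_npv']:>12,.0f} ({flag} loss limit)")
```

In this constructed scenario the two decisions have almost the same expected NPV, but only the "no change" worst case breaks the loss limit, which is the deck's point that RTP decisions can hide substantial risk.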

Mitigation


64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.


65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure

66

Risk mitigation treatments
– Risk avoidance
– Risk reduction
– Risk retention
– Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also, any amount of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

72

Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability-weighted sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

73

Risk mitigation
• and (continued)
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
– Management maintains an accurate awareness of market trends, competitor prices, etc. as determinants of pricing policy.
– Steps are taken to protect commercially sensitive pricing information from unauthorized access and leakage.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
– Determine whether product development has realistic costs and timeframes.
– Check that a detailed budget has been established for product development.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
– Ensure prompt action is taken to reject substandard supplies and arrange replacement stock.
– Verify that measures are in place to assess potential suppliers for their competence and commitment to quality.
– Make sure quality specifications have been defined, authorized and formally documented.

from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)


78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks


79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)


80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine the effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine the cost of risk-mitigating controls
– Determine the improvement in ALE due to
controlled recovery

81
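The re-evaluation arithmetic from the three "Risk evaluation revisited" slides, as an added Python example (not code from the deck or its author): raw ALE per risk and in total, controlled ALE assuming every control works, and the improvement in ALE set against the cost of the controls. The risk register, loss figures and frequencies are constructed; the IT-flavoured risks are there only to make the figures concrete.

```python
# Added example, not from the slide deck: the re-evaluation arithmetic from
# the "Risk evaluation revisited" slides. For each risk, raw ALE is the
# loss per occurrence times the annual frequency; controlled ALE is the same
# product assuming every control works; the improvement in ALE is compared
# with the annual cost of the controls. The risks, dollar figures and
# frequencies below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, Sequence, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    loss_per_event: float              # $ lost per occurrence, no controls
    frequency: float                   # expected occurrences per year, no controls
    controlled_loss_per_event: float   # $ per occurrence with controls working
    controlled_frequency: float        # occurrences per year with controls
    control_cost: float                # annual cost of the mitigating controls


def ale(loss_per_event: float, frequency: float) -> float:
    """Annual Loss Exposure: expected loss per year for one risk."""
    return loss_per_event * frequency


def evaluate_controls(risks: Sequence[Risk]) -> Tuple[Dict[str, dict], dict]:
    """Per-risk and total ALE before and after controls.

    For each risk returns raw ALE, controlled ALE, the ALE reduction, the
    control cost, the net annual benefit (reduction minus cost) and whether
    the control pays for itself. The totals sum over all risks.
    """
    per_risk: Dict[str, dict] = {}
    for r in risks:
        raw = ale(r.loss_per_event, r.frequency)
        controlled = ale(r.controlled_loss_per_event, r.controlled_frequency)
        reduction = raw - controlled
        net = reduction - r.control_cost
        per_risk[r.name] = {
            "raw_ale": raw,
            "controlled_ale": controlled,
            "ale_reduction": reduction,
            "control_cost": r.control_cost,
            "net_benefit": net,
            "control_pays_off": net > 0,
        }
    totals = {
        key: sum(v[key] for v in per_risk.values())
        for key in ("raw_ale", "controlled_ale", "ale_reduction",
                    "control_cost", "net_benefit")
    }
    return per_risk, totals


# Constructed register of four operational/IT risks (hypothetical figures).
RISKS = [
    # offline backups and tested restores shrink the loss per incident
    Risk("ransomware outage", 400_000, 0.25, 80_000, 0.25, 30_000),
    # multi-factor authentication plus training cuts the frequency
    Risk("phishing credential compromise", 50_000, 2.0, 50_000, 0.2, 15_000),
    # full-disk encryption leaves only the hardware cost when a laptop is lost
    Risk("lost or stolen laptop", 5_000, 3.0, 1_500, 3.0, 2_000),
    # a second site is costly relative to a rare event: a candidate for
    # risk retention or transfer (insurance) rather than this control
    Risk("data-center flood", 2_000_000, 0.01, 200_000, 0.01, 60_000),
]


def run() -> Tuple[Dict[str, dict], dict]:
    """Evaluate the constructed register."""
    return evaluate_controls(RISKS)


if __name__ == "__main__":
    per_risk, totals = run()
    for name, v in per_risk.items():
        verdict = "pays off" if v["control_pays_off"] else "does NOT pay off"
        print(f"{name:32s} raw ALE {v['raw_ale']:>10,.0f}  controlled ALE "
              f"{v['controlled_ale']:>9,.0f}  net {v['net_benefit']:>9,.0f}  {verdict}")
    print(f"total raw ALE {totals['raw_ale']:,.0f}, controlled "
          f"{totals['controlled_ale']:,.0f}, net benefit of controls "
          f"{totals['net_benefit']:,.0f}")
```

Three of the constructed controls reduce ALE by more than they cost; the flood control does not, which is the situation the deck's retention and transfer treatments are for.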

Conclusions


82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:

– Define
– Identify
– Evaluate
– Mitigate
– Control

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations


85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, Cp, etc.)
– Financial calculations (ROI, etc.)
– SPC
– ...

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009


88

(Four Case)
Risk Management Analysis
Thank you
Questions?


89


Slide 25

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.

Risk evaluation
Financial measures of c/b
• IRR
The value of "i" such that Σ_{t=1}^{p} a_t / (1+i)^t = 0

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which the total present value of future cash flows equals the cost of the investment."
• 2. "The IRR for an investment is the discount rate that produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates have to climb (the discount rate for NPV calculations) in order for the PV of gains to just cover the PV of costs?"
• The answer in each case is an interest rate; the higher the interest rate (that is, the higher the IRR), the more robust the investment and the better the returns compare to the costs.
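As an added worked example that is not part of the original slides, the NPV formula and the IRR as the rate that makes it zero, with the "trial and error" search done by bisection; the cash flows, rates and hurdle rate are constructed values, and the sum starts at t = 0 so the initial outlay a0 is included as on the NPV slide.

```python
from typing import Sequence


def npv(rate: float, cash_flows: Sequence[float]) -> float:
    """NPV = a0 + a1/(1+i) + a2/(1+i)^2 + ... with a0 taken at t = 0 (undiscounted).

    cash_flows[t] is the net return a_t for period t (negative = money paid out)
    and rate is the per-period discount rate i.
    """
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


def irr(cash_flows: Sequence[float], low: float = -0.99, high: float = 10.0,
        tol: float = 1e-10, max_iter: int = 200) -> float:
    """Internal rate of return: the i for which npv(i, cash_flows) == 0.

    There is no closed form, so the slides' "trial and error" is done systematically:
    bisection on a bracket [low, high] in which NPV changes sign. A stream whose sign
    changes more than once (pay out, get paid, pay out again) can have several roots;
    bisection returns one of them, so check the stream with sign_changes() first.
    """
    f_low, f_high = npv(low, cash_flows), npv(high, cash_flows)
    if f_low == 0.0:
        return low
    if f_high == 0.0:
        return high
    if (f_low > 0) == (f_high > 0):
        raise ValueError("NPV has the same sign at both bracket ends; no IRR in bracket")
    for _ in range(max_iter):
        mid = 0.5 * (low + high)
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol or (high - low) < tol:
            return mid
        if (f_mid > 0) == (f_low > 0):
            low, f_low = mid, f_mid      # root lies above mid
        else:
            high, f_high = mid, f_mid    # root lies below mid
    return 0.5 * (low + high)


def sign_changes(cash_flows: Sequence[float]) -> int:
    """Number of sign changes in the stream; a conventional investment has exactly one."""
    signs = [a > 0 for a in cash_flows if a != 0]
    return sum(1 for s1, s2 in zip(signs, signs[1:]) if s1 != s2)


def accept_project(cash_flows: Sequence[float], hurdle_rate: float) -> bool:
    """Decision rule from the IRR definitions: for a conventional stream, accept when the
    IRR exceeds the rate the organisation requires (equivalently, NPV at that rate > 0)."""
    if sign_changes(cash_flows) != 1:
        raise ValueError("IRR rule is only reliable for a single sign change; compare NPVs")
    return irr(cash_flows) > hurdle_rate


# Constructed example (not from the slides): pay 100 now, get 60 back in each of two periods.
EXAMPLE_FLOWS = [-100.0, 60.0, 60.0]

if __name__ == "__main__":
    print(f"NPV at 10%: {npv(0.10, EXAMPLE_FLOWS):.4f}")      # 4.1322
    rate = irr(EXAMPLE_FLOWS)
    print(f"IRR: {rate:.4%}")                                  # about 13.07%
    print("accept at an 8% hurdle:", accept_project(EXAMPLE_FLOWS, 0.08))
```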

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.


Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results

Risk evaluation
Four-case diagram: vertical axis "Value accrued (+/-)", horizontal axis "Change implementation"; the four quadrants are
No change, positive outcome      Change, positive outcome
No change, negative outcome      Change, negative outcome

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
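The four-case comparison above, as an added Python example that is not part of the original slides: each case is a cash-flow stream valued by NPV, the two outcomes of each decision are probability-weighted, and the worst case is checked against the tolerable loss limit; all probabilities, cash flows, the 8% rate and the limit of 50 are constructed figures.

```python
from dataclasses import dataclass
from typing import Dict, Sequence


@dataclass(frozen=True)
class RiskCase:
    decision: str                 # "change" (implement it) or "no change" (do nothing)
    outcome: str                  # "positive" (planned result) or "negative" (adverse result)
    probability: float            # estimated chance of this outcome, given the decision
    cash_flows: Sequence[float]   # a0, a1, ... per period; negative = cost, positive = value accrued


def npv(rate: float, cash_flows: Sequence[float]) -> float:
    """NPV = a0 + a1/(1+i) + a2/(1+i)^2 + ... (the formula on the NPV slide)."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


def evaluate_four_cases(cases: Sequence[RiskCase], rate: float,
                        tolerable_loss_limit: float) -> Dict[str, dict]:
    """Value each case with NPV, then summarise per decision.

    For each decision: the probability-weighted (expected) NPV, the worst-case NPV, and
    whether that worst case stays inside the organisation's tolerable loss limit (the most
    it can afford to lose in the worst case, given as a positive amount).
    """
    summary: Dict[str, dict] = {}
    for decision in ("change", "no change"):
        subset = [c for c in cases if c.decision == decision]
        if not subset:
            raise ValueError(f"no cases for decision {decision!r}")
        if abs(sum(c.probability for c in subset) - 1.0) > 1e-9:
            raise ValueError(f"outcome probabilities for {decision!r} must sum to 1")
        values = {c.outcome: npv(rate, c.cash_flows) for c in subset}
        worst = min(values.values())
        summary[decision] = {
            "npv_by_outcome": values,
            "expected_npv": sum(c.probability * values[c.outcome] for c in subset),
            "worst_case_npv": worst,
            "within_loss_limit": worst >= -tolerable_loss_limit,
        }
    return summary


def recommend(summary: Dict[str, dict]) -> str:
    """Pick the decision with the best expected NPV among those that respect the loss limit;
    if neither does, fall back to the one with the smaller worst-case loss."""
    allowed = {d: s for d, s in summary.items() if s["within_loss_limit"]}
    if allowed:
        return max(allowed, key=lambda d: allowed[d]["expected_npv"])
    return max(summary, key=lambda d: summary[d]["worst_case_npv"])


# Constructed figures (not from the slides): a process change costing 100 up front, valued
# over three periods at an 8% discount rate, against a tolerable loss limit of 50.
EXAMPLE_CASES = [
    RiskCase("change", "positive", 0.7, [-100.0, 50.0, 50.0, 50.0]),     # planned savings arrive
    RiskCase("change", "negative", 0.3, [-100.0, 10.0, 10.0, 10.0]),     # change largely fails
    RiskCase("no change", "positive", 0.6, [0.0, 5.0, 6.0, 7.0]),        # learning-curve gains
    RiskCase("no change", "negative", 0.4, [0.0, -15.0, -15.0, -15.0]),  # ongoing losses
]
EXAMPLE_RATE = 0.08
EXAMPLE_LOSS_LIMIT = 50.0

if __name__ == "__main__":
    result = evaluate_four_cases(EXAMPLE_CASES, EXAMPLE_RATE, EXAMPLE_LOSS_LIMIT)
    for decision, s in result.items():
        print(decision, {k: round(v, 2) if isinstance(v, float) else v
                         for k, v in s.items() if k != "npv_by_outcome"})
    print("recommendation:", recommend(result))
```

With these figures the change has the higher expected NPV but its adverse case breaches the loss limit, so the rule recommends "no change"; that is the point of slide 63's reminder about the loss limit.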

Mitigation


Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.


Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure

Risk mitigation treatments
• Risk avoidance
• Risk reduction
• Risk retention
• Risk transfer

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amount of potential loss (risk) over the amount insured is retained risk.
from Wikipedia

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia

Risk mitigation
• Distribute your risk – don’t put all your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

Risk mitigation
• Some mitigation approaches for core processes
– Published financial documents – open review
– Probability weighted Sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

Evaluation
(re-evaluation after control)


Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks


Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)


Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by recalculating Annual Loss Exposure assuming all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to controlled recovery
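The re-evaluation steps above (raw ALE, ALE with all controls working, control cost and the resulting improvement), as an added example that is not part of the original slides; the risk register with its losses, frequencies and control costs is constructed, and loss per event x occurrences per year is used for the multiplication the slides describe.

```python
from dataclasses import dataclass
from typing import Dict, Sequence


@dataclass(frozen=True)
class Risk:
    name: str
    loss_per_event: float              # estimated loss each time the risk materialises
    frequency: float                   # occurrences per year with no controls (raw)
    controlled_loss_per_event: float   # loss per event once all controls are working
    controlled_frequency: float        # occurrences per year once all controls are working
    control_cost: float                # annual cost of the mitigating controls


def annual_loss_exposure(loss_per_event: float, frequency: float) -> float:
    """ALE = loss per occurrence x occurrences per year (the multiplication on the slide)."""
    return loss_per_event * frequency


def raw_ale(risks: Sequence[Risk]) -> float:
    """Raw ALE summed over all risks, before any controls."""
    return sum(annual_loss_exposure(r.loss_per_event, r.frequency) for r in risks)


def controlled_ale(risks: Sequence[Risk]) -> float:
    """ALE summed over all risks, assuming every control is working."""
    return sum(annual_loss_exposure(r.controlled_loss_per_event, r.controlled_frequency)
               for r in risks)


def mitigation_summary(risks: Sequence[Risk]) -> Dict[str, dict]:
    """Per-risk re-evaluation: raw ALE, controlled ALE, the improvement the controls buy,
    their cost, and the net benefit. A negative net benefit means the control costs more
    per year than the exposure it removes, which is the retention case on the slides."""
    out: Dict[str, dict] = {}
    for r in risks:
        raw = annual_loss_exposure(r.loss_per_event, r.frequency)
        ctl = annual_loss_exposure(r.controlled_loss_per_event, r.controlled_frequency)
        improvement = raw - ctl
        out[r.name] = {
            "raw_ale": raw,
            "controlled_ale": ctl,
            "improvement": improvement,
            "control_cost": r.control_cost,
            "net_benefit": improvement - r.control_cost,
            "control_pays_for_itself": improvement >= r.control_cost,
        }
    return out


# Constructed register (names and figures are illustrative, not from the slides).
# Controls may reduce frequency (awareness training), severity (tested backups,
# disk encryption) or both.
EXAMPLE_RISKS = [
    Risk("credential phishing", 40_000.0, 0.5, 40_000.0, 0.1, 6_000.0),
    Risk("file-server ransomware", 250_000.0, 0.1, 50_000.0, 0.05, 12_000.0),
    Risk("laptop theft", 3_000.0, 2.0, 500.0, 2.0, 8_000.0),
]

if __name__ == "__main__":
    print(f"raw ALE:        {raw_ale(EXAMPLE_RISKS):>10,.0f}")
    print(f"controlled ALE: {controlled_ale(EXAMPLE_RISKS):>10,.0f}")
    for name, s in mitigation_summary(EXAMPLE_RISKS).items():
        print(f"{name:24s} improvement {s['improvement']:>9,.0f} "
              f"cost {s['control_cost']:>7,.0f} net {s['net_benefit']:>8,.0f}")
```

In the constructed register the laptop-theft control removes less exposure than it costs, the signal to revisit whether that risk should be retained or treated differently.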

Conclusions


Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

Risk management conclusions
After you identify a potential risk, take the five steps to risk management:
• 1. Define
• 2. Identify
• 3. Evaluate
• 4. Mitigate
• 5. Control

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate, support your assessment
with recognized c/b calculations

Risk management conclusions
• Process control - the mitigation tool for the risk management process
– Check lists
– Non-financial indexes (FMEA, cp, etc)
– Financial calculations (ROI, etc)
– SPC
– ...

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009


(Four Case)
Risk Management Analysis
Thank you
Questions?



Slide 26

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
p



The value of "i" such that  at / (1+i) t = 0
t=1

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
James August, CQA 01/21/09

61

Risk evaluation
V a lu e a ccru e d (+ /-)

N o ch an ge
P ositive ou tcom e

C h an ge
P ositive ou tcom e

C h a n g e im p le m e n ta tio n

N o ch an ge
N egative ou tcom e

James August, CQA 01/21/09

C h an ge
N egative ou tcom e

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
James August, CQA 01/21/09

63

Mitigation

James August, CQA 01/21/09

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

James August, CQA 01/21/09

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
James August, CQA 01/21/09

66

Risk mitigation treatments





James August, CQA 01/21/09

Risk avoidance
Risk reduction
Risk retention
Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
James August, CQA 01/21/09

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia
James August, CQA 01/21/09

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia
James August, CQA 01/21/09

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
James August, CQA 01/21/09

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools





Design for Six Sigma
Investment hedging
Concurrent Engineering
Employee education & training

James August, CQA 01/21/09

72

Risk mitigation
• Some mitigation approaches for core
processes





Published financial documents – open review
Probability weighted Sales forecasts
Raw material cost projections
FTA and FMEA for design and process
• simulations and prototyping

– Inventory ABC analysis
James August, CQA 01/21/09

73

Risk mitigation
• and







Freight carrier performance statistics
Statistical Process Control
Electronic surveillance
Hedging
Invoice aging analysis and variance
Process check lists

James August, CQA 01/21/09

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for GrowthTM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
James August, CQA 01/21/09

from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)

James August, CQA 01/21/09

78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks

James August, CQA 01/21/09

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is meaningful to your organization (ROI, NPV, DCF, IRR, etc)

80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by recalculating Annual Loss Exposure assuming all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to controlled recovery

81
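The three "Risk evaluation revisited" slides describe one procedure: raw ALE per risk (loss times frequency, summed), the same sum with every control credited, the cost of those controls, and the resulting improvement, valued with the organization's preferred method. The Python below is an added worked example, not code from the deck, that carries that procedure through a small constructed risk register; the field names (`loss_per_event`, `events_per_year`), the per-control reduction factors, the register figures, the one-time cost and the 10% rate over three years are all assumptions made for the illustration.

```python
"""Re-evaluate Annual Loss Exposure (ALE) before and after controls.
Added worked example for the deck's slides 79-81, not the author's code.
Every figure in the register below is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Control:
    """A risk-mitigating control and its effect when it is working."""
    name: str
    annual_cost: float             # recurring cost of operating the control
    frequency_factor: float = 1.0  # residual fraction of events per year (0..1)
    loss_factor: float = 1.0       # residual fraction of the loss per event (0..1)


@dataclass
class Risk:
    """One register entry: annual loss = loss per event x events per year."""
    name: str
    loss_per_event: float          # estimated loss each time the risk materialises
    events_per_year: float         # estimated frequency of occurrence
    controls: List[Control] = field(default_factory=list)

    def raw_ale(self) -> float:
        """Slide 79: loss x frequency, before any control is credited."""
        return self.loss_per_event * self.events_per_year

    def controlled_loss_per_event(self) -> float:
        loss = self.loss_per_event
        for c in self.controls:
            loss *= c.loss_factor
        return loss

    def controlled_ale(self) -> float:
        """Slide 81: the same product, assuming all controls are working."""
        rate = self.events_per_year
        for c in self.controls:
            rate *= c.frequency_factor
        return rate * self.controlled_loss_per_event()

    def control_cost(self) -> float:
        return sum(c.annual_cost for c in self.controls)


def total_raw_ale(register: List[Risk]) -> float:
    return sum(r.raw_ale() for r in register)


def total_controlled_ale(register: List[Risk]) -> float:
    return sum(r.controlled_ale() for r in register)


def total_control_cost(register: List[Risk]) -> float:
    return sum(r.control_cost() for r in register)


def annual_net_benefit(register: List[Risk]) -> float:
    """Improvement in ALE from the controls, less what they cost each year."""
    return (total_raw_ale(register) - total_controlled_ale(register)
            - total_control_cost(register))


def npv(cash_flows: List[float], rate: float) -> float:
    """Slide 53's formula: a0 + a1/(1+i) + a2/(1+i)^2 + ..., a0 paid now."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


def control_program_npv(register: List[Risk], one_time_cost: float,
                        rate: float, years: int) -> float:
    """NPV of the control programme: up-front cost now, net benefit for `years` years."""
    return npv([-one_time_cost] + [annual_net_benefit(register)] * years, rate)


def over_loss_limit(register: List[Risk], limit: float,
                    controlled: bool = True) -> List[str]:
    """Risks whose worst-case single loss still exceeds the tolerable loss limit."""
    return [r.name for r in register
            if (r.controlled_loss_per_event() if controlled else r.loss_per_event) > limit]


# Constructed register for a small manufacturer; all amounts are illustrative.
REGISTER = [
    Risk("Ransomware outage", 400_000.0, 0.25, [
        Control("Offline backups", 30_000.0, loss_factor=0.25),
        Control("Endpoint detection", 45_000.0, frequency_factor=0.4),
    ]),
    Risk("Phishing credential theft", 20_000.0, 6.0, [
        Control("Multi-factor authentication", 15_000.0, frequency_factor=0.2),
    ]),
    Risk("Supplier delivery failure", 50_000.0, 0.5, [
        Control("Second-source supplier", 8_000.0, loss_factor=0.5),
    ]),
]
```

Against this register the raw ALE of 245,000 falls to 46,500 with the controls working, for 98,000 a year of control cost, and the loss-limit check shows why the ransomware entry alone breaches a 150,000 tolerable loss limit until its backups are credited.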

Conclusions

82

Risk management conclusions
• Every process has risk, even when just maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be done by combined cost/benefit comparisons
• Assessment of ongoing processes must be expressed in comparison with expected costs and results
• There is no simple single calculation for risk assessment (FMEA, ROI, …)

83

Risk management conclusions
After you identify a potential risk, take the five steps to risk management:
– Define
– Identify
– Evaluate
– Mitigate
– Control

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions, as they can hide substantial risk
• Consider all four risk cases
• When appropriate, support your assessment with recognized c/b calculations

85

Risk management conclusions
• Process control - the mitigation tool for the risk management process
– Check lists
– Non-financial indexes (FMEA, cp, etc)
– Financial calculations (ROI, etc)
– SPC
– ...

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
  • Retirement funding
– Investments
  • Home
  • Car

87

Risk management conclusions
“... the greatest risks are never the ones you can see and measure, but the ones you can’t see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”, New York Times Sunday Times Magazine pg 28, Jan 4 2009

88

(Four Case)
Risk Management Analysis
Thank you
Questions?

89


Slide 27

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
p



The value of "i" such that  at / (1+i) t = 0
t=1

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
James August, CQA 01/21/09

61

Risk evaluation
V a lu e a ccru e d (+ /-)

N o ch an ge
P ositive ou tcom e

C h an ge
P ositive ou tcom e

C h a n g e im p le m e n ta tio n

N o ch an ge
N egative ou tcom e

James August, CQA 01/21/09

C h an ge
N egative ou tcom e

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
James August, CQA 01/21/09

63

Mitigation

James August, CQA 01/21/09

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

James August, CQA 01/21/09

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
James August, CQA 01/21/09

66

Risk mitigation treatments





James August, CQA 01/21/09

Risk avoidance
Risk reduction
Risk retention
Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
James August, CQA 01/21/09

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia
James August, CQA 01/21/09

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia
James August, CQA 01/21/09

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
James August, CQA 01/21/09

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools





Design for Six Sigma
Investment hedging
Concurrent Engineering
Employee education & training

James August, CQA 01/21/09

72

Risk mitigation
• Some mitigation approaches for core
processes





Published financial documents – open review
Probability weighted Sales forecasts
Raw material cost projections
FTA and FMEA for design and process
• simulations and prototyping

– Inventory ABC analysis
James August, CQA 01/21/09

73

Risk mitigation
• and







Freight carrier performance statistics
Statistical Process Control
Electronic surveillance
Hedging
Invoice aging analysis and variance
Process check lists

James August, CQA 01/21/09

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for GrowthTM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
James August, CQA 01/21/09

from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)

James August, CQA 01/21/09

78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks

James August, CQA 01/21/09

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)

James August, CQA 01/21/09

80

Risk evaluation revisited
• Re-evaluate costs and benefit
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE to to
controlled recovery

James August, CQA 01/21/09

81

Conclusions

James August, CQA 01/21/09

82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)
James August, CQA 01/21/09

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:

Control
Mitigate
Evaluate
Identify
Define
James August, CQA 01/21/09

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations

James August, CQA 01/21/09

85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists





Non-financial indexes (FMEA, cp, etc)
Financial calculations (ROI, etc)
SPC
...

James August, CQA 01/21/09

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car
James August, CQA 01/21/09

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009

James August, CQA 01/21/09

88

(Four Case)
Risk Management Analysis
Thank you
Questions?

James August, CQA 01/21/09

89


Slide 28

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures


24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.


25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level

26

Identification


27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.

28

Risk identification
What is at risk?


29

Risk identification
What is at risk?
Achieving your objectives!


30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008

31

Risk identification
• core business op’ns & processes
– acquire new customers
– take orders
– procure materials
– create products, manage inventories
– deliver products
– collect payments

32

Risk identification
• core sales sub-processes
– market research
– pricing
– promotion and advertising
– order taking (order entry)
– warranty management

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection


34

Risk identification
• core operations sub-processes
– materials sourcing (availability)
– quality control (product & process)
– plant & workplace safety
– environmental concerns
– inventory
– logistics and transport

35

Risk identification
• core finance sub-processes
– budgeting
– accounts receivable and payable
– banking
– currency exchange
– MIS and IT processes

36

Risk identification
• support business processes
– strategic planning
– brand management
– facilities and infrastructure management
– process engineering
– capital investment
– asset management

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/regulatory reporting (FDA, SOx, ...)
– supplier evaluation, management

38

Risk identification
• support business sub-processes
– quality assurance
– predictive/preventive maintenance
– recruitment, compensation
– employee relations (work stoppages)
– employee performance mgt
– payroll, benefits, ...

39

Risk identification
• other business areas
– outplacement
– employee well-being
– insurance
– mergers & acquisitions
– construction / expansion

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.
– Strengths
– Weaknesses
– Opportunities
– Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses
– Historical information - lessons learned
– Templates: critical path, engineering, ...

42

Evaluation


43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?


44

Risk evaluation
Risk matrix: Frequency (rows) vs. Severity (columns)

Frequency   | Negligible | Minor | Major | Severe
------------+------------+-------+-------+-------
Frequent    | L          | I     | H     | H
Probable    | L          | I     | H     | H
Occasional  | T          | I     | I     | H
Remote      | T          | L     | I     | I

45

Risk evaluation


46

Risk evaluation


47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN above or below 100, where
– RPN = Severity x Frequency x Detectability

48

Risk evaluation
• Typical approaches for quantification
– Weighted probabilities
– Extended cost
– Future Value or Net Present Value
– Capability analysis
– Value stream mapping
– Cost of poor quality
– Discounted Cash Flow
– Internal Rate of Return

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency


50

Risk evaluation
Financial measures of c/b (cost/benefit)
• Return on Investment (ROI)
Net B/C ratio = (PV of benefits – PV of operating costs) / PV of capital costs

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)^2 + a3/(1+i)^3 + ...

• Where
“a” (a0, a1, a2, ...) is the net return in each period and “i” is the discount rate per period

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54


Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.

56

Risk evaluation
Financial measures of c/b
• IRR
The value of "i" such that  Σ (t = 1 to p) a_t / (1+i)^t = 0

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?"
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.


59

Risk evaluation
• Four cases for risk evaluation:


60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results

61

Risk evaluation
[Figure: four-quadrant chart. Vertical axis: Value accrued (+/-); horizontal axis: Change implementation. Quadrants: No change, positive outcome; Change, positive outcome; No change, negative outcome; Change, negative outcome.]

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
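As an added example (not part of the slide deck), the NPV formula of slide 53, the IRR approximation of slides 56-57 (bisection, a systematic form of trial and error) and the four-case comparison against the tolerable loss limit of slides 61-63, in Python. The five-year cash flows, the 8% rate and the $60,000 loss limit are constructed figures.

```python
"""Four-case risk evaluation with NPV and IRR (added example, not from the deck).

Sign convention: negative cash flow = money paid out (cost of action),
positive = money received. Period 0 is "now" and is not discounted.
The cash flows, discount rate and tolerable loss limit below are constructed.
"""
from typing import Dict, Optional, Sequence


def npv(cash_flows: Sequence[float], rate: float) -> float:
    """NPV = a0 + a1/(1+i) + a2/(1+i)^2 + ...  (the formula on slide 53)."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


def irr(cash_flows: Sequence[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-9, max_iter: int = 200) -> Optional[float]:
    """Rate i at which NPV(i) = 0 (slides 56/57).

    The deck notes IRR must be approximated; bisection is a systematic form
    of that trial and error. Returns None when NPV keeps the same sign across
    [lo, hi], i.e. a stream that is all gains or all losses has no IRR.
    """
    f_lo, f_hi = npv(cash_flows, lo), npv(cash_flows, hi)
    if f_lo * f_hi > 0:
        return None
    for _ in range(max_iter):
        mid = (lo + hi) / 2.0
        f_mid = npv(cash_flows, mid)
        if abs(f_mid) < tol or (hi - lo) / 2.0 < tol:
            return mid
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


def evaluate_four_cases(cases: Dict[str, Sequence[float]], rate: float,
                        loss_limit: float) -> Dict[str, dict]:
    """Value each case with one method (NPV) and flag breaches of the loss limit."""
    results = {}
    for name, flows in cases.items():
        value = npv(flows, rate)
        results[name] = {
            "npv": round(value, 2),
            "irr": irr(flows),
            # the loss limit is a positive dollar figure (slide 20); a case
            # breaches it when its NPV is a loss larger than that figure
            "within_loss_limit": value >= -loss_limit,
        }
    return results


# Constructed five-year cash flows ($) for the four cases of slide 61.
CASES: Dict[str, Sequence[float]] = {
    "change, positive outcome": [-100_000, 40_000, 40_000, 40_000, 40_000, 40_000],
    "change, negative outcome": [-100_000, 5_000, 5_000, 5_000, 5_000, 5_000],
    "no change, positive outcome": [0, 5_000, 6_000, 7_000, 8_000, 9_000],
    "no change, negative outcome": [0, -20_000, -25_000, -30_000, -35_000, -40_000],
}
RATE = 0.08          # assumed cost of capital
LOSS_LIMIT = 60_000  # assumed tolerable loss limit


if __name__ == "__main__":
    for name, r in evaluate_four_cases(CASES, RATE, LOSS_LIMIT).items():
        irr_txt = "n/a" if r["irr"] is None else f"{r['irr']:.1%}"
        flag = "" if r["within_loss_limit"] else "  <-- exceeds tolerable loss limit"
        print(f"{name:28s} NPV {r['npv']:>12,.2f}  IRR {irr_txt:>6s}{flag}")
```

With these figures both negative-outcome cases breach the $60,000 limit, and the two cases whose flows never change sign report no IRR, which is why the deck pairs IRR with NPV rather than relying on it alone.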

63

Mitigation


64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.


65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure

66

Risk mitigation treatments
• Risk avoidance
• Risk reduction
• Risk retention
• Risk transfer

67

Risk mitigation treatments
• Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amount of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

72

Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability weighted Sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

73

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
– Management maintains an accurate awareness of market trends, competitor prices, etc. as determinants of pricing policy.
– Steps are taken to protect commercially sensitive pricing information from unauthorized access and leakage.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
– Determine whether product development has realistic costs and timeframes.
– Check that a detailed budget has been established for product development.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
– Ensure prompt action is taken to reject substandard supplies and arrange replacement stock.
– Verify that measures are in place to assess potential suppliers for their competence and commitment to quality.
– Make sure quality specifications have been defined, authorized and formally documented.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)


78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks


79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)


80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine the improvement in ALE due to
controlled recovery
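The three re-evaluation steps of slides 79-81 carried through in Python, as an added example that is not part of the slide deck: raw ALE per risk (loss per occurrence x annual frequency, summed over the register), the same calculation assuming all controls work, and the control cost set against the improvement. The register names, dollar figures and frequencies are constructed; the risk areas are ones the deck mentions (pricing data, substandard supplies, freight).

```python
"""Annual Loss Exposure (ALE) before and after controls (added example, not from the deck).

Raw ALE per risk = estimated loss per occurrence x expected occurrences per
year (slide 79); controlled ALE repeats the calculation assuming all
controls work (slide 81). The risk register below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Risk:
    name: str
    loss_per_event: float         # estimated loss when the event occurs ($)
    frequency: float              # expected occurrences per year, uncontrolled
    controlled_loss: float        # loss per event with controls working ($)
    controlled_frequency: float   # occurrences per year with controls working
    control_cost: float           # annual cost of the mitigating controls ($)

    def raw_ale(self) -> float:
        return self.loss_per_event * self.frequency

    def controlled_ale(self) -> float:
        return self.controlled_loss * self.controlled_frequency

    def ale_improvement(self) -> float:
        return self.raw_ale() - self.controlled_ale()

    def net_benefit(self) -> float:
        """Improvement in ALE minus what the controls cost per year.

        Negative means the control costs more than the loss it prevents;
        retaining that risk (slide 70) is then the cheaper choice.
        """
        return self.ale_improvement() - self.control_cost


def evaluate_controls(register: List[Risk]) -> Dict[str, object]:
    """Per-risk and summed figures for the re-evaluation of slides 79-81."""
    per_risk = {
        r.name: {
            "raw_ale": r.raw_ale(),
            "controlled_ale": r.controlled_ale(),
            "control_cost": r.control_cost,
            "net_benefit": r.net_benefit(),
            "control_worth_it": r.net_benefit() > 0,
        }
        for r in register
    }
    return {
        "per_risk": per_risk,
        "total_raw_ale": sum(r.raw_ale() for r in register),
        "total_controlled_ale": sum(r.controlled_ale() for r in register),
        "total_control_cost": sum(r.control_cost for r in register),
        "total_net_benefit": sum(r.net_benefit() for r in register),
        "controls_to_reconsider": [r.name for r in register if r.net_benefit() <= 0],
    }


# Constructed register: three risk areas named in the deck with assumed figures.
# Columns: loss/event, events/yr, controlled loss/event, controlled events/yr, control cost/yr.
REGISTER: List[Risk] = [
    Risk("pricing data leak", 250_000, 0.10, 250_000, 0.02, 8_000),
    Risk("substandard supplies accepted", 40_000, 2.0, 10_000, 2.0, 15_000),
    Risk("freight damage", 2_000, 3.0, 2_000, 1.0, 9_000),
]


if __name__ == "__main__":
    result = evaluate_controls(REGISTER)
    for name, row in result["per_risk"].items():
        verdict = "keep" if row["control_worth_it"] else "reconsider (retain risk?)"
        print(f"{name:32s} raw ALE {row['raw_ale']:>9,.0f}  controlled {row['controlled_ale']:>8,.0f}"
              f"  control cost {row['control_cost']:>7,.0f}  net {row['net_benefit']:>8,.0f}  {verdict}")
    print(f"total raw ALE {result['total_raw_ale']:,.0f} -> controlled {result['total_controlled_ale']:,.0f}, "
          f"controls cost {result['total_control_cost']:,.0f}, net benefit {result['total_net_benefit']:,.0f}")
```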


81

Conclusions


82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:
– Define
– Identify
– Evaluate
– Mitigate
– Control

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations


85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, cp, etc)
– Financial calculations (ROI, etc)
– SPC
– ...

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009


88

(Four Case)
Risk Management Analysis
Thank you
Questions?


89


from Wikipedia
James August, CQA 01/21/09

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia
James August, CQA 01/21/09

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia
James August, CQA 01/21/09

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
James August, CQA 01/21/09

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools





Design for Six Sigma
Investment hedging
Concurrent Engineering
Employee education & training

James August, CQA 01/21/09

72

Risk mitigation
• Some mitigation approaches for core
processes





Published financial documents – open review
Probability weighted Sales forecasts
Raw material cost projections
FTA and FMEA for design and process
• simulations and prototyping

– Inventory ABC analysis
James August, CQA 01/21/09

73

Risk mitigation
• and







Freight carrier performance statistics
Statistical Process Control
Electronic surveillance
Hedging
Invoice aging analysis and variance
Process check lists

James August, CQA 01/21/09

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for GrowthTM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
James August, CQA 01/21/09

from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)

James August, CQA 01/21/09

78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks

James August, CQA 01/21/09

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)

James August, CQA 01/21/09

80

Risk evaluation revisited
• Re-evaluate costs and benefit
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE to to
controlled recovery

James August, CQA 01/21/09

81

Conclusions

James August, CQA 01/21/09

82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)
James August, CQA 01/21/09

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:

Control
Mitigate
Evaluate
Identify
Define
James August, CQA 01/21/09

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations

James August, CQA 01/21/09

85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists





Non-financial indexes (FMEA, cp, etc)
Financial calculations (ROI, etc)
SPC
...

James August, CQA 01/21/09

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car
James August, CQA 01/21/09

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009

James August, CQA 01/21/09

88

(Four Case)
Risk Management Analysis
Thank you
Questions?

James August, CQA 01/21/09

89

• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
p



The value of "i" such that  at / (1+i) t = 0
t=1

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
James August, CQA 01/21/09

61

Risk evaluation
V a lu e a ccru e d (+ /-)

N o ch an ge
P ositive ou tcom e

C h an ge
P ositive ou tcom e

C h a n g e im p le m e n ta tio n

N o ch an ge
N egative ou tcom e

James August, CQA 01/21/09

C h an ge
N egative ou tcom e

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
James August, CQA 01/21/09

63

Mitigation

James August, CQA 01/21/09

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

James August, CQA 01/21/09

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
James August, CQA 01/21/09

66

Risk mitigation treatments





James August, CQA 01/21/09

Risk avoidance
Risk reduction
Risk retention
Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
James August, CQA 01/21/09

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia
James August, CQA 01/21/09

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia
James August, CQA 01/21/09

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
James August, CQA 01/21/09

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools





Design for Six Sigma
Investment hedging
Concurrent Engineering
Employee education & training

James August, CQA 01/21/09

72

Risk mitigation
• Some mitigation approaches for core
processes





Published financial documents – open review
Probability weighted Sales forecasts
Raw material cost projections
FTA and FMEA for design and process
• simulations and prototyping

– Inventory ABC analysis
James August, CQA 01/21/09

73

Risk mitigation
• and







Freight carrier performance statistics
Statistical Process Control
Electronic surveillance
Hedging
Invoice aging analysis and variance
Process check lists

James August, CQA 01/21/09

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for GrowthTM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
James August, CQA 01/21/09

from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)

James August, CQA 01/21/09

78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks

James August, CQA 01/21/09

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)

James August, CQA 01/21/09

80

Risk evaluation revisited
• Re-evaluate costs and benefit
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE to to
controlled recovery

James August, CQA 01/21/09

81

Conclusions

James August, CQA 01/21/09

82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)
James August, CQA 01/21/09

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:

Control
Mitigate
Evaluate
Identify
Define
James August, CQA 01/21/09

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations

James August, CQA 01/21/09

85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists





Non-financial indexes (FMEA, cp, etc)
Financial calculations (ROI, etc)
SPC
...

James August, CQA 01/21/09

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car
James August, CQA 01/21/09

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009

James August, CQA 01/21/09

88

(Four Case)
Risk Management Analysis
Thank you
Questions?

James August, CQA 01/21/09

89


Slide 32

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes
– market research
– pricing
– promotion and advertising
– order taking (order entry)
– warranty management

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection


Risk identification
• core operations sub-processes
– materials sourcing (availability)
– quality control (product & process)
– plant & workplace safety
– environmental concerns
– inventory
– logistics and transport

Risk identification
• core finance sub-processes
– budgeting
– accounts receivable and payable
– banking
– currency exchange
– MIS and IT processes

Risk identification
• support business processes
– strategic planning
– brand management
– facilities and infrastructure management
– process engineering
– capital investment
– asset management

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/regulatory reporting (FDA, SOx, ...)
– supplier evaluation, management

Risk identification
• support business sub-processes
– quality assurance
– predictive/preventive maintenance
– recruitment, compensation
– employee relations (work stoppages)
– employee performance management
– payroll, benefits, ...

Risk identification
• other business areas
– outplacement
– employee well-being
– insurance
– mergers & acquisitions
– construction / expansion

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.
– Strengths
– Weaknesses
– Opportunities
– Threats

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses
– Historical information - lessons learned
– Templates: critical path, engineering, ...

Evaluation


Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?


Risk evaluation
Risk matrix: rows are Frequency, columns are Severity

Frequency   | Negligible | Minor | Major | Severe
------------+------------+-------+-------+-------
Frequent    |     L      |   I   |   H   |   H
Probable    |     L      |   I   |   H   |   H
Occasional  |     T      |   I   |   I   |   H
Remote      |     T      |   L   |   I   |   I


Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis (FMEA)
– Criteria: RPN < or > 100, where
– RPN = Severity x Frequency x Detectability

Risk evaluation
• Typical approaches for quantification
– Weighted probabilities
– Extended cost
– Future Value or Net Present Value
– Capability analysis
– Value stream mapping
– Cost of poor quality
– Discounted Cash Flow
– Internal Rate of Return

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency


Risk evaluation
Financial measures of c/b
• Return on Investment (ROI)
Net B/C ratio = (PV of benefits – PV of operating costs) / PV of capital costs

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.

Risk evaluation

• NPV = a_0 + a_1/(1+i) + a_2/(1+i)^2 + a_3/(1+i)^3 + ...
• Where “a_t” is the return for period t at rate “i”

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.

Risk evaluation
Financial measures of c/b
• IRR
The value of "i" such that  Σ_{t=1}^{p} a_t / (1+i)^t = 0

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?"
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.



Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results

Risk evaluation
[Chart: the four risk cases plotted on two axes, "Value accrued (+/-)" against "Change implementation". Quadrants: No change / Positive outcome; Change / Positive outcome; No change / Negative outcome; Change / Negative outcome.]

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
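
As an added example (not code from the presentation), the NPV formula and the trial-and-error IRR from the slides above, applied to the four risk cases and checked against a tolerable loss limit; the cash-flow streams, discount rate and loss limit are constructed figures.

```python
"""NPV, trial-and-error IRR and a four-case comparison (added example).

Not code from the presentation. Cash flows: period 0 is now (an up-front
cost is negative), later periods are net returns, all in the same currency.
"""
from typing import Dict, List, Optional


def npv(cash_flows: List[float], rate: float) -> float:
    """NPV = a0 + a1/(1+i) + a2/(1+i)^2 + ..., a_t = return in period t at rate i."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


def irr(cash_flows: List[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-9, max_iter: int = 200) -> Optional[float]:
    """Rate i at which NPV is zero, found by bisection (there is no closed form).

    Returns None when NPV has the same sign at both ends of the search range,
    i.e. the stream never changes sign and no IRR exists (all-cost or all-gain
    streams such as the 'do nothing' cases below).
    """
    f_lo, f_hi = npv(cash_flows, lo), npv(cash_flows, hi)
    if f_lo * f_hi > 0:
        return None
    for _ in range(max_iter):
        mid = (lo + hi) / 2.0
        f_mid = npv(cash_flows, mid)
        if abs(f_mid) < tol:
            return mid
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


def compare_cases(cases: Dict[str, List[float]], rate: float,
                  loss_limit: float) -> Dict[str, dict]:
    """Value each case at the organisation's discount rate and flag any whose
    NPV falls below the tolerable loss limit (the worst-case loss you can afford)."""
    results = {}
    for name, flows in cases.items():
        value = npv(flows, rate)
        results[name] = {
            "npv": round(value, 2),
            "irr": irr(flows),
            "within_loss_limit": value >= -loss_limit,
        }
    return results


# Constructed cash-flow streams for the four cases, three periods after the decision.
FOUR_CASES: Dict[str, List[float]] = {
    "change, positive outcome": [-60000, 30000, 30000, 30000],   # planned payoff achieved
    "change, negative outcome": [-60000, -10000, 5000, 5000],    # rework, weak gains
    "no change, positive outcome": [0, 2000, 3000, 4000],        # learning-curve improvement
    "no change, negative outcome": [0, -15000, -15000, -15000],  # RTP failure, lost output
}

if __name__ == "__main__":
    for name, r in compare_cases(FOUR_CASES, rate=0.10, loss_limit=40000).items():
        irr_txt = "n/a" if r["irr"] is None else f"{r['irr']:.1%}"
        print(f"{name:28s} NPV={r['npv']:>11,.2f}  IRR={irr_txt:>7s}"
              f"  within loss limit={r['within_loss_limit']}")
```

The two "do nothing" streams have no IRR because their NPV never changes sign, which is why the slides recommend comparing the four cases on the same valuation method rather than on IRR alone.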

Mitigation


Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.


Risk mitigation
• How do I reduce my risk?
• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure

Risk mitigation treatments
• Risk avoidance
• Risk reduction
• Risk retention
• Risk transfer

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also, any amount of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability-weighted sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

Risk mitigation
• Checklists – Sample Risk Checklist for Pricing
– Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
– Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth™ web site,
http://www.wiredforgrowth.com/index.jsp?cprofile=N

Risk mitigation
• Checklists – Sample R&D Risk Checklist
– Determine whether product development has realistic
costs and timeframes.
– Check that a detailed budget has been established for
product development.
from the Wired for Growth™ web site,
http://www.wiredforgrowth.com/index.jsp?cprofile=N

Risk mitigation
• Checklists – Sample Materials Management Risk Checklist
– Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
– Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
– Make sure quality specifications have been defined,
authorized and formally documented.
from the Wired for Growth™ web site,
http://www.wiredforgrowth.com/index.jsp?cprofile=N

Evaluation
(re-evaluation after control)


Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks


Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc.)

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to
controlled recovery
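
An added example, not the presentation's own, carrying the re-evaluation steps above through in Python: raw ALE as loss times frequency summed over all risks, ALE recalculated with controls working, and the improvement net of control cost. The risk register and control cost are constructed figures; one risk is treated by lowering its frequency and the others by capping the loss per event, the two levers named on the "How do I reduce my risk?" slide.

```python
"""Annual Loss Exposure before and after controls (added example).

Not code from the presentation. The risk register and control cost below are
constructed figures; the arithmetic follows the re-evaluation steps above:
loss x frequency per risk, summed over all risks, then recalculated with controls.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Risk:
    name: str
    loss_per_event: float        # estimated loss each time the risk occurs
    frequency: float             # expected occurrences per year, no controls
    controlled_loss: float       # per-event loss once controls limit the damage
    controlled_frequency: float  # occurrences per year with controls working


def raw_ale(risks: List[Risk]) -> float:
    """Raw ALE: loss times frequency for each risk, summed over all risks."""
    return sum(r.loss_per_event * r.frequency for r in risks)


def controlled_ale(risks: List[Risk]) -> float:
    """ALE recalculated assuming every control is working as designed."""
    return sum(r.controlled_loss * r.controlled_frequency for r in risks)


def ale_by_risk(risks: List[Risk]) -> Dict[str, Dict[str, float]]:
    """Per-risk view, useful for spotting a control that costs more than it saves."""
    return {
        r.name: {
            "raw": r.loss_per_event * r.frequency,
            "controlled": r.controlled_loss * r.controlled_frequency,
        }
        for r in risks
    }


def net_control_benefit(risks: List[Risk], annual_control_cost: float) -> float:
    """Improvement in ALE minus what the controls cost per year.

    Positive: the controls pay for themselves. Negative: the exposure they
    remove is worth less than they cost, which argues for retaining the risk
    or choosing a cheaper treatment.
    """
    return (raw_ale(risks) - controlled_ale(risks)) - annual_control_cost


# Constructed register. The first risk is treated by reducing its frequency
# (access controls on pricing data), the second by reducing the loss per event
# (incoming inspection catches a bad lot before it reaches production), the third
# by reducing the loss per event (a backup line shortens each stoppage).
SAMPLE_RISKS: List[Risk] = [
    Risk("pricing data leakage",     80000, 0.25, 80000, 0.05),
    Risk("substandard supplier lot", 12000, 4.0,   2000, 4.0),
    Risk("production line stoppage", 50000, 0.5,  10000, 0.5),
]
ANNUAL_CONTROL_COST = 30000  # constructed: yearly cost of all three controls

if __name__ == "__main__":
    for name, v in ale_by_risk(SAMPLE_RISKS).items():
        print(f"{name:26s} raw ALE={v['raw']:>9,.0f}  controlled ALE={v['controlled']:>9,.0f}")
    print(f"total raw ALE        = {raw_ale(SAMPLE_RISKS):,.0f}")
    print(f"total controlled ALE = {controlled_ale(SAMPLE_RISKS):,.0f}")
    print(f"net control benefit  = {net_control_benefit(SAMPLE_RISKS, ANNUAL_CONTROL_COST):,.0f}")
```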

Conclusions


Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:
– Define
– Identify
– Evaluate
– Mitigate
– Control

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate, support your assessment
with recognized c/b calculations

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, Cp, etc.)
– Financial calculations (ROI, etc.)
– SPC
– ...

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding
– Investments
• Home
• Car

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J. Nocera (on N. Taleb), “Risk Mismanagement”,
New York Times Magazine, p. 28, Jan. 4, 2009

(Four Case)
Risk Management Analysis
Thank you
Questions?



Slide 33

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
p



The value of "i" such that  at / (1+i) t = 0
t=1

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
James August, CQA 01/21/09

61

Risk evaluation
V a lu e a ccru e d (+ /-)

N o ch an ge
P ositive ou tcom e

C h an ge
P ositive ou tcom e

C h a n g e im p le m e n ta tio n

N o ch an ge
N egative ou tcom e

James August, CQA 01/21/09

C h an ge
N egative ou tcom e

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
James August, CQA 01/21/09

63

Mitigation

James August, CQA 01/21/09

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

James August, CQA 01/21/09

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
James August, CQA 01/21/09

66

Risk mitigation treatments





James August, CQA 01/21/09

Risk avoidance
Risk reduction
Risk retention
Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
James August, CQA 01/21/09

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also, any amount of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

72

Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability weighted Sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

73

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for GrowthTM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.

from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)


78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks


79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)


80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to
controlled recovery
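The ALE re-evaluation of slides 79 to 81, with the risk-reduction idea from slide 66 (a control lowers either the chance of failure or its cost) and the retained-above-insured-amount rule from slide 70, carried through as an added Python example (not code from the presentation). The risk register, the event frequencies, the control effects, the control costs and the single-event loss limit are constructed assumptions.

```python
"""Annual Loss Exposure (ALE) before and after mitigating controls.

Added example, not from the presentation. The risk register, event
frequencies, control effects, control costs and loss limit are constructed
assumptions used to show the arithmetic of slides 79 to 81.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    name: str
    loss_per_event: float     # estimated loss ($) each time the event occurs
    events_per_year: float    # frequency of occurrence


@dataclass
class Control:
    """A mitigating control; a factor of 1.0 means 'no effect'."""
    name: str
    annual_cost: float               # what the control costs per year
    frequency_factor: float = 1.0    # < 1 reduces the chance of failure (risk reduction)
    severity_factor: float = 1.0     # < 1 reduces the cost of failure (risk reduction)
    insured_amount: Optional[float] = None  # risk transfer: loss up to this is insured


def ale(risk):
    """Raw ALE for one risk: loss per event multiplied by frequency of occurrence."""
    return risk.loss_per_event * risk.events_per_year


def with_controls(risk, controls):
    """The same risk, assuming all of its controls are working."""
    freq = risk.events_per_year
    loss = risk.loss_per_event
    for c in controls:
        freq *= c.frequency_factor
        loss *= c.severity_factor
        if c.insured_amount is not None:
            # only the amount over what is insured stays as retained risk (slide 70)
            loss = max(0.0, loss - c.insured_amount)
    return Risk(risk.name, loss, freq)


def evaluate_mitigation(register, loss_limit):
    """register: list of (Risk, [Control, ...]) pairs.

    Returns raw and controlled ALE summed over all risks, the cost of the
    controls, the improvement in ALE net of that cost, and a worst-single-event
    check against the organisation's tolerable loss limit.
    """
    controlled = [with_controls(r, cs) for r, cs in register]
    raw_ale = sum(ale(r) for r, _ in register)
    controlled_ale = sum(ale(r) for r in controlled)
    control_cost = sum(c.annual_cost for _, cs in register for c in cs)
    improvement = raw_ale - controlled_ale
    worst_raw = max(r.loss_per_event for r, _ in register)
    worst_controlled = max(r.loss_per_event for r in controlled)
    return {
        "raw_ale": raw_ale,
        "controlled_ale": controlled_ale,
        "control_cost": control_cost,
        "ale_improvement": improvement,
        "net_benefit": improvement - control_cost,
        "controls_pay_off": improvement > control_cost,
        "worst_event_raw": worst_raw,
        "worst_event_controlled": worst_controlled,
        "within_loss_limit_raw": worst_raw <= loss_limit,
        "within_loss_limit_controlled": worst_controlled <= loss_limit,
    }


# Constructed risk register for a small manufacturing operation.
REGISTER = [
    (Risk("line stoppage from substandard supplies", 50_000, 2.0),
     [Control("supplier assessment programme", 15_000, frequency_factor=0.5),
      Control("SPC on incoming material", 10_000, severity_factor=0.6)]),
    (Risk("warehouse fire", 2_000_000, 0.02),
     [Control("sprinkler system", 8_000, severity_factor=0.25),
      Control("property insurance", 12_000, insured_amount=300_000)]),
    (Risk("pricing data leak", 200_000, 0.25),
     [Control("access control on pricing files", 6_000, frequency_factor=0.2)]),
]
LOSS_LIMIT = 250_000.0   # assumed tolerable loss for a single event


def sample_evaluation():
    """Evaluate the constructed register against the assumed loss limit."""
    return evaluate_mitigation(REGISTER, LOSS_LIMIT)


if __name__ == "__main__":
    for key, value in sample_evaluation().items():
        print(f"{key:30s} {value}")
```

For the constructed register the raw ALE is $190,000 and the controlled ALE $44,000, so the controls improve ALE by $146,000 against $51,000 of control cost. The single-event check is the part a pure ALE sum hides: the uncontrolled fire ($2,000,000) breaches the assumed $250,000 limit even though its ALE is small, and it is the sprinklers plus the insurance transfer, not the ALE arithmetic, that bring the retained loss inside tolerance.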


81

Conclusions


82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:

1. Define
2. Identify
3. Evaluate
4. Mitigate
5. Control

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations


85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, cp, etc)
– Financial calculations (ROI, etc)
– SPC
– ...

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009


88

(Four Case)
Risk Management Analysis
Thank you
Questions?


89




Slide 35

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA


Definition


Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira


Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.


Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability


Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large


Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $


Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output


Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.


Risk definition
Quadrant chart (axes: Value accrued (+/-) and Cost of action):
– big cost, big gains
– small cost, small gains
– small cost, small losses
– big cost, big losses

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues

Risk definition
Quadrant chart (axes: Value accrued (+/-) and Cost of action), with the tolerable loss limit marked on the loss side:
– small cost, big gains: “no brainer”
– big cost, big gains
– small cost, small gains
– small cost, small losses
– big cost, big losses: “not a good idea”

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures


Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.


Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level

Identification


Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.

Risk identification
What is at risk?


Risk identification
What is at risk?
Achieving your objectives!


Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008

Risk identification
• core business op’ns & processes
– acquire new customers
– take orders
– procure materials
– create products, manage inventories
– deliver products
– collect payments

Risk identification
• core sales sub-processes
– market research
– pricing
– promotion and advertising
– order taking (order entry)
– warranty management

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection


Risk identification
• core operations sub-processes
– materials sourcing (availability)
– quality control (product & process)
– plant & workplace safety
– environmental concerns
– inventory
– logistics and transport

Risk identification
• core finance sub-processes
– budgeting
– accounts receivable and payable
– banking
– currency exchange
– MIS and IT processes

Risk identification
• support business processes
– strategic planning
– brand management
– facilities and infrastructure management
– process Engineering
– capital investment
– asset management

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management

Risk identification
• support business sub-processes
– quality assurance
– predictive/ preventive maintenance
– recruitment, compensation
– employee relations (work stoppages)
– employee performance mgt
– payroll, benefits, ...

Risk identification
• other business areas
– outplacement
– employee well-being
– insurance
– mergers & acquisitions
– construction / expansion

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.
– Strengths
– Weaknesses
– Opportunities
– Threats

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...

Evaluation


Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?


Risk evaluation
Risk matrix (rows: Frequency; columns: Severity):

Frequency   | Negligible | Minor | Major | Severe
Frequent    | L          | I     | H     | H
Probable    | L          | I     | H     | H
Occasional  | T          | I     | I     | H
Remote      | T          | L     | I     | I


Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability


Risk evaluation
• Typical approaches for quantification
– Weighted probabilities
– Extended cost
– Future Value or Net Present Value
– Capability analysis
– Value stream mapping
– Cost of poor quality
– Discounted Cash Flow
– Internal Rate of Return

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency


Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)
Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.

Risk evaluation

• NPV = $a_0 + a_1/(1+i) + a_2/(1+i)^2 + a_3/(1+i)^3 + \dots$

• Where
“a” is the return for each period at rate “i”


Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.

Risk evaluation
Financial measures of c/b
• IRR
The value of "i" such that $\sum_{t=1}^{p} a_t / (1+i)^t = 0$

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
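As an added example that is not from the presentation, the NPV formula from the earlier slide and the IRR definitions above in working code: NPV is the discounted sum over the cash-flow stream, and the IRR is found by bisection, the systematic form of the trial-and-error search the slide mentions. The cash-flow figures, the bracketing interval, the hurdle-rate helper and the function names are assumptions of this example.

```python
"""Net present value and internal rate of return for a cash-flow stream.

Added example for the NPV formula and the IRR definitions on the slides; it
is not code from the presentation. The cash flows below are constructed.
"""

# Constructed stream: a_0 is the outlay today (negative), a_1..a_p the returns
# expected in each later period. Not figures from the presentation.
SAMPLE_CASH_FLOWS = [-1000.0, 300.0, 400.0, 500.0]


def npv(rate, cash_flows):
    """NPV = a_0 + a_1/(1+i) + a_2/(1+i)^2 + ... with `rate` in the role of i.

    cash_flows[t] is the return a_t in period t; index 0 is today and is
    not discounted.
    """
    if rate <= -1.0:
        raise ValueError("discount rate must be greater than -100%")
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


def irr(cash_flows, lo=-0.99, hi=10.0, tol=1e-10, max_iter=200):
    """Discount rate at which the NPV of the stream is zero, found by bisection.

    The slides note that IRR has no algebraic formula and must be found by
    trial and error; bisection is that search made systematic. It needs the
    NPV to change sign between `lo` and `hi`, which holds for a conventional
    stream (one outlay followed by returns).
    """
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        raise ValueError("NPV has the same sign at both ends; no IRR is bracketed")
    for _ in range(max_iter):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol or (hi - lo) < tol:
            return mid
        if f_lo * f_mid < 0:   # sign change in [lo, mid]: root is there
            hi = mid
        else:                  # otherwise the root is in [mid, hi]
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


def accept(cash_flows, hurdle_rate):
    """Investment view from the slides: accept when the IRR clears the rate the
    organization requires; for a conventional stream that is the same as the
    NPV at that rate being positive."""
    return npv(hurdle_rate, cash_flows) > 0.0


if __name__ == "__main__":
    cf = SAMPLE_CASH_FLOWS
    print(f"NPV at 10%: {npv(0.10, cf):.2f}")
    print(f"IRR: {irr(cf) * 100:.3f}%")
    print(f"accept at a 10% hurdle? {accept(cf, 0.10)}")
```

With the constructed stream the NPV at 10% is slightly negative while the IRR comes out just under 9%, which is the point of the third definition above: the project only covers its costs if the organization's required rate is below that figure.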

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.



Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results

Risk evaluation
Four-case chart (axes: Value accrued (+/-) and Change implementation):
– No change, positive outcome
– Change, positive outcome
– No change, negative outcome
– Change, negative outcome

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
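The comparison of the four cases, as an added example (not code from the presentation): each option, change or no change, is given its positive and its negative outcome with a probability and a value accrued, and the choice is the highest expected value among the options whose worst case stays inside the tolerable loss limit. The dollar figures and probabilities are constructed, and the class and function names are this example's own; note how the loss limit alone can flip the decision between the two options.

```python
"""Four-case risk comparison with a tolerable loss limit.

Added example, not code from the presentation. All dollar figures and
probabilities below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    label: str
    probability: float    # chance this outcome follows once the option is taken
    value_accrued: float  # net dollars: + for gain, - for loss, cost of action included


@dataclass(frozen=True)
class Option:
    name: str
    outcomes: tuple       # the positive and the negative outcome for this option

    def expected_value(self):
        """Probability-weighted value accrued across both outcomes."""
        return sum(o.probability * o.value_accrued for o in self.outcomes)

    def worst_case(self):
        """Value accrued in the worst (most negative) outcome."""
        return min(o.value_accrued for o in self.outcomes)


def four_cases():
    """The four cases from the slide: change / no change x positive / negative.

    Constructed numbers: an improvement project with a 70% chance of the
    planned result and a 30% chance of an adverse result; doing nothing has a
    50% chance of modest learning-curve improvement and a 50% chance of an
    adverse result. Values are net of the cost of action.
    """
    change = Option("implement the change", (
        Outcome("planned results achieved (c/b analysis holds)", 0.70, 90_000.0),
        Outcome("adverse (unplanned) results", 0.30, -110_000.0),
    ))
    no_change = Option("do nothing", (
        Outcome("learning-curve improvement", 0.50, 10_000.0),
        Outcome("adverse results", 0.50, -40_000.0),
    ))
    for option in (change, no_change):
        total = sum(o.probability for o in option.outcomes)
        if abs(total - 1.0) > 1e-9:
            raise ValueError(f"{option.name}: outcome probabilities sum to {total}, not 1")
    return change, no_change


def choose(options, tolerable_loss_limit):
    """Highest expected value among options whose worst case stays within the
    organization's tolerable loss limit; None if every option breaches it."""
    if tolerable_loss_limit < 0:
        raise ValueError("tolerable loss limit is a non-negative dollar amount")
    admissible = [o for o in options if o.worst_case() >= -tolerable_loss_limit]
    if not admissible:
        return None
    return max(admissible, key=lambda o: o.expected_value())


if __name__ == "__main__":
    options = four_cases()
    for o in options:
        print(f"{o.name}: EV = {o.expected_value():,.0f}, worst case = {o.worst_case():,.0f}")
    for limit in (50_000.0, 150_000.0):
        pick = choose(options, limit)
        print(f"loss limit {limit:,.0f}: choose {pick.name if pick else 'nothing admissible'}")
```

With these numbers the change has the better expected value (+30,000 against -15,000 for doing nothing), but its adverse case loses 110,000, so an organization whose loss limit is 50,000 is pushed to the "do nothing" option even though that option's expected value is negative. That is the RTP point from the identification slides: doing nothing is not free of risk, it just hides it.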

Mitigation


Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.


Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure

Risk mitigation treatments
– Risk avoidance
– Risk reduction
– Risk retention
– Risk transfer

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability weighted Sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

Evaluation
(re-evaluation after control)


Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks


Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)


Risk evaluation revisited
• Re-evaluate costs and benefit
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to
controlled recovery
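The re-evaluation steps above carried through, as an added example (not code from the presentation): raw ALE per risk is loss per event times frequency of occurrence, summed over all risks; the same calculation with every control assumed working gives the controlled ALE; and the reduction is compared with the annual cost of the controls. The three risks, their dollar figures and frequencies, and the class and function names are constructed for this example.

```python
"""Annual Loss Exposure (ALE) before and after controls.

Added example for the re-evaluation steps on the slides; it is not code from
the presentation. The risks, dollar figures and frequencies are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    loss_per_event: float             # estimated loss each time the event occurs (USD)
    events_per_year: float            # frequency of occurrence; 0.1 = about once in ten years
    controlled_loss_per_event: float  # same two figures assuming the mitigating
    controlled_events_per_year: float  # controls are in place and working


def ale(loss_per_event, events_per_year):
    """Annual Loss Exposure = loss per event x events per year."""
    if loss_per_event < 0 or events_per_year < 0:
        raise ValueError("loss and frequency must be non-negative")
    return loss_per_event * events_per_year


def raw_ale(risks):
    """Raw ALE summed over all risks (no controls assumed)."""
    return sum(ale(r.loss_per_event, r.events_per_year) for r in risks)


def controlled_ale(risks):
    """ALE summed over all risks assuming every control is working."""
    return sum(ale(r.controlled_loss_per_event, r.controlled_events_per_year)
               for r in risks)


def evaluate_controls(risks, annual_control_cost):
    """Compare the ALE reduction the controls buy with what they cost per year."""
    if annual_control_cost < 0:
        raise ValueError("control cost must be non-negative")
    raw = raw_ale(risks)
    ctl = controlled_ale(risks)
    reduction = raw - ctl
    return {
        "raw_ale": raw,
        "controlled_ale": ctl,
        "ale_reduction": reduction,
        "net_annual_benefit": reduction - annual_control_cost,
        "controls_justified": reduction > annual_control_cost,
    }


# Constructed register of three operational risks (illustrative values only).
SAMPLE_RISKS = (
    Risk("ransomware outage of order entry", 400_000.0, 0.10, 100_000.0, 0.05),
    Risk("supplier late delivery", 20_000.0, 6.0, 20_000.0, 2.0),
    Risk("workplace injury", 50_000.0, 0.5, 50_000.0, 0.2),
)


if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(f"{r.name}: raw ALE {ale(r.loss_per_event, r.events_per_year):,.0f}, "
              f"controlled ALE {ale(r.controlled_loss_per_event, r.controlled_events_per_year):,.0f}")
    for cost in (80_000.0, 150_000.0):
        result = evaluate_controls(SAMPLE_RISKS, cost)
        print(f"controls costing {cost:,.0f}/yr: net benefit {result['net_annual_benefit']:,.0f}, "
              f"justified = {result['controls_justified']}")
```

A control can reduce either factor: backups shrink the loss per event of the outage, while supplier assessment shrinks how often late deliveries happen. Both appear in the same ALE reduction, which is what lets the cost of a mixed set of controls be weighed as one number against the loss they avert.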


Conclusions


Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:

(1) Define
(2) Identify
(3) Evaluate
(4) Mitigate
(5) Control

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations


Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, cp, etc)
– Financial calculations (ROI, etc)
– SPC
– ...

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009


(Four Case)
Risk Management Analysis
Thank you
Questions?



Slide 36

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Risk matrix: frequency of occurrence (rows) against severity (columns); the cell codes T, L, I and H are the rating levels used on the slide.

Frequency    | Negligible | Minor | Major | Severe
-------------|------------|-------|-------|-------
Frequent     | L          | I     | H     | H
Probable     | L          | I     | H     | H
Occasional   | T          | I     | I     | H
Remote       | T          | L     | I     | I

45

Risk evaluation

46

Risk evaluation

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis (FMEA)
– RPN = Severity x Frequency (occurrence) x Detectability, each factor rated on an ordinal scale (typically 1 to 10, with 10 the worst)
– Criterion: compare the RPN with a threshold, here 100; a failure mode with an RPN above 100 calls for action, one below 100 does not

48
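As an added example (mine, not part of the slides), the two screening methods on the preceding slides in Python: the frequency x severity matrix transcribed from slide 45 as a lookup, and the FMEA risk priority number with the slide's threshold of 100. The failure modes, the 1 to 10 rating scale and the severity-floor rule (select a failure mode with severity 9 or 10 whatever its RPN) are my assumptions; the last one reflects common FMEA practice rather than anything the slides state.

```python
"""Added example (not from the slides): two screening methods from the
Risk evaluation slides, the frequency x severity matrix and the FMEA
risk priority number, applied to a constructed list of failure modes."""

# Rating matrix transcribed from the slide: frequency row, severity column,
# cell = rating code used on the slide (T, L, I or H).
RISK_MATRIX = {
    "Frequent":   {"Negligible": "L", "Minor": "I", "Major": "H", "Severe": "H"},
    "Probable":   {"Negligible": "L", "Minor": "I", "Major": "H", "Severe": "H"},
    "Occasional": {"Negligible": "T", "Minor": "I", "Major": "I", "Severe": "H"},
    "Remote":     {"Negligible": "T", "Minor": "L", "Major": "I", "Severe": "I"},
}


def matrix_rating(frequency, severity):
    """Qualitative rating for one risk; raises KeyError on a label not in the matrix."""
    return RISK_MATRIX[frequency][severity]


def rpn(severity, occurrence, detection):
    """FMEA risk priority number. Each factor is an ordinal 1..10 rating
    (10 = worst: most severe, most frequent, hardest to detect)."""
    for name, value in (("severity", severity), ("occurrence", occurrence), ("detection", detection)):
        if not (isinstance(value, int) and 1 <= value <= 10):
            raise ValueError(f"{name} must be an integer in 1..10, got {value!r}")
    return severity * occurrence * detection


def prioritise(failure_modes, rpn_threshold=100, severity_floor=9):
    """Failure modes that need action, highest RPN first.

    A mode is selected when its RPN exceeds rpn_threshold (the slide's
    criterion of 100) OR when its severity is at or above severity_floor.
    The second rule is an assumed, common FMEA practice: because RPN is a
    product of ordinal ratings, a rare but catastrophic mode can score
    below the threshold and would otherwise be dropped from the list.
    """
    selected = []
    for fm in failure_modes:
        score = rpn(fm["severity"], fm["occurrence"], fm["detection"])
        if score > rpn_threshold or fm["severity"] >= severity_floor:
            selected.append((score, fm["name"]))
    selected.sort(key=lambda item: (-item[0], item[1]))
    return [name for _, name in selected]


# Constructed sample data (hypothetical failure modes, not from the slides).
SAMPLE_FAILURE_MODES = [
    {"name": "substandard supplier lot accepted", "severity": 7, "occurrence": 5, "detection": 4},  # RPN 140
    {"name": "invoice paid twice",                "severity": 3, "occurrence": 6, "detection": 5},  # RPN 90
    {"name": "shared admin password leaked",      "severity": 9, "occurrence": 2, "detection": 5},  # RPN 90
    {"name": "forklift near-miss in warehouse",   "severity": 8, "occurrence": 3, "detection": 2},  # RPN 48
]

if __name__ == "__main__":
    print("matrix rating, Occasional / Major:", matrix_rating("Occasional", "Major"))
    for fm in SAMPLE_FAILURE_MODES:
        print(f"{fm['name']:<36} RPN = {rpn(fm['severity'], fm['occurrence'], fm['detection'])}")
    print("action list:", prioritise(SAMPLE_FAILURE_MODES))
```

Note that "invoice paid twice" and "shared admin password leaked" both score 90; only the second is selected, and only because of the severity floor. That is the point of the extra rule: identical RPNs can hide very different worst cases.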

Risk evaluation
• Typical approaches for quantification
– Weighted probabilities
– Extended cost
– Future Value or Net Present Value
– Capability analysis
– Value stream mapping
– Cost of poor quality
– Discounted Cash Flow
– Internal Rate of Return

49

Risk evaluation
• Project justification
– Develop meaningful (financial?) performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from time and material invested
– may be based on estimates of increased sales or improved process efficiency

50

Risk evaluation
Financial measures of c/b
• Return on Investment (ROI)
• Net benefit/cost ratio:
  Net B/C ratio = (PV of benefits – PV of operating costs) / PV of capital costs

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis period, adjusted to reflect the time value of money. Other things being equal, the action or investment with the larger NPV is the better option. NPV uses the Present Value concept, the idea that money you have now is worth more than an identical amount received in the future.

52

Risk evaluation
• NPV = a_0 + a_1/(1+i) + a_2/(1+i)^2 + a_3/(1+i)^3 + ...
• where a_t is the net cash flow (return) in period t and i is the discount rate per period; a_0 is the period-0 flow, normally the initial outlay (negative), and is not discounted

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow (DCF)
The discounted cash flow approach describes a method to value a project, company, or financial asset using the concepts of the time value of money. All future cash flows are estimated and discounted to give them a present value. The discount rate used is generally the appropriate cost of capital, and incorporates judgments of the uncertainty (riskiness) of the future cash flows.

54

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)
IRR (like NPV) is a financial metric that reflects the time value of money. The meaning of IRR is less obvious to most people, but IRR is nevertheless often used as a central decision criterion among financial specialists. As the word "Return" implies, the IRR view of the cash flow stream is essentially an investment view: money will be paid out and compared to returns.

55

Risk evaluation
• The internal rate of return (IRR) is the interest rate such that the discounted sum of net cash flows is zero. If the interest rate were equal to the IRR, the net present value would be exactly zero. In general the IRR has no closed-form algebraic solution; it is found numerically, by trial and error or an iterative root-finding method.

56

Risk evaluation
Financial measures of c/b
• IRR
The value of i such that Σ_{t=0}^{p} a_t / (1+i)^t = 0, where p is the number of periods: the NPV expression above set equal to zero (a_0, the initial outlay, is included in the sum).

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which the total present value of future cash flows equals the cost of the investment."
• 2. "The IRR for an investment is the discount rate that produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates have to climb (the discount rate for NPV calculations) in order for the PV of gains to just cover the PV of costs?"
• The answer in each case is an interest rate; the higher the interest rate (that is, the higher the IRR), the more robust the investment and the better the returns compare to the costs. IRR is a rate, not an amount, so when choosing between projects of different size or timing compare their NPVs as well.

58

Risk evaluation
• Excel spreadsheets can do PV, NPV, IRR and other financial value calculations.

59

Risk evaluation
• Four cases for risk evaluation:

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform the primary c/b analyses assuming the planned results are achieved
– implement the change and get adverse (unplanned) results
– do nothing (ongoing costs only) and see learning-curve improvement
– do nothing and get adverse results

61

Risk evaluation
[Chart: value accrued (+/–) versus change implementation; the four cases plotted are "No change, positive outcome", "Change, positive outcome", "No change, negative outcome" and "Change, negative outcome".]

62

Risk evaluation
• Use the risk valuation method preferred by your organization (ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four risk cases.
• Keep in mind the organization's risk tolerance loss limit.

63
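An added worked example (not from the slides) that carries the preceding formulas and the four-case comparison into code: NPV as on slide 53, IRR found numerically by bisection as slide 56 describes, and the four cases of slide 61 valued and checked against a tolerable loss limit. The cash flows, the 10% discount rate, the outcome probabilities and the loss limit of 60 are constructed figures.

```python
"""Added example (not from the slides): NPV and IRR as defined on the
Risk evaluation slides, then the four-case comparison against a tolerable
loss limit, on constructed cash flows."""


def npv(rate, cash_flows):
    """NPV = a_0 + a_1/(1+i) + a_2/(1+i)^2 + ...  (cash_flows[0] is period 0, undiscounted)."""
    return sum(a / (1 + rate) ** t for t, a in enumerate(cash_flows))


def irr(cash_flows, lo=-0.99, hi=10.0, tol=1e-10, max_iter=500):
    """Discount rate at which NPV is zero, found numerically by bisection.

    Returns None when NPV does not change sign on [lo, hi] (for example
    all-positive flows: no rate makes NPV zero). Flows with more than one
    sign change can have several IRRs; bisection then returns only one of
    them, so check the sign pattern of the flows before trusting the result.
    """
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo == 0:
        return lo
    if f_hi == 0:
        return hi
    if (f_lo > 0) == (f_hi > 0):
        return None
    for _ in range(max_iter):
        mid = (lo + hi) / 2
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol or hi - lo < tol:
            return mid
        if (f_mid > 0) == (f_lo > 0):
            lo, f_lo = mid, f_mid
        else:
            hi, f_hi = mid, f_mid
    return (lo + hi) / 2


def four_case_analysis(cases, rate, p_change_ok, p_no_change_ok, loss_limit):
    """Value each of the four cases at the chosen discount rate and report
    which ones breach the tolerable loss limit (loss_limit is a positive
    number: the most the organisation can afford to lose in the worst case).

    Also returns probability-weighted values for 'change' and 'no change'
    (the 'weighted probabilities' approach listed on slide 49); the
    probabilities are the analyst's own estimates, not data."""
    values = {name: npv(rate, flows) for name, flows in cases.items()}
    expected = {
        "change": p_change_ok * values["change, positive outcome"]
                  + (1 - p_change_ok) * values["change, negative outcome"],
        "no change": p_no_change_ok * values["no change, positive outcome"]
                     + (1 - p_no_change_ok) * values["no change, negative outcome"],
    }
    breaches = sorted(name for name, v in values.items() if v < -loss_limit)
    return {"values": values, "expected": expected, "breaches": breaches}


# Constructed annual net cash flows in $k (hypothetical project, not from the slides).
FOUR_CASES = {
    "change, positive outcome":    [-100, 40, 40, 40, 40],   # invest 100, planned gains arrive
    "change, negative outcome":    [-100, 10, 10, 10, 10],   # invest 100, gains fall short
    "no change, positive outcome": [0, 5, 5, 5, 5],          # learning-curve gains, no outlay
    "no change, negative outcome": [0, -30, -30, -30, -30],  # process degrades, losses accrue
}

if __name__ == "__main__":
    result = four_case_analysis(FOUR_CASES, rate=0.10, p_change_ok=0.7,
                                p_no_change_ok=0.5, loss_limit=60)
    for name, v in result["values"].items():
        print(f"{name:<30} NPV @ 10% = {v:8.2f}")
    print("IRR of the planned change:", round(irr(FOUR_CASES["change, positive outcome"]), 4))
    print("expected value, change vs no change:", result["expected"])
    print("cases breaching the 60 loss limit:", result["breaches"])
```

With these figures the change wins on expected value, but its adverse case still breaches the loss limit; that is the situation slide 63 warns about, where the probability-weighted answer and the tolerable loss limit have to be read together.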

Mitigation

64

Risk mitigation
Risk mitigation (handling) is deciding what to do about each of the risks assessed as important to your project, implementing the changes and documenting the (planned) response.

65

Risk mitigation
• How do I reduce my risk?
• Risk is a function of the probability of success (or of failure) and the value of success (or the cost of failure)
• Either reduce the chance of failure or reduce the cost of failure

66

Risk mitigation treatments
– Risk avoidance
– Risk reduction
– Risk retention
– Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An example would be not buying a property or business in order to not take on the liability that comes with it. Another would be not flying in order to not take the risk that the airplane were to be hijacked. Avoidance may seem the answer to all risks, but avoiding risks also means losing out on the potential gain that accepting (retaining) the risk may have allowed. Not entering a business to avoid the risk of loss also avoids the possibility of earning profits.
from Wikipedia

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples include sprinklers designed to put out a fire to reduce the risk of loss by fire.
• Modern software development methodologies reduce risk by developing and delivering software incrementally. Early methodologies suffered from the fact that they only delivered software in the final phase of development; any problems encountered in earlier phases meant costly rework and often jeopardized the whole project.
from Wikipedia

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self insurance falls in this category. Risk retention is a viable strategy for small risks where the cost of insuring against the risk would be greater over time than the total losses sustained. All risks that are not avoided or transferred are retained by default. This includes risks that are so large or catastrophic that they either cannot be insured against or the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount insured are retained risk.
from Wikipedia

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically by contract or by hedging. Insurance is one type of risk transfer that uses contracts.
• Some ways of managing risk fall into multiple categories. Risk retention pools are technically retaining the risk for the group, but spreading it over the whole group involves transfer among individual members of the group. This is different from traditional insurance, in that no premium is exchanged between members of the group up front, but instead losses are assessed to all members of the group.
from Wikipedia

71

Risk mitigation
• Distribute your risk – don't put all your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

72

Risk mitigation
• Some mitigation approaches for core processes
– Published financial documents – open review
– Probability-weighted sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
  • simulations and prototyping
– Inventory ABC analysis

73

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

74

Risk mitigation
• Checklists:
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market trends, competitor prices, etc. as determinants of pricing policy.
Steps are taken to protect commercially sensitive pricing information from unauthorized access and leakage.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

75

Risk mitigation
• Checklists:
Sample R&D Risk Checklist
Determine whether product development has realistic costs and timeframes.
Check that a detailed budget has been established for product development.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

76

Risk mitigation
• Checklists:
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard supplies and arrange replacement stock.
Verify that measures are in place to assess potential suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined, authorized and formally documented.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)

78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate the loss associated with each occurrence of each risk
– determine each risk's frequency of occurrence (occurrences per year)
– multiply the two to calculate the raw Annual Loss Exposure (raw ALE) for each risk and sum over all risks (the IT security literature calls the same product the annualized loss expectancy: single loss expectancy × annual rate of occurrence)

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is meaningful to your organization (ROI, NPV, DCF, IRR, etc.)

80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine the effectiveness of mitigation by recalculating the Annual Loss Exposure assuming all controls are working
– Determine the cost of the risk-mitigating controls
– Determine the improvement in ALE due to the controls and compare it with their cost; a control whose annual cost exceeds the ALE reduction it buys is not paying for itself, and the residual ALE should still be checked against the tolerable loss limit

81
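An added example (not from the slides) of the re-evaluation procedure on slides 79 to 81: raw ALE, ALE with all controls working, control cost and the resulting net annual benefit, plus two checks a practitioner would add, which controls cost more than the loss they prevent and which risks exceed the tolerable loss limit in a single event. The risk register, its loss and frequency figures and the control costs are constructed.

```python
"""Added example (not from the slides): the re-evaluation procedure of the
'Risk evaluation revisited' slides, raw ALE versus ALE with controls, control
cost and the tolerable loss limit, on a constructed risk register."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    loss_per_event: float    # estimated loss per occurrence, $ (the single loss expectancy)
    raw_rate: float          # occurrences per year with no mitigating control
    controlled_rate: float   # occurrences per year assuming the control is working
    control_cost: float      # annual cost of the mitigating control, $


def ale(loss_per_event, rate_per_year):
    """Annual loss exposure for one risk: loss per occurrence x occurrences per year."""
    if loss_per_event < 0 or rate_per_year < 0:
        raise ValueError("loss and rate must be non-negative")
    return loss_per_event * rate_per_year


def reevaluate(register):
    """Totals for the register: raw ALE, ALE with all controls working,
    control cost, and the net annual benefit (ALE reduction minus control cost)."""
    raw = sum(ale(r.loss_per_event, r.raw_rate) for r in register)
    controlled = sum(ale(r.loss_per_event, r.controlled_rate) for r in register)
    cost = sum(r.control_cost for r in register)
    return {"raw_ale": raw, "controlled_ale": controlled,
            "control_cost": cost, "net_benefit": raw - controlled - cost}


def controls_not_paying_off(register):
    """Risks whose control costs more per year than the ALE reduction it buys:
    candidates for a cheaper control, or for retaining the risk instead."""
    return [r.name for r in register
            if ale(r.loss_per_event, r.raw_rate) - ale(r.loss_per_event, r.controlled_rate)
            < r.control_cost]


def over_loss_limit(register, loss_limit):
    """Risks whose single-event loss alone exceeds the tolerable loss limit.
    ALE averages losses over a year; a control that lowers the rate does not
    shrink the worst single event, so these risks need transfer (insurance)
    or avoidance rather than rate reduction alone."""
    return [r.name for r in register if r.loss_per_event > loss_limit]


# Constructed sample register (hypothetical figures, not from the slides).
SAMPLE_REGISTER = [
    Risk("ransomware on the order-entry server",       250_000.0, 0.5, 0.125, 30_000.0),
    Risk("laptop theft with customer data",               5_000.0, 4.0, 1.0,   20_000.0),
    Risk("line stoppage from a late raw-material lot",   40_000.0, 2.0, 0.5,   15_000.0),
]

if __name__ == "__main__":
    print(reevaluate(SAMPLE_REGISTER))
    print("controls not paying off:", controls_not_paying_off(SAMPLE_REGISTER))
    print("over a $100k single-loss limit:", over_loss_limit(SAMPLE_REGISTER, 100_000.0))
```

The laptop control is the instructive case: it cuts the ALE from 20,000 to 5,000, but costs 20,000 a year, so on these numbers the risk would be cheaper to retain. The ransomware entry passes the ALE test and still shows up against the loss limit, because one event alone exceeds what the organisation said it could absorb.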

Conclusions

82

Risk management conclusions
• Every process has risk, even when just maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be done by combined cost/benefit comparisons
• Assessment of ongoing processes must be expressed in comparison with expected costs and results
• There is no simple single calculation for risk assessment (FMEA, ROI, ...)

83

Risk management conclusions
After you identify a potential risk, take the five steps to risk management:
(1) Define
(2) Identify
(3) Evaluate
(4) Mitigate
(5) Control

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions, as they can hide substantial risk
• Consider all four risk cases
• When appropriate, support your assessment with recognized c/b calculations

85

Risk management conclusions
• Process control: the mitigation tool for the risk management process
– Check lists
– Non-financial indexes (FMEA, Cp, etc.)
– Financial calculations (ROI, etc.)
– SPC
– ...

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
  • Retirement funding
– Investments
  • Home
  • Car

87

Risk management conclusions
"... the greatest risks are never the ones you can see and measure, but the ones you can't see and therefore can never measure."
from J. Nocera (on N. Taleb) in "Risk Mismanagement", New York Times Sunday Magazine, p. 28, Jan. 4, 2009

88

(Four Case)
Risk Management Analysis
Thank you
Questions?

89


Slide 37

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
p



The value of "i" such that  at / (1+i) t = 0
t=1

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
James August, CQA 01/21/09

61

Risk evaluation
V a lu e a ccru e d (+ /-)

N o ch an ge
P ositive ou tcom e

C h an ge
P ositive ou tcom e

C h a n g e im p le m e n ta tio n

N o ch an ge
N egative ou tcom e

James August, CQA 01/21/09

C h an ge
N egative ou tcom e

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
James August, CQA 01/21/09

63

Mitigation

James August, CQA 01/21/09

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

James August, CQA 01/21/09

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
James August, CQA 01/21/09

66

Risk mitigation treatments





James August, CQA 01/21/09

Risk avoidance
Risk reduction
Risk retention
Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
James August, CQA 01/21/09

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia
James August, CQA 01/21/09

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia
James August, CQA 01/21/09

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
James August, CQA 01/21/09

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools





Design for Six Sigma
Investment hedging
Concurrent Engineering
Employee education & training

James August, CQA 01/21/09

72

Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability weighted Sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

73

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
– Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
– Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
– Determine whether product development has realistic
costs and timeframes.
– Check that a detailed budget has been established for
product development.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
– Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
– Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
– Make sure quality specifications have been defined,
authorized and formally documented.

from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)


78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks


79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)


80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to
controlled recovery

81
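The ALE re-evaluation on the three "Risk evaluation revisited" slides, worked through as an added example (not the presenter's code): raw ALE per risk summed over a register, ALE recomputed with every control working, the annual control cost, and the improvement and ROI the controls buy. The risk register, control names, dollar figures and frequencies are constructed, and compounding several controls on one risk multiplicatively is an assumption of this example.

```python
"""Annual Loss Exposure (ALE) re-evaluation after controls are applied.

Added example, not from the original slides. Raw ALE per risk is the
estimated loss per occurrence times the annual frequency, summed over all
risks; the controlled ALE assumes every control works. Every risk, control,
dollar amount and frequency below is constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    annual_cost: float                 # $/year to run the control
    loss_reduction: float = 0.0        # fraction of loss per occurrence removed (0..1)
    frequency_reduction: float = 0.0   # fraction of annual frequency removed (0..1)


@dataclass
class Risk:
    name: str
    single_loss: float        # estimated loss per occurrence, $
    annual_frequency: float   # expected occurrences per year
    controls: list = field(default_factory=list)

    def raw_ale(self) -> float:
        """Raw ALE: loss per occurrence x occurrences per year, no controls."""
        return self.single_loss * self.annual_frequency

    def controlled_ale(self) -> float:
        """ALE assuming all controls work. Several controls on one risk
        compound (assumption): each removes its fraction of what is left."""
        loss, freq = self.single_loss, self.annual_frequency
        for c in self.controls:
            loss *= 1.0 - c.loss_reduction
            freq *= 1.0 - c.frequency_reduction
        return loss * freq

    def control_cost(self) -> float:
        return sum(c.annual_cost for c in self.controls)


def evaluate(risks: list) -> dict:
    """Portfolio totals: raw ALE, controlled ALE, control cost, improvement
    (loss avoided per year), net benefit and ROI of the controls. Also names
    risks whose controls cost more per year than the loss they avoid."""
    raw = sum(r.raw_ale() for r in risks)
    controlled = sum(r.controlled_ale() for r in risks)
    cost = sum(r.control_cost() for r in risks)
    improvement = raw - controlled
    net_benefit = improvement - cost
    uneconomic = [r.name for r in risks
                  if r.control_cost() > r.raw_ale() - r.controlled_ale()]
    return {
        "raw_ale": raw,
        "controlled_ale": controlled,
        "control_cost": cost,
        "improvement": improvement,
        "net_benefit": net_benefit,
        "roi": net_benefit / cost if cost else float("inf"),
        "uneconomic_controls": uneconomic,
    }


# Constructed risk register for a small company; values are illustrative only.
SAMPLE_RISKS = [
    Risk("ransomware on file server", 200_000, 0.25,
         controls=[Control("tested offline backups", 12_000, loss_reduction=0.6),
                   Control("endpoint detection", 10_000, frequency_reduction=0.5)]),
    Risk("phishing-led credential compromise", 40_000, 2.0,
         controls=[Control("MFA on all remote access", 15_000, frequency_reduction=0.75)]),
    Risk("lost or stolen laptop", 10_000, 1.5,
         controls=[Control("full-disk encryption", 3_000, loss_reduction=0.5)]),
    Risk("DDoS on marketing site", 5_000, 0.25,
         controls=[Control("traffic scrubbing service", 8_000, loss_reduction=0.75)]),
]


def report(risks: list = SAMPLE_RISKS) -> dict:
    """Print the per-risk table and return the portfolio totals."""
    print(f"{'risk':38} {'raw ALE':>10} {'ctrl ALE':>10} {'ctrl cost':>10}")
    for r in risks:
        print(f"{r.name:38} {r.raw_ale():10,.0f} {r.controlled_ale():10,.0f} "
              f"{r.control_cost():10,.0f}")
    totals = evaluate(risks)
    for key, value in totals.items():
        print(f"{key:22} {value}")
    return totals


if __name__ == "__main__":
    report()
```

A control that lands in `uneconomic_controls` is one the slides' own cost/benefit test rejects: its annual cost exceeds the ALE improvement it delivers, so retaining or transferring that risk should be compared against it.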

Conclusions


82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:

(1) Define
(2) Identify
(3) Evaluate
(4) Mitigate
(5) Control

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations


85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, Cp, etc)
– Financial calculations (ROI, etc)
– SPC
– ...

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009


88

(Four Case)
Risk Management Analysis
Thank you
Questions?


89


Slide 38

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
p



The value of "i" such that  at / (1+i) t = 0
t=1

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
James August, CQA 01/21/09

61

Risk evaluation
V a lu e a ccru e d (+ /-)

N o ch an ge
P ositive ou tcom e

C h an ge
P ositive ou tcom e

C h a n g e im p le m e n ta tio n

N o ch an ge
N egative ou tcom e

James August, CQA 01/21/09

C h an ge
N egative ou tcom e

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
James August, CQA 01/21/09

63

Mitigation

James August, CQA 01/21/09

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

James August, CQA 01/21/09

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
James August, CQA 01/21/09

66

Risk mitigation treatments





James August, CQA 01/21/09

Risk avoidance
Risk reduction
Risk retention
Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
James August, CQA 01/21/09

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia
James August, CQA 01/21/09

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia
James August, CQA 01/21/09

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
James August, CQA 01/21/09

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools





Design for Six Sigma
Investment hedging
Concurrent Engineering
Employee education & training

James August, CQA 01/21/09

72

Risk mitigation
• Some mitigation approaches for core
processes





Published financial documents – open review
Probability weighted Sales forecasts
Raw material cost projections
FTA and FMEA for design and process
• simulations and prototyping

– Inventory ABC analysis
James August, CQA 01/21/09

73

Risk mitigation
• and







Freight carrier performance statistics
Statistical Process Control
Electronic surveillance
Hedging
Invoice aging analysis and variance
Process check lists

James August, CQA 01/21/09

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for GrowthTM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
James August, CQA 01/21/09

from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)

James August, CQA 01/21/09

78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks

James August, CQA 01/21/09

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)

James August, CQA 01/21/09

80

Risk evaluation revisited
• Re-evaluate costs and benefit
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE to to
controlled recovery

James August, CQA 01/21/09

81

Conclusions

James August, CQA 01/21/09

82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)
James August, CQA 01/21/09

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:

Control
Mitigate
Evaluate
Identify
Define
James August, CQA 01/21/09

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations

James August, CQA 01/21/09

85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists





Non-financial indexes (FMEA, cp, etc)
Financial calculations (ROI, etc)
SPC
...

James August, CQA 01/21/09

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car
James August, CQA 01/21/09

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009

James August, CQA 01/21/09

88

(Four Case)
Risk Management Analysis
Thank you
Questions?

James August, CQA 01/21/09

89


Slide 39

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.


Risk definition
[Figure: 2x2 chart; vertical axis “Value accrued (+/-)”, horizontal axis “Cost of action”]
Gains (upper half):  small cost, small gains | big cost, big gains
Losses (lower half): small cost, small losses | big cost, big losses


Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues

Risk definition
[Figure: the same 2x2 chart; vertical axis “Value accrued (+/-)”, horizontal axis “Cost of action”]
Gains (upper half):  small cost, big gains (“no brainer”) | big cost, big gains
                     small cost, small gains
Losses (lower half): small cost, small losses | big cost, big losses (“not a good idea”)
A horizontal line in the losses half marks the tolerable loss limit.

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures


Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.


Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level

Identification


Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.

Risk identification
What is at risk?


Risk identification
What is at risk?
Achieving your objectives!


Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008

Risk identification
• core business op’ns & processes
– acquire new customers
– take orders
– procure materials
– create products, manage inventories
– deliver products
– collect payments


Risk identification
• core sales sub-processes
– market research
– pricing
– promotion and advertising
– order taking (order entry)
– warranty management


Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection


Risk identification
• core operations sub-processes
– materials sourcing (availability)
– quality control (product & process)
– plant & workplace safety
– environmental concerns
– inventory
– logistics and transport


Risk identification
• core finance sub-processes
– budgeting
– accounts receivable and payable
– banking
– currency exchange
– MIS and IT processes


Risk identification
• support business processes
– strategic planning
– brand management
– facilities and infrastructure management
– process engineering
– capital investment
– asset management


Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management

Risk identification
• support business sub-processes
– quality assurance
– predictive/ preventive maintenance
– recruitment, compensation
– employee relations (work stoppages)
– employee performance mgt
– payroll, benefits, ...


Risk identification
• other business areas
– outplacement
– employee well-being
– insurance
– mergers & acquisitions
– construction / expansion


Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.
– Strengths
– Weaknesses
– Opportunities
– Threats

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses
– Historical information - lessons learned
– Templates: critical path, engineering, ...

Evaluation


Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?


Risk evaluation
Risk matrix: frequency of occurrence (rows) against severity (columns)

Frequency    Negligible  Minor  Major  Severe
Frequent     L           I      H      H
Probable     L           I      H      H
Occasional   T           I      I      H
Remote       T           L      I      I



Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criterion: RPN < or > 100, where
– RPN = Severity x Frequency x Detectability


Risk evaluation
• Typical approaches for quantification
– Weighted probabilities
– Extended cost
– Future Value or Net Present Value
– Capability analysis
– Value stream mapping
– Cost of poor quality
– Discounted Cash Flow
– Internal Rate of Return


Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency


Risk evaluation
Financial measures of c/b
• Return on Investment (ROI)
– Net B/C ratio = (PV of benefits – PV of operating costs) / PV of capital costs


Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)^2 + a3/(1+i)^3 + ...
• Where “a” is the return for each period at rate “i”


Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.

Risk evaluation
Financial measures of c/b
• IRR
The value of “i” such that Σ (t = 1 to p) a_t / (1+i)^t = 0


Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?"
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.



Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results

Risk evaluation
[Figure: 2x2 chart; vertical axis “Value accrued (+/-)”, horizontal axis “Change implementation”]
Positive outcome (upper half): No change, positive outcome | Change, positive outcome
Negative outcome (lower half): No change, negative outcome | Change, negative outcome

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
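The NPV formula of slide 53 and the trial-and-error IRR of slide 56, applied to the four cases of slide 61 and checked against a tolerable loss limit as slide 63 asks. This is an added example, not material from the deck: the cash flows (in $k), the 10% discount rate and the loss limit are constructed sample values, and bisection stands in for the trial-and-error search.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample values (in $k); the slides give the formulas, not data.
DISCOUNT_RATE = 0.10          # "i": cost of capital used to discount cash flows
TOLERABLE_LOSS_LIMIT = 80.0   # worst-case loss the organization can absorb ($k)


def npv(rate: float, cash_flows: List[float]) -> float:
    """NPV = a0 + a1/(1+i) + a2/(1+i)^2 + ... (the slide 53 formula).

    cash_flows[0] is the period-0 amount, typically the negative cost of
    the change; later entries are the net return in each later period.
    """
    if rate <= -1.0:
        raise ValueError("discount rate must be greater than -100%")
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


def irr(cash_flows: List[float], low: float = -0.99, high: float = 10.0,
        tol: float = 1e-7, max_iter: int = 200) -> Optional[float]:
    """Rate at which NPV is zero (slide 56), found by bisection.

    The deck says IRR has no algebraic formula and is approximated by trial
    and error; bisection is that search done systematically. Returns None
    when NPV has the same sign at both ends of [low, high] (for example an
    all-positive stream), because then no IRR exists in that range.
    """
    f_low, f_high = npv(low, cash_flows), npv(high, cash_flows)
    if f_low * f_high > 0:
        return None
    for _ in range(max_iter):
        mid = (low + high) / 2.0
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol or (high - low) / 2.0 < tol:
            return mid
        if f_low * f_mid < 0:        # root lies in the lower half
            high, f_high = mid, f_mid
        else:                        # root lies in the upper half
            low, f_low = mid, f_mid
    return (low + high) / 2.0


@dataclass
class RiskCase:
    name: str
    cash_flows: List[float]   # period 0 first, in $k


# The four cases of slide 61, as constructed sample cash-flow streams:
# a change costs 100 up front; doing nothing costs nothing up front but
# can still lose money if the unchanged process deteriorates.
SAMPLE_CASES = [
    RiskCase("change, positive outcome", [-100.0, 40.0, 40.0, 40.0, 40.0]),
    RiskCase("change, negative outcome", [-100.0, 10.0, 10.0, 10.0, 10.0]),
    RiskCase("no change, positive outcome", [0.0, 5.0, 6.0, 7.0, 8.0]),
    RiskCase("no change, negative outcome", [0.0, -30.0, -30.0, -30.0, -30.0]),
]


def evaluate_four_cases(cases, rate, loss_limit):
    """Value each case with NPV and IRR and test it against the loss limit (slide 63)."""
    results = []
    for case in cases:
        value = npv(rate, case.cash_flows)
        results.append({
            "case": case.name,
            "npv": round(value, 2),
            "irr": irr(case.cash_flows),
            "within_tolerance": value >= -loss_limit,
        })
    return results


if __name__ == "__main__":
    for row in evaluate_four_cases(SAMPLE_CASES, DISCOUNT_RATE, TOLERABLE_LOSS_LIMIT):
        irr_txt = "n/a" if row["irr"] is None else f"{row['irr']:.1%}"
        flag = "" if row["within_tolerance"] else "  <-- breaches loss limit"
        print(f"{row['case']:<30} NPV {row['npv']:>8.2f}  IRR {irr_txt:>6}{flag}")
```

With these sample numbers only the "do nothing, adverse result" case breaches the loss limit, which is the point of slide 85: RTP decisions can hide the largest risk.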

Mitigation


Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.


Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure

Risk mitigation treatments
• Risk avoidance
• Risk reduction
• Risk retention
• Risk transfer

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also, any amount of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training


Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability weighted sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists


Risk mitigation
• Checklists – Sample Risk Checklist for Pricing
– Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
– Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

Risk mitigation
• Checklists – Sample R&D Risk Checklist
– Determine whether product development has realistic
costs and timeframes.
– Check that a detailed budget has been established for
product development.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

Risk mitigation
• Checklists – Sample Materials Management Risk Checklist
– Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
– Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
– Make sure quality specifications have been defined,
authorized and formally documented.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

Evaluation
(re-evaluation after control)


Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks


Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)


Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to
controlled recovery

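The ALE re-evaluation of slides 79 and 81 worked through on a small register: raw ALE per risk and summed, ALE recalculated with every control working, the annual cost of those controls, and the net improvement. This is an added example, not the deck's own material; the risk register, its single-loss estimates, frequencies and control costs are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Risk:
    """One line of a risk register (constructed sample data, not from the slides)."""
    name: str
    single_loss: float             # estimated loss per occurrence, in dollars
    annual_frequency: float        # expected occurrences per year (may be below 1)
    control_cost: float = 0.0      # annual cost of the mitigating control, if any
    residual_loss: Optional[float] = None        # loss per occurrence with the control working
    residual_frequency: Optional[float] = None   # occurrences per year with the control working

    def __post_init__(self) -> None:
        # A risk with no control keeps its raw loss and frequency (retained risk).
        if self.residual_loss is None:
            self.residual_loss = self.single_loss
        if self.residual_frequency is None:
            self.residual_frequency = self.annual_frequency

    def raw_ale(self) -> float:
        """Slide 79: annual loss x frequency of occurrence."""
        return self.single_loss * self.annual_frequency

    def controlled_ale(self) -> float:
        """Slide 81: the same product, assuming the control is working."""
        return self.residual_loss * self.residual_frequency

    def ale_reduction(self) -> float:
        return self.raw_ale() - self.controlled_ale()


# Constructed register. Frequencies are exact binary fractions so the
# arithmetic below is exact; the scenarios are illustrative only.
SAMPLE_REGISTER: List[Risk] = [
    Risk("ransomware on file server", single_loss=250_000, annual_frequency=0.25,
         control_cost=30_000, residual_loss=40_000),          # offline backups shrink the loss
    Risk("laptop theft, unencrypted data", single_loss=15_000, annual_frequency=2.0,
         control_cost=5_000, residual_loss=1_500),            # disk encryption shrinks the loss
    Risk("pricing data leak", single_loss=80_000, annual_frequency=0.125,
         control_cost=12_000, residual_frequency=0.0625),     # access controls halve the frequency
    Risk("web order entry outage", single_loss=20_000, annual_frequency=1.5),  # no control: retained
]


def raw_ale(risks: List[Risk]) -> float:
    """Sum of raw ALE over all risks (slide 79)."""
    return sum(r.raw_ale() for r in risks)


def controlled_ale(risks: List[Risk]) -> float:
    """Sum of ALE with all controls working (slide 81)."""
    return sum(r.controlled_ale() for r in risks)


def mitigation_summary(risks: List[Risk]) -> dict:
    """Re-evaluated costs and benefits for the whole register (slides 79 to 81)."""
    raw = raw_ale(risks)
    controlled = controlled_ale(risks)
    cost = sum(r.control_cost for r in risks)
    reduction = raw - controlled
    return {
        "raw_ale": raw,
        "controlled_ale": controlled,
        "control_cost": cost,
        "ale_reduction": reduction,
        "net_benefit": reduction - cost,   # what the controls are worth after paying for them
    }


def uneconomic_controls(risks: List[Risk]) -> List[str]:
    """Controls that cost more per year than the ALE they remove.

    For these, retaining the risk or choosing a cheaper treatment is the
    rational option (slide 70: retention is viable where the cost of
    protection exceeds the losses over time).
    """
    return [r.name for r in risks
            if r.control_cost > 0 and r.control_cost > r.ale_reduction()]


if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(f"{r.name:<34} raw ALE {r.raw_ale():>9,.0f}  controlled ALE "
              f"{r.controlled_ale():>9,.0f}  control cost {r.control_cost:>7,.0f}")
    for k, v in mitigation_summary(SAMPLE_REGISTER).items():
        print(f"{k:<16} {v:>10,.0f}")
    print("uneconomic controls:", uneconomic_controls(SAMPLE_REGISTER))
```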

Conclusions


Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:
– Define
– Identify
– Evaluate
– Mitigate
– Control

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate, support your assessment
with recognized c/b calculations


Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, cp, etc)
– Financial calculations (ROI, etc)
– SPC
– ...


Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009


(Four Case)
Risk Management Analysis
Thank you
Questions?



Slide 40

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a method to value a project, company, or financial asset using the concepts of the time value of money. All future cash flows are estimated and discounted to give them a present value. The discount rate used is generally the appropriate cost of capital, and incorporates judgments of the uncertainty (riskiness) of the future cash flows.

54

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.

56

Risk evaluation
Financial measures of c/b
• IRR
The value of "i" such that Σ (t = 1 to p) a_t / (1+i)^t = 0

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which the total present value of future cash flows equals the cost of the investment."
• 2. "The IRR for an investment is the discount rate that produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates have to climb (the discount rate for NPV calculations) in order for the PV of gains to just cover the PV of costs?"
• The answer in each case is an interest rate; the higher the interest rate (that is, the higher the IRR), the more robust the investment and the better the returns compare to the costs.

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.


59

Risk evaluation
• Four cases for risk evaluation:


60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results

61

Risk evaluation
[Figure: the four risk cases plotted as value accrued (+/-) against change implementation]
– No change, positive outcome
– Change, positive outcome
– No change, negative outcome
– Change, negative outcome

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.

63
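The NPV formula of slide 53, the trial-and-error IRR of slides 56 and 57 (done here as a bisection search) and the comparison of the four risk cases of slides 61 to 63 against a tolerable loss limit, as an added Python example that is not part of the original slides; the cash flows, the 10% discount rate and the $80,000 loss limit are constructed figures.

```python
"""Added example (not from the slides): NPV, IRR by bisection and the
four-case comparison against a tolerable loss limit.
All figures are constructed for illustration."""


def npv(rate, cashflows):
    """NPV = a0 + a1/(1+i) + a2/(1+i)^2 + ... (slide 53).

    cashflows[0] is the period-0 amount (the cost of the change, negative);
    later entries are the net returns for each following period.
    """
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cashflows))


def irr(cashflows, lo=-0.99, hi=10.0, tol=1e-9, max_iter=200):
    """Rate i at which the discounted sum of the cash flows is zero.

    The slides note that IRR has no closed form and is approximated by
    trial and error; bisection on npv(i) is a systematic form of that.
    Needs a sign change of npv on [lo, hi]; returns None if there is none
    (for example a stream with no outlay, which has no IRR).
    """
    f_lo, f_hi = npv(lo, cashflows), npv(hi, cashflows)
    if f_lo * f_hi > 0:
        return None
    for _ in range(max_iter):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cashflows)
        if abs(f_mid) < tol or (hi - lo) / 2.0 < tol:
            return mid
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


# Constructed three-year cash flows for the four risk cases of slide 61.
FOUR_CASES = {
    "change, positive outcome": [-100_000, 60_000, 60_000, 60_000],
    "change, negative outcome": [-100_000, 10_000, 10_000, 10_000],
    "no change, positive outcome": [0, 5_000, 5_000, 5_000],
    "no change, negative outcome": [0, -40_000, -40_000, -40_000],
}


def evaluate_four_cases(cases, rate, tolerable_loss_limit):
    """Map each case to (NPV rounded to cents, within the loss limit?).

    A case is within tolerance when its NPV is no worse than minus the
    organization's tolerable loss limit (slide 63).
    """
    result = {}
    for name, flows in cases.items():
        value = npv(rate, flows)
        result[name] = (round(value, 2), value >= -tolerable_loss_limit)
    return result


if __name__ == "__main__":
    for case, (value, ok) in evaluate_four_cases(FOUR_CASES, 0.10, 80_000).items():
        print(f"{case:30s} NPV {value:>12,.2f}  {'ok' if ok else 'EXCEEDS loss limit'}")
    print("IRR of the positive change case:",
          round(irr(FOUR_CASES["change, positive outcome"]), 4))
```

With these figures the "do nothing, negative outcome" case is the only one that breaches the loss limit, which is the point of slide 85: RTP decisions can hide substantial risk.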

Mitigation


64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.


65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure

66

Risk mitigation treatments
• Risk avoidance
• Risk reduction
• Risk retention
• Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also, any amount of potential loss (risk) over the amount insured is retained risk.
from Wikipedia

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia

71

Risk mitigation
• Distribute your risk – don’t put all your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

72

Risk mitigation
• Some mitigation approaches for core processes
– Published financial documents – open review
– Probability weighted sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

73

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
– Management maintains an accurate awareness of market trends, competitor prices, etc. as determinants of pricing policy.
– Steps are taken to protect commercially sensitive pricing information from unauthorized access and leakage.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
– Determine whether product development has realistic costs and timeframes.
– Check that a detailed budget has been established for product development.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
– Ensure prompt action is taken to reject substandard supplies and arrange replacement stock.
– Verify that measures are in place to assess potential suppliers for their competence and commitment to quality.
– Make sure quality specifications have been defined, authorized and formally documented.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)


78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks


79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is meaningful to your organization (ROI, NPV, DCF, IRR, etc.)

80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by recalculating Annual Loss Exposure assuming all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to controlled recovery

81
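The raw and controlled Annual Loss Exposure calculation of slides 79 to 81 (loss per risk times frequency, summed, then recalculated with the controls working and set against their cost), as an added Python example that is not part of the original slides; the risk register, residual-loss fractions and control costs are constructed sample values.

```python
"""Added example (not from the slides): raw vs. controlled Annual Loss
Exposure (ALE) and the net annual benefit of the mitigating controls.
The risk register below is constructed sample data."""

# Constructed sample register: (risk, loss per occurrence, occurrences per
# year, fraction of the loss still expected with the control working,
# annual cost of that control). The pricing-leak entry is the checklist
# item of slide 75 expressed as a risk.
RISK_REGISTER = [
    ("supplier ships a substandard lot", 50_000, 2.0, 0.25, 15_000),
    ("commercially sensitive pricing data leaked", 200_000, 0.1, 0.5, 12_000),
    ("line stoppage from unplanned maintenance", 20_000, 6.0, 0.2, 30_000),
]


def annual_loss_exposure(single_loss, frequency):
    """ALE = loss per occurrence x occurrences per year (slide 79)."""
    return single_loss * frequency


def raw_ale(register):
    """Raw ALE summed over all risks, no controls assumed."""
    return sum(annual_loss_exposure(loss, freq) for _, loss, freq, _, _ in register)


def controlled_ale(register):
    """ALE recalculated assuming every control is working (slide 81)."""
    return sum(annual_loss_exposure(loss, freq) * residual
               for _, loss, freq, residual, _ in register)


def control_cost(register):
    """Total annual cost of the risk-mitigating controls."""
    return sum(cost for *_, cost in register)


def mitigation_summary(register):
    """Improvement in ALE due to the controls, their cost, and the net benefit."""
    raw, ctrl, cost = raw_ale(register), controlled_ale(register), control_cost(register)
    return {
        "raw_ale": raw,
        "controlled_ale": ctrl,
        "ale_improvement": raw - ctrl,
        "control_cost": cost,
        "net_annual_benefit": (raw - ctrl) - cost,
    }


def control_pays_for_itself(register):
    """Per risk: does the control cut ALE by more than it costs each year?"""
    return {name: annual_loss_exposure(loss, freq) * (1.0 - residual) > cost
            for name, loss, freq, residual, cost in register}


if __name__ == "__main__":
    for key, value in mitigation_summary(RISK_REGISTER).items():
        print(f"{key:20s} {value:>12,.0f}")
    for name, ok in control_pays_for_itself(RISK_REGISTER).items():
        print(f"{'keep' if ok else 'reconsider'}: {name}")
```

The per-risk check shows the case the slides warn about: the portfolio of controls is worthwhile overall, yet one control (the pricing-leak one, with these sample numbers) costs more each year than the exposure it removes and should be revisited against the organization's risk tolerance rather than kept by default.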

Conclusions


82

Risk management conclusions
• Every process has risk, even when just maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be done by combined cost/benefit comparisons
• Assessment of ongoing processes must be expressed in comparison with expected costs and results
• There is no simple single calculation for risk assessment (FMEA, ROI, …)

83

Risk management conclusions
After you identify a potential risk, take the five steps to risk management:
– Define
– Identify
– Evaluate
– Mitigate
– Control

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions, as they can hide substantial risk
• Consider all four risk cases
• When appropriate, support your assessment with recognized c/b calculations

85

Risk management conclusions
• Process control - the mitigation tool for the risk management process
– Check lists
– Non-financial indexes (FMEA, cp, etc.)
– Financial calculations (ROI, etc.)
– SPC
– ...

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009


88

(Four Case)
Risk Management Analysis
Thank you
Questions?


89


Slide 41

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
p



The value of "i" such that  at / (1+i) t = 0
t=1

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
James August, CQA 01/21/09

61

Risk evaluation
V a lu e a ccru e d (+ /-)

N o ch an ge
P ositive ou tcom e

C h an ge
P ositive ou tcom e

C h a n g e im p le m e n ta tio n

N o ch an ge
N egative ou tcom e

James August, CQA 01/21/09

C h an ge
N egative ou tcom e

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
James August, CQA 01/21/09

63

Mitigation

James August, CQA 01/21/09

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

James August, CQA 01/21/09

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
James August, CQA 01/21/09

66

Risk mitigation treatments





James August, CQA 01/21/09

Risk avoidance
Risk reduction
Risk retention
Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
James August, CQA 01/21/09

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia
James August, CQA 01/21/09

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia
James August, CQA 01/21/09

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
James August, CQA 01/21/09

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools





Design for Six Sigma
Investment hedging
Concurrent Engineering
Employee education & training

James August, CQA 01/21/09

72

Risk mitigation
• Some mitigation approaches for core
processes





Published financial documents – open review
Probability weighted Sales forecasts
Raw material cost projections
FTA and FMEA for design and process
• simulations and prototyping

– Inventory ABC analysis
James August, CQA 01/21/09

73

Risk mitigation
• and







Freight carrier performance statistics
Statistical Process Control
Electronic surveillance
Hedging
Invoice aging analysis and variance
Process check lists

James August, CQA 01/21/09

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for GrowthTM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
James August, CQA 01/21/09

from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)

James August, CQA 01/21/09

78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks

James August, CQA 01/21/09

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)

James August, CQA 01/21/09

80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine the effectiveness of mitigation by
recalculating the Annual Loss Exposure assuming
all controls are working (the controlled ALE)
– Determine the annual cost of the risk-mitigating controls
– Determine the improvement in ALE due to the controls
(raw ALE minus controlled ALE) and compare it with
their cost; a control that costs more per year than the
loss it averts is not justified on cost/benefit grounds alone

81
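A worked example of the re-evaluation in slides 79 to 81, added here and not part of the original deck. It computes the raw ALE of each risk in a small register, the controlled ALE with every control working, the annual cost of those controls and the resulting net benefit, summed over the register; it also checks each risk's residual single-event loss against a tolerable loss limit (the slide 20 figure), which the ALE average alone does not show. The risk register, the control figures and the loss limit are constructed sample data, and the SLE/ARO names are the usual security-risk convention rather than the slides' wording.

```python
"""Raw vs. controlled Annual Loss Exposure (ALE) over a small risk register.

Added example for slides 79-81; not part of the original deck. The register,
the control figures and the loss limit are constructed sample data. Naming
follows the common security-risk convention:
SLE (single loss expectancy, loss from one event) x ARO (events per year) = ALE.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Control:
    name: str
    annual_cost: float        # what the control costs per year (licences, labour, inspection time)
    aro_factor: float = 1.0   # fraction of occurrences that remain when the control works (0.6 = 40% fewer)
    sle_factor: float = 1.0   # fraction of the per-event loss that remains when the control works


@dataclass
class Risk:
    name: str
    sle: float                # loss from a single occurrence, USD
    aro: float                # expected occurrences per year (0.25 = about once in four years)
    controls: List[Control] = field(default_factory=list)


def ale(sle: float, aro: float) -> float:
    """Annual Loss Exposure for one risk: loss per event times events per year."""
    return sle * aro


def residual(risk: Risk) -> tuple:
    """(SLE, ARO) left after every control on the risk works as designed."""
    sle, aro = risk.sle, risk.aro
    for c in risk.controls:
        sle *= c.sle_factor
        aro *= c.aro_factor
    return sle, aro


def raw_ale(risk: Risk) -> float:
    """Slide 79: ALE with no controls in place."""
    return ale(risk.sle, risk.aro)


def controlled_ale(risk: Risk) -> float:
    """Slide 81: ALE assuming all controls are working."""
    return ale(*residual(risk))


def evaluate_risk(risk: Risk, loss_limit: Optional[float] = None) -> Dict[str, object]:
    """Cost/benefit of the controls on one risk.

    net_benefit = (raw ALE - controlled ALE) - annual control cost. Negative means the
    controls cost more per year than the loss they avert, so they are not justified on
    ALE alone (compliance or contractual reasons may still require them).
    exceeds_limit is a separate check: ALE is an average, so a rare event whose single
    loss is larger than the tolerable loss limit can hide behind a small ALE. Only a
    control that reduces severity (sle_factor < 1) or a transfer such as insurance
    changes that figure; frequency-reducing controls do not.
    """
    raw, ctrl = raw_ale(risk), controlled_ale(risk)
    cost = sum(c.annual_cost for c in risk.controls)
    residual_sle, _ = residual(risk)
    return {
        "risk": risk.name,
        "raw_ale": raw,
        "controlled_ale": ctrl,
        "control_cost": cost,
        "ale_reduction": raw - ctrl,
        "net_benefit": raw - ctrl - cost,
        "exceeds_limit": loss_limit is not None and residual_sle > loss_limit,
    }


def evaluate_register(risks: List[Risk], loss_limit: Optional[float] = None) -> Dict[str, object]:
    """Per-risk rows plus the sums over all risks that slide 79 asks for."""
    rows = [evaluate_risk(r, loss_limit) for r in risks]
    keys = ("raw_ale", "controlled_ale", "control_cost", "ale_reduction", "net_benefit")
    totals: Dict[str, object] = {k: sum(row[k] for row in rows) for k in keys}
    totals["risks_over_limit"] = [row["risk"] for row in rows if row["exceeds_limit"]]
    return {"rows": rows, "totals": totals}


# Constructed sample register; the dollar figures and factors are illustrative only.
SAMPLE_REGISTER = [
    Risk("Ransomware on the order-entry server", sle=400_000, aro=0.25, controls=[
        Control("Offline, tested backups", annual_cost=20_000, sle_factor=0.25),
        Control("Phishing awareness training", annual_cost=8_000, aro_factor=0.6),
    ]),
    Risk("Leak of commercially sensitive pricing data", sle=250_000, aro=0.1, controls=[
        Control("Access control and monitoring on pricing files", annual_cost=30_000, aro_factor=0.3),
    ]),
    Risk("Substandard supplier lot reaches production", sle=50_000, aro=2.0, controls=[
        Control("Incoming inspection against quality spec", annual_cost=15_000, aro_factor=0.25),
    ]),
]
TOLERABLE_LOSS_LIMIT = 150_000.0   # assumed worst-case single loss the organisation can absorb


if __name__ == "__main__":
    result = evaluate_register(SAMPLE_REGISTER, TOLERABLE_LOSS_LIMIT)
    for row in result["rows"]:
        flag = "  ** single event exceeds loss limit" if row["exceeds_limit"] else ""
        print(f'{row["risk"]}: raw ALE {row["raw_ale"]:,.0f}, controlled ALE {row["controlled_ale"]:,.0f}, '
              f'controls {row["control_cost"]:,.0f}, net benefit {row["net_benefit"]:,.0f}{flag}')
    print("Totals:", result["totals"])
```

Run as a script it prints one line per risk and the register totals. In the sample, the pricing-data controls reduce frequency but not severity: their net benefit is negative and the single-event loss still exceeds the limit, which is the case where one would look at a severity-reducing control or a transfer (insurance) instead of, or alongside, the access-control spend.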

Conclusions


82

Risk management conclusions
• Every process has risk (RTP and ITP), even when
just maintaining performance
• Assessment of new or changed processes can be
done by combined cost/benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:
(1) Define
(2) Identify
(3) Evaluate
(4) Mitigate
(5) Control

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP (run the process) decisions, as they
can hide substantial risk
• Consider all four risk cases
• When appropriate, support your assessment
with recognized cost/benefit (c/b) calculations

85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, Cp, etc.)
– Financial calculations (ROI, etc.)
– SPC
– ...

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from Joe Nocera (on Nassim Taleb), “Risk Mismanagement”,
The New York Times Magazine, p. 28, Jan. 4, 2009

88

(Four Case)
Risk Management Analysis
Thank you
Questions?


89


Slide 43

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures


Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.


Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level

Identification


Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.

Risk identification
What is at risk?
Achieving your objectives!


Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008

Risk identification
• core business operations & processes
– acquire new customers
– take orders
– procure materials
– create products, manage inventories
– deliver products
– collect payments


Risk identification
• core sales sub-processes
– market research
– pricing
– promotion and advertising
– order taking (order entry)
– warranty management


Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection


Risk identification
• core operations sub-processes
– materials sourcing (availability)
– quality control (product & process)
– plant & workplace safety
– environmental concerns
– inventory
– logistics and transport


Risk identification
• core finance sub-processes
– budgeting
– accounts receivable and payable
– banking
– currency exchange
– MIS and IT processes


Risk identification
• support business processes
– strategic planning
– brand management
– facilities and infrastructure management
– process engineering
– capital investment
– asset management


Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal / regulatory reporting (FDA, SOx, ...)
– supplier evaluation, management

Risk identification
• support business sub-processes (continued)
– quality assurance
– predictive / preventive maintenance
– recruitment, compensation
– employee relations (work stoppages)
– employee performance management
– payroll, benefits, ...


Risk identification
• other business areas
– outplacement
– employee well-being
– insurance
– mergers & acquisitions
– construction / expansion


Risk identification
• SWOT analysis is a sorting method for identifying and prioritizing risks:
– Strengths
– Weaknesses
– Opportunities
– Threats

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...

Evaluation


Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?


Risk evaluation
Risk matrix (rows: frequency; columns: severity)

Frequency \ Severity   Negligible   Minor   Major   Severe
Frequent               L            I       H       H
Probable               L            I       H       H
Occasional             T            I       I       H
Remote                 T            L       I       I

(Cell codes T, L, I and H are the slide's risk classes, ordered from lowest to highest risk.)


Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis (FMEA)
– RPN = Severity x Occurrence (frequency) x Detection, each factor scored on a 1 to 10 scale; a high detection score means the failure is hard to detect
– Criteria: compare the RPN with a threshold of 100: RPN above 100 calls for action, RPN below 100 may be accepted
– Caveat: because RPN is a product, a rare and easily detected but catastrophic failure (severity 10) can score well under the threshold; review high-severity modes regardless of their RPN
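A worked version of the risk matrix from the earlier slide and of the RPN criterion, as an added example (not code from the presentation). The matrix cells are copied from the slide; the assumption that the codes rank T < L < I < H, the 1 to 10 scales, the 100 threshold, the severity floor and the four sample failure modes are the editor's illustration.

```python
"""Risk matrix lookup and FMEA risk priority numbers.

Added example: the matrix cells are the ones on the slide; everything else
(the T < L < I < H ordering, the 1..10 scales, the 100 threshold, the
severity floor and the sample failure modes) is assumed for illustration.
"""

SEVERITY = ("Negligible", "Minor", "Major", "Severe")        # columns
FREQUENCY = ("Frequent", "Probable", "Occasional", "Remote")  # rows

# Cell codes exactly as laid out on the slide, row by row.
RISK_MATRIX = {
    "Frequent":   ("L", "I", "H", "H"),
    "Probable":   ("L", "I", "H", "H"),
    "Occasional": ("T", "I", "I", "H"),
    "Remote":     ("T", "L", "I", "I"),
}
# Assumed ordering of the slide's codes, lowest to highest risk.
RANK = {"T": 0, "L": 1, "I": 2, "H": 3}


def risk_class(frequency: str, severity: str) -> str:
    """Qualitative risk class for one hazard from the matrix."""
    if frequency not in FREQUENCY or severity not in SEVERITY:
        raise KeyError(f"unknown frequency/severity: {frequency!r}, {severity!r}")
    return RISK_MATRIX[frequency][SEVERITY.index(severity)]


def worst_class(classes) -> str:
    """Highest class among several hazards (e.g. all hazards of one process)."""
    return max(classes, key=RANK.__getitem__)


def rpn(severity: int, occurrence: int, detection: int) -> int:
    """FMEA risk priority number: severity x occurrence x detection.

    Each factor is scored 1..10. Detection is scored so that a HIGH value
    means the failure is hard to detect, which is why it raises the RPN.
    """
    for name, score in (("severity", severity), ("occurrence", occurrence),
                        ("detection", detection)):
        if not 1 <= score <= 10:
            raise ValueError(f"{name} must be 1..10, got {score}")
    return severity * occurrence * detection


def prioritize(failure_modes, threshold=100, severity_floor=9):
    """Rank failure modes by RPN and flag those that need action.

    A mode is flagged when RPN > threshold, or when severity >= severity_floor
    whatever its RPN: a rare, easily detected but catastrophic failure must
    not hide behind a small product. Returns (name, rpn, flagged) tuples,
    highest RPN first.
    """
    rows = []
    for name, s, o, d in failure_modes:
        n = rpn(s, o, d)
        rows.append((name, n, n > threshold or s >= severity_floor))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample: hypothetical failure modes of an order-entry process
# (name, severity, occurrence, detection).
SAMPLE_MODES = [
    ("order form accepts a malformed price", 6, 5, 4),
    ("payment callback replayed", 9, 2, 6),
    ("commercially sensitive pricing file leaked", 10, 1, 3),
    ("nightly sales report delayed", 2, 8, 2),
]

if __name__ == "__main__":
    print("Occasional/Major ->", risk_class("Occasional", "Major"))
    for name, n, flagged in prioritize(SAMPLE_MODES):
        print(f"{n:4d}  {'ACT' if flagged else 'ok '}  {name}")
```

On the sample data the pricing-file leak has the lowest RPN (30) yet is flagged by the severity floor, which is the caveat from the slide above in action.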


Risk evaluation
• Typical approaches for quantification
– Weighted probabilities
– Extended cost
– Future Value or Net Present Value
– Capability analysis
– Value stream mapping
– Cost of poor quality
– Discounted Cash Flow
– Internal Rate of Return


Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency


Risk evaluation
Financial measures of c/b (cost/benefit)

• Return on Investment (ROI)
Net B/C ratio = (PV of benefits – PV of operating costs) / PV of capital costs


Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)^2 + a3/(1+i)^3 + ... = sum over t = 0..p of a_t / (1+i)^t

• Where a_t is the net cash flow in period t (a return, or a cost when negative), a0 is the period-0 flow (typically the up-front cost, entered as a negative number) and i is the discount rate per period


Risk evaluation
Financial measures of c/b
• Discounted cash flow (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.

Risk evaluation
• The internal rate of return (IRR) is the discount rate at which the discounted sum of net cash flows is zero: at a discount rate equal to the IRR, the net present value is exactly zero.
• For more than two periods there is no closed-form formula for the IRR; it is found numerically by successive approximation (bisection, Newton's method), which is what spreadsheet IRR functions do internally.
• Caveat: a cash flow stream whose sign changes more than once can have several IRRs, or none; check the NPV profile before relying on a single IRR figure.

Risk evaluation
Financial measures of c/b
• IRR: the value of i such that sum over t = 0..p of a_t / (1+i)^t = 0, with a0 the (negative) initial outlay, so that the discounted returns for t = 1..p exactly offset it


Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?"
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.

Risk evaluation

• Excel spreadsheets can do PV, NPV, IRR and other financial value calculations.
• Check the convention before trusting the result: Excel's NPV() discounts every value it is given, starting one period out, so the period-0 outlay must be added outside the function (= a0 + NPV(i, a1:ap)); IRR() takes the outlay as the first value of its range.


Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results

Risk evaluation
[Chart: value accrued (+/-) plotted against change implementation. Quadrants: no change, positive outcome; change, positive outcome; no change, negative outcome; change, negative outcome.]

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
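The NPV formula, the IRR search and the four-case comparison from the slides above, carried through in working code. This is an added example, not a spreadsheet or code from the presentation; the discount rate, the four cash-flow streams and the tolerable loss limit are constructed numbers for a hypothetical process change, and the accept/reject rule in four_cases is one reasonable reading of the slides rather than the author's.

```python
"""NPV, IRR and the four-case comparison.

Added example, not from the presentation. RATE, the four cash-flow streams
and LOSS_LIMIT are constructed figures for a hypothetical process change.
Cash flows are listed per period starting at period 0.
"""


def npv(rate: float, cash_flows) -> float:
    """NPV = a0 + a1/(1+i) + a2/(1+i)^2 + ...  where a0 is the period-0 flow
    (usually the negative up-front cost)."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


def irr(cash_flows, lo=-0.99, hi=10.0, tol=1e-7, max_iter=200) -> float:
    """Discount rate at which NPV is zero, found by bisection.

    IRR has no closed form in general; this is the slides' 'trial and error'
    done systematically. The NPV must change sign on [lo, hi]: a stream that
    never changes sign (all inflows, or all outflows) has no IRR, so raise.
    """
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        raise ValueError("no IRR: NPV does not change sign on the bracket")
    for _ in range(max_iter):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol or (hi - lo) / 2.0 < tol:
            return mid
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


def four_cases(rate, change_ok, change_bad, nochange_ok, nochange_bad, loss_limit):
    """NPV of each of the four risk cases plus a verdict (editor's rule):
    reject the change if its adverse case would breach the tolerable loss
    limit; otherwise accept it when its planned case beats doing nothing."""
    results = {
        "change / positive outcome": npv(rate, change_ok),
        "change / negative outcome": npv(rate, change_bad),
        "no change / positive outcome": npv(rate, nochange_ok),
        "no change / negative outcome": npv(rate, nochange_bad),
    }
    if results["change / negative outcome"] < -loss_limit:
        verdict = "reject: adverse case exceeds the tolerable loss limit"
    elif results["change / positive outcome"] > results["no change / positive outcome"]:
        verdict = "accept: planned case beats doing nothing"
    else:
        verdict = "reject: no NPV advantage over doing nothing"
    return results, verdict


# Constructed sample (thousands of dollars, four periods after the outlay).
RATE = 0.10
CHANGE_OK = [-100, 40, 40, 40, 40]      # change works as planned
CHANGE_BAD = [-100, 10, 10, 10, 10]     # change made, results disappoint
NOCHANGE_OK = [0, 5, 5, 5, 5]           # do nothing, learning-curve gains
NOCHANGE_BAD = [0, -20, -20, -20, -20]  # do nothing, process deteriorates
LOSS_LIMIT = 80                          # tolerable loss limit

if __name__ == "__main__":
    results, verdict = four_cases(RATE, CHANGE_OK, CHANGE_BAD,
                                  NOCHANGE_OK, NOCHANGE_BAD, LOSS_LIMIT)
    for case, value in results.items():
        print(f"{case:32s} NPV = {value:8.2f}")
    print(f"IRR of the planned change: {irr(CHANGE_OK):.4f}")
    print(verdict)
```

Run with a loss limit of 50 instead of 80 and the same change is rejected even though its planned NPV is unchanged: the limit, not the expected value, decides the adverse case, which is the point of keeping the four cases separate.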

Mitigation


Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.


Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure

Risk mitigation treatments
– Risk avoidance
– Risk reduction
– Risk retention
– Risk transfer

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying, so as not to take the risk of the airplane
being hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Any amount of potential loss (risk) above the amount
insured is also retained risk.
from Wikipedia

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia

Risk mitigation
• Distribute your risk – don’t put all your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training


Risk mitigation
• Some mitigation approaches for core processes
– Published financial documents – open review
– Probability-weighted sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists


Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N


Evaluation
(re-evaluation after control)


Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate the loss per occurrence of each risk
– determine its frequency of occurrence (events per year)
– multiply the two to get the raw Annual Loss Exposure of
each risk (raw ALE; the same quantity is often called the
annualized loss expectancy) and sum over all risks


Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)


Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine the effectiveness of mitigation by recalculating
the Annual Loss Exposure assuming all controls are working
(controlled ALE)
– Determine the annual cost of the risk-mitigating controls
– Determine the improvement in ALE (raw ALE minus controlled
ALE) and compare it with the control cost; a control that
costs more per year than the exposure it removes should be
reconsidered
– Treat "all controls are working" as an assumption to be
verified, since an assumption you cannot verify is itself a
risk; re-run the calculation once the controls are in place
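The raw-ALE / controlled-ALE procedure from the three slides above, as added example code (not from the presentation). The risks, per-event losses, frequencies, control costs and residual-frequency multipliers are constructed figures for a hypothetical order-entry operation; the rule that a control is uneconomic when it costs more per year than the exposure it removes is the editor's reading of "compare the improvement in ALE with the cost of the controls".

```python
"""Raw and controlled annual loss exposure (ALE) across a set of risks.

Added example, not from the presentation. Every figure below is constructed
for a hypothetical order-entry operation; the 'uneconomic control' rule is
the editor's reading of 'compare the ALE improvement with the control cost'.
"""

from dataclasses import dataclass, field


@dataclass
class Risk:
    name: str
    loss_per_event: float     # dollars lost each time the event occurs
    events_per_year: float    # raw frequency before any control
    # control name -> (annual cost in dollars, residual-frequency multiplier);
    # a multiplier of 0.25 means the control leaves 25% of the raw frequency.
    controls: dict = field(default_factory=dict)

    def raw_ale(self) -> float:
        """Loss per event x events per year, with no controls."""
        return self.loss_per_event * self.events_per_year

    def ale_without(self, skip: str = "") -> float:
        """ALE with every control except `skip` working as specified.
        Multipliers compound, which assumes the controls act independently."""
        f = self.events_per_year
        for cname, (_cost, keep) in self.controls.items():
            if cname != skip:
                f *= keep
        return self.loss_per_event * f

    def controlled_ale(self) -> float:
        """ALE assuming all controls are working."""
        return self.ale_without()

    def control_cost(self) -> float:
        return sum(cost for cost, _keep in self.controls.values())


def evaluate(risks):
    """Totals over all risks: (raw ALE, controlled ALE, control cost, net benefit).
    Net benefit = ALE reduction - control cost; a negative value means the
    control set costs more per year than the loss it averts."""
    raw = sum(r.raw_ale() for r in risks)
    ctl = sum(r.controlled_ale() for r in risks)
    cost = sum(r.control_cost() for r in risks)
    return raw, ctl, cost, (raw - ctl) - cost


def uneconomic_controls(risks):
    """(risk, control) pairs whose annual cost exceeds the ALE reduction the
    control adds on top of the risk's other controls."""
    flagged = []
    for r in risks:
        for cname, (cost, _keep) in r.controls.items():
            reduction = r.ale_without(cname) - r.controlled_ale()
            if cost > reduction:
                flagged.append((r.name, cname))
    return flagged


# Constructed sample data (not figures from the deck).
RISKS = [
    Risk("ransomware on order-entry server", 250_000, 0.2,
         {"offline backups": (15_000, 0.25), "warm standby site": (30_000, 0.5)}),
    Risk("pricing file leak", 400_000, 0.1,
         {"DLP and access review": (18_000, 0.5)}),
    Risk("payment callback replay", 50_000, 1.0,
         {"nonce and signature check": (5_000, 0.05)}),
    Risk("nightly report delay", 2_000, 12.0,
         {"job monitoring": (8_000, 0.5)}),
]

if __name__ == "__main__":
    raw, ctl, cost, net = evaluate(RISKS)
    print(f"raw ALE {raw:,.0f}  controlled ALE {ctl:,.0f}  "
          f"controls {cost:,.0f}/yr  net benefit {net:,.0f}/yr")
    for risk_name, cname in uneconomic_controls(RISKS):
        print(f"reconsider: {cname!r} on {risk_name!r}")
```

The per-control check matters because the total can look healthy while one control is carried by the others: on the sample data the control set as a whole pays for itself, yet the second ransomware control removes far less exposure than it costs once the first one is in place.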


Conclusions


Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:
1. Define
2. Identify
3. Evaluate
4. Mitigate
5. Control

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations


Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, Cp, etc.)
– Financial calculations (ROI, etc.)
– SPC
– ...


Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009


(Four Case)
Risk Management Analysis
Thank you
Questions?



Slide 44

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
p



The value of "i" such that  at / (1+i) t = 0
t=1

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results

61

Risk evaluation
[Chart: the four risk cases plotted on two axes, "Value accrued (+/-)" (vertical) against "Change implementation" (horizontal). Quadrants: No change / Positive outcome; Change / Positive outcome; No change / Negative outcome; Change / Negative outcome.]
62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.

63
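As an added example, not part of the slides, the deck's NPV formula and an IRR solver that does the "trial and error" of slide 56 systematically (bracketing and bisection), then applied to the four risk cases of slides 61–63 against a tolerable loss limit. The cash-flow streams, the 10% discount rate and the 400 loss limit are constructed sample values.

```python
"""Added example, not from the slides: NPV (the deck's formula), IRR found by
bracketing and bisection (a systematic form of the "trial and error" the
slides say IRR needs), and NPV/IRR applied to the deck's four risk cases.
Every cash-flow figure here is a constructed sample value."""
from typing import Dict, Optional, Sequence


def npv(rate: float, cash_flows: Sequence[float]) -> float:
    """NPV = a0 + a1/(1+i) + a2/(1+i)^2 + ... as on the deck's NPV slide.

    cash_flows[0] is the amount at t=0 (an outlay is negative); entry t is
    the net cash flow at the end of period t, discounted at `rate`.
    """
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


def irr(cash_flows: Sequence[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-10, max_iter: int = 500) -> float:
    """Return the rate i at which npv(i, cash_flows) is zero, by bisection.

    Bisection needs NPV(lo) and NPV(hi) of opposite sign. For the usual
    pattern (outlay now, returns later) NPV falls as the rate rises, so the
    root is unique and the default bracket contains it. A stream whose flows
    never change sign has no IRR and raises ValueError. A stream with several
    sign changes can have several IRRs; bisection returns only the one (if
    any) inside [lo, hi], so inspect such streams before trusting one rate.
    """
    if not (any(a < 0 for a in cash_flows) and any(a > 0 for a in cash_flows)):
        raise ValueError("cash flows never change sign: IRR is undefined")
    f_lo = npv(lo, cash_flows)
    if f_lo * npv(hi, cash_flows) > 0:
        raise ValueError("NPV has the same sign at both ends of the bracket")
    for _ in range(max_iter):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol or (hi - lo) / 2.0 < tol:
            return mid
        if f_lo * f_mid < 0:      # sign change in [lo, mid]: root is there
            hi = mid
        else:                     # otherwise the root is in [mid, hi]
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


# The deck's four risk cases as constructed three-period streams (t=0 is now).
# Negative entries are costs, positive entries are value gained.
FOUR_CASES: Dict[str, Sequence[float]] = {
    "change, planned results": [-500.0, 300.0, 300.0, 300.0],
    "change, adverse results": [-500.0, 50.0, 50.0, 50.0],
    "no change, learning curve": [0.0, 20.0, 40.0, 60.0],
    "no change, adverse results": [0.0, -100.0, -200.0, -300.0],
}


def evaluate_cases(cases: Dict[str, Sequence[float]], rate: float,
                   loss_limit: float) -> Dict[str, Dict[str, object]]:
    """NPV each case at the organisation's discount rate, report IRR where it
    exists, and flag cases whose present-value loss exceeds the tolerable
    loss limit. The do-nothing cases have no outlay to earn a return on, so
    their IRR is reported as None rather than forced."""
    result: Dict[str, Dict[str, object]] = {}
    for name, flows in cases.items():
        value = npv(rate, flows)
        rate_of_return: Optional[float]
        try:
            rate_of_return = irr(flows)
        except ValueError:
            rate_of_return = None
        result[name] = {
            "npv": value,
            "irr": rate_of_return,
            "within_loss_limit": value >= -loss_limit,
        }
    return result


if __name__ == "__main__":
    for name, r in evaluate_cases(FOUR_CASES, 0.10, 400.0).items():
        irr_text = "n/a" if r["irr"] is None else f"{r['irr']:.1%}"
        verdict = "ok" if r["within_loss_limit"] else "EXCEEDS LOSS LIMIT"
        print(f"{name:28s} NPV {r['npv']:9.2f}  IRR {irr_text:>6s}  {verdict}")
```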

Mitigation


64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.


65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure

66

Risk mitigation treatments
• Risk avoidance
• Risk reduction
• Risk retention
• Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

72

Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability weighted Sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

73

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)


78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks


79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)


80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to
controlled recovery

81
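As an added example, not part of the slides, the three re-evaluation steps above carried through on a constructed risk register: raw ALE per risk and in total, ALE with all controls assumed working, the annual cost of the controls, and the net improvement, plus a check for controls whose yearly cost exceeds the ALE they remove. The risks and all dollar figures are constructed sample values; the benefit/cost ratio is one simple valuation where the deck leaves the choice (ROI, NPV, DCF, IRR) to the organization.

```python
"""Added example, not from the slides: the ALE re-evaluation of the
"Risk evaluation revisited" slides. For each risk, raw ALE = estimated loss
per occurrence x expected occurrences per year; the same product is
recomputed with controls assumed working, and the reduction is set against
what the controls cost per year. The register below is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class Risk:
    name: str
    loss_per_event: float        # estimated loss each time it occurs ($)
    frequency: float             # expected occurrences per year, uncontrolled
    controlled_loss: float       # loss per event with controls working ($)
    controlled_frequency: float  # occurrences per year with controls working
    control_cost: float          # annual cost of the mitigating controls ($)


def ale(loss_per_event: float, frequency: float) -> float:
    """Annual Loss Exposure for one risk: loss per occurrence x frequency."""
    return loss_per_event * frequency


def raw_ale(risks: Sequence[Risk]) -> float:
    """Uncontrolled ALE summed over all risks (the raw ALE of slide 79)."""
    return sum(ale(r.loss_per_event, r.frequency) for r in risks)


def controlled_ale(risks: Sequence[Risk]) -> float:
    """ALE summed over all risks with every control assumed working."""
    return sum(ale(r.controlled_loss, r.controlled_frequency) for r in risks)


def controls_not_paying_back(risks: Sequence[Risk]) -> List[str]:
    """Risks whose controls cost more per year than the ALE they remove.

    Such a control can still be justified (a rare but catastrophic loss, a
    compliance obligation), but the ALE arithmetic alone does not justify it,
    and the organisation's loss limit, not this list, decides.
    """
    return [r.name for r in risks
            if r.control_cost > ale(r.loss_per_event, r.frequency)
            - ale(r.controlled_loss, r.controlled_frequency)]


def mitigation_summary(risks: Sequence[Risk]) -> Dict[str, float]:
    """Raw ALE, controlled ALE, reduction, control cost, net annual benefit
    and benefit/cost ratio of the control programme as a whole."""
    raw, controlled = raw_ale(risks), controlled_ale(risks)
    cost = sum(r.control_cost for r in risks)
    reduction = raw - controlled
    return {
        "raw_ale": raw,
        "controlled_ale": controlled,
        "ale_reduction": reduction,
        "control_cost": cost,
        "net_benefit": reduction - cost,
        "benefit_cost_ratio": reduction / cost if cost else float("inf"),
    }


# Constructed sample register; none of these figures come from the slides.
SAMPLE_RISKS = [
    # disk encryption does not stop laptops going missing (same frequency)
    # but removes almost all of the loss per event
    Risk("laptop with customer data lost or stolen",
         loss_per_event=50_000, frequency=2.0,
         controlled_loss=5_000, controlled_frequency=2.0, control_cost=15_000),
    # sprinklers limit the severity of a fire, not its likelihood
    Risk("warehouse fire",
         loss_per_event=2_000_000, frequency=0.02,
         controlled_loss=200_000, controlled_frequency=0.02, control_cost=12_000),
    # awareness training lowers how often staff are fooled, not the loss size
    Risk("payroll fraud via phishing",
         loss_per_event=30_000, frequency=1.0,
         controlled_loss=30_000, controlled_frequency=0.2, control_cost=25_000),
]


if __name__ == "__main__":
    for key, value in mitigation_summary(SAMPLE_RISKS).items():
        print(f"{key:20s} {value:>12,.2f}")
    print("controls not paying back:", controls_not_paying_back(SAMPLE_RISKS))
```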

Conclusions


82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:
1. Define
2. Identify
3. Evaluate
4. Mitigate
5. Control

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations


85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, cp, etc)
– Financial calculations (ROI, etc)
– SPC
– ...

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009


88

(Four Case)
Risk Management Analysis
Thank you
Questions?


89


James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
p



The value of "i" such that  at / (1+i) t = 0
t=1

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
James August, CQA 01/21/09

61

Risk evaluation
V a lu e a ccru e d (+ /-)

N o ch an ge
P ositive ou tcom e

C h an ge
P ositive ou tcom e

C h a n g e im p le m e n ta tio n

N o ch an ge
N egative ou tcom e

James August, CQA 01/21/09

C h an ge
N egative ou tcom e

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
James August, CQA 01/21/09

63

Mitigation

James August, CQA 01/21/09

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

James August, CQA 01/21/09

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
James August, CQA 01/21/09

66

Risk mitigation treatments





James August, CQA 01/21/09

Risk avoidance
Risk reduction
Risk retention
Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
James August, CQA 01/21/09

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia
James August, CQA 01/21/09

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia
James August, CQA 01/21/09

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
James August, CQA 01/21/09

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools





Design for Six Sigma
Investment hedging
Concurrent Engineering
Employee education & training

James August, CQA 01/21/09

72

Risk mitigation
• Some mitigation approaches for core
processes





Published financial documents – open review
Probability weighted Sales forecasts
Raw material cost projections
FTA and FMEA for design and process
• simulations and prototyping

– Inventory ABC analysis
James August, CQA 01/21/09

73

Risk mitigation
• and







Freight carrier performance statistics
Statistical Process Control
Electronic surveillance
Hedging
Invoice aging analysis and variance
Process check lists

James August, CQA 01/21/09

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for GrowthTM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
James August, CQA 01/21/09

from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)

James August, CQA 01/21/09

78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks

James August, CQA 01/21/09

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)

James August, CQA 01/21/09

80

Risk evaluation revisited
• Re-evaluate costs and benefit
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE to to
controlled recovery

James August, CQA 01/21/09

81

Conclusions

James August, CQA 01/21/09

82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)
James August, CQA 01/21/09

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:

Control
Mitigate
Evaluate
Identify
Define
James August, CQA 01/21/09

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations

James August, CQA 01/21/09

85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists





Non-financial indexes (FMEA, cp, etc)
Financial calculations (ROI, etc)
SPC
...

James August, CQA 01/21/09

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car
James August, CQA 01/21/09

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009

James August, CQA 01/21/09

88

(Four Case)
Risk Management Analysis
Thank you
Questions?

James August, CQA 01/21/09

89


Slide 47

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

34

Risk identification
• core operations sub-processes
– materials sourcing (availability)
– quality control (product & process)
– plant & workplace safety
– environmental concerns
– inventory
– logistics and transport

35

Risk identification
• core finance sub-processes
– budgeting
– accounts receivable and payable
– banking
– currency exchange
– MIS and IT processes

36

Risk identification
• support business processes
– strategic planning
– brand management
– facilities and infrastructure management
– process engineering
– capital investment
– asset management

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, SOx, ...)
– supplier evaluation, management

38

Risk identification
• support business sub-processes
– quality assurance
– predictive/ preventive maintenance
– recruitment, compensation
– employee relations (work stoppages)
– employee performance management
– payroll, benefits, ...

39

Risk identification
• other business areas
– outplacement
– employee well-being
– insurance
– mergers & acquisitions
– construction / expansion

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.
– Strengths
– Weaknesses
– Opportunities
– Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
42

Evaluation

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

44

Risk evaluation
Risk matrix: frequency (rows) against severity (columns)

Frequency    Negligible   Minor   Major   Severe
Frequent     L            I       H       H
Probable     L            I       H       H
Occasional   T            I       I       H
Remote       T            L       I       I

45

Risk evaluation

46

Risk evaluation

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 (is the RPN above or below 100?), where
– RPN = Severity x Frequency x Detectability

48

Risk evaluation
• Typical approaches for quantification
– Weighted probabilities
– Extended cost
– Future Value or Net Present Value
– Capability analysis
– Value stream mapping
– Cost of poor quality
– Discounted Cash Flow
– Internal Rate of Return

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

50

Risk evaluation
Financial measures of c/b
• Return on Investment (ROI)
Net B/C ratio = (PV of benefits – PV of operating costs) / PV of capital costs

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)^2 + a3/(1+i)^3 + ...

• Where
“a” is the return for each period (a0, a1, a2, ...) and “i” is the discount rate

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
56

Risk evaluation
Financial measures of c/b
• IRR
The value of “i” such that the sum from t = 1 to p of a_t / (1+i)^t = 0

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?"
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

59

Risk evaluation
• Four cases for risk evaluation:

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
61

Risk evaluation
[Figure: the four risk cases plotted with "Change implementation" on the horizontal axis and "Value accrued (+/-)" on the vertical axis. Quadrants: No change, positive outcome; Change, positive outcome; No change, negative outcome; Change, negative outcome.]

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
63
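The NPV formula and the IRR definition from the evaluation slides, applied to the four risk cases and checked against a tolerable loss limit. This is an added example, not code from the presentation: the cash-flow streams, discount rate and loss limit are constructed figures, and IRR is found by bisection, one of the trial-and-error methods the slides refer to.

```python
"""Four-case risk evaluation with NPV and IRR.

Added example, not from the original presentation. The cash-flow
streams and the tolerable loss limit are constructed, hypothetical
figures (thousands of dollars) chosen to illustrate the method.
"""
from dataclasses import dataclass
from typing import List, Optional


def npv(cash_flows: List[float], rate: float) -> float:
    """NPV = a0 + a1/(1+i) + a2/(1+i)^2 + ... with a0 the period-0 flow."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


def irr(cash_flows: List[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-7, max_iter: int = 200) -> Optional[float]:
    """Rate i at which the discounted sum of the flows is zero.

    Solved by bisection, a trial-and-error method (no closed-form formula
    exists). Returns None when NPV keeps the same sign across [lo, hi],
    which is the case for a stream made only of costs or only of benefits:
    such a stream has no IRR, and a caller must not read a missing IRR
    as a zero return.
    """
    f_lo, f_hi = npv(cash_flows, lo), npv(cash_flows, hi)
    if f_lo * f_hi > 0:
        return None
    for _ in range(max_iter):
        mid = (lo + hi) / 2.0
        f_mid = npv(cash_flows, mid)
        if abs(f_mid) < tol or (hi - lo) / 2.0 < tol:
            return mid
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


@dataclass
class RiskCase:
    name: str
    cash_flows: List[float]  # period 0 first; negative = cost, positive = benefit


# Constructed figures, thousands of dollars, one period per year.
CASES = [
    RiskCase("Change, positive outcome", [-120, 50, 60, 70]),     # planned results achieved
    RiskCase("Change, negative outcome", [-120, -30, 10, 10]),    # adverse, unplanned results
    RiskCase("No change, positive outcome", [0, 5, 8, 10]),       # learning-curve gains only
    RiskCase("No change, negative outcome", [0, -20, -40, -60]),  # process degrades, nothing done
]
DISCOUNT_RATE = 0.10          # assumed cost of capital
TOLERABLE_LOSS_LIMIT = 100.0  # assumed worst-case loss the organization can absorb


def evaluate_cases(cases, rate, loss_limit):
    """Value each case by NPV and IRR and flag any whose loss exceeds the limit."""
    results = []
    for case in cases:
        value = npv(case.cash_flows, rate)
        loss = max(0.0, -value)  # only a negative NPV counts as a loss
        results.append({
            "case": case.name,
            "npv": value,
            "irr": irr(case.cash_flows),
            "within_tolerance": loss <= loss_limit,
        })
    return results


if __name__ == "__main__":
    for r in evaluate_cases(CASES, DISCOUNT_RATE, TOLERABLE_LOSS_LIMIT):
        irr_text = "n/a" if r["irr"] is None else f"{r['irr']:.1%}"
        flag = "" if r["within_tolerance"] else "  <-- exceeds loss limit"
        print(f"{r['case']:<30} NPV {r['npv']:>9.2f}  IRR {irr_text:>6}{flag}")
```

With these figures the change is worth making on its planned outcome, but its adverse case loses more than the limit while the do-nothing adverse case stays inside it; that is the comparison the four-case method asks for.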

Mitigation

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
66

Risk mitigation treatments
• Risk avoidance
• Risk reduction
• Risk retention
• Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia
69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amount of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

72

Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability weighted sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

73

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)

78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)

80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to
controlled recovery

81
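The re-evaluation steps from the last three slides (raw ALE per risk summed over all risks, ALE recalculated with the controls in place, control cost, and the resulting improvement) worked through as an added example, not code from the presentation. The risk register, the fraction of exposure each control removes and the control costs are constructed values, and the rule for combining several controls on one risk is an assumption stated in the comments.

```python
"""Annual Loss Exposure (ALE) before and after controls.

Added example, not from the original presentation. The risk register,
control costs and control effectiveness figures are constructed,
hypothetical values (dollars per event, events per year).
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Risk:
    name: str
    loss_per_event: float    # estimated loss when the event occurs ($)
    events_per_year: float   # estimated frequency of occurrence
    # Fraction of the exposure each mitigating control removes while it is
    # working (0 = no effect, 1 = fully prevents the loss). Assumed figures.
    control_effect: Dict[str, float] = field(default_factory=dict)


@dataclass
class Control:
    name: str
    annual_cost: float       # cost of operating the control for a year ($)


def raw_ale(risk: Risk) -> float:
    """Raw ALE = estimated loss per event x frequency of occurrence."""
    return risk.loss_per_event * risk.events_per_year


def controlled_ale(risk: Risk, working: Dict[str, bool]) -> float:
    """ALE with each control applied only if it is reported as working.

    Assumption: several controls on one risk combine multiplicatively (each
    acts on the residual left by the previous one), so two 50 % controls
    leave 25 % of the exposure, not 0 %. A control absent from `working`
    is treated as not working, which keeps a forgotten control from
    silently improving the figure.
    """
    residual = raw_ale(risk)
    for control_name, effect in risk.control_effect.items():
        if working.get(control_name, False):
            residual *= (1.0 - effect)
    return residual


def reevaluate(risks: List[Risk], controls: List[Control],
               working: Dict[str, bool]) -> dict:
    """Sum raw ALE over all risks, recompute ALE in the controls' reported
    state, add up control cost, and report improvement and net benefit."""
    raw_total = sum(raw_ale(r) for r in risks)
    controlled_total = sum(controlled_ale(r, working) for r in risks)
    # Controls are paid for whether or not they are working.
    control_cost = sum(c.annual_cost for c in controls)
    improvement = raw_total - controlled_total
    return {
        "raw_ale": raw_total,
        "controlled_ale": controlled_total,
        "control_cost": control_cost,
        "ale_improvement": improvement,
        "net_benefit": improvement - control_cost,
    }


# Constructed register: a few operations, sales and IT risks from the
# business areas listed earlier in the deck.
RISKS = [
    Risk("Line stoppage from substandard supplier lot", 40_000, 2.0,
         {"incoming inspection": 0.75}),
    Risk("Pricing data leak to competitor", 150_000, 0.2,
         {"access control on pricing files": 0.6, "leak monitoring": 0.5}),
    Risk("MIS outage delaying invoicing", 8_000, 6.0,
         {"backup and failover": 0.8}),
]
CONTROLS = [
    Control("incoming inspection", 15_000),
    Control("access control on pricing files", 4_000),
    Control("leak monitoring", 6_000),
    Control("backup and failover", 12_000),
]
ALL_WORKING = {c.name: True for c in CONTROLS}


if __name__ == "__main__":
    scenarios = (("all controls working", ALL_WORKING),
                 ("leak monitoring failed", {**ALL_WORKING, "leak monitoring": False}))
    for label, state in scenarios:
        r = reevaluate(RISKS, CONTROLS, state)
        print(f"{label}: raw ALE {r['raw_ale']:,.0f}, controlled ALE "
              f"{r['controlled_ale']:,.0f}, control cost {r['control_cost']:,.0f}, "
              f"net benefit {r['net_benefit']:,.0f}")
```

Running the second scenario shows what the "assuming all controls are working" caveat on the slide costs when the assumption fails: one control reported down raises the controlled ALE and eats into the net benefit with no change in what the controls cost.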

Conclusions

82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)
83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:

– Define
– Identify
– Evaluate
– Mitigate
– Control

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations

85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, cp, etc)
– Financial calculations (ROI, etc)
– SPC
– ...

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car
87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009

88

(Four Case)
Risk Management Analysis
Thank you
Questions?

89


(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

7

Definition

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

17

Risk definition
[Figure: quadrant chart with "Cost of action" on the horizontal axis and "Value accrued (+/-)" on the vertical axis. Quadrants: big cost, big gains; small cost, small gains; small cost, small losses; big cost, big losses.]

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
20

Risk definition
[Figure: quadrant chart with "Cost of action" on the horizontal axis and "Value accrued (+/-)" on the vertical axis. Regions: small cost, big gains ("no brainer"); big cost, big gains; small cost, small gains; small cost, small losses; big cost, big losses ("not a good idea"); with a horizontal line marking the tolerable loss limit.]

21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
p



The value of "i" such that  at / (1+i) t = 0
t=1

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
James August, CQA 01/21/09

61

Risk evaluation
V a lu e a ccru e d (+ /-)

N o ch an ge
P ositive ou tcom e

C h an ge
P ositive ou tcom e

C h a n g e im p le m e n ta tio n

N o ch an ge
N egative ou tcom e

James August, CQA 01/21/09

C h an ge
N egative ou tcom e

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
James August, CQA 01/21/09

63

Mitigation

James August, CQA 01/21/09

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

James August, CQA 01/21/09

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
James August, CQA 01/21/09

66

Risk mitigation treatments





James August, CQA 01/21/09

Risk avoidance
Risk reduction
Risk retention
Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
James August, CQA 01/21/09

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also, any amount of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training


72

Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability weighted Sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

73

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists


74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.

from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)


78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks


79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc.)


80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to
controlled recovery
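The raw versus controlled Annual Loss Exposure calculation of the three "Risk evaluation revisited" slides, as an added example that is not part of the original presentation. The risk register, loss amounts, annual frequencies and control costs are constructed sample values, and the function names are my own.

```python
"""Raw vs. controlled Annual Loss Exposure (added example, not from the presentation)."""

# Constructed sample risk register. Dollar loss per occurrence and expected
# occurrences per year, both before ("raw") and after the mitigating control
# is in place, plus the control's annual cost.
RISKS = [
    {"name": "phishing-led account compromise",
     "loss": 120_000, "freq": 0.20,          # raw: about one event every 5 years
     "c_loss": 20_000, "c_freq": 0.05,       # MFA + training: rarer and cheaper events
     "control_cost": 12_000},
    {"name": "line stoppage from late raw material",
     "loss": 8_000, "freq": 3.0,
     "c_loss": 8_000, "c_freq": 0.5,         # second supplier: same loss, fewer events
     "control_cost": 25_000},
    {"name": "shipment damage in transit",
     "loss": 50_000, "freq": 0.10,
     "c_loss": 50_000, "c_freq": 0.02,       # better packaging: same loss, fewer events
     "control_cost": 3_000},
]


def ale(loss_per_occurrence, occurrences_per_year):
    """Annual Loss Exposure = loss per occurrence x annual frequency (slide 79)."""
    return loss_per_occurrence * occurrences_per_year


def evaluate_controls(risks):
    """Raw ALE, ALE with all controls working, control cost and net benefit (slides 79-81)."""
    per_risk = []
    for r in risks:
        raw = ale(r["loss"], r["freq"])
        controlled = ale(r["c_loss"], r["c_freq"])
        reduction = raw - controlled
        per_risk.append({
            "name": r["name"],
            "raw_ale": raw,
            "controlled_ale": controlled,
            "ale_reduction": reduction,
            "control_cost": r["control_cost"],
            # a control pays for itself only if it removes more ALE than it costs
            "worthwhile": reduction > r["control_cost"],
        })
    raw_total = sum(p["raw_ale"] for p in per_risk)
    controlled_total = sum(p["controlled_ale"] for p in per_risk)
    cost_total = sum(p["control_cost"] for p in per_risk)
    return {
        "raw_ale": raw_total,
        "controlled_ale": controlled_total,
        "control_cost": cost_total,
        "ale_reduction": raw_total - controlled_total,
        "net_benefit": raw_total - controlled_total - cost_total,
        "per_risk": per_risk,
    }


if __name__ == "__main__":
    report = evaluate_controls(RISKS)
    for p in report["per_risk"]:
        print(f"{p['name']:40s} raw {p['raw_ale']:>10,.0f}  controlled {p['controlled_ale']:>8,.0f}  "
              f"control cost {p['control_cost']:>8,.0f}  worthwhile: {p['worthwhile']}")
    print(f"total raw ALE {report['raw_ale']:,.0f}, controlled ALE {report['controlled_ale']:,.0f}, "
          f"controls cost {report['control_cost']:,.0f}, net benefit {report['net_benefit']:,.0f}")
```

The per-risk "worthwhile" flag is the check the slides describe: in this sample the second supplier costs $25,000 a year to remove $20,000 of ALE, so that risk is cheaper to retain, while the other two controls reduce exposure by more than they cost.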


81

Conclusions


82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:

• Define
• Identify
• Evaluate
• Mitigate
• Control

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations


85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, cp, etc.)
– Financial calculations (ROI, etc.)
– SPC
– ...


86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009


88

(Four Case)
Risk Management Analysis
Thank you
Questions?


89


Slide 49

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
p



The value of "i" such that  at / (1+i) t = 0
t=1

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
James August, CQA 01/21/09

61

Risk evaluation
V a lu e a ccru e d (+ /-)

N o ch an ge
P ositive ou tcom e

C h an ge
P ositive ou tcom e

C h a n g e im p le m e n ta tio n

N o ch an ge
N egative ou tcom e

James August, CQA 01/21/09

C h an ge
N egative ou tcom e

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
James August, CQA 01/21/09

63

Mitigation

James August, CQA 01/21/09

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

James August, CQA 01/21/09

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
James August, CQA 01/21/09

66

Risk mitigation treatments





James August, CQA 01/21/09

Risk avoidance
Risk reduction
Risk retention
Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
James August, CQA 01/21/09

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia
James August, CQA 01/21/09

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia
James August, CQA 01/21/09

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
James August, CQA 01/21/09

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools





Design for Six Sigma
Investment hedging
Concurrent Engineering
Employee education & training

James August, CQA 01/21/09

72

Risk mitigation
• Some mitigation approaches for core
processes





Published financial documents – open review
Probability weighted Sales forecasts
Raw material cost projections
FTA and FMEA for design and process
• simulations and prototyping

– Inventory ABC analysis
James August, CQA 01/21/09

73

Risk mitigation
• and







Freight carrier performance statistics
Statistical Process Control
Electronic surveillance
Hedging
Invoice aging analysis and variance
Process check lists

James August, CQA 01/21/09

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for GrowthTM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
James August, CQA 01/21/09

from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)

James August, CQA 01/21/09

78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks

James August, CQA 01/21/09

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)

James August, CQA 01/21/09

80

Risk evaluation revisited
• Re-evaluate costs and benefit
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE to to
controlled recovery

James August, CQA 01/21/09

81

Conclusions

James August, CQA 01/21/09

82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)
James August, CQA 01/21/09

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:

Control
Mitigate
Evaluate
Identify
Define
James August, CQA 01/21/09

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations

James August, CQA 01/21/09

85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists





Non-financial indexes (FMEA, cp, etc)
Financial calculations (ROI, etc)
SPC
...

James August, CQA 01/21/09

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car
James August, CQA 01/21/09

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009

James August, CQA 01/21/09

88

(Four Case)
Risk Management Analysis
Thank you
Questions?

James August, CQA 01/21/09

89


Slide 50

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition


8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira


9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.


10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability


11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large


14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $


15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output


16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.


17

Risk definition
[Chart: "Cost of action" on the horizontal axis against "Value accrued (+/-)" on the vertical axis, divided into four quadrants: small cost, small gains; big cost, big gains; small cost, small losses; big cost, big losses.]


18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues

20

Risk definition
[Chart: "Cost of action" on the horizontal axis against "Value accrued (+/-)" on the vertical axis, with the four quadrants annotated: small cost, big gains is marked "no brainer"; big cost, big gains; small cost, small gains; small cost, small losses; big cost, big losses is marked "not a good idea". A "tolerable loss limit" line marks the maximum acceptable loss.]
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures


24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.


25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level

26

Identification


27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.

28

Risk identification
What is at risk?


29

Risk identification
What is at risk?
Achieving your objectives!


30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008

31

Risk identification
• core business op’ns & processes
– acquire new customers
– take orders
– procure materials
– create products, manage inventories
– deliver products
– collect payments


32

Risk identification
• core sales sub-processes
– market research
– pricing
– promotion and advertising
– order taking (order entry)
– warranty management


33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection


34

Risk identification
• core operations sub-processes
– materials sourcing (availability)
– quality control (product & process)
– plant & workplace safety
– environmental concerns
– inventory
– logistics and transport


35

Risk identification
• core finance sub-processes
– budgeting
– accounts receivable and payable
– banking
– currency exchange
– MIS and IT processes


36

Risk identification
• support business processes
– strategic planning
– brand management
– facilities and infrastructure management
– process engineering
– capital investment
– asset management


37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management

38

Risk identification
• support business sub-processes
– quality assurance
– predictive/ preventive maintenance
– recruitment, compensation
– employee relations (work stoppages)
– employee performance mgt
– payroll, benefits, ...


39

Risk identification
• other business areas
– outplacement
– employee well-being
– insurance
– mergers & acquisitions
– construction / expansion


40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.
– Strengths
– Weaknesses
– Opportunities
– Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...

42

Evaluation


43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?


44

Risk evaluation
Frequency \ Severity   Negligible   Minor   Major   Severe
Frequent               L            I       H       H
Probable               L            I       H       H
Occasional             T            I       I       H
Remote                 T            L       I       I


45

Risk evaluation


46

Risk evaluation


47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN above or below 100, where
– RPN = Severity x Frequency x Detectability


48

Risk evaluation
• Typical approaches for quantification
– Weighted probabilities
– Extended cost
– Future Value or Net Present Value
– Capability analysis
– Value stream mapping
– Cost of poor quality
– Discounted Cash Flow
– Internal Rate of Return


49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency


50

Risk evaluation
Financial measures of c/b
• Return on Investment (ROI)
Net B/C ratio = (PV of benefits – PV of operating costs) / PV of capital costs


51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)^2 + a3/(1+i)^3 + ...

• Where
“a” is the return for each period at rate “i”


53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.

56

Risk evaluation
Financial measures of c/b
• IRR
The value of "i" such that Σ_{t=1}^{p} a_t / (1+i)^t = 0


57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?"
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
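A worked version of the NPV series and the trial-and-error search for IRR described above, added here as an example (it is not part of the presentation); the cash-flow figures, the 10% cost of capital and the bisection bracket are constructed assumptions:

```python
"""Added example, not from the presentation: the deck's NPV series and an
IRR approximated by trial and error (bisection), since no algebraic formula
gives it directly. All cash-flow figures below are constructed."""
from typing import Sequence

# Constructed ITP (improve-the-process) project: a0 is the up-front cost,
# a1..a4 are the yearly returns that follow it.
PROJECT_CASH_FLOWS = [-50_000.0, 15_000.0, 18_000.0, 20_000.0, 22_000.0]


def npv(cash_flows: Sequence[float], rate: float) -> float:
    """NPV = a0 + a1/(1+i) + a2/(1+i)^2 + a3/(1+i)^3 + ... at rate i."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


def irr(cash_flows: Sequence[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-9, max_iter: int = 200) -> float:
    """Rate i at which NPV is zero, approximated by bisection.

    For a cost-then-returns stream NPV falls as i rises, so if the bracket
    [lo, hi] spans a sign change there is exactly one root inside it.
    """
    f_lo, f_hi = npv(cash_flows, lo), npv(cash_flows, hi)
    if f_lo * f_hi > 0:
        raise ValueError("NPV has the same sign at both ends; no IRR in bracket")
    for _ in range(max_iter):
        mid = (lo + hi) / 2.0
        f_mid = npv(cash_flows, mid)
        if abs(f_mid) < tol or (hi - lo) < tol:
            return mid
        if f_lo * f_mid < 0:      # root lies in the lower half
            hi, f_hi = mid, f_mid
        else:                     # root lies in the upper half
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


def evaluate_project(cash_flows: Sequence[float], cost_of_capital: float) -> dict:
    """Decision rule from the slides: a positive NPV at the organization's
    cost of capital, equivalently an IRR above that rate, favours the project."""
    project_npv = npv(cash_flows, cost_of_capital)
    project_irr = irr(cash_flows)
    return {
        "npv": round(project_npv, 2),
        "irr": round(project_irr, 4),
        "accept": project_irr > cost_of_capital,
    }


if __name__ == "__main__":
    print(evaluate_project(PROJECT_CASH_FLOWS, 0.10))
```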

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.


59

Risk evaluation
• Four cases for risk evaluation:


60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results

61

Risk evaluation
[Chart: "Change implementation" on the horizontal axis against "Value accrued (+/-)" on the vertical axis, with the four cases as quadrants: no change, positive outcome; change, positive outcome; no change, negative outcome; change, negative outcome.]

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
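The four-case comparison against the tolerable loss limit, as an added example that is not part of the presentation; the case figures, probabilities and loss limit are constructed, and the probability-weighted valuation stands in for whichever method (ROI, NPV, DCF, IRR) an organization prefers:

```python
"""Added example, not from the presentation: value the four risk cases
(change / no change x positive / negative outcome) with probability
weighting and check each decision's worst case against the tolerable loss
limit. All figures are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Sequence


@dataclass(frozen=True)
class Case:
    name: str
    cost_of_action: float   # $ spent to implement (0 when doing nothing)
    value_accrued: float    # $ gained (+) or lost (-) if this outcome occurs
    probability: float      # chance of this outcome, given the decision

    @property
    def net(self) -> float:
        """Value accrued less cost of action: the chart's vertical axis."""
        return self.value_accrued - self.cost_of_action


# Constructed figures for one decision: implement a new supplier-vetting
# process (ITP) or keep running the current one unchanged (RTP).
CHANGE = [
    Case("change, positive outcome", 40_000, 120_000, 0.7),   # results achieved
    Case("change, negative outcome", 40_000, -15_000, 0.3),   # adverse results
]
NO_CHANGE = [
    Case("no change, positive outcome", 0, 10_000, 0.6),      # learning curve
    Case("no change, negative outcome", 0, -90_000, 0.4),     # adverse results
]
TOLERABLE_LOSS_LIMIT = 60_000   # the most the organization can afford to lose


def expected_net(cases: Sequence[Case]) -> float:
    """Probability-weighted net value of one decision's outcomes."""
    total_p = sum(c.probability for c in cases)
    if abs(total_p - 1.0) > 1e-9:
        raise ValueError(f"outcome probabilities sum to {total_p}, not 1")
    return sum(c.probability * c.net for c in cases)


def worst_case(cases: Sequence[Case]) -> float:
    return min(c.net for c in cases)


def compare_decisions(change: Sequence[Case], no_change: Sequence[Case],
                      loss_limit: float) -> Dict[str, dict]:
    """Value both decisions and flag any whose worst case breaks the limit."""
    results = {}
    for label, cases in (("change", change), ("no change", no_change)):
        worst = worst_case(cases)
        results[label] = {
            "expected_net": round(expected_net(cases), 2),
            "worst_case": worst,
            "within_tolerance": worst >= -loss_limit,
        }
    return results


def recommend(results: Dict[str, dict]) -> str:
    """Best expected value among the decisions that respect the loss limit."""
    allowed = {k: v for k, v in results.items() if v["within_tolerance"]}
    if not allowed:
        return "neither: both decisions exceed the tolerable loss limit"
    return max(allowed, key=lambda k: allowed[k]["expected_net"])


if __name__ == "__main__":
    outcome = compare_decisions(CHANGE, NO_CHANGE, TOLERABLE_LOSS_LIMIT)
    for label, summary in outcome.items():
        print(label, summary)
    print("recommendation:", recommend(outcome))
```

Note that "do nothing" has the worse expected value and the worse worst case here: the RTP decision is where the hidden risk sits.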

63

Mitigation


64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.


65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure

66

Risk mitigation treatments
• Risk avoidance
• Risk reduction
• Risk retention
• Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training


72

Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability weighted Sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

73

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists


74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for GrowthTM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.

from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)


78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks


79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)


80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to
controlled recovery
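The ALE re-evaluation outlined above, carried through in code as an added example rather than taken from the presentation; the three risks and every dollar, frequency and control-cost figure are constructed:

```python
"""Added example, not from the presentation: raw Annual Loss Exposure
(loss per event x events per year, summed over all risks), then the same
calculation with controls assumed to be working, compared with what the
controls cost. Risks and figures are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Sequence


@dataclass(frozen=True)
class Risk:
    name: str
    loss_per_event: float        # estimated $ loss each time it occurs
    events_per_year: float       # estimated frequency of occurrence
    controlled_loss: float       # loss per event once controls are in place
    controlled_events: float     # frequency once controls are in place
    annual_control_cost: float   # what the mitigating controls cost per year


def ale(loss_per_event: float, events_per_year: float) -> float:
    """Annual Loss Exposure = loss per occurrence x occurrences per year."""
    return loss_per_event * events_per_year


def raw_ale(risks: Sequence[Risk]) -> float:
    """Raw ALE summed over all risks, before any controls."""
    return sum(ale(r.loss_per_event, r.events_per_year) for r in risks)


def controlled_ale(risks: Sequence[Risk]) -> float:
    """ALE summed over all risks, assuming every control is working."""
    return sum(ale(r.controlled_loss, r.controlled_events) for r in risks)


def mitigation_report(risks: Sequence[Risk]) -> Dict[str, dict]:
    """Per risk: the improvement in ALE from controls versus their cost."""
    report = {}
    for r in risks:
        before = ale(r.loss_per_event, r.events_per_year)
        after = ale(r.controlled_loss, r.controlled_events)
        reduction = before - after
        report[r.name] = {
            "raw_ale": before,
            "controlled_ale": after,
            "ale_reduction": reduction,
            "control_cost": r.annual_control_cost,
            "net_benefit": reduction - r.annual_control_cost,
            "controls_pay_off": reduction > r.annual_control_cost,
        }
    return report


# Constructed figures for three compliance-area (security) risks.
RISKS = [
    # tested backups and network segmentation shorten and rarefy outages
    Risk("ransomware outage", 200_000, 0.2, 80_000, 0.05, 15_000),
    # phishing-resistant MFA and training cut how often credentials are abused
    Risk("phished credentials", 25_000, 2.0, 25_000, 0.4, 12_000),
    # full-disk encryption lowers the loss per lost device, not how often it happens
    Risk("lost unencrypted laptop", 5_000, 1.0, 1_500, 1.0, 4_000),
]


if __name__ == "__main__":
    print("raw ALE:", raw_ale(RISKS), "controlled ALE:", controlled_ale(RISKS))
    for name, row in mitigation_report(RISKS).items():
        print(name, row)
```

The last risk shows why the comparison matters: its controls reduce ALE but cost more per year than they save, so on this measure alone they do not pay off and the residual risk is being retained.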


81

Conclusions


82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:
[Figure: the five steps drawn as a staircase, read from the bottom up: Define, Identify, Evaluate, Mitigate, Control]

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations


85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, cp, etc)
– Financial calculations (ROI, etc)
– SPC
– ...


86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009


88

(Four Case)
Risk Management Analysis
Thank you
Questions?


89


Slide 51

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criterion: RPN compared against a threshold of 100, where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification
– Weighted probabilities
– Extended cost
– Future Value or Net Present Value
– Capability analysis
– Value stream mapping
– Cost of poor quality
– Discounted Cash Flow
– Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)
– Net B/C ratio = (PV of benefits – PV of operating costs) / PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• $\mathrm{NPV} = a_0 + \frac{a_1}{1+i} + \frac{a_2}{(1+i)^2} + \frac{a_3}{(1+i)^3} + \cdots$

• Where
$a_t$ is the return for period $t$, discounted at rate $i$

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
James August, CQA 01/21/09

54

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
The value of $i$ such that $\sum_{t=1}^{p} \frac{a_t}{(1+i)^t} = 0$

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?"
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
James August, CQA 01/21/09

61

Risk evaluation
[Chart: the four risk cases plotted with "Value accrued (+/-)" on the vertical axis and "Change implementation" on the horizontal axis. Quadrants: No change / Positive outcome; Change / Positive outcome; No change / Negative outcome; Change / Negative outcome.]

James August, CQA 01/21/09

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
James August, CQA 01/21/09

63
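The NPV formula of slide 53, the trial-and-error IRR approximation slide 56 describes, and the four-case comparison against the loss limit on slide 63, as an added worked example that is not part of the original deck; the cash-flow streams, the 10% discount rate and the loss limit are constructed sample values.

```python
# Added worked example (not from the slide deck): NPV from the slide formula,
# IRR approximated by bisection ("trial and error"), and the four risk cases
# compared against a tolerable loss limit. All cash flows are constructed samples.
from typing import Dict, Optional, Sequence


def npv(rate: float, cash_flows: Sequence[float]) -> float:
    """NPV = a0 + a1/(1+i) + a2/(1+i)^2 + ...; a0 is the undiscounted period-0 flow."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


def irr(cash_flows: Sequence[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-10) -> float:
    """Rate i at which NPV(i) = 0, found by bisection on [lo, hi].

    Requires a conventional stream (outflow first, then inflows) so that NPV
    changes sign between lo and hi; otherwise no single IRR exists.
    """
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        raise ValueError("NPV does not change sign on [lo, hi]; no IRR bracketed")
    for _ in range(200):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol or (hi - lo) < tol:
            return mid
        if f_lo * f_mid < 0:      # root lies in the lower half
            hi, f_hi = mid, f_mid
        else:                     # root lies in the upper half
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


# Constructed five-period cash-flow streams (period 0 = today) for the four
# cases of slide 61. Positive = money in, negative = money out.
FOUR_CASES: Dict[str, Sequence[float]] = {
    "change, positive outcome":    [-100.0, 40.0, 40.0, 40.0, 40.0],   # planned payoff
    "change, negative outcome":    [-100.0, -20.0, 10.0, 10.0, 10.0],  # rework, weak payoff
    "no change, positive outcome": [0.0, 5.0, 6.0, 7.0, 8.0],          # learning-curve gains
    "no change, negative outcome": [0.0, -15.0, -20.0, -25.0, -30.0],  # erosion, ongoing costs
}


def evaluate_four_cases(rate: float, loss_limit: float,
                        cases: Dict[str, Sequence[float]] = FOUR_CASES) -> Dict[str, dict]:
    """Value each case at the organization's discount rate and flag any case whose
    NPV is a loss beyond the tolerable loss limit. IRR is reported only where it exists."""
    report: Dict[str, dict] = {}
    for name, flows in cases.items():
        value = npv(rate, flows)
        try:
            rate_of_return: Optional[float] = irr(flows)
        except ValueError:        # all-inflow or all-outflow streams have no IRR
            rate_of_return = None
        report[name] = {
            "npv": round(value, 2),
            "irr": None if rate_of_return is None else round(rate_of_return, 4),
            "within_loss_limit": value >= -loss_limit,
        }
    return report


if __name__ == "__main__":
    for case, result in evaluate_four_cases(rate=0.10, loss_limit=75.0).items():
        print(f"{case:30s} NPV={result['npv']:>8.2f}  IRR={result['irr']}  "
              f"within limit: {result['within_loss_limit']}")
```

With these sample figures the "change, negative outcome" case breaches the 75 loss limit while the "no change, negative outcome" case just stays inside it, which is the comparison slide 63 asks for.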

Mitigation

James August, CQA 01/21/09

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

James August, CQA 01/21/09

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
James August, CQA 01/21/09

66

Risk mitigation treatments
• Risk avoidance
• Risk reduction
• Risk retention
• Risk transfer

James August, CQA 01/21/09

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
James August, CQA 01/21/09

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia
James August, CQA 01/21/09

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia
James August, CQA 01/21/09

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
James August, CQA 01/21/09

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

James August, CQA 01/21/09

72

Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability weighted Sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis
James August, CQA 01/21/09

73

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

James August, CQA 01/21/09

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
– Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
– Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
– Determine whether product development has realistic
costs and timeframes.
– Check that a detailed budget has been established for
product development.
from the Wired for GrowthTM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
– Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
– Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
– Make sure quality specifications have been defined,
authorized and formally documented.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

77

Evaluation
(re-evaluation after control)

James August, CQA 01/21/09

78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks

James August, CQA 01/21/09

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)

James August, CQA 01/21/09

80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to
controlled recovery

James August, CQA 01/21/09

81
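The raw ALE, controlled ALE and control-cost steps of slides 79 to 81, carried through as an added worked example that is not the author's or the deck's own material; the risk register, the per-event losses, the frequencies and the control costs are constructed sample figures.

```python
# Added worked example (not from the slide deck): raw Annual Loss Exposure (ALE),
# ALE recalculated with every control working, cost of the controls, and the net
# improvement, per risk and summed over the register. All figures are constructed.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Risk:
    name: str
    loss_per_event: float               # estimated loss each time the risk materializes
    events_per_year: float              # estimated frequency of occurrence, no controls
    controlled_loss_per_event: float    # loss per event once the control works (cost side)
    controlled_events_per_year: float   # frequency once the control works (chance side)
    annual_control_cost: float          # what the mitigating control costs per year


# Constructed sample register. Each control cuts the chance of failure, the cost
# of failure, or both, as slide 66 suggests.
SAMPLE_RISKS: List[Risk] = [
    Risk("ransomware on file server", 200_000.0, 0.10, 50_000.0, 0.02, 15_000.0),
    Risk("laptop theft", 5_000.0, 2.0, 1_500.0, 2.0, 2_000.0),
    Risk("website defacement", 3_000.0, 0.5, 3_000.0, 0.1, 5_000.0),
]


def raw_ale(risks: List[Risk]) -> float:
    """Slide 79: loss per event x frequency of occurrence, summed over all risks."""
    return sum(r.loss_per_event * r.events_per_year for r in risks)


def controlled_ale(risks: List[Risk]) -> float:
    """Slide 81: the same calculation assuming all controls are working."""
    return sum(r.controlled_loss_per_event * r.controlled_events_per_year for r in risks)


def total_control_cost(risks: List[Risk]) -> float:
    return sum(r.annual_control_cost for r in risks)


def net_improvement(risks: List[Risk]) -> float:
    """Reduction in ALE minus what the controls cost per year."""
    return raw_ale(risks) - controlled_ale(risks) - total_control_cost(risks)


def mitigation_report(risks: List[Risk]) -> Dict[str, dict]:
    """Per-risk view. A control whose annual cost exceeds the ALE it removes is
    flagged, since retaining that risk would be cheaper (slide 70)."""
    report: Dict[str, dict] = {}
    for r in risks:
        before = r.loss_per_event * r.events_per_year
        after = r.controlled_loss_per_event * r.controlled_events_per_year
        reduction = before - after
        report[r.name] = {
            "raw_ale": before,
            "controlled_ale": after,
            "control_cost": r.annual_control_cost,
            "net_improvement": reduction - r.annual_control_cost,
            "control_justified": reduction > r.annual_control_cost,
        }
    return report


if __name__ == "__main__":
    for name, row in mitigation_report(SAMPLE_RISKS).items():
        print(f"{name:28s} raw={row['raw_ale']:>9,.0f} controlled={row['controlled_ale']:>8,.0f} "
              f"cost={row['control_cost']:>8,.0f} net={row['net_improvement']:>8,.0f} "
              f"justified={row['control_justified']}")
    print(f"total raw ALE {raw_ale(SAMPLE_RISKS):,.0f}, controlled {controlled_ale(SAMPLE_RISKS):,.0f}, "
          f"net improvement {net_improvement(SAMPLE_RISKS):,.0f}")
```

In the sample register the defacement control costs more per year than the exposure it removes, so that risk would be a candidate for retention rather than the control.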

Conclusions

James August, CQA 01/21/09

82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)
James August, CQA 01/21/09

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:
– Define
– Identify
– Evaluate
– Mitigate
– Control
James August, CQA 01/21/09

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations

James August, CQA 01/21/09

85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, cp, etc)
– Financial calculations (ROI, etc)
– SPC
– ...

James August, CQA 01/21/09

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car
James August, CQA 01/21/09

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009

James August, CQA 01/21/09

88

(Four Case)
Risk Management Analysis
Thank you
Questions?

James August, CQA 01/21/09

89


Slide 52

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
p



The value of "i" such that  at / (1+i) t = 0
t=1

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
James August, CQA 01/21/09

61

Risk evaluation
V a lu e a ccru e d (+ /-)

N o ch an ge
P ositive ou tcom e

C h an ge
P ositive ou tcom e

C h a n g e im p le m e n ta tio n

N o ch an ge
N egative ou tcom e

James August, CQA 01/21/09

C h an ge
N egative ou tcom e

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
James August, CQA 01/21/09

63

Mitigation

James August, CQA 01/21/09

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

James August, CQA 01/21/09

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
James August, CQA 01/21/09

66

Risk mitigation treatments





James August, CQA 01/21/09

Risk avoidance
Risk reduction
Risk retention
Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
James August, CQA 01/21/09

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia
James August, CQA 01/21/09

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia
James August, CQA 01/21/09

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
James August, CQA 01/21/09

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools





Design for Six Sigma
Investment hedging
Concurrent Engineering
Employee education & training

James August, CQA 01/21/09

72

Risk mitigation
• Some mitigation approaches for core
processes





Published financial documents – open review
Probability weighted Sales forecasts
Raw material cost projections
FTA and FMEA for design and process
• simulations and prototyping

– Inventory ABC analysis
James August, CQA 01/21/09

73

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process checklists

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
– Management maintains an accurate awareness of market trends, competitor prices, etc. as determinants of pricing policy.
– Steps are taken to protect commercially sensitive pricing information from unauthorized access and leakage.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
– Determine whether product development has realistic costs and timeframes.
– Check that a detailed budget has been established for product development.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
– Ensure prompt action is taken to reject substandard supplies and arrange replacement stock.
– Verify that measures are in place to assess potential suppliers for their competence and commitment to quality.
– Make sure quality specifications have been defined, authorized and formally documented.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)


78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks


79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc.)

80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine the effectiveness of mitigation by recalculating the Annual Loss Exposure assuming all controls are working
– Determine the cost of the risk-mitigating controls
– Determine the improvement in ALE due to controlled recovery

81
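The three re-evaluation steps on the preceding slides, carried out over a small risk register as an added worked example (not code from the presentation): raw ALE per risk and summed, the controlled ALE assuming every control works, the annual cost of the controls, and the resulting improvement and ROI, with controls that cost more than they save flagged for a cheaper control, transfer or retention. All risk names and dollar figures are constructed sample values.

```python
"""Annual Loss Exposure (ALE) before and after controls.

Added worked example for the 'Risk evaluation revisited' steps:
  raw ALE        = annual loss per event x frequency of occurrence, summed over risks
  controlled ALE = the same calculation assuming all mitigating controls work
  improvement    = raw ALE - controlled ALE, compared with the annual cost of controls
The risk register below is constructed sample data, not figures from the talk.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Risk:
    name: str
    loss_per_event: float        # estimated loss ($) each time the risk occurs
    frequency: float             # expected occurrences per year, no controls
    controlled_loss: float       # loss ($) per event with controls working
    controlled_frequency: float  # occurrences per year with controls working
    control_cost: float          # annual cost ($) of the mitigating controls


def ale(loss_per_event: float, frequency: float) -> float:
    """Annual Loss Exposure of one risk: loss per event x events per year."""
    return loss_per_event * frequency


def raw_ale(risks: List[Risk]) -> float:
    """Per-risk ALE with no controls in place, summed over all risks."""
    return sum(ale(r.loss_per_event, r.frequency) for r in risks)


def controlled_ale(risks: List[Risk]) -> float:
    """ALE recalculated assuming every control is working as designed."""
    return sum(ale(r.controlled_loss, r.controlled_frequency) for r in risks)


def control_cost(risks: List[Risk]) -> float:
    """Total annual cost of the risk-mitigating controls."""
    return sum(r.control_cost for r in risks)


def evaluate(risks: List[Risk]) -> Dict[str, float]:
    """Portfolio-level figures: improvement in ALE, net benefit and ROI of the controls."""
    raw = raw_ale(risks)
    ctrl = controlled_ale(risks)
    cost = control_cost(risks)
    improvement = raw - ctrl
    net_benefit = improvement - cost
    return {
        "raw_ale": raw,
        "controlled_ale": ctrl,
        "control_cost": cost,
        "improvement": improvement,
        "net_benefit": net_benefit,
        # ROI of the control spend; below 0 means the controls cost more than they save
        "roi": net_benefit / cost if cost else float("inf"),
    }


def uneconomic_controls(risks: List[Risk]) -> List[str]:
    """Names of risks whose controls cost more per year than the ALE they remove.

    These are candidates for a cheaper control, for transfer (insurance) or for
    retention, in the sense of the treatment slides.
    """
    flagged = []
    for r in risks:
        saved = ale(r.loss_per_event, r.frequency) - ale(r.controlled_loss, r.controlled_frequency)
        if r.control_cost > saved:
            flagged.append(r.name)
    return flagged


# Constructed sample register (frequencies are exact binary fractions so the
# arithmetic is exact in floating point).
SAMPLE_RISKS = [
    Risk("Ransomware outage", 200_000, 0.25, 40_000, 0.125, 25_000),
    Risk("Stolen laptop with unencrypted data", 50_000, 2.0, 2_000, 2.0, 8_000),
    Risk("Pricing data leak", 30_000, 0.5, 30_000, 0.125, 20_000),
]


if __name__ == "__main__":
    result = evaluate(SAMPLE_RISKS)
    for key, value in result.items():
        print(f"{key:>15}: {value:>12,.2f}")
    print("controls that do not pay for themselves:", uneconomic_controls(SAMPLE_RISKS))
```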

Conclusions


82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

83

Risk management conclusions
After you identify a potential risk, take the five steps to risk management:

Define → Identify → Evaluate → Mitigate → Control

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations


85

Risk management conclusions
• Process control - the mitigation tool for the risk management process
– Checklists
– Non-financial indexes (FMEA, Cp, etc.)
– Financial calculations (ROI, etc.)
– SPC
– ...

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009


88

(Four Case)
Risk Management Analysis
Thank you
Questions?


89


Slide 53

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
p



The value of "i" such that  at / (1+i) t = 0
t=1

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
James August, CQA 01/21/09

61

Risk evaluation
V a lu e a ccru e d (+ /-)

N o ch an ge
P ositive ou tcom e

C h an ge
P ositive ou tcom e

C h a n g e im p le m e n ta tio n

N o ch an ge
N egative ou tcom e

James August, CQA 01/21/09

C h an ge
N egative ou tcom e

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
James August, CQA 01/21/09

63

Mitigation

James August, CQA 01/21/09

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

James August, CQA 01/21/09

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
James August, CQA 01/21/09

66

Risk mitigation treatments





James August, CQA 01/21/09

Risk avoidance
Risk reduction
Risk retention
Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
James August, CQA 01/21/09

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia
James August, CQA 01/21/09

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia
James August, CQA 01/21/09

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
James August, CQA 01/21/09

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools





Design for Six Sigma
Investment hedging
Concurrent Engineering
Employee education & training

James August, CQA 01/21/09

72

Risk mitigation
• Some mitigation approaches for core
processes





Published financial documents – open review
Probability weighted Sales forecasts
Raw material cost projections
FTA and FMEA for design and process
• simulations and prototyping

– Inventory ABC analysis
James August, CQA 01/21/09

73

Risk mitigation
• and







Freight carrier performance statistics
Statistical Process Control
Electronic surveillance
Hedging
Invoice aging analysis and variance
Process check lists

James August, CQA 01/21/09

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for GrowthTM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
James August, CQA 01/21/09

from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)

James August, CQA 01/21/09

78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks

James August, CQA 01/21/09

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)

James August, CQA 01/21/09

80

Risk evaluation revisited
• Re-evaluate costs and benefit
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE to to
controlled recovery

James August, CQA 01/21/09

81

Conclusions

James August, CQA 01/21/09

82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)
James August, CQA 01/21/09

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:

Control
Mitigate
Evaluate
Identify
Define
James August, CQA 01/21/09

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations

James August, CQA 01/21/09

85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists





Non-financial indexes (FMEA, cp, etc)
Financial calculations (ROI, etc)
SPC
...

James August, CQA 01/21/09

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car
James August, CQA 01/21/09

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009

James August, CQA 01/21/09

88

(Four Case)
Risk Management Analysis
Thank you
Questions?

James August, CQA 01/21/09

89


Slide 54

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
(Figure: four-quadrant chart. Vertical axis "Value accrued (+/-)", horizontal axis "Cost of action". Quadrants: big cost, big gains; small cost, small gains; small cost, small losses; big cost, big losses.)

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues

20

Risk definition
(Figure: the four-quadrant chart of slide 18 again. Vertical axis "Value accrued (+/-)", horizontal axis "Cost of action". Quadrants: small cost, big gains ("no brainer"); big cost, big gains; small cost, small gains; small cost, small losses; big cost, big losses ("not a good idea"). The tolerable loss limit is marked on the chart.)

21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level

26

Identification

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.

28

Risk identification
What is at risk?

29

Risk identification
What is at risk?
Achieving your objectives!

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008

31

Risk identification
• core business op’ns & processes
– acquire new customers
– take orders
– procure materials
– create products, manage inventories
– deliver products
– collect payments

32

Risk identification
• core sales sub-processes
– market research
– pricing
– promotion and advertising
– order taking (order entry)
– warranty management

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

34

Risk identification
• core operations sub-processes
– materials sourcing (availability)
– quality control (product & process)
– plant & workplace safety
– environmental concerns
– inventory
– logistics and transport

35

Risk identification
• core finance sub-processes
– budgeting
– accounts receivable and payable
– banking
– currency exchange
– MIS and IT processes

36

Risk identification
• support business processes
– strategic planning
– brand management
– facilities and infrastructure management
– process engineering
– capital investment
– asset management

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/regulatory reporting (FDA, SOx, ...)
– supplier evaluation, management

38

Risk identification
• support business sub-processes
– quality assurance
– predictive/preventive maintenance
– recruitment, compensation
– employee relations (work stoppages)
– employee performance mgt
– payroll, benefits, ...

39

Risk identification
• other business areas
– outplacement
– employee well-being
– insurance
– mergers & acquisitions
– construction / expansion

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.
– Strengths
– Weaknesses
– Opportunities
– Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses
– Historical information - lessons learned
– Templates: critical path, engineering, ...

42

Evaluation

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

44

Risk evaluation
Frequency vs. severity risk matrix (cell letters T, L, I, H as on the original slide):

Frequency \ Severity   Negligible   Minor   Major   Severe
Frequent                   L          I       H       H
Probable                   L          I       H       H
Occasional                 T          I       I       H
Remote                     T          L       I       I

45

Risk evaluation
(Figure only; not reproduced in the transcript.)

46

Risk evaluation
(Figure only; not reproduced in the transcript.)

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criterion: RPN compared against 100 (below or above), where
– RPN = Severity x Frequency x Detectability

48
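Added example (Python, not part of the deck): the slide 45 frequency × severity matrix as a lookup and the FMEA RPN with the 100 criterion from this slide; the 1..10 scoring scale and the sample failure modes are assumptions.

```python
"""Risk-matrix rating and FMEA RPN, as an added example for the deck's
slide 45 matrix and the RPN-versus-100 criterion (not the author's code)."""

# Rating matrix exactly as drawn on slide 45: frequency row x severity column.
SEVERITIES = ("Negligible", "Minor", "Major", "Severe")
RISK_MATRIX = {
    "Frequent":   ("L", "I", "H", "H"),
    "Probable":   ("L", "I", "H", "H"),
    "Occasional": ("T", "I", "I", "H"),
    "Remote":     ("T", "L", "I", "I"),
}


def matrix_rating(frequency: str, severity: str) -> str:
    """Return the deck's cell letter (T, L, I or H) for a frequency/severity pair."""
    try:
        row = RISK_MATRIX[frequency]
        col = SEVERITIES.index(severity)
    except (KeyError, ValueError):
        raise ValueError(f"unknown frequency/severity: {frequency!r}/{severity!r}") from None
    return row[col]


def rpn(severity: int, occurrence: int, detectability: int) -> int:
    """FMEA Risk Priority Number = severity x occurrence x detectability.
    Each factor is scored on the usual 1..10 FMEA scale (assumption: the
    deck does not state the scale)."""
    for name, value in (("severity", severity), ("occurrence", occurrence),
                        ("detectability", detectability)):
        if not 1 <= value <= 10:
            raise ValueError(f"{name} must be scored 1..10, got {value}")
    return severity * occurrence * detectability


def rpn_needs_action(score: int, threshold: int = 100) -> bool:
    """Slide 48 criterion: an RPN above the threshold (100 in the deck) gets attention."""
    return score > threshold


def rank_failure_modes(modes):
    """Sort constructed failure modes (name, S, O, D) by RPN, highest first.
    Returns a list of (name, rpn, needs_action)."""
    scored = []
    for name, s, o, d in modes:
        score = rpn(s, o, d)
        scored.append((name, score, rpn_needs_action(score)))
    return sorted(scored, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    # Constructed sample: a few operational risks scored the way a team might.
    sample = [
        ("backup job silently skips a volume", 8, 3, 7),
        ("supplier ships substandard stock", 5, 4, 2),
        ("price list e-mailed to the wrong party", 7, 2, 8),
    ]
    for name, score, flagged in rank_failure_modes(sample):
        print(f"{score:4d}  {'ACT' if flagged else 'ok '}  {name}")
    print(matrix_rating("Occasional", "Major"))  # I
```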

Risk evaluation
• Typical approaches for quantification
– Weighted probabilities
– Extended cost
– Future Value or Net Present Value
– Capability analysis
– Value stream mapping
– Cost of poor quality
– Discounted Cash Flow
– Internal Rate of Return

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

50

Risk evaluation
Financial measures of c/b
• Return on Investment (ROI)
– Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.

52

Risk evaluation

• NPV = a_0 + a_1/(1+i) + a_2/(1+i)^2 + a_3/(1+i)^3 + ...

• Where
“a” is the return for each period at rate “i”

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.

56

Risk evaluation
Financial measures of c/b
• IRR
The value of "i" such that \sum_{t=1}^{p} a_t / (1+i)^t = 0

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?"
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.

58
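Added example, not the author's code: NPV from slide 53 in the deck's a_t and i notation, and the IRR found by a systematic form of the trial-and-error search slide 56 describes (bisection on i until NPV reaches zero). The cash flows are constructed.

```python
"""NPV and IRR with the deck's notation (a_t = return in period t, i = rate).
Added example; the cash-flow figures are constructed, not from the deck."""

# Constructed: invest 1000 now, get back 400 a year for three years.
SAMPLE_FLOWS = (-1000.0, 400.0, 400.0, 400.0)


def npv(rate: float, flows) -> float:
    """NPV = a0 + a1/(1+i) + a2/(1+i)^2 + ... (slide 53).
    flows[0] is the period-0 amount, normally the (negative) investment."""
    if rate <= -1.0:
        raise ValueError("rate must be greater than -100%")
    return sum(a_t / (1.0 + rate) ** t for t, a_t in enumerate(flows))


def irr(flows, low: float = -0.99, high: float = 10.0, tol: float = 1e-7) -> float:
    """Find i such that NPV(i) = 0 (slides 56-58) by bisection.

    Bisection is the deck's 'trial and error' made systematic: halve the
    bracket [low, high] until NPV is within tol of zero or the bracket is
    narrower than tol. Requires a single sign change in the cash flows;
    otherwise the IRR is not unique and a ValueError is raised rather than
    a misleading number.
    """
    nonzero = [a for a in flows if a != 0]
    changes = sum(1 for x, y in zip(nonzero, nonzero[1:]) if (x < 0) != (y < 0))
    if changes != 1:
        raise ValueError("IRR is only well defined for one sign change in the flows")
    f_low, f_high = npv(low, flows), npv(high, flows)
    if f_low * f_high > 0:
        raise ValueError("no IRR inside the search bracket")
    for _ in range(200):
        mid = (low + high) / 2.0
        f_mid = npv(mid, flows)
        if abs(f_mid) < tol or (high - low) < tol:
            return mid
        if f_low * f_mid < 0:
            high, f_high = mid, f_mid
        else:
            low, f_low = mid, f_mid
    return (low + high) / 2.0


def better_option(rate: float, *projects):
    """Slide 52: other things being equal, pick the project with the larger NPV.
    Each project is (name, flows); returns (name, npv)."""
    return max(((name, npv(rate, f)) for name, f in projects), key=lambda p: p[1])


if __name__ == "__main__":
    print(f"NPV at 10%: {npv(0.10, SAMPLE_FLOWS):.2f}")  # about -5.26
    print(f"IRR: {irr(SAMPLE_FLOWS):.4%}")                # about 9.70%
```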

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

59

Risk evaluation
• Four cases for risk evaluation:

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results

61

Risk evaluation
(Figure: four-quadrant chart. Vertical axis "Value accrued (+/-)", horizontal axis "Change implementation". Quadrants: no change, positive outcome; change, positive outcome; no change, negative outcome; change, negative outcome.)

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.

63
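Added example, not the deck's own code: the four cases of slides 61-62 valued with NPV, compared, and checked against the tolerable loss limit of slide 20. Cash flows, outcome probabilities, the 8% rate and the 600 loss limit are all constructed.

```python
"""Four-case risk evaluation (slides 61-63) as an added example.
Each case is a cash-flow stream valued by NPV; the worst case per decision is
checked against the tolerable loss limit (risk tolerance, slide 20)."""
from dataclasses import dataclass


def npv(rate, flows):
    """Same NPV as slide 53: a0 + a1/(1+i) + a2/(1+i)^2 + ..."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(flows))


@dataclass(frozen=True)
class Case:
    name: str           # one of the deck's four cases
    change: bool        # True = implement the change (ITP); False = do nothing (RTP)
    flows: tuple        # constructed cash flows a0, a1, ... for this case
    probability: float  # assumed probability of this outcome given the decision


def evaluate(cases, rate, loss_limit):
    """Per decision: NPV of each case, expected NPV, worst-case NPV and
    whether the worst case stays within the tolerable loss limit."""
    result = {}
    for change in (True, False):
        branch = [c for c in cases if c.change == change]
        if abs(sum(c.probability for c in branch) - 1.0) > 1e-9:
            raise ValueError("outcome probabilities per decision must sum to 1")
        values = {c.name: npv(rate, c.flows) for c in branch}
        worst = min(values.values())
        result["change" if change else "no change"] = {
            "cases": values,
            "expected_npv": sum(c.probability * values[c.name] for c in branch),
            "worst_case_npv": worst,
            "within_tolerance": worst >= -loss_limit,
        }
    return result


def recommend(summary):
    """Slide 63: compare the four cases, keeping the loss limit in mind.
    Prefer the higher expected NPV among decisions whose worst case stays
    within tolerance; if neither qualifies, say so."""
    ok = {k: v for k, v in summary.items() if v["within_tolerance"]}
    if not ok:
        return "neither decision stays within the tolerable loss limit"
    return max(ok, key=lambda k: ok[k]["expected_npv"])


CONSTRUCTED_CASES = (
    # Change implemented: spend 500 now; the improvement either pays 300/yr or fails.
    Case("change, positive outcome", True, (-500, 300, 300, 300), 0.7),
    Case("change, negative outcome", True, (-500, -100, 50, 50), 0.3),
    # Do nothing: ongoing costs only; the learning curve gives modest gains, or a loss hits.
    Case("no change, positive outcome", False, (0, 40, 60, 80), 0.8),
    Case("no change, negative outcome", False, (0, -400, -400, 0), 0.2),
)

if __name__ == "__main__":
    summary = evaluate(CONSTRUCTED_CASES, rate=0.08, loss_limit=600)
    for decision, s in summary.items():
        print(decision, {k: round(v, 1) for k, v in s["cases"].items()},
              "worst case within tolerance:", s["within_tolerance"])
    print("recommend:", recommend(summary))  # change
```

The "do nothing" branch here has the larger worst case, which is the deck's point that RTP decisions can hide substantial risk.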

Mitigation

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure

66

Risk mitigation treatments
– Risk avoidance
– Risk reduction
– Risk retention
– Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to avoid the risk that the airplane
might be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also, any amount of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

72

Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability weighted sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

73

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
– Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
– Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
– Determine whether product development has realistic
costs and timeframes.
– Check that a detailed budget has been established for
product development.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
– Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
– Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
– Make sure quality specifications have been defined,
authorized and formally documented.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)

78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc.)

80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to
controlled recovery

81
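Added example of the re-evaluation steps on slides 79-81 (not the deck's code): raw ALE as loss per event times occurrences per year summed over all risks, ALE recalculated with all controls assumed working, and the ALE improvement set against the annual cost of the controls. The risks, frequencies, control costs and control effects are constructed.

```python
"""Annual Loss Exposure before and after controls (slides 79-81).
Added example with constructed figures; ALE = loss per occurrence x occurrences per year."""
from dataclasses import dataclass, field


@dataclass
class Risk:
    name: str
    loss_per_event: float    # estimated loss each time it occurs (dollars)
    events_per_year: float   # frequency of occurrence (may be fractional)
    # Controls applied to this risk: (control name, annual cost,
    # fraction of frequency removed, fraction of loss removed). Constructed.
    controls: list = field(default_factory=list)

    def raw_ale(self) -> float:
        """Slide 79: loss x frequency, before any mitigation."""
        return self.loss_per_event * self.events_per_year

    def controlled_ale(self) -> float:
        """Slide 81: ALE assuming all controls are working.
        Frequency and severity reductions compound multiplicatively."""
        freq, loss = self.events_per_year, self.loss_per_event
        for _, _, freq_cut, loss_cut in self.controls:
            if not (0.0 <= freq_cut <= 1.0 and 0.0 <= loss_cut <= 1.0):
                raise ValueError("control effects must be fractions in [0, 1]")
            freq *= 1.0 - freq_cut
            loss *= 1.0 - loss_cut
        return freq * loss

    def control_cost(self) -> float:
        """Annual cost of the controls applied to this risk."""
        return sum(cost for _, cost, _, _ in self.controls)


def summarize(risks):
    """Sum over all risks (slide 79) and net the ALE improvement against
    the annual cost of the controls (slide 81)."""
    raw = sum(r.raw_ale() for r in risks)
    controlled = sum(r.controlled_ale() for r in risks)
    cost = sum(r.control_cost() for r in risks)
    return {
        "raw_ale": raw,
        "controlled_ale": controlled,
        "ale_improvement": raw - controlled,
        "control_cost": cost,
        "net_benefit": raw - controlled - cost,
    }


def controls_worth_it(risk: Risk) -> bool:
    """A control set is justified when the ALE it removes exceeds what it costs
    (compare slide 70: retaining a risk is viable when insuring costs more than the losses)."""
    return risk.raw_ale() - risk.controlled_ale() > risk.control_cost()


CONSTRUCTED_RISKS = [
    Risk("IT system outage (MIS/IT process)", 250_000, 0.2,
         [("off-site backups", 12_000, 0.0, 0.8), ("preventive maintenance", 8_000, 0.5, 0.0)]),
    Risk("substandard supplier stock", 20_000, 3.0,
         [("incoming inspection", 15_000, 0.6, 0.0)]),
    Risk("pricing data leak", 60_000, 0.5,
         [("access controls on price files", 50_000, 0.5, 0.0)]),
]

if __name__ == "__main__":
    for r in CONSTRUCTED_RISKS:
        print(f"{r.name}: raw {r.raw_ale():,.0f} -> controlled {r.controlled_ale():,.0f}"
              f" (controls {r.control_cost():,.0f}, worth it: {controls_worth_it(r)})")
    print(summarize(CONSTRUCTED_RISKS))
```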

Conclusions

82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management
(stacked bottom to top in the slide's figure):
– Define
– Identify
– Evaluate
– Mitigate
– Control

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate, support your assessment
with recognized c/b calculations

85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, cp, etc.)
– Financial calculations (ROI, etc.)
– SPC
– ...

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009

88

(Four Case)
Risk Management Analysis
Thank you
Questions?

89


Slide 55

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54


Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.

55

Risk evaluation
• The internal rate of return (IRR) is the interest rate such that the discounted sum of net cash flows is zero: if the discount rate were equal to the IRR, the net present value would be exactly zero. In general the IRR has no closed-form algebraic solution and is found numerically, by trial and error or by a root-finding routine such as bisection or Newton's method. If the cash flow stream changes sign more than once the equation can have more than one root, and a stream with no sign change (costs only, or gains only) has none, so a solver's answer must be checked against the stream.

56

Risk evaluation
Financial measures of c/b
• IRR: the value of i such that \sum_{t=0}^{p} a_t / (1+i)^t = 0, with a_0 the (negative) initial outlay; equivalently \sum_{t=1}^{p} a_t / (1+i)^t = -a_0, the PV of the future cash flows just equals the cost of the investment


57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which the total present value of future cash flows equals the cost of the investment."
• 2. "The IRR for an investment is the discount rate that produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates have to climb (the discount rate for NPV calculations) in order for the PV of gains to just cover the PV of costs?"
• The answer in each case is an interest rate; the higher the interest rate (that is, the higher the IRR), the more margin the investment has and the better the returns compare to the costs. IRR is a rate, not an amount, so a small project can show a higher IRR than a large one that earns more in total; when choosing between mutually exclusive options compare NPV as well.

58

Risk evaluation
• Excel spreadsheets can do PV, NPV, IRR and other financial value calculations.
• One check when using them: Excel's NPV() function discounts its first value by one period, so the period-0 outlay must be added outside it, as =a0 + NPV(i, a1:ap), whereas IRR() takes the whole range including a0.


59

Risk evaluation
• Four cases for risk evaluation:


60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results

61

Risk evaluation
[Figure: 2×2 chart of the four cases. Vertical axis: Value accrued (+/−). Horizontal axis: Change implementation. Quadrants: No change / Positive outcome; Change / Positive outcome; No change / Negative outcome; Change / Negative outcome.]

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
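The NPV and IRR formulas above, and the comparison of the four cases against the loss limit, worked through in Python as an added example (not code from the original slides). The cash-flow streams, the 10% discount rate and the $100,000 loss limit are constructed assumptions for a hypothetical control purchase; the IRR is found by bisection, the trial-and-error approach the slides refer to, and a stream with no sign change returns None rather than a meaningless rate.

```python
"""NPV, IRR and the four-case comparison against a loss limit.

Added example, not code from the original slides. The cash flow streams
are a constructed scenario: a proposed change (say, a new detection and
logging service) costs $50,000 up front and $10,000 a year to run, over a
three-year analysis period at a 10% discount rate. Each of the four cases
is a stream of net cash flows relative to today's baseline, period 0
being 'now'. All dollar amounts are assumptions, not data.
"""


def npv(rate, cashflows):
    """NPV = sum of a_t / (1 + i)^t for t = 0..p; a_0 is the initial outlay.

    Unlike a spreadsheet NPV() function, period 0 is NOT discounted here.
    """
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cashflows))


def sign_changes(cashflows):
    """Sign changes in the stream. One: a unique IRR exists. Zero: none.
    More than one: the IRR equation may have several roots (check them)."""
    nonzero = [a for a in cashflows if a != 0]
    return sum(1 for x, y in zip(nonzero, nonzero[1:]) if (x < 0) != (y < 0))


def irr(cashflows, lo=-0.99, hi=10.0, tol=1e-9, max_iter=200):
    """IRR by bisection on npv(rate) = 0 within the bracket [lo, hi].

    Returns None when npv has the same sign at both ends of the bracket,
    which is what happens for a stream with no sign change (costs only,
    or gains only): no rate makes its NPV zero.
    """
    f_lo, f_hi = npv(lo, cashflows), npv(hi, cashflows)
    if f_lo == 0:
        return lo
    if f_hi == 0:
        return hi
    if (f_lo < 0) == (f_hi < 0):
        return None
    for _ in range(max_iter):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cashflows)
        if hi - lo < tol:
            break
        if (f_mid < 0) == (f_lo < 0):
            lo, f_lo = mid, f_mid      # root is in the upper half
        else:
            hi, f_hi = mid, f_mid      # root is in the lower half
    return (lo + hi) / 2.0


RATE = 0.10
FOUR_CASES = {
    # change works: control costs 10k/yr and avoids 40k/yr of losses -> +30k/yr
    "change, positive outcome":    [-50_000, 30_000, 30_000, 30_000],
    # change disappoints: avoids only what it costs, plus 15k disruption in year 1
    "change, negative outcome":    [-50_000, -15_000, 0, 0],
    # do nothing and the team learns: losses shrink slowly without spending
    "no change, positive outcome": [0, 0, 5_000, 10_000],
    # do nothing and get hit: one large incident in year 1
    "no change, negative outcome": [0, -120_000, 0, 0],
}


def evaluate_cases(cases, rate):
    """NPV and IRR for every case, as {name: (npv, irr_or_None)}."""
    return {name: (npv(rate, cf), irr(cf)) for name, cf in cases.items()}


def cases_breaching_limit(cases, rate, loss_limit):
    """Cases whose discounted loss exceeds the organisation's tolerable loss limit."""
    return [name for name, cf in cases.items() if npv(rate, cf) < -loss_limit]


if __name__ == "__main__":
    for name, (v, r) in evaluate_cases(FOUR_CASES, RATE).items():
        irr_text = "n/a" if r is None else f"{r:.1%}"
        print(f"{name:28s} NPV={v:12,.0f}  IRR={irr_text}")
    print("breach $100k loss limit:",
          cases_breaching_limit(FOUR_CASES, RATE, 100_000))
```

With these numbers only the "no change, negative outcome" case breaches the loss limit, which is the point of the RTP cases: the do-nothing option is not free of risk. Three of the four streams have no IRR at all (no sign change), so the decision rests on NPV and on the loss limit rather than on a rate.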

63

Mitigation


64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.


65

Risk mitigation
• How do I reduce my risk?
• Risk is a function of the probability of an outcome (success or failure) and the value of that outcome (gain or cost)
• So either reduce the chance of failure or reduce the cost of failure

66

Risk mitigation treatments
• Risk avoidance
• Risk reduction
• Risk retention
• Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An example would be not buying a property or business in order not to take on the liability that comes with it. Another would be not flying in order not to take the risk that the airplane might be hijacked. Avoidance may seem the answer to all risks, but avoiding risks also means losing out on the potential gain that accepting (retaining) the risk may have allowed. Not entering a business to avoid the risk of loss also avoids the possibility of earning profits.
from Wikipedia

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also, any amount of potential loss (risk) over the amount insured is retained risk.
from Wikipedia

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia

71

Risk mitigation
• Distribute your risk – don’t put all your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training


72

Risk mitigation
• Some mitigation approaches for core processes
– Published financial documents – open review
– Probability weighted sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

73

Risk mitigation
• More mitigation approaches for core processes
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists


74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
– Management maintains an accurate awareness of market trends, competitor prices, etc. as determinants of pricing policy.
– Steps are taken to protect commercially sensitive pricing information from unauthorized access and leakage.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
– Determine whether product development has realistic costs and timeframes.
– Check that a detailed budget has been established for product development.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
– Ensure prompt action is taken to reject substandard supplies and arrange replacement stock.
– Verify that measures are in place to assess potential suppliers for their competence and commitment to quality.
– Make sure quality specifications have been defined, authorized and formally documented.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)


78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate the loss per occurrence (single loss expectancy) associated with each risk
– determine its annual frequency of occurrence
– multiply the two to get the raw Annual Loss Exposure (raw ALE) of that risk, and sum over all risks


79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)


80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine the effectiveness of mitigation by recalculating the Annual Loss Exposure assuming all controls are working (controlled ALE)
– Determine the cost of the risk-mitigating controls
– Determine the improvement in ALE (raw ALE minus controlled ALE) attributable to the controls and compare it with their cost; a control that costs more than the loss it prevents is a candidate for retaining the risk instead
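The three re-evaluation steps above, worked through in Python as an added example (not code from the original slides): raw ALE, controlled ALE with all controls working, the cost of the controls and the resulting improvement, plus a per-control check that flags any control whose marginal ALE reduction is below its own cost. ALE = SLE × ARO is the usual convention; the risks, controls, scaling factors and dollar figures are constructed for a hypothetical small online retailer.

```python
"""Annual Loss Exposure (ALE) before and after controls, with a per-control check.

Added example, not code from the original slides. It uses the common
convention ALE = SLE x ARO (single loss expectancy per occurrence times
annualised rate of occurrence) and models each control as scaling the ARO
and/or SLE of the risk it covers. Risks, controls and dollar figures are
constructed for a hypothetical small online retailer; none is real data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float   # loss per occurrence, dollars
    aro: float   # occurrences per year

    @property
    def ale(self) -> float:
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    covers: str               # name of the risk this control acts on
    aro_factor: float = 1.0   # multiplies ARO (0.5 = half as many events)
    sle_factor: float = 1.0   # multiplies SLE (0.2 = each event costs 20% as much)


def raw_ale(risks):
    """Raw ALE: sum over all risks with no controls assumed."""
    return sum(r.ale for r in risks)


def controlled_ale(risks, controls):
    """ALE assuming every control in `controls` is working as designed."""
    total = 0.0
    for r in risks:
        sle, aro = r.sle, r.aro
        for c in controls:
            if c.covers == r.name:
                sle *= c.sle_factor
                aro *= c.aro_factor
        total += sle * aro
    return total


def evaluate(risks, controls):
    """Improvement in ALE, cost of the controls and return on security investment."""
    before = raw_ale(risks)
    after = controlled_ale(risks, controls)
    cost = sum(c.annual_cost for c in controls)
    reduction = before - after
    return {
        "raw_ale": before,
        "controlled_ale": after,
        "ale_reduction": reduction,
        "control_cost": cost,
        "net_benefit": reduction - cost,
        "rosi": (reduction - cost) / cost if cost else float("inf"),
    }


def controls_not_paying_for_themselves(risks, controls):
    """Controls whose marginal ALE reduction, with all others in place, is below their cost.

    Such a control is a candidate for dropping: retaining the residual risk
    is cheaper than treating it.
    """
    with_all = controlled_ale(risks, controls)
    weak = []
    for c in controls:
        without_c = controlled_ale(risks, [o for o in controls if o is not c])
        if without_c - with_all < c.annual_cost:
            weak.append(c.name)
    return weak


# Constructed sample data (hypothetical).
RISKS = [
    Risk("payment card data breach", sle=250_000, aro=0.1),      # ALE 25,000
    Risk("ransomware on order system", sle=80_000, aro=0.25),    # ALE 20,000
    Risk("lost laptop with customer list", sle=5_000, aro=2.0),  # ALE 10,000
]
CONTROLS = [
    Control("tokenise card data at the payment processor", 12_000,
            "payment card data breach", sle_factor=0.2),
    Control("offline backups with restore drills", 6_000,
            "ransomware on order system", sle_factor=0.25),
    Control("full-disk encryption on laptops", 1_500,
            "lost laptop with customer list", sle_factor=0.1),
    Control("GPS tracker subscription for every laptop", 9_000,
            "lost laptop with customer list", aro_factor=0.5),
]

if __name__ == "__main__":
    for k, v in evaluate(RISKS, CONTROLS).items():
        print(f"{k:16s} {v:12,.2f}")
    print("not paying for themselves:",
          controls_not_paying_for_themselves(RISKS, CONTROLS))
```

The marginal check matters because a control can look worthwhile in the aggregate while adding almost nothing once the other controls are in place: here the tracker subscription cuts only $500 a year of exposure that disk encryption has already shrunk, against a $9,000 cost.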


81

Conclusions


82

Risk management conclusions
• Every process has risk, even when just maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be done by combined cost/benefit comparisons
• Assessment of ongoing processes must be expressed in comparison with expected costs and results
• There is no simple single calculation for risk assessment (FMEA, ROI, …)

83

Risk management conclusions
After you identify a potential risk, take the five steps to risk management:
1. Define
2. Identify
3. Evaluate
4. Mitigate
5. Control

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations


85

Risk management conclusions
• Process control - the mitigation tool for the risk management process
– Check lists
– Non-financial indexes (FMEA, Cp, etc)
– Financial calculations (ROI, etc)
– SPC
– ...


86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009


88

(Four Case)
Risk Management Analysis
Thank you
Questions?


89


Slide 56

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
p



The value of "i" such that  at / (1+i) t = 0
t=1

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
James August, CQA 01/21/09

61

Risk evaluation
V a lu e a ccru e d (+ /-)

N o ch an ge
P ositive ou tcom e

C h an ge
P ositive ou tcom e

C h a n g e im p le m e n ta tio n

N o ch an ge
N egative ou tcom e

James August, CQA 01/21/09

C h an ge
N egative ou tcom e

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
James August, CQA 01/21/09

63

Mitigation

James August, CQA 01/21/09

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

James August, CQA 01/21/09

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
James August, CQA 01/21/09

66

Risk mitigation treatments





James August, CQA 01/21/09

Risk avoidance
Risk reduction
Risk retention
Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
James August, CQA 01/21/09

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia
James August, CQA 01/21/09

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia
James August, CQA 01/21/09

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
James August, CQA 01/21/09

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools





Design for Six Sigma
Investment hedging
Concurrent Engineering
Employee education & training

James August, CQA 01/21/09

72

Risk mitigation
• Some mitigation approaches for core
processes





Published financial documents – open review
Probability weighted Sales forecasts
Raw material cost projections
FTA and FMEA for design and process
• simulations and prototyping

– Inventory ABC analysis
James August, CQA 01/21/09

73

Risk mitigation
• and







Freight carrier performance statistics
Statistical Process Control
Electronic surveillance
Hedging
Invoice aging analysis and variance
Process check lists

James August, CQA 01/21/09

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for GrowthTM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
James August, CQA 01/21/09

from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)

James August, CQA 01/21/09

78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks

James August, CQA 01/21/09

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)

James August, CQA 01/21/09

80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine the effectiveness of mitigation by
recalculating the Annual Loss Exposure assuming
all controls are working (the controlled ALE); this
is the best case, since a control that is not
monitored may not actually be working
– Determine the cost of the risk-mitigating controls
– Determine the improvement in ALE (raw ALE minus
controlled ALE) and compare it with the cost of the
controls; a control only pays for itself when the
loss reduction it buys exceeds what it costs
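The ALE re-evaluation described on the slides above, carried through in code as an added example; it is not code from the presentation or from any source it cites. It assumes the usual decomposition ALE = single loss expectancy × annualized rate of occurrence, models a control as reducing either the chance of failure or the cost of failure (the deck's two mitigation levers), and applies the deck's NPV formula and a trial-and-error IRR to the multi-year net benefit of the controls. The `Risk` class, `SAMPLE_RISKS`, the dollar figures and the reduction factors are constructed sample data, not figures from the presentation.

```python
"""Annual Loss Exposure (ALE) before and after controls.

Added example; the risks and dollar figures below are constructed
sample data, not figures from the presentation.  Assumes the usual
decomposition ALE = SLE x ARO (single loss expectancy times annualized
rate of occurrence).
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float         # single loss expectancy: dollars lost per occurrence
    aro: float         # annualized rate of occurrence: expected events per year
    aro_factor: float  # ARO multiplier once controls work (reduce chance of failure)
    sle_factor: float  # SLE multiplier once controls work (reduce cost of failure)


# Constructed sample register: one risk from each checklist above.
SAMPLE_RISKS = [
    # Pricing: leak of commercially sensitive pricing data; access controls
    # cut the expected frequency to a quarter, the loss per leak is unchanged.
    Risk("pricing data leak", sle=250_000, aro=0.2, aro_factor=0.25, sle_factor=1.0),
    # Materials: a substandard supplier lot; supplier assessment halves the
    # frequency and prompt rejection halves the loss when it still happens.
    Risk("substandard supplier lot", sle=60_000, aro=1.0, aro_factor=0.5, sle_factor=0.5),
    # R&D: budget/timeframe overrun; a detailed budget makes it less likely.
    Risk("R&D budget overrun", sle=100_000, aro=0.5, aro_factor=0.6, sle_factor=1.0),
]


def ale(sle: float, aro: float) -> float:
    """Annual Loss Exposure for one risk: loss per event times events per year."""
    return sle * aro


def raw_ale(risks: List[Risk]) -> float:
    """Raw ALE: no controls, summed over all risks."""
    return sum(ale(r.sle, r.aro) for r in risks)


def controlled_ale(risks: List[Risk]) -> float:
    """ALE recalculated assuming every control is working.
    This is the best case; an unmonitored control may not be working."""
    return sum(ale(r.sle * r.sle_factor, r.aro * r.aro_factor) for r in risks)


def net_annual_benefit(risks: List[Risk], annual_control_cost: float) -> float:
    """Improvement in ALE bought by the controls minus what they cost per year.
    Negative means the controls cost more than the losses they prevent."""
    return raw_ale(risks) - controlled_ale(risks) - annual_control_cost


def npv(cash_flows: List[float], rate: float) -> float:
    """NPV = a0 + a1/(1+i) + a2/(1+i)^2 + ...  (the presentation's formula);
    cash_flows[t] is the net flow at the end of period t, t = 0 being now."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


def control_cash_flows(risks: List[Risk], one_time_cost: float,
                       annual_control_cost: float, years: int) -> List[float]:
    """Year 0: the one-time cost of putting the controls in.  Years 1..n: the
    ALE reduction minus the annual cost of running the controls."""
    return [-one_time_cost] + [net_annual_benefit(risks, annual_control_cost)] * years


def irr(cash_flows: List[float], lo: float = -0.99, hi: float = 10.0) -> Optional[float]:
    """Internal rate of return: the rate at which NPV is zero.  There is no
    closed form, so bisect on the sign of NPV (trial and error, as the deck
    says).  Returns None when NPV does not change sign on [lo, hi]."""
    f_lo, f_hi = npv(cash_flows, lo), npv(cash_flows, hi)
    if f_lo * f_hi > 0:
        return None
    for _ in range(200):
        mid = (lo + hi) / 2.0
        f_mid = npv(cash_flows, mid)
        if f_lo * f_mid <= 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


if __name__ == "__main__":
    flows = control_cash_flows(SAMPLE_RISKS, one_time_cost=100_000,
                               annual_control_cost=60_000, years=3)
    print(f"raw ALE        ${raw_ale(SAMPLE_RISKS):>10,.0f}")
    print(f"controlled ALE ${controlled_ale(SAMPLE_RISKS):>10,.0f}")
    print(f"net benefit/yr ${net_annual_benefit(SAMPLE_RISKS, 60_000):>10,.0f}")
    print(f"NPV at 10%     ${npv(flows, 0.10):>10,.0f}")
    r = irr(flows)
    print(f"IRR            {r:.1%}" if r is not None else "IRR: not defined")
```

With the constructed register the controls cut the summed ALE from $160,000 to $57,500 a year; after the $60,000 annual cost of running them the net benefit is $42,500 a year, which against a $100,000 one-time cost gives a positive NPV at a 10% discount rate and an IRR of roughly 13%. Change `aro_factor` or `sle_factor` toward 1.0 (controls that barely work) and the sign of `net_annual_benefit` flips, which is the check the re-evaluation step exists to make.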

Conclusions


Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:

Define
Identify
Evaluate
Mitigate
Control

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions, as they can hide
substantial risk
• Consider all four risk cases
• When appropriate, support your assessment
with recognized cost/benefit calculations

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, Cp, etc)
– Financial calculations (ROI, etc)
– SPC
– ...

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009


(Four Case)
Risk Management Analysis
Thank you
Questions?



Slide 57

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
p



The value of "i" such that  at / (1+i) t = 0
t=1

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
James August, CQA 01/21/09

61

Risk evaluation
V a lu e a ccru e d (+ /-)

N o ch an ge
P ositive ou tcom e

C h an ge
P ositive ou tcom e

C h a n g e im p le m e n ta tio n

N o ch an ge
N egative ou tcom e

James August, CQA 01/21/09

C h an ge
N egative ou tcom e

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
James August, CQA 01/21/09

63

Mitigation

James August, CQA 01/21/09

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

James August, CQA 01/21/09

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
James August, CQA 01/21/09

66

Risk mitigation treatments





James August, CQA 01/21/09

Risk avoidance
Risk reduction
Risk retention
Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
James August, CQA 01/21/09

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia
James August, CQA 01/21/09

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia
James August, CQA 01/21/09

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
James August, CQA 01/21/09

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools





Design for Six Sigma
Investment hedging
Concurrent Engineering
Employee education & training

James August, CQA 01/21/09

72

Risk mitigation
• Some mitigation approaches for core
processes





Published financial documents – open review
Probability weighted Sales forecasts
Raw material cost projections
FTA and FMEA for design and process
• simulations and prototyping

– Inventory ABC analysis
James August, CQA 01/21/09

73

Risk mitigation
• and







Freight carrier performance statistics
Statistical Process Control
Electronic surveillance
Hedging
Invoice aging analysis and variance
Process check lists

James August, CQA 01/21/09

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for GrowthTM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
James August, CQA 01/21/09

from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)

James August, CQA 01/21/09

78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks

James August, CQA 01/21/09

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)

James August, CQA 01/21/09

80

Risk evaluation revisited
• Re-evaluate costs and benefit
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE to to
controlled recovery

James August, CQA 01/21/09

81

Conclusions

James August, CQA 01/21/09

82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)
James August, CQA 01/21/09

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:

Control
Mitigate
Evaluate
Identify
Define
James August, CQA 01/21/09

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations

James August, CQA 01/21/09

85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists





Non-financial indexes (FMEA, cp, etc)
Financial calculations (ROI, etc)
SPC
...

James August, CQA 01/21/09

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car
James August, CQA 01/21/09

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009

James August, CQA 01/21/09

88

(Four Case)
Risk Management Analysis
Thank you
Questions?

James August, CQA 01/21/09

89


Slide 58

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures


Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.


Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level

Identification


Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.

Risk identification
What is at risk?
Achieving your objectives!


Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008

Risk identification
• core business operations & processes
– acquire new customers
– take orders
– procure materials
– create products, manage inventories
– deliver products
– collect payments

Risk identification
• core sales sub-processes
– market research
– pricing
– promotion and advertising
– order taking (order entry)
– warranty management

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection


Risk identification
• core operations sub-processes
– materials sourcing (availability)
– quality control (product & process)
– plant & workplace safety
– environmental concerns
– inventory
– logistics and transport

Risk identification
• core finance sub-processes
– budgeting
– accounts receivable and payable
– banking
– currency exchange
– MIS and IT processes

Risk identification
• support business processes
– strategic planning
– brand management
– facilities and infrastructure management
– process engineering
– capital investment
– asset management

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management

Risk identification
• support business sub-processes (continued)
– quality assurance
– predictive/ preventive maintenance
– recruitment, compensation
– employee relations (work stoppages)
– employee performance management
– payroll, benefits, ...

Risk identification
• other business areas
– outplacement
– employee well-being
– insurance
– mergers & acquisitions
– construction / expansion

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.
– Strengths
– Weaknesses
– Opportunities
– Threats

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...

Evaluation


Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?


Risk evaluation
Risk matrix: frequency (rows) against severity (columns); the cell letters are
the risk classes used on the slide.

Frequency    | Negligible | Minor | Major | Severe
-------------+------------+-------+-------+-------
Frequent     |     L      |   I   |   H   |   H
Probable     |     L      |   I   |   H   |   H
Occasional   |     T      |   I   |   I   |   H
Remote       |     T      |   L   |   I   |   I

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: flag failure modes whose RPN exceeds a threshold (commonly 100), where
– RPN = Severity x Occurrence (frequency) x Detectability
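The matrix and RPN scoring above, carried through as an added Python example (not material from the deck): the matrix is the slide's own table, while the FMEA worksheet rows and the 1..10 rating scales are assumptions constructed for illustration.

```python
"""Qualitative risk scoring: the frequency x severity matrix from the slide
and FMEA Risk Priority Numbers (RPN). Added example; the failure-mode
worksheet below is constructed for illustration, not taken from the deck."""

# The matrix exactly as tabulated on the slide: rows are frequency classes,
# columns are severity classes, and the letters are the slide's own risk
# classes (their legend is not given on the slide).
SEVERITY = ("Negligible", "Minor", "Major", "Severe")
RISK_MATRIX = {
    "Frequent":   ("L", "I", "H", "H"),
    "Probable":   ("L", "I", "H", "H"),
    "Occasional": ("T", "I", "I", "H"),
    "Remote":     ("T", "L", "I", "I"),
}


def matrix_class(frequency, severity):
    """Risk class for one (frequency, severity) pair; an unknown label is an
    error rather than a silent default, so a typo in a risk register is caught."""
    if frequency not in RISK_MATRIX or severity not in SEVERITY:
        raise ValueError(f"unknown matrix cell: {frequency!r} / {severity!r}")
    return RISK_MATRIX[frequency][SEVERITY.index(severity)]


def rpn(severity, occurrence, detection):
    """FMEA Risk Priority Number = S x O x D on the customary 1..10 scales
    (an assumption; the slide gives no scale). Detection is scored so that
    10 means 'cannot be detected before the effect occurs', which is why a
    poorly detected failure raises the RPN rather than lowering it."""
    for name, value in (("severity", severity), ("occurrence", occurrence),
                        ("detection", detection)):
        if not 1 <= value <= 10:
            raise ValueError(f"{name} must be in 1..10, got {value}")
    return severity * occurrence * detection


def prioritize(failure_modes, threshold=100):
    """Failure modes whose RPN exceeds the threshold, highest RPN first.
    Ties are broken by severity so a severe-but-rare failure is never
    ranked below a frequent trivial one with the same product."""
    above = []
    for fm in failure_modes:
        score = rpn(fm["S"], fm["O"], fm["D"])
        if score > threshold:
            above.append((score, fm["S"], fm["name"]))
    above.sort(reverse=True)
    return [(name, score) for score, _, name in above]


# Constructed sample FMEA worksheet (S = severity, O = occurrence, D = detection).
SAMPLE_FMEA = [
    {"name": "backup job fails silently",   "S": 8, "O": 4, "D": 7},
    {"name": "order entry typo",            "S": 3, "O": 6, "D": 2},
    {"name": "supplier ships wrong grade",  "S": 7, "O": 3, "D": 5},
    {"name": "pricing file leaked",         "S": 9, "O": 2, "D": 9},
]

if __name__ == "__main__":
    print("Occasional / Severe ->", matrix_class("Occasional", "Severe"))
    for name, score in prioritize(SAMPLE_FMEA):
        print(f"RPN {score:4d}  {name}")
```

Note how the two scorings disagree on purpose: the "order entry typo" is frequent but scores RPN 36 because it is easy to catch, while the rarely occurring "pricing file leaked" scores 162 because nobody would notice it. The RPN threshold is a triage aid, not a substitute for looking at severity on its own.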


Risk evaluation
• Typical approaches for quantification
– Weighted probabilities
– Extended cost
– Future Value or Net Present Value
– Capability analysis
– Value stream mapping
– Cost of poor quality
– Discounted Cash Flow
– Internal Rate of Return

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency


Risk evaluation
Financial measures of cost/benefit (c/b)
• Return on Investment (ROI)
Net B/C ratio = (PV of benefits – PV of operating
costs) / PV of capital costs

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.

Risk evaluation

• NPV = a_0 + a_1/(1+i) + a_2/(1+i)^2 + a_3/(1+i)^3 + ... = \sum_{t=0}^{p} a_t / (1+i)^t

• Where
a_t is the net cash flow in period t (a_0 is the initial outlay, normally negative) and i is the discount rate per period


Risk evaluation
Financial measures of c/b
• Discounted cash flow (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR has no closed-form algebraic solution; it has to
be found numerically, by trial and error or by a root-finding
method such as bisection.

Risk evaluation
Financial measures of c/b
• IRR
The value of i such that NPV(i) = \sum_{t=0}^{p} a_t / (1+i)^t = 0,
with a_0 the initial outlay (negative) and a_1 ... a_p the later net cash flows;
equivalently, \sum_{t=1}^{p} a_t / (1+i)^t = -a_0, i.e. the PV of the future
flows just covers the cost of the investment.

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?"
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.
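NPV, IRR and the net B/C ratio from the preceding slides, carried through in Python as an added example (not the deck's material, and not a replacement for the spreadsheet functions). The cash-flow stream and the 8% cost of capital are constructed. IRR is found by bisection, which is the "trial and error" the slides refer to; the function refuses to return a rate when the stream has no sign change, because such a stream has no IRR.

```python
"""Time-value-of-money measures from the preceding slides: NPV, IRR and the
net benefit/cost ratio. Added example, not the deck's material; the cash
flows and the 8% cost of capital are constructed for illustration."""


def npv(rate, cash_flows):
    """NPV = a_0 + a_1/(1+i) + a_2/(1+i)^2 + ...
    cash_flows[t] is the net cash flow a_t of period t; a_0 is the period-0
    flow, normally the (negative) initial outlay; rate is i per period."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


def irr(cash_flows, lo=-0.99, hi=10.0, tol=1e-9, max_iter=200):
    """The rate at which NPV is zero, found by bisection (the slides'
    'trial and error'; there is no closed form). Bisection needs NPV to
    change sign between lo and hi, which holds for the usual pattern of an
    outlay followed by returns. A stream with no sign change (all costs, or
    all gains) has no IRR, so the function raises instead of returning a
    meaningless number."""
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        raise ValueError("NPV does not change sign on the bracket; IRR is undefined")
    for _ in range(max_iter):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol or (hi - lo) < tol:
            return mid
        if f_lo * f_mid < 0:      # root lies in [lo, mid]
            hi = mid
        else:                      # root lies in [mid, hi]
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


def net_bc_ratio(rate, benefits, operating_costs, capital_costs):
    """Net B/C = (PV of benefits - PV of operating costs) / PV of capital
    costs, each argument a per-period series starting at period 0."""
    pv_capital = npv(rate, capital_costs)
    if pv_capital == 0:
        raise ValueError("no capital cost: the ratio is undefined")
    return (npv(rate, benefits) - npv(rate, operating_costs)) / pv_capital


# Constructed project: 10,000 out now, 4,000 net back in each of the next
# three years, cost of capital 8% per year.
PROJECT = [-10_000.0, 4_000.0, 4_000.0, 4_000.0]
RATE = 0.08

if __name__ == "__main__":
    print("NPV at 8%:", round(npv(RATE, PROJECT), 2))
    print("IRR:", round(irr(PROJECT), 4))
    print("Net B/C:", round(net_bc_ratio(RATE, [0, 5_000, 5_000, 5_000],
                                          [0, 1_000, 1_000, 1_000],
                                          [10_000, 0, 0, 0]), 3))
```

For the constructed project the NPV at 8% is about 308 and the IRR is about 9.7%, so the project clears the cost of capital by a thin margin; that margin, not the sign of the NPV alone, is what the risk tolerance discussion on the later slides is about.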


Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results

Risk evaluation
[Chart: value accrued (+/-) plotted against change implementation. The four cases occupy the four regions: no change, positive outcome; change, positive outcome; no change, negative outcome; change, negative outcome.]

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
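The four-case comparison as an added Python example (not from the deck): each case is a net cash-flow stream valued by NPV, the two outcomes of each option carry an assumed probability, and the worst case of each option is checked against the tolerable loss limit before expected values are compared. All figures, the discount rate and the probabilities are constructed assumptions.

```python
"""Four-case comparison from the slides: change vs. no change, each with a
positive and a negative outcome, valued by NPV and checked against the
tolerable loss limit. Added example; all figures are constructed."""


def npv(rate, cash_flows):
    """a_0 + a_1/(1+i) + a_2/(1+i)^2 + ... with a_0 the period-0 flow."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


def evaluate_four_cases(cases, rate, tolerable_loss):
    """cases = {"change":    {"positive": (p, flows), "negative": (p, flows)},
                "no change": {"positive": (p, flows), "negative": (p, flows)}}
    where the two probabilities of an option sum to 1 and flows are net cash
    flows per period, period 0 first. Returns the NPV of each of the four
    cases, the expected NPV and worst case per option, and a recommendation.
    An option whose worst case breaches the tolerable loss limit is rejected
    even if its expected value is higher: the limit is what you can afford to
    lose, not an average, and the probabilities are estimates anyway."""
    options = {}
    for option, outcomes in cases.items():
        total_p = sum(p for p, _ in outcomes.values())
        if abs(total_p - 1.0) > 1e-9:
            raise ValueError(f"{option}: outcome probabilities sum to {total_p}, not 1")
        values = {name: npv(rate, flows) for name, (_, flows) in outcomes.items()}
        expected = sum(p * values[name] for name, (p, _) in outcomes.items())
        worst = min(values.values())
        options[option] = {
            "npv": values,
            "expected": expected,
            "worst": worst,
            "within_limit": worst >= -tolerable_loss,
        }
    acceptable = [o for o, r in options.items() if r["within_limit"]]
    recommend = max(acceptable, key=lambda o: options[o]["expected"]) if acceptable else None
    return {"options": options, "recommend": recommend}


# Constructed example (the "change" could be a process change or a new control).
# Change: 60,000 now. Works (70%): 40,000/yr net for 3 years. Fails (30%): the
# 60,000 is sunk and rework costs 10,000/yr for 2 years. No change: 80% chance
# of slow learning-curve gains, 20% chance the old process fails expensively.
CASES = {
    "change": {
        "positive": (0.7, [-60_000, 40_000, 40_000, 40_000]),
        "negative": (0.3, [-60_000, -10_000, -10_000, 0]),
    },
    "no change": {
        "positive": (0.8, [0, 5_000, 6_000, 7_000]),
        "negative": (0.2, [0, -20_000, -50_000, -50_000]),
    },
}

if __name__ == "__main__":
    result = evaluate_four_cases(CASES, rate=0.08, tolerable_loss=100_000)
    for option, r in result["options"].items():
        print(f"{option:10s} positive {r['npv']['positive']:>10,.0f}"
              f"  negative {r['npv']['negative']:>10,.0f}"
              f"  expected {r['expected']:>9,.0f}  within limit: {r['within_limit']}")
    print("recommend:", result["recommend"])
```

With these numbers "do nothing" has the worse expected NPV and its adverse case (about -101,000) breaks a 100,000 loss limit, which is precisely the hidden run-the-process risk the slides warn about. Raise the limit to 200,000 and both options pass the check, and "change" still wins on expected value; lower it to 50,000 and neither option is acceptable, which is a signal to escalate rather than to pick the lesser evil quietly.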

Mitigation


Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.


Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure

Risk mitigation treatments
• Risk avoidance
• Risk reduction
• Risk retention
• Risk transfer

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also, any amount of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability weighted sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for GrowthTM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N


Evaluation
(re-evaluation after control)


Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate the loss per occurrence associated with
each risk
– determine the expected frequency of occurrence
(events per year)
– multiply the two to get each risk's raw
Annual Loss Exposure (raw ALE) and
sum over all risks


Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)


Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine the effectiveness of mitigation by
recalculating the Annual Loss Exposure assuming
all controls are working
– Determine the cost of the risk-mitigating controls
– Determine the improvement in ALE due to the
controls (raw ALE minus controlled ALE) and
compare it with their cost
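The re-evaluation steps above (raw ALE, controlled ALE, cost of controls, improvement) as an added Python example, not the deck's material; the risk register, control costs and reduction factors are constructed. Loss per event and frequency are kept separate so that a control can act on either one, which is how a control that limits damage (backups) differs from one that prevents the event (a second check at order entry).

```python
"""Annual Loss Exposure (ALE) before and after controls, following the
re-evaluation steps on the preceding slides. Added example; the risk
register, control costs and reduction factors are constructed."""


def ale(loss_per_event, events_per_year):
    """ALE for one risk: loss per occurrence times expected occurrences per
    year. The frequency may be below 1 (0.1 means 'about once a decade')."""
    if loss_per_event < 0 or events_per_year < 0:
        raise ValueError("loss and frequency must be non-negative")
    return loss_per_event * events_per_year


def evaluate_controls(risks, controls):
    """risks:    {name: (loss_per_event, events_per_year)}
    controls: {name: {"cost": annual_cost,
                      "reduces": {risk_name: (loss_factor, freq_factor)}}}
    A factor is the fraction of loss (or frequency) that REMAINS once the
    control is working: 0.25 means 'cut to a quarter'. Several controls on
    one risk multiply, so two 50% reductions leave 25%, not 0%.
    Returns raw ALE, controlled ALE, total control cost and the net annual
    benefit (improvement in ALE minus the cost of the controls)."""
    raw = {r: ale(loss, freq) for r, (loss, freq) in risks.items()}
    controlled = {}
    for r, (loss, freq) in risks.items():
        for control in controls.values():
            if r in control["reduces"]:
                loss_factor, freq_factor = control["reduces"][r]
                if not (0 <= loss_factor <= 1 and 0 <= freq_factor <= 1):
                    raise ValueError(f"reduction factors for {r!r} must be in [0, 1]")
                loss, freq = loss * loss_factor, freq * freq_factor
        controlled[r] = ale(loss, freq)
    raw_total = sum(raw.values())
    controlled_total = sum(controlled.values())
    cost = sum(control["cost"] for control in controls.values())
    return {
        "raw_ale": raw_total,
        "controlled_ale": controlled_total,
        "control_cost": cost,
        "net_benefit": (raw_total - controlled_total) - cost,
        "per_risk": {r: (raw[r], controlled[r]) for r in risks},
    }


# Constructed register: (loss per event in dollars, expected events per year).
RISKS = {
    "ransomware outage":     (400_000, 0.10),   # roughly once a decade
    "mis-shipped order":     (2_000,   25.0),
    "supplier quality slip": (30_000,  1.5),
}
# Constructed controls; a factor of 1.0 leaves that dimension untouched.
CONTROLS = {
    "offline backups with tested restore": {
        "cost": 15_000,
        "reduces": {"ransomware outage": (0.25, 1.0)},   # same frequency, 1/4 the loss
    },
    "order-entry double check": {
        "cost": 8_000,
        "reduces": {"mis-shipped order": (1.0, 0.2)},    # same loss, 1/5 the frequency
    },
    "supplier audit program": {
        "cost": 20_000,
        "reduces": {"supplier quality slip": (0.5, 0.5)},
    },
}

if __name__ == "__main__":
    result = evaluate_controls(RISKS, CONTROLS)
    for key in ("raw_ale", "controlled_ale", "control_cost", "net_benefit"):
        print(f"{key:15s} {result[key]:>12,.0f}")
```

The net benefit is the slides' "improvement in ALE" less the cost of the controls; a negative value says the control set costs more per year than the exposure it removes, and the per-risk figures show which control is responsible. The usual caveat applies: the loss and frequency inputs are estimates, so a control whose case rests on a single rare, expensive event deserves a sensitivity check on that frequency before the number is quoted.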


Conclusions


Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:
• 1. Define
• 2. Identify
• 3. Evaluate
• 4. Mitigate
• 5. Control

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations


Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, Cp, etc)
– Financial calculations (ROI, etc)
– SPC
– ...

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from Joe Nocera (on Nassim Taleb), "Risk Mismanagement",
The New York Times Magazine, Jan. 4, 2009, p. 28


(Four Case)
Risk Management Analysis
Thank you
Questions?



(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA


Definition


Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira


Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.


Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability


Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large


Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $


Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output


Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.


Risk definition
[Chart: value accrued (+/-) plotted against cost of action, with four regions: big cost, big gains; small cost, small gains; small cost, small losses; big cost, big losses.]

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
p



The value of "i" such that  at / (1+i) t = 0
t=1

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results

61

Risk evaluation
[Figure: four-case chart. Vertical axis: Value accrued (+/-); horizontal axis: Change implementation. Quadrants: No change / Positive outcome; Change / Positive outcome; No change / Negative outcome; Change / Negative outcome.]

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
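As an added example (not code from the slides) of comparing the four cases the way the last two slides describe, this Python script values each case by NPV at a hurdle rate, approximates IRR by bisection (the trial-and-error method the IRR slide mentions), and flags the cases whose loss exceeds the tolerable loss limit. The cash-flow streams, discount rate and loss limit are constructed illustrative values.

```python
"""Four-case comparison with NPV and IRR (added example; not from the slides).

The cash-flow streams, discount rate and loss limit below are constructed
illustrative values, not figures from the presentation.  NPV follows the
slide formula NPV = a0 + a1/(1+i) + a2/(1+i)^2 + ...; IRR is the rate at
which NPV is zero, approximated by bisection because no closed formula exists.
"""
from typing import Dict, List, Optional, Sequence

DISCOUNT_RATE = 0.10            # organization's hurdle rate "i" (constructed)
TOLERABLE_LOSS_LIMIT = 30_000   # risk tolerance loss limit, dollars (constructed)

# Constructed net cash flows a_0 .. a_3 (year 0 = today) for the four cases.
FOUR_CASES: Dict[str, List[float]] = {
    "change, positive outcome":    [-50_000, 25_000, 30_000, 30_000],
    "change, negative outcome":    [-50_000, -10_000, 5_000, 5_000],
    "no change, positive outcome": [0, 2_000, 3_000, 4_000],        # learning-curve gains
    "no change, negative outcome": [0, -15_000, -15_000, -15_000],  # process degrades
}


def npv(rate: float, cash_flows: Sequence[float]) -> float:
    """Net present value: sum of a_t / (1 + i)^t, with a_0 undiscounted."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


def irr(cash_flows: Sequence[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-7, max_iter: int = 200) -> Optional[float]:
    """Internal rate of return by bisection on NPV(i) over [lo, hi].

    Returns None when NPV(lo) and NPV(hi) have the same sign: a stream that
    never changes sign (all gains, or all losses) has no IRR, which is why
    the two "do nothing" cases cannot be ranked by IRR at all.
    """
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        return None
    for _ in range(max_iter):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol:
            return mid
        if f_lo * f_mid < 0:      # root lies in [lo, mid]
            hi, f_hi = mid, f_mid
        else:                     # root lies in [mid, hi]
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


def evaluate_cases(cases: Dict[str, Sequence[float]], rate: float,
                   loss_limit: float) -> Dict[str, Dict[str, object]]:
    """Value each case at the hurdle rate and flag those breaching the loss limit."""
    results: Dict[str, Dict[str, object]] = {}
    for name, flows in cases.items():
        value = npv(rate, flows)
        results[name] = {
            "npv": round(value, 2),
            "irr": irr(flows),
            "within_loss_limit": value >= -loss_limit,
        }
    return results


def cases_breaching_limit(results: Dict[str, Dict[str, object]]) -> List[str]:
    """Names of the cases whose present-value loss exceeds the organization's tolerance."""
    return [name for name, r in results.items() if not r["within_loss_limit"]]


if __name__ == "__main__":
    results = evaluate_cases(FOUR_CASES, DISCOUNT_RATE, TOLERABLE_LOSS_LIMIT)
    for name, r in results.items():
        irr_txt = "n/a" if r["irr"] is None else f"{r['irr']:.1%}"
        print(f"{name:28s} NPV={r['npv']:>12,.2f}  IRR={irr_txt:>6s}  "
              f"within limit={r['within_loss_limit']}")
    print("cases breaching the loss limit:", cases_breaching_limit(results))
```

A negative IRR, as in the "change, negative outcome" case, only says the returns never cover the cost; the NPV and the loss-limit flag are what the comparison should rest on.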

63

Mitigation


64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.


65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure

66

Risk mitigation treatments
• Risk avoidance
• Risk reduction
• Risk retention
• Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also, any amount of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

72

Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability weighted Sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

73

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.

from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)


78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks


79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc.)


80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to
controlled recovery
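The three re-evaluation slides above, worked as an added example (not code from the presentation): raw ALE is loss per event times annual frequency, summed over the register; recalculating with all controls assumed to work gives the controlled ALE, and the ALE improvement is set against the annual cost of the controls. The risk register is constructed sample data.

```python
"""Annual Loss Exposure (ALE) before and after controls (added example; not from the slides).

Each risk carries an estimated loss per occurrence and an annual frequency;
raw ALE is their product, summed over the register.  Re-evaluating with all
controls assumed to work gives the controlled ALE, and comparing the ALE
improvement with the annual cost of the controls shows whether each control
pays for itself.  The register below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class Risk:
    name: str
    loss_per_event: float        # estimated loss per occurrence, dollars
    frequency: float             # expected occurrences per year, uncontrolled
    controlled_loss: float       # loss per occurrence with controls working
    controlled_frequency: float  # occurrences per year with controls working
    control_cost: float          # annual cost of the mitigating control, dollars


# Constructed risk register (sample values, not from the presentation).
RISK_REGISTER: List[Risk] = [
    Risk("substandard supplies accepted",   20_000, 4.0,  20_000, 1.0,  15_000),
    Risk("pricing information leak",       250_000, 0.1, 250_000, 0.02, 12_000),
    Risk("freight damage in transit",        2_000, 5.0,     800, 5.0,   9_000),
]


def raw_ale(risk: Risk) -> float:
    """Raw ALE = loss per event x expected frequency per year."""
    return risk.loss_per_event * risk.frequency


def controlled_ale(risk: Risk) -> float:
    """ALE recalculated assuming the risk's controls are working."""
    return risk.controlled_loss * risk.controlled_frequency


def ale_improvement(risk: Risk) -> float:
    """Annual loss removed by the control."""
    return raw_ale(risk) - controlled_ale(risk)


def evaluate_register(risks: Sequence[Risk]) -> Dict[str, float]:
    """Sum raw ALE, controlled ALE, control cost and net benefit over all risks."""
    raw_total = sum(raw_ale(r) for r in risks)
    controlled_total = sum(controlled_ale(r) for r in risks)
    control_total = sum(r.control_cost for r in risks)
    improvement = raw_total - controlled_total
    return {
        "raw_ale": raw_total,
        "controlled_ale": controlled_total,
        "control_cost": control_total,
        "ale_improvement": improvement,
        "net_benefit": improvement - control_total,
    }


def controls_that_pay(risks: Sequence[Risk]) -> List[str]:
    """Risks whose control removes more annual loss than it costs to run."""
    return [r.name for r in risks if ale_improvement(r) > r.control_cost]


def candidates_for_retention(risks: Sequence[Risk]) -> List[str]:
    """Risks where the control costs at least as much as the loss it removes,
    so retaining the loss (as with small risks on the retention slide) may be cheaper."""
    return [r.name for r in risks if ale_improvement(r) <= r.control_cost]


if __name__ == "__main__":
    for r in RISK_REGISTER:
        print(f"{r.name:32s} raw ALE={raw_ale(r):>10,.0f}  controlled ALE="
              f"{controlled_ale(r):>9,.0f}  control cost={r.control_cost:>8,.0f}")
    totals = evaluate_register(RISK_REGISTER)
    for key, value in totals.items():
        print(f"{key:16s} {value:>12,.2f}")
    print("controls that pay for themselves:", controls_that_pay(RISK_REGISTER))
    print("candidates for risk retention:", candidates_for_retention(RISK_REGISTER))
```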


81

Conclusions


82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:
Define
Identify
Evaluate
Mitigate
Control

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations


85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, cp, etc.)
– Financial calculations (ROI, etc.)
– SPC
– ...

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009


88

(Four Case)
Risk Management Analysis
Thank you
Questions?


89


Slide 60

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
p



The value of "i" such that  at / (1+i) t = 0
t=1

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
James August, CQA 01/21/09

61

Risk evaluation
V a lu e a ccru e d (+ /-)

N o ch an ge
P ositive ou tcom e

C h an ge
P ositive ou tcom e

C h a n g e im p le m e n ta tio n

N o ch an ge
N egative ou tcom e

James August, CQA 01/21/09

C h an ge
N egative ou tcom e

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
James August, CQA 01/21/09

63

Mitigation

James August, CQA 01/21/09

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

James August, CQA 01/21/09

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
James August, CQA 01/21/09

66

Risk mitigation treatments





James August, CQA 01/21/09

Risk avoidance
Risk reduction
Risk retention
Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
James August, CQA 01/21/09

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia
James August, CQA 01/21/09

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia
James August, CQA 01/21/09

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
James August, CQA 01/21/09

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools





Design for Six Sigma
Investment hedging
Concurrent Engineering
Employee education & training

James August, CQA 01/21/09

72

Risk mitigation
• Some mitigation approaches for core
processes





Published financial documents – open review
Probability weighted Sales forecasts
Raw material cost projections
FTA and FMEA for design and process
• simulations and prototyping

– Inventory ABC analysis
James August, CQA 01/21/09

73

Risk mitigation
• and







Freight carrier performance statistics
Statistical Process Control
Electronic surveillance
Hedging
Invoice aging analysis and variance
Process check lists

James August, CQA 01/21/09

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for GrowthTM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
James August, CQA 01/21/09

from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)

James August, CQA 01/21/09

78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks

James August, CQA 01/21/09

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)

James August, CQA 01/21/09

80

Risk evaluation revisited
• Re-evaluate costs and benefit
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE to to
controlled recovery

James August, CQA 01/21/09

81

Conclusions

James August, CQA 01/21/09

82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)
James August, CQA 01/21/09

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:

Control
Mitigate
Evaluate
Identify
Define
James August, CQA 01/21/09

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations

James August, CQA 01/21/09

85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists





Non-financial indexes (FMEA, cp, etc)
Financial calculations (ROI, etc)
SPC
...

James August, CQA 01/21/09

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car
James August, CQA 01/21/09

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009

James August, CQA 01/21/09

88

(Four Case)
Risk Management Analysis
Thank you
Questions?

James August, CQA 01/21/09

89


Slide 61

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-at-risk
is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.

from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value ¹P one trading day from now. The
portfolio's current value ⁰p is known.
Value-at-risk equals the amount of money such
that there is a 90% probability of the portfolio
losing less than that amount over the next
trading day.

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA


7

Definition


8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira


9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.


10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability


11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large


14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $


15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output


16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.


17

Risk definition
The four cases, plotted as value accrued (+/-) against cost of action:

                     Value accrued (+/-)
                  small cost,    |  big cost,
    gains (+)     small gains    |  big gains
   ------------------ Cost of action ------------------
    losses (-)    small cost,    |  big cost,
                  small losses   |  big losses

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues

20

Risk definition
The same four cases, with the "no brainer" quadrant, the tolerable loss limit and the "not a good idea" quadrant marked:

                     Value accrued (+/-)
                  small cost,    |
    gains (+)     big gains      |  big cost,
                  "no brainer"   |  big gains
                  small cost,    |
                  small gains    |
   ------------------ Cost of action ------------------
    losses (-)    small cost,    |
                  small losses   |
   - - - - - - - tolerable loss limit - - - - - - - - -
                                 |  big cost,
                                 |  big losses
                                 |  "not a good idea"

21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures


24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.


25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level

26

Identification


27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.

28

Risk identification
What is at risk?


29

Risk identification
What is at risk?
Achieving your objectives!


30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008

31

Risk identification
• core business op’ns & processes
– acquire new customers
– take orders
– procure materials
– create products, manage inventories
– deliver products
– collect payments

32

Risk identification
• core sales sub-processes
– market research
– pricing
– promotion and advertising
– order taking (order entry)
– warranty management

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection


34

Risk identification
• core operations sub-processes
– materials sourcing (availability)
– quality control (product & process)
– plant & workplace safety
– environmental concerns
– inventory
– logistics and transport

35

Risk identification
• core finance sub-processes
– budgeting
– accounts receivable and payable
– banking
– currency exchange
– MIS and IT processes

36

Risk identification
• support business processes
– strategic planning
– brand management
– facilities and infrastructure management
– process engineering
– capital investment
– asset management

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management

38

Risk identification
• support business sub-processes
– quality assurance
– predictive/ preventive maintenance
– recruitment, compensation
– employee relations (work stoppages)
– employee performance mgt
– payroll, benefits, ...

39

Risk identification
• other business areas
– outplacement
– employee well-being
– insurance
– mergers & acquisitions
– construction / expansion

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.
– Strengths
– Weaknesses
– Opportunities
– Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...

42

Evaluation


43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?


44

Risk evaluation
Risk matrix: frequency of occurrence (rows) against severity (columns)

Frequency     Negligible   Minor   Major   Severe
Frequent          L          I       H       H
Probable          L          I       H       H
Occasional        T          I       I       H
Remote            T          L       I       I

45

Risk evaluation


46

Risk evaluation


47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability


48

Risk evaluation
• Typical approaches for quantification
– Weighted probabilities
– Extended cost
– Future Value or Net Present Value
– Capability analysis
– Value stream mapping
– Cost of poor quality
– Discounted Cash Flow
– Internal Rate of Return

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency


50

Risk evaluation
Financial measures of c/b
• Return on Investment (ROI)
Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.

52

Risk evaluation
• NPV = a0 + a1/(1+i) + a2/(1+i)^2 + a3/(1+i)^3 + ...
• Where
“a” is the return for each period at rate “i”

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54


Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.

56

Risk evaluation
Financial measures of c/b
• IRR
The value of "i" such that
  Σ (t = 1 .. p) a_t / (1+i)^t = 0

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?"
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.


59

Risk evaluation
• Four cases for risk evaluation:


60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results

61

Risk evaluation
The four risk cases, plotted as value accrued (+/-) against change implementation:

                       Value accrued (+/-)
                  No change          |  Change
    positive      Positive outcome   |  Positive outcome
   ---------------- Change implementation ----------------
    negative      No change          |  Change
                  Negative outcome   |  Negative outcome

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.

63
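
As an added worked example (mine, not the presenter's; the deck itself points at Excel for these), the NPV formula of slide 53, the trial-and-error IRR of slide 56 and the four-case comparison of slides 61 and 63 carried through in Python. The cash flows, the 10% discount rate and the tolerable loss limit of 80 are constructed figures, not numbers from the deck.

```python
"""NPV, trial-and-error IRR and the four-case comparison (added example,
not from the presentation).  Cash flows, rate and loss limit are constructed."""
from typing import Dict, Sequence


def npv(cash_flows: Sequence[float], rate: float) -> float:
    """NPV = a0 + a1/(1+i) + a2/(1+i)^2 + ... with a_t the net return of
    period t and i the discount rate (cash_flows[0] is the period-0 amount)."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


def irr(cash_flows: Sequence[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-10, max_iter: int = 500) -> float:
    """The rate i at which NPV(i) is zero.  There is no closed form, so this is
    the trial-and-error search the slides mention, done as a bisection on
    NPV(i); it needs NPV to change sign between lo and hi, which holds for the
    usual 'pay out now, receive later' stream."""
    f_lo, f_hi = npv(cash_flows, lo), npv(cash_flows, hi)
    if f_lo * f_hi > 0:
        raise ValueError("NPV keeps one sign on [lo, hi]: no IRR found there")
    for _ in range(max_iter):
        mid = 0.5 * (lo + hi)
        f_mid = npv(cash_flows, mid)
        if abs(f_mid) < tol or (hi - lo) < tol:
            return mid
        if f_lo * f_mid < 0:      # sign change on [lo, mid]: root is there
            hi, f_hi = mid, f_mid
        else:                      # otherwise the root is on [mid, hi]
            lo, f_lo = mid, f_mid
    return 0.5 * (lo + hi)


# Constructed four-case figures (period-0 amount first, then three periods):
#   change + planned results, change + adverse results,
#   no change + learning-curve gain, no change + adverse results.
FOUR_CASES: Dict[str, Sequence[float]] = {
    "change / planned results":    [-100.0, 60.0, 60.0, 60.0],
    "change / adverse results":    [-100.0, 10.0, 10.0, 10.0],
    "no change / learning curve":  [0.0, 5.0, 5.0, 5.0],
    "no change / adverse results": [0.0, -40.0, -40.0, -40.0],
}
DISCOUNT_RATE = 0.10          # assumed cost of capital
TOLERABLE_LOSS_LIMIT = 80.0   # assumed worst-case loss the organisation can absorb


def four_case_comparison(cases, rate, tolerable_loss_limit):
    """Value each case with NPV (the organisation's chosen metric here), then
    check the worst outcome of each decision (change vs. no change) against
    the tolerable loss limit.  Returns the per-case NPVs and the check."""
    values = {name: npv(cf, rate) for name, cf in cases.items()}
    report = {}
    for decision in ("change", "no change"):
        worst = min(v for name, v in values.items() if name.startswith(decision))
        report[decision] = {
            "worst_case_npv": worst,
            "within_tolerance": -worst <= tolerable_loss_limit,
        }
    return values, report


if __name__ == "__main__":
    values, report = four_case_comparison(FOUR_CASES, DISCOUNT_RATE, TOLERABLE_LOSS_LIMIT)
    for name, v in values.items():
        print(f"{name:30s} NPV = {v:8.2f}")
    print("IRR of the planned change:", round(irr(FOUR_CASES["change / planned results"]), 4))
    for decision, r in report.items():
        print(decision, r)
```

With these figures the "do nothing" decision is the one that breaches the loss limit, which is the point of slide 85: RTP decisions can hide substantial risk.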

Mitigation


64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.


65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure

66

Risk mitigation treatments
• Risk avoidance
• Risk reduction
• Risk retention
• Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amount of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

72

Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability weighted Sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

73

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)


78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks


79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)


80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to
controlled recovery

81
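
As an added example (mine, not the deck's), the re-evaluation arithmetic of slides 79 to 81 run over a constructed risk register: raw Annual Loss Exposure, ALE with every control working, control cost, the improvement and the net benefit per risk, plus each risk's letter on the slide 45 matrix before and after controls. The register values, and the dollar and events-per-year thresholds used to map a risk onto the matrix headings, are assumptions of this example.

```python
"""Annual Loss Exposure before and after controls, on a constructed risk
register (added example, not from the presentation)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Risk:
    """One row of the register.  All numbers are constructed."""
    name: str
    loss_per_event: float        # estimated loss each time the event occurs ($)
    raw_frequency: float         # occurrences per year with no control in place
    controlled_frequency: float  # occurrences per year assuming the control works
    control_cost: float          # annual cost of the mitigating control ($)

    def __post_init__(self) -> None:
        if self.controlled_frequency > self.raw_frequency:
            raise ValueError(f"{self.name}: a control cannot raise the frequency")


# The frequency x severity matrix from the "Risk evaluation" slide, letters
# exactly as shown there (T, L, I, H).
RISK_MATRIX: Dict[str, Dict[str, str]] = {
    "Frequent":   {"Negligible": "L", "Minor": "I", "Major": "H", "Severe": "H"},
    "Probable":   {"Negligible": "L", "Minor": "I", "Major": "H", "Severe": "H"},
    "Occasional": {"Negligible": "T", "Minor": "I", "Major": "I", "Severe": "H"},
    "Remote":     {"Negligible": "T", "Minor": "L", "Major": "I", "Severe": "I"},
}


def severity_class(loss_per_event: float) -> str:
    """Assumed dollar thresholds (mine, not the deck's) for the severity headings."""
    if loss_per_event < 1_000:
        return "Negligible"
    if loss_per_event < 25_000:
        return "Minor"
    if loss_per_event < 100_000:
        return "Major"
    return "Severe"


def frequency_class(events_per_year: float) -> str:
    """Assumed thresholds (mine, not the deck's) for the frequency headings."""
    if events_per_year >= 10:
        return "Frequent"
    if events_per_year >= 1:
        return "Probable"
    if events_per_year >= 0.1:
        return "Occasional"
    return "Remote"


def matrix_rating(risk: Risk, controlled: bool = False) -> str:
    """Letter from the matrix for a risk, using its raw or controlled frequency."""
    freq = risk.controlled_frequency if controlled else risk.raw_frequency
    return RISK_MATRIX[frequency_class(freq)][severity_class(risk.loss_per_event)]


def annual_loss_exposure(register: List[Risk], controlled: bool = False) -> float:
    """Loss x frequency per risk, summed over all risks: raw ALE with the
    uncontrolled frequencies, controlled ALE assuming every control works."""
    return sum(r.loss_per_event * (r.controlled_frequency if controlled else r.raw_frequency)
               for r in register)


def evaluate_controls(register: List[Risk]) -> Tuple[List[dict], dict]:
    """Per-risk and total: raw ALE, controlled ALE, control cost, the ALE
    improvement the control buys, and the net benefit (improvement - cost).
    A negative net benefit means the control costs more than the loss it
    removes, the situation in which retaining the risk is the cheaper choice."""
    rows = []
    for r in register:
        raw = r.loss_per_event * r.raw_frequency
        ctl = r.loss_per_event * r.controlled_frequency
        rows.append({
            "name": r.name, "raw_ale": raw, "controlled_ale": ctl,
            "control_cost": r.control_cost, "improvement": raw - ctl,
            "net_benefit": raw - ctl - r.control_cost,
            "rating_before": matrix_rating(r), "rating_after": matrix_rating(r, True),
        })
    total = {k: sum(row[k] for row in rows)
             for k in ("raw_ale", "controlled_ale", "control_cost", "improvement", "net_benefit")}
    return rows, total


# Constructed register: one materials risk, one pricing-information risk and
# one high-volume, low-value order-entry risk.
REGISTER = [
    Risk("supplier ships a substandard lot", 20_000, 4.0, 1.0, 15_000),
    Risk("pricing information leaks to a competitor", 250_000, 0.2, 0.05, 30_000),
    Risk("order-entry error", 500, 50.0, 10.0, 25_000),
]

if __name__ == "__main__":
    rows, total = evaluate_controls(REGISTER)
    for row in rows:
        print(f"{row['name']:45s} {row['rating_before']}->{row['rating_after']} "
              f"raw {row['raw_ale']:>9,.0f} ctl {row['controlled_ale']:>9,.0f} "
              f"net {row['net_benefit']:>+9,.0f}")
    print("totals:", total)
```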

Conclusions


82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:

Define
Identify
Evaluate
Mitigate
Control

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations


85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, cp, etc)
– Financial calculations (ROI, etc)
– SPC
– ...

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
– Retirement funding
– Investments
• Home
• Car

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009


88

(Four Case)
Risk Management Analysis
Thank you
Questions?


89


Slide 62

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes
– materials sourcing (availability)
– quality control (product & process)
– plant & workplace safety
– environmental concerns
– inventory
– logistics and transport

35

Risk identification
• core finance sub-processes
– budgeting
– accounts receivable and payable
– banking
– currency exchange
– MIS and IT processes

36

Risk identification
• support business processes
– strategic planning
– brand management
– facilities and infrastructure management
– process engineering
– capital investment
– asset management

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
38

Risk identification
• support business sub-processes
– quality assurance
– predictive/ preventive maintenance
– recruitment, compensation
– employee relations (work stoppages)
– employee performance mgt
– payroll, benefits, ...

39

Risk identification
• other business areas
– outplacement
– employee well-being
– insurance
– mergers & acquisitions
– construction / expansion

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.
– Strengths
– Weaknesses
– Opportunities
– Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
42

Evaluation

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

44

Risk evaluation
Risk matrix: rows are frequency of occurrence, columns are severity of
the consequence. The cell codes T, L, I, H are those of the original slide
(the slide does not spell them out; from their placement T is the lowest
rating and H the highest).

Frequency    | Negligible | Minor | Major | Severe
-------------+------------+-------+-------+-------
Frequent     |     L      |   I   |   H   |   H
Probable     |     L      |   I   |   H   |   H
Occasional   |     T      |   I   |   I   |   H
Remote       |     T      |   L   |   I   |   I

45

Risk evaluation

46

Risk evaluation

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– RPN = Severity x Occurrence (frequency) x Detection, each
scored on a 1 to 10 scale, so RPN runs from 1 to 1000
– Criterion: act on failure modes whose RPN exceeds an agreed
threshold (100 is a common rule of thumb), and on any
high-severity mode regardless of its RPN

48

Risk evaluation
• Typical approaches for quantification
– Weighted probabilities
– Extended cost
– Future Value or Net Present Value
– Capability analysis
– Value stream mapping
– Cost of poor quality
– Discounted Cash Flow
– Internal Rate of Return

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

50

Risk evaluation
Financial measures of c/b
• Return on Investment (ROI)
– Net B/C ratio = (PV of benefits – PV of operating costs) / PV of capital costs

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
52

Risk evaluation

• NPV $= \sum_{t=0}^{p} \frac{a_t}{(1+i)^t} = a_0 + \frac{a_1}{1+i} + \frac{a_2}{(1+i)^2} + \frac{a_3}{(1+i)^3} + \cdots$

• Where $a_t$ is the net cash flow (return) in period $t$, $i$ is the
discount rate per period, and $a_0$ is the undiscounted period-0 amount
(the initial outlay, negative for an investment).

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.

54

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
In general the IRR has no closed-form solution (the
NPV equation is a polynomial in 1/(1+i)), so it is
found numerically by iteration: bracket a rate at which
NPV changes sign and narrow the bracket (bisection), or
use a spreadsheet's IRR function. A cash-flow stream
whose sign changes more than once can have several
IRRs, or none; inspect the NPV curve in that case.

56

Risk evaluation
Financial measures of c/b
• IRR

The value of $i$ such that $\sum_{t=0}^{p} \frac{a_t}{(1+i)^t} = 0$,
that is, the rate at which NPV = 0; equivalently
$\sum_{t=1}^{p} \frac{a_t}{(1+i)^t} = -a_0$, the present value of the
future cash flows equals the initial cost $a_0$.

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?"
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

59

Risk evaluation
• Four cases for risk evaluation:

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
61

Risk evaluation
[Chart: the four cases plotted with "Change implementation" (no change /
change) on the horizontal axis and "Value accrued (+/-)" on the vertical
axis; quadrants: No change / Positive outcome, Change / Positive outcome,
No change / Negative outcome, Change / Negative outcome.]

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
63

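The NPV and IRR formulas of slides 53 and 57 and the four-case comparison against the tolerable loss limit of slides 61 to 63, carried through in code. This is an added example, not material from the presentation: the cash flows, outcome probabilities, the 10% discount rate and the loss limits are constructed for illustration, and the function and class names are the example's own.

```python
"""Added example, not from the presentation: NPV and IRR as defined on the
slides, then the four-case comparison against a tolerable loss limit.
Cash flows, probabilities, discount rate and loss limits are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple


def npv(rate: float, cash_flows: Sequence[float]) -> float:
    """NPV = a_0 + a_1/(1+i) + a_2/(1+i)^2 + ...  (a_0 is the undiscounted
    period-0 amount: the initial outlay, negative for an investment)."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


def irr(cash_flows: Sequence[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-10, max_iter: int = 200) -> float:
    """The rate i at which npv(i, cash_flows) == 0.  No closed form exists, so
    this is the slides' "trial and error" made systematic: bisection on a
    bracket [lo, hi] across which NPV changes sign."""
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        raise ValueError("NPV does not change sign on the bracket: no single IRR")
    for _ in range(max_iter):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol or (hi - lo) < tol:
            return mid
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


@dataclass(frozen=True)
class Case:
    decision: str                  # "change" or "no change"
    outcome: str                   # "positive" or "negative"
    probability: float             # P(outcome | decision); a decision's outcomes sum to 1
    cash_flows: Tuple[float, ...]  # period-0 outlay first, then net cash flow per period


def evaluate_four_cases(cases: Sequence[Case], rate: float,
                        tolerable_loss_limit: float) -> Dict[str, dict]:
    """Per decision: NPV of each outcome, probability-weighted expected NPV,
    worst-case NPV, and whether that worst case stays inside the loss limit."""
    report: Dict[str, dict] = {}
    for decision in ("change", "no change"):
        branch = [c for c in cases if c.decision == decision]
        if abs(sum(c.probability for c in branch) - 1.0) > 1e-9:
            raise ValueError(f"outcome probabilities for '{decision}' must sum to 1")
        values = {c.outcome: npv(rate, c.cash_flows) for c in branch}
        worst = min(values.values())
        report[decision] = {
            "npv_by_outcome": values,
            "expected_npv": sum(c.probability * values[c.outcome] for c in branch),
            "worst_case_npv": worst,
            "within_tolerance": worst >= -tolerable_loss_limit,
        }
    return report


def recommend(report: Dict[str, dict]) -> Optional[str]:
    """Highest expected NPV among decisions whose worst case is tolerable;
    None when neither decision stays inside the loss limit."""
    tolerable = {d: r for d, r in report.items() if r["within_tolerance"]}
    if not tolerable:
        return None
    return max(tolerable, key=lambda d: tolerable[d]["expected_npv"])


# Constructed illustration: a change costing 80 now; with probability 0.7 it
# pays 60/yr for three years, with probability 0.3 the rollout fails and costs
# a further 20/yr.  Doing nothing: 0.6 chance the learning curve yields 10/yr,
# 0.4 chance the process degrades and loses 30/yr.
SAMPLE_CASES = (
    Case("change", "positive", 0.7, (-80, 60, 60, 60)),
    Case("change", "negative", 0.3, (-80, -20, -20, -20)),
    Case("no change", "positive", 0.6, (0, 10, 10, 10)),
    Case("no change", "negative", 0.4, (0, -30, -30, -30)),
)
DISCOUNT_RATE = 0.10  # constructed cost of capital


def run_sample(tolerable_loss_limit: float):
    report = evaluate_four_cases(SAMPLE_CASES, DISCOUNT_RATE, tolerable_loss_limit)
    return report, recommend(report)


if __name__ == "__main__":
    print("IRR of (-100, 60, 60): %.4f" % irr((-100, 60, 60)))
    for limit in (150.0, 100.0, 50.0):
        report, choice = run_sample(limit)
        print(f"loss limit {limit:6.1f}: recommend {choice!r}; "
              + "; ".join(f"{d} E[NPV]={r['expected_npv']:.1f} worst={r['worst_case_npv']:.1f}"
                          for d, r in report.items()))
```

Run as a script it prints the IRR of a simple stream and the four-case report at three loss limits. With the constructed figures the change has the higher expected NPV, yet at a loss limit of 100 the recommendation flips to "no change" because the change's adverse case breaches the limit, and at 50 neither decision is tolerable; that is the "keep in mind the organization's risk tolerance loss limit" point of slide 63 in numbers.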
Mitigation

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of the probability of
success (or of failure) and the value of success
(or the cost of failure)
• Either reduce the chance of failure or
reduce the cost of failure

66

Risk mitigation treatments
– Risk avoidance
– Risk reduction
– Risk retention
– Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia
69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia
70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

72

Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability weighted sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

73

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for GrowthTM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)

78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate the loss per occurrence associated with
each risk
– determine frequencies of occurrence (events per year)
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and sum over all risks.
In information-security risk analysis the same product
is called the Annualized Loss Expectancy: single loss
expectancy x annual rate of occurrence.

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)

80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine the effectiveness of mitigation by
recalculating the Annual Loss Exposure assuming
all controls are working (the controlled ALE)
– Determine the annual cost of the risk-mitigating controls
– Determine the improvement in ALE attributable to the
controls (raw ALE minus controlled ALE) and compare it
with their cost: a control that costs more per year than
the exposure it removes is not justified on these figures
81

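The raw-versus-controlled ALE procedure of slides 79 to 81, carried through in code over a small risk register. This is an added example and not material from the presentation: the risks, loss estimates, frequencies and control costs are constructed for illustration (information-security risks are used for concreteness; the arithmetic is the same for any risk area), and the class and function names are the example's own. ALE here is loss per event times events per year, the product that information-security risk analysis calls SLE x ARO.

```python
"""Added example, not from the presentation: the raw-versus-controlled ALE
comparison of the slides.  The risk register, frequencies, loss estimates and
control costs below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class Risk:
    name: str
    loss_per_event: float              # estimated loss each time the risk materialises
    events_per_year: float             # raw frequency of occurrence, events per year
    controlled_loss_per_event: float   # loss per event assuming the control works
    controlled_events_per_year: float  # frequency assuming the control works
    control_cost_per_year: float       # annualised cost of the mitigating control


def ale(loss_per_event: float, events_per_year: float) -> float:
    """Annual Loss Exposure for one risk: loss per event x events per year
    (the same product that infosec risk analysis calls SLE x ARO)."""
    return loss_per_event * events_per_year


def mitigation_report(register: Sequence[Risk]) -> Dict[str, object]:
    """Raw ALE, controlled ALE, ALE reduction, control cost and net benefit
    (reduction minus cost), per risk and in total.  A negative net benefit
    means the control costs more per year than the exposure it removes."""
    rows: List[dict] = []
    for r in register:
        raw = ale(r.loss_per_event, r.events_per_year)
        controlled = ale(r.controlled_loss_per_event, r.controlled_events_per_year)
        rows.append({
            "risk": r.name,
            "raw_ale": raw,
            "controlled_ale": controlled,
            "ale_reduction": raw - controlled,
            "control_cost": r.control_cost_per_year,
            "net_benefit": (raw - controlled) - r.control_cost_per_year,
        })
    totals = {k: sum(row[k] for row in rows) for k in
              ("raw_ale", "controlled_ale", "ale_reduction", "control_cost", "net_benefit")}
    return {"rows": rows, **totals}


def justified_controls(report: Dict[str, object]) -> List[str]:
    """Risks whose control pays for itself: ALE reduction exceeds control cost."""
    return [row["risk"] for row in report["rows"] if row["net_benefit"] > 0]


# Constructed register (illustrative figures only); field order as in Risk:
# loss/event, events/yr, loss/event with control, events/yr with control, control cost/yr
SAMPLE_REGISTER = (
    Risk("ransomware on file server", 200_000, 0.10, 40_000, 0.05, 15_000),
    Risk("phished staff credentials", 30_000, 0.50, 30_000, 0.05, 6_000),
    Risk("lost or stolen laptop", 5_000, 2.00, 1_000, 2.00, 1_000),
    Risk("public web page defacement", 2_000, 0.20, 2_000, 0.02, 12_000),
)


def run_sample() -> Dict[str, object]:
    return mitigation_report(SAMPLE_REGISTER)


if __name__ == "__main__":
    rep = run_sample()
    for row in rep["rows"]:
        print(f"{row['risk']:30s} raw {row['raw_ale']:9,.0f} "
              f"controlled {row['controlled_ale']:8,.0f} net {row['net_benefit']:9,.0f}")
    print(f"total raw ALE {rep['raw_ale']:,.0f}, controlled {rep['controlled_ale']:,.0f}, "
          f"control cost {rep['control_cost']:,.0f}, net benefit {rep['net_benefit']:,.0f}")
    print("controls justified:", justified_controls(rep))
```

In the constructed register three controls remove more exposure than they cost; the fourth (a 12,000-a-year monitoring contract against a 400-a-year exposure) does not, so on these figures that risk would be retained rather than mitigated, which is the retention case of slide 70. Note that ALE is an expected value: a control against a rare but catastrophic loss can fail this test and still be required by the tolerable loss limit of slide 20, so check both.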
Conclusions

82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)
83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:
(1) Define
(2) Identify
(3) Evaluate
(4) Mitigate
(5) Control

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations

85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, Cp, etc)
– Financial calculations (ROI, etc)
– SPC
– ...

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car
87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J. Nocera (on N. Taleb), “Risk Mismanagement”,
The New York Times Magazine (Sunday), p. 28, Jan. 4, 2009

88

(Four Case)
Risk Management Analysis
Thank you
Questions?

89


Slide 63

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
p



The value of "i" such that  at / (1+i) t = 0
t=1

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
James August, CQA 01/21/09

61

Risk evaluation
V a lu e a ccru e d (+ /-)

N o ch an ge
P ositive ou tcom e

C h an ge
P ositive ou tcom e

C h a n g e im p le m e n ta tio n

N o ch an ge
N egative ou tcom e

James August, CQA 01/21/09

C h an ge
N egative ou tcom e

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
James August, CQA 01/21/09

63

Mitigation

James August, CQA 01/21/09

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

James August, CQA 01/21/09

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
James August, CQA 01/21/09

66

Risk mitigation treatments





James August, CQA 01/21/09

Risk avoidance
Risk reduction
Risk retention
Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
James August, CQA 01/21/09

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples include sprinklers designed to put out a fire to reduce the risk of loss by fire.
• Modern software development methodologies reduce risk by developing and delivering software incrementally. Early methodologies suffered from the fact that they only delivered software in the final phase of development; any problems encountered in earlier phases meant costly rework and often jeopardized the whole project.
from Wikipedia

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self insurance falls in this category. Risk retention is a viable strategy for small risks where the cost of insuring against the risk would be greater over time than the total losses sustained. All risks that are not avoided or transferred are retained by default. This includes risks that are so large or catastrophic that they either cannot be insured against or the premiums would be infeasible.
• Also, any amount of potential loss (risk) over the amount insured is retained risk.
from Wikipedia

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically by contract or by hedging. Insurance is one type of risk transfer that uses contracts.
• Some ways of managing risk fall into multiple categories. Risk retention pools are technically retaining the risk for the group, but spreading it over the whole group involves transfer among individual members of the group. This is different from traditional insurance, in that no premium is exchanged between members of the group up front, but instead losses are assessed to all members of the group.
from Wikipedia

71

Risk mitigation
• Distribute your risk – don’t put all your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

72

Risk mitigation
• Some mitigation approaches for core processes
– Published financial documents – open review
– Probability weighted sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

73

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

74

Risk mitigation
• Checklists – Sample Risk Checklist for Pricing
– Management maintains an accurate awareness of market trends, competitor prices, etc. as determinants of pricing policy.
– Steps are taken to protect commercially sensitive pricing information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

75

Risk mitigation
• Checklists – Sample R&D Risk Checklist
– Determine whether product development has realistic costs and timeframes.
– Check that a detailed budget has been established for product development.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

76

Risk mitigation
• Checklists – Sample Materials Management Risk Checklist
– Ensure prompt action is taken to reject substandard supplies and arrange replacement stock.
– Verify that measures are in place to assess potential suppliers for their competence and commitment to quality.
– Make sure quality specifications have been defined, authorized and formally documented.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)


78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate the loss associated with each occurrence of each risk
– determine frequencies of occurrence (per year)
– multiply together to calculate the raw Annual Loss Exposure (raw ALE) and sum over all risks

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is meaningful to your organization (ROI, NPV, DCF, IRR, etc)

80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by recalculating Annual Loss Exposure assuming all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to controlled recovery

81
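The three re-evaluation steps above, as an added worked example that is not from the slides: loss per occurrence times annual frequency gives the raw ALE of each risk, re-estimating every risk with the controls assumed to be working gives the controlled ALE, and the reduction less the annual cost of the controls is their net benefit. The risks, figures, controls and reduction factors are constructed; Risk, Control, controlled_risk, ale_by_risk, evaluate_controls and rank_controls are this example's own names, and the assumption that several controls acting on one risk combine multiplicatively is the example's, not the deck's.

```python
# Added example (not from the slides): Annual Loss Exposure (ALE) before and after
# mitigating controls, and the net annual value of those controls. Every risk,
# loss figure, frequency and control cost below is constructed for illustration.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Risk:
    name: str
    loss_per_event: float    # estimated loss each time the risk materialises ($k)
    events_per_year: float   # estimated frequency of occurrence (events per year)

    def ale(self):
        """ALE = loss per event x events per year."""
        return self.loss_per_event * self.events_per_year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float       # $k per year, including upkeep
    # Effect of the control on each risk, keyed by risk name: the fraction by
    # which it cuts the event frequency, or the loss when an event still occurs.
    frequency_reduction: dict = field(default_factory=dict)
    loss_reduction: dict = field(default_factory=dict)


# Constructed operating risks for a small manufacturer, and candidate controls.
RISKS = (
    Risk("supplier stock-out", loss_per_event=40.0, events_per_year=2.0),
    Risk("pricing data leak", loss_per_event=250.0, events_per_year=0.1),
    Risk("defective raw material lot", loss_per_event=15.0, events_per_year=6.0),
)
CONTROLS = (
    Control("supplier qualification and dual sourcing", 25.0,
            frequency_reduction={"supplier stock-out": 0.5, "defective raw material lot": 0.5}),
    Control("access control on pricing data", 10.0,
            frequency_reduction={"pricing data leak": 0.7}),
    Control("incoming inspection with SPC", 15.0,
            loss_reduction={"defective raw material lot": 0.6}),
)


def controlled_risk(risk, controls):
    """Re-estimate one risk assuming all the given controls are working.
    Reductions from several controls combine multiplicatively (assumed independent)."""
    freq, loss = risk.events_per_year, risk.loss_per_event
    for c in controls:
        freq *= 1.0 - c.frequency_reduction.get(risk.name, 0.0)
        loss *= 1.0 - c.loss_reduction.get(risk.name, 0.0)
    return Risk(risk.name, loss, freq)


def ale_by_risk(risks=RISKS, controls=CONTROLS):
    """Raw and controlled ALE per risk, plus the totals summed over all risks."""
    rows = {r.name: (round(r.ale(), 2), round(controlled_risk(r, controls).ale(), 2))
            for r in risks}
    rows["TOTAL"] = (round(sum(r.ale() for r in risks), 2),
                     round(sum(controlled_risk(r, controls).ale() for r in risks), 2))
    return rows


def evaluate_controls(risks=RISKS, controls=CONTROLS):
    """Effectiveness of a set of controls: ALE reduction, cost, net annual
    benefit and return on the control spend (ROSI)."""
    raw = sum(r.ale() for r in risks)
    controlled = sum(controlled_risk(r, controls).ale() for r in risks)
    cost = sum(c.annual_cost for c in controls)
    reduction = raw - controlled
    return {
        "raw_ale": round(raw, 2),
        "controlled_ale": round(controlled, 2),
        "ale_reduction": round(reduction, 2),
        "control_cost": round(cost, 2),
        "net_benefit": round(reduction - cost, 2),
        "rosi": round((reduction - cost) / cost, 3) if cost else None,
    }


def rank_controls(risks=RISKS, controls=CONTROLS):
    """Net annual benefit of each control taken alone, best first. A control whose
    cost exceeds the ALE it removes gets a negative entry: not worth buying on these
    numbers alone, though it may still be needed for compliance or the loss limit."""
    ranked = [(c.name, evaluate_controls(risks, (c,))["net_benefit"]) for c in controls]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for name, (raw, ctl) in ale_by_risk().items():
        print(f"{name:32s} raw ALE {raw:7.2f}  controlled ALE {ctl:7.2f}")
    print(evaluate_controls())
    print(rank_controls())
```

Ranking the controls one at a time is what tells you where the next dollar of mitigation spend goes; evaluating them only as a bundle hides a control that costs more than the exposure it removes.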

Conclusions


82

Risk management conclusions
• Every process has risk, even when just maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be done by combined cost/benefit comparisons
• Assessment of ongoing processes must be expressed in comparison with expected costs and results
• There is no simple single calculation for risk assessment (FMEA, ROI, …)

83

Risk management conclusions
After you identify a potential risk, take the five steps to risk management:
– Define
– Identify
– Evaluate
– Mitigate
– Control

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide substantial risk
• Consider all four risk cases
• When appropriate support your assessment with recognized c/b calculations

85

Risk management conclusions
• Process control - the mitigation tool for the risk management process
– Check lists
– Non-financial indexes (FMEA, Cp, etc)
– Financial calculations (ROI, etc)
– SPC
– ...

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding
– Investments
• Home
• Car

87

Risk management conclusions
“... the greatest risks are never the ones you can see and measure, but the ones you can’t see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009

88

(Four Case)
Risk Management Analysis
Thank you
Questions?


89


Slide 64

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
p



The value of "i" such that  at / (1+i) t = 0
t=1

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
James August, CQA 01/21/09

61

Risk evaluation
V a lu e a ccru e d (+ /-)

N o ch an ge
P ositive ou tcom e

C h an ge
P ositive ou tcom e

C h a n g e im p le m e n ta tio n

N o ch an ge
N egative ou tcom e

James August, CQA 01/21/09

C h an ge
N egative ou tcom e

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
James August, CQA 01/21/09

63

Mitigation

James August, CQA 01/21/09

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

James August, CQA 01/21/09

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
James August, CQA 01/21/09

66

Risk mitigation treatments





James August, CQA 01/21/09

Risk avoidance
Risk reduction
Risk retention
Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
James August, CQA 01/21/09

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia
James August, CQA 01/21/09

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia
James August, CQA 01/21/09

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
James August, CQA 01/21/09

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools





Design for Six Sigma
Investment hedging
Concurrent Engineering
Employee education & training

James August, CQA 01/21/09

72

Risk mitigation
• Some mitigation approaches for core
processes





Published financial documents – open review
Probability weighted Sales forecasts
Raw material cost projections
FTA and FMEA for design and process
• simulations and prototyping

– Inventory ABC analysis
James August, CQA 01/21/09

73

Risk mitigation
• and







Freight carrier performance statistics
Statistical Process Control
Electronic surveillance
Hedging
Invoice aging analysis and variance
Process check lists

James August, CQA 01/21/09

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for GrowthTM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
James August, CQA 01/21/09

from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)

James August, CQA 01/21/09

78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks

James August, CQA 01/21/09

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)

James August, CQA 01/21/09

80

Risk evaluation revisited
• Re-evaluate costs and benefit
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE to to
controlled recovery

James August, CQA 01/21/09

81

Conclusions

James August, CQA 01/21/09

82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)
James August, CQA 01/21/09

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:

Control
Mitigate
Evaluate
Identify
Define
James August, CQA 01/21/09

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations

James August, CQA 01/21/09

85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists





Non-financial indexes (FMEA, cp, etc)
Financial calculations (ROI, etc)
SPC
...

James August, CQA 01/21/09

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car
James August, CQA 01/21/09

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009

James August, CQA 01/21/09

88

(Four Case)
Risk Management Analysis
Thank you
Questions?

James August, CQA 01/21/09

89


Slide 65

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

17

Risk definition
Figure: four-quadrant chart of value accrued (+/-) against cost of action:
– big cost, big gains
– small cost, small gains
– small cost, small losses
– big cost, big losses
18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
20

Risk definition
Figure: the same four-quadrant chart of value accrued (+/-) against cost of action, with the tolerable loss limit drawn in:
– small cost, big gains: “no brainer”
– big cost, big gains
– small cost, small gains
– small cost, small losses
– tolerable loss limit (a line across the loss half of the chart)
– big cost, big losses: “not a good idea”
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
26

Identification

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
28

Risk identification
What is at risk?

29

Risk identification
What is at risk?
Achieving your objectives!

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
31

Risk identification
• core business operations & processes
– acquire new customers
– take orders
– procure materials
– create products, manage inventories
– deliver products
– collect payments
32

Risk identification
• core sales sub-processes
– market research
– pricing
– promotion and advertising
– order taking (order entry)
– warranty management
33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

34

Risk identification
• core operations sub-processes
– materials sourcing (availability)
– quality control (product & process)
– plant & workplace safety
– environmental concerns
– inventory
– logistics and transport
35

Risk identification
• core finance sub-processes
– budgeting
– accounts receivable and payable
– banking
– currency exchange
– MIS and IT processes
36

Risk identification
• support business processes
– strategic planning
– brand management
– facilities and infrastructure management
– process engineering
– capital investment
– asset management
37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, SOx, ...)
– supplier evaluation, management
38

Risk identification
• support business sub-processes
– quality assurance
– predictive/ preventive maintenance
– recruitment, compensation
– employee relations (work stoppages)
– employee performance management
– payroll, benefits, ...
39

Risk identification
• other business areas
– outplacement
– employee well-being
– insurance
– mergers & acquisitions
– construction / expansion
40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.
– Strengths
– Weaknesses
– Opportunities
– Threats
41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
42

Evaluation

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

44

Risk evaluation
Risk matrix: frequency (rows) against severity (columns)

Frequency    | Severity
             | Negligible | Minor | Major | Severe
Frequent     |     L      |   I   |   H   |   H
Probable     |     L      |   I   |   H   |   H
Occasional   |     T      |   I   |   I   |   H
Remote       |     T      |   L   |   I   |   I
45

Risk evaluation

46

Risk evaluation

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

48

Risk evaluation
• Typical approaches for quantification
– Weighted probabilities
– Extended cost
– Future Value or Net Present Value
– Capability analysis
– Value stream mapping
– Cost of poor quality
– Discounted Cash Flow
– Internal Rate of Return
49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

50

Risk evaluation
Financial measures of c/b
• Return on Investment (ROI)
Net B/C ratio = (PV of benefits – PV of operating costs) / PV of capital costs
51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)^2 + a3/(1+i)^3 + ...
• Where “a” is the return for each period at rate “i”
53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
56

Risk evaluation
Financial measures of c/b
• IRR
The value of “i” such that Σ_{t=1}^{p} a_t / (1+i)^t = 0
57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

59

Risk evaluation
• Four cases for risk evaluation:

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
61

Risk evaluation
Figure: four-quadrant chart of value accrued (+/-) against change implementation:
– no change, positive outcome
– change, positive outcome
– no change, negative outcome
– change, negative outcome
62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
63
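The four-case comparison above, worked through with NPV and a trial-and-error IRR and checked against a tolerable loss limit, as an added example that is not part of the presentation; the cash flows, the 10% discount rate and the loss limit are constructed values.

```python
"""Four-case risk evaluation: NPV and IRR for change / no change,
positive / negative outcome, checked against a tolerable loss limit.

Added example, not from the presentation. All cash flows, the discount
rate and the loss limit are constructed values for illustration.
Period 0 holds the cost of action (0 for "do nothing", as on the RTP slide).
"""
from typing import Dict, Optional, Sequence


def npv(rate: float, flows: Sequence[float]) -> float:
    """NPV = a0 + a1/(1+i) + a2/(1+i)^2 + ... (a0 is at time zero)."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(flows))


def irr(flows: Sequence[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-9, max_iter: int = 300) -> Optional[float]:
    """Rate i at which NPV(i) = 0, found by bisection (trial and error),
    since no closed-form algebraic formula exists.  Returns None when NPV
    has no sign change on [lo, hi], e.g. a stream of pure losses or pure
    gains, for which an IRR is undefined."""
    f_lo, f_hi = npv(lo, flows), npv(hi, flows)
    if f_lo * f_hi > 0:
        return None
    for _ in range(max_iter):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, flows)
        if abs(f_mid) < tol or (hi - lo) < tol:
            return mid
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


# Constructed annual cash flows for the four cases (year 0 first).
FOUR_CASES: Dict[str, Sequence[float]] = {
    "change, positive outcome":    [-50_000, 30_000, 30_000, 30_000],
    "change, negative outcome":    [-50_000, -5_000, -5_000, -5_000],
    "no change, positive outcome": [0, 4_000, 4_000, 4_000],
    "no change, negative outcome": [0, -20_000, -20_000, -20_000],
}


def evaluate_cases(cases: Dict[str, Sequence[float]], rate: float,
                   loss_limit: float) -> Dict[str, dict]:
    """Value every case (NPV, plus IRR where defined) and flag those whose
    NPV breaches the organisation's tolerable loss limit."""
    results = {}
    for name, flows in cases.items():
        value = npv(rate, flows)
        results[name] = {
            "npv": round(value, 2),
            "irr": irr(flows),
            "within_loss_limit": value >= -loss_limit,
        }
    return results


if __name__ == "__main__":
    for name, r in evaluate_cases(FOUR_CASES, 0.10, 55_000).items():
        irr_txt = f"{r['irr']:.1%}" if r["irr"] is not None else "n/a"
        flag = "" if r["within_loss_limit"] else "  <- exceeds tolerable loss limit"
        print(f"{name:28s} NPV {r['npv']:>12,.2f}  IRR {irr_txt:>6}{flag}")
```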

Mitigation

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
66

Risk mitigation treatments
• Risk avoidance
• Risk reduction
• Risk retention
• Risk transfer
67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia
69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia
70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training
72

Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability weighted sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis
73

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists
74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
77

Evaluation
(re-evaluation after control)

78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)

80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to
controlled recovery
81
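The ALE re-evaluation described on the last three slides (raw ALE per risk, ALE recomputed with controls working, control cost, and the resulting improvement), carried through for a small constructed register of information-security risks, as an added example that is not part of the presentation; the risk names, dollar figures, frequencies and control costs are all assumed values.

```python
"""Annual Loss Exposure (ALE) before and after controls.

Added example, not from the presentation.  Every risk, loss figure,
frequency and control cost below is a constructed value for illustration.
ALE = estimated loss per event x estimated occurrences per year.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Risk:
    name: str
    loss_per_event: float         # estimated loss when the event occurs ($)
    raw_frequency: float          # occurrences per year with no controls
    controlled_loss: float        # loss per event once controls are working
    controlled_frequency: float   # occurrences per year with controls working
    control_cost: float           # annual cost of the mitigating controls ($)

    def raw_ale(self) -> float:
        return self.loss_per_event * self.raw_frequency

    def controlled_ale(self) -> float:
        return self.controlled_loss * self.controlled_frequency

    def ale_reduction(self) -> float:
        return self.raw_ale() - self.controlled_ale()


# Constructed risk register (assumed figures, not from the presentation).
RISKS: List[Risk] = [
    Risk("phishing-led credential compromise", 40_000, 2.0, 20_000, 0.5, 15_000),
    Risk("ransomware on the file server",     250_000, 0.2, 50_000, 0.1, 30_000),
    Risk("lost laptop with unencrypted data",  30_000, 1.5,  2_000, 1.5,  8_000),
    Risk("DDoS on the marketing site",          5_000, 1.0,  5_000, 0.2, 12_000),
]


def mitigation_summary(risks: List[Risk]) -> Dict[str, float]:
    """The slides' steps: raw ALE summed over all risks, ALE recomputed
    assuming all controls work, total control cost, and the improvement."""
    raw = sum(r.raw_ale() for r in risks)
    controlled = sum(r.controlled_ale() for r in risks)
    cost = sum(r.control_cost for r in risks)
    reduction = raw - controlled
    return {
        "raw_ale": raw,
        "controlled_ale": controlled,
        "ale_reduction": reduction,
        "control_cost": cost,
        "net_benefit": reduction - cost,
        "benefit_cost_ratio": reduction / cost if cost else float("inf"),
    }


def unjustified_controls(risks: List[Risk]) -> List[str]:
    """Controls whose annual cost exceeds the ALE they remove: candidates
    for risk retention (accept the loss) rather than further spending."""
    return [r.name for r in risks if r.ale_reduction() < r.control_cost]


if __name__ == "__main__":
    for r in RISKS:
        print(f"{r.name:38s} raw ALE {r.raw_ale():>9,.0f}"
              f"  controlled ALE {r.controlled_ale():>8,.0f}"
              f"  control cost {r.control_cost:>7,.0f}")
    for k, v in mitigation_summary(RISKS).items():
        print(f"{k:20s} {v:,.2f}")
    print("controls not paying for themselves:", unjustified_controls(RISKS))
```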

Conclusions

82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)
83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:
– Define
– Identify
– Evaluate
– Mitigate
– Control
84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations

85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, Cp, etc)
– Financial calculations (ROI, etc)
– SPC
– ...
86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car
87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009

88

(Four Case)
Risk Management Analysis
Thank you
Questions?

89


Slide 66

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN above or below 100, where
– RPN = Severity x Frequency x Detectability

48
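The risk matrix on slide 45 and the RPN criterion above can be put into a short lookup-and-scoring routine. The Python below is an added example written for this page, not code from the slide deck: the T/L/I/H cell codes are the slide's own, while the 1 to 10 FMEA rating scales, the action threshold of 100 read from the "RPN < > 100" criterion, and the sample failure modes (taken from a constructed access-control process review) are assumptions.

```python
"""Risk-matrix lookup and FMEA Risk Priority Number (RPN).

Added example, not from the slide deck. The matrix cell codes (T/L/I/H) are
the letters on the slide; the 1..10 FMEA scales, the RPN threshold of 100 and
the sample findings are constructed for illustration.
"""
from dataclasses import dataclass

# Rows = frequency, columns = severity, cells = the slide's codes.
SEVERITIES = ("Negligible", "Minor", "Major", "Severe")
RISK_MATRIX = {
    "Frequent":   ("L", "I", "H", "H"),
    "Probable":   ("L", "I", "H", "H"),
    "Occasional": ("T", "I", "I", "H"),
    "Remote":     ("T", "L", "I", "I"),
}


def matrix_rating(frequency: str, severity: str) -> str:
    """Return the matrix cell (T, L, I or H) for a frequency/severity pair."""
    try:
        return RISK_MATRIX[frequency][SEVERITIES.index(severity)]
    except (KeyError, ValueError):
        raise ValueError(f"unknown frequency/severity: {frequency!r}/{severity!r}") from None


@dataclass(frozen=True)
class FailureMode:
    name: str
    severity: int    # 1 (no effect) .. 10 (hazardous)            -- assumed scale
    occurrence: int  # 1 (remote) .. 10 (almost certain)          -- assumed scale
    detection: int   # 1 (always detected) .. 10 (undetectable)   -- assumed scale

    def rpn(self) -> int:
        """RPN = Severity x Frequency (occurrence) x Detectability, as on the slide."""
        for v in (self.severity, self.occurrence, self.detection):
            if not 1 <= v <= 10:
                raise ValueError("FMEA ratings must be in 1..10")
        return self.severity * self.occurrence * self.detection


RPN_THRESHOLD = 100  # the slide's "RPN < > 100" criterion, as an assumed action line


def prioritize(modes):
    """Return (name, rpn, needs_action) tuples sorted by RPN, highest first."""
    scored = [(m.name, m.rpn(), m.rpn() > RPN_THRESHOLD) for m in modes]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample: failure modes noted in a review of an access-control process.
SAMPLE_MODES = [
    FailureMode("stale accounts not disabled on leaver date", 7, 6, 5),     # 210
    FailureMode("backup restore untested", 9, 3, 8),                        # 216
    FailureMode("password policy not enforced on one legacy app", 6, 4, 2), # 48
    FailureMode("log retention shorter than policy", 4, 5, 3),              # 60
]

if __name__ == "__main__":
    for name, rpn, act in prioritize(SAMPLE_MODES):
        print(f"{rpn:4d}  {'ACT ' if act else 'hold'}  {name}")
    print("Occasional/Severe ->", matrix_rating("Occasional", "Severe"))
```

The matrix answers "how risky is my risk?" with a category; the RPN adds the detectability dimension the slide names, which is why a low-frequency item such as the untested restore can outrank a more frequent one.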

Risk evaluation
• Typical approaches for quantification
– Weighted probabilities
– Extended cost
– Future Value or Net Present Value
– Capability analysis
– Value stream mapping
– Cost of poor quality
– Discounted Cash Flow
– Internal Rate of Return

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency


50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)
– Net B/C ratio = (PV of benefits – PV of operating costs) / PV of capital costs

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)^2 + a3/(1+i)^3 + ...

• Where "a" (a0, a1, a2, ...) is the return in each period and "i" is the discount rate per period

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.

54

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.

56

Risk evaluation
Financial measures of c/b
• IRR
– The value of "i" such that  Σ (t = 1 to p) a_t / (1+i)^t = 0

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?"
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

59
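Slide 59 points to Excel for PV, NPV and IRR. The same two calculations in Python, as an added example that is not part of the deck, make the "trial and error" remark on slide 56 concrete: NPV follows the slide-53 formula, and IRR is found by bisection on NPV(i) = 0, with the search refusing a cash-flow stream whose NPV never changes sign (no IRR exists for it). The cash flows are constructed: a 100-unit outlay on a control that avoids 40 units of loss in each of four periods.

```python
"""NPV and IRR for a per-period cash-flow stream, following the slide formulas.

Added example, not from the slide deck. NPV = a0 + a1/(1+i) + a2/(1+i)^2 + ...
and IRR is the rate i at which NPV is zero; as the slides say, IRR has no
closed form, so it is found by a bracketing search (bisection). The cash
flows below are constructed.
"""
from typing import Sequence


def npv(rate: float, cash_flows: Sequence[float]) -> float:
    """Net present value; cash_flows[0] is a0, received today and undiscounted."""
    if rate <= -1.0:
        raise ValueError("rate must be greater than -100%")
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


def irr(cash_flows: Sequence[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-9) -> float:
    """Internal rate of return by bisection on npv(rate) == 0.

    Requires a sign change in NPV between lo and hi, which holds for the usual
    stream of an initial outlay followed by positive returns. A stream whose
    NPV never changes sign has no IRR and raises ValueError.
    """
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        raise ValueError("no IRR: NPV does not change sign on the search interval")
    for _ in range(200):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol or (hi - lo) < tol:
            return mid
        if f_lo * f_mid < 0:      # root lies in the lower half
            hi, f_hi = mid, f_mid
        else:                     # root lies in the upper half
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


# Constructed: a control costing 100 up front that avoids 40 per period of loss for 4 periods.
CASH_FLOWS = [-100.0, 40.0, 40.0, 40.0, 40.0]

if __name__ == "__main__":
    rate = 0.08
    print(f"NPV at {rate:.0%}: {npv(rate, CASH_FLOWS):.2f}")
    r = irr(CASH_FLOWS)
    print(f"IRR: {r:.4%}; NPV at IRR: {npv(r, CASH_FLOWS):.2e}")
```

The bisection is deliberately dumb and robust: it needs only that NPV be positive at a very low rate and negative at a very high one, which is exactly the "how high do interest rates have to climb" reading of IRR on slide 58.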

Risk evaluation
• Four cases for risk evaluation:


60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results

61

Risk evaluation
[Figure: quadrant chart of value accrued (+/-) against change implementation, with four cells: no change / positive outcome, change / positive outcome, no change / negative outcome, change / negative outcome]
62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.

63
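One way to carry the four-case comparison through numerically, as an added example that is not from the deck: each decision branch (change, no change) gets a positive and a negative outcome with an assumed probability and cash-flow stream, every case is valued with NPV (standing in for whichever of ROI, NPV, DCF or IRR your organization prefers), and the worst case of each branch is checked against the tolerable loss limit. The probabilities, cash flows, 10% rate and loss limit of -50 are constructed.

```python
"""Four-case risk evaluation compared against a risk-tolerance loss limit.

Added example, not from the slide deck. The four cases are the slides'
(change / positive, change / negative, no change / positive, no change /
negative); NPV is used as the valuation method; probabilities, cash flows,
the rate and the loss limit are constructed.
"""
from dataclasses import dataclass
from typing import Sequence


def npv(rate: float, cash_flows: Sequence[float]) -> float:
    """a0 + a1/(1+i) + a2/(1+i)^2 + ..., as on the NPV slide."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


@dataclass(frozen=True)
class RiskCase:
    name: str
    probability: float   # chance of this outcome, given the decision taken
    cash_flows: tuple    # a0, a1, ... for this outcome


def evaluate_decision(cases: Sequence[RiskCase], rate: float, loss_limit: float) -> dict:
    """Value one decision branch (change, or no change) from its outcome cases.

    Returns each case's NPV, the probability-weighted expected NPV, the worst
    case, and whether that worst case falls below the loss limit.
    """
    if abs(sum(c.probability for c in cases) - 1.0) > 1e-9:
        raise ValueError("outcome probabilities within a branch must sum to 1")
    values = {c.name: npv(rate, c.cash_flows) for c in cases}
    expected = sum(c.probability * values[c.name] for c in cases)
    worst = min(values.values())
    return {"values": values, "expected": expected, "worst": worst,
            "breaches_limit": worst < loss_limit}


# Constructed scenario: a 120-unit control project over four periods, 10% rate, limit -50.
RATE = 0.10
LOSS_LIMIT = -50.0
CHANGE = [
    RiskCase("change / positive outcome", 0.7, (-120.0, 60.0, 60.0, 60.0, 60.0)),
    RiskCase("change / negative outcome", 0.3, (-120.0, 10.0, 10.0, 10.0, 10.0)),
]
NO_CHANGE = [
    RiskCase("no change / positive outcome (learning curve)", 0.8, (0.0, 5.0, 8.0, 10.0, 12.0)),
    RiskCase("no change / negative outcome", 0.2, (0.0, -30.0, -30.0, -30.0, -30.0)),
]


def compare(rate: float = RATE, loss_limit: float = LOSS_LIMIT) -> dict:
    """Evaluate both branches so the four cases can be compared side by side."""
    return {"change": evaluate_decision(CHANGE, rate, loss_limit),
            "no change": evaluate_decision(NO_CHANGE, rate, loss_limit)}


if __name__ == "__main__":
    for branch, result in compare().items():
        status = "BREACHES" if result["breaches_limit"] else "within"
        print(f"{branch}: expected NPV {result['expected']:.1f}, "
              f"worst case {result['worst']:.1f}, {status} loss limit {LOSS_LIMIT}")
```

The point of laying out all four cases is visible in the numbers: "do nothing" has a modest expected value but its negative case is the worst outcome of all, which is the hidden RTP downside the deck keeps returning to.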

Mitigation


64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.


65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure

66

Risk mitigation treatments
– Risk avoidance
– Risk reduction
– Risk retention
– Risk transfer

67

Risk mitigation treatments
• Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also, any amount of potential loss (risk) over the amount insured is retained risk.
from Wikipedia

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

72

Risk mitigation
• Some mitigation approaches for core processes
– Published financial documents – open review
– Probability weighted sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

73

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
– Management maintains an accurate awareness of market trends, competitor prices, etc. as determinants of pricing policy.
– Steps are taken to protect commercially sensitive pricing information from unauthorized access and leakage.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
– Determine whether product development has realistic costs and timeframes.
– Check that a detailed budget has been established for product development.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
– Ensure prompt action is taken to reject substandard supplies and arrange replacement stock.
– Verify that measures are in place to assess potential suppliers for their competence and commitment to quality.
– Make sure quality specifications have been defined, authorized and formally documented.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)


78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks


79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc.)

80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine the improvement in ALE due to controlled recovery

81
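The ALE re-evaluation described across slides 79 to 81, worked through as an added example that is not from the deck: raw ALE (annual loss per occurrence times frequency, summed over all risks) against controlled ALE with all controls working, the cost of the controls, and the resulting improvement. The risk register, frequencies and control costs are constructed; the check that flags a control costing more than the ALE it removes is an added comparison, not a step on the slides.

```python
"""Raw vs. controlled Annual Loss Exposure (ALE), following the re-evaluation slides.

Added example, not from the slide deck. For each risk, ALE = annual loss per
occurrence x frequency of occurrence; raw ALE assumes no controls, controlled
ALE assumes all controls are working. The register and figures are constructed.
"""
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class Risk:
    name: str
    loss_per_event: float        # estimated loss each time the risk materializes
    annual_frequency: float      # expected occurrences per year, uncontrolled
    controlled_frequency: float  # expected occurrences per year with controls working
    controlled_loss: float       # loss per event with controls working (may be unchanged)
    annual_control_cost: float   # cost of the mitigating controls per year


def ale(loss_per_event: float, annual_frequency: float) -> float:
    """Annual Loss Exposure for one risk: loss x frequency."""
    if loss_per_event < 0 or annual_frequency < 0:
        raise ValueError("loss and frequency must be non-negative")
    return loss_per_event * annual_frequency


def re_evaluate(risks: Sequence[Risk]) -> dict:
    """Sum raw and controlled ALE over all risks and report what the controls buy."""
    raw = sum(ale(r.loss_per_event, r.annual_frequency) for r in risks)
    controlled = sum(ale(r.controlled_loss, r.controlled_frequency) for r in risks)
    cost = sum(r.annual_control_cost for r in risks)
    improvement = raw - controlled
    return {"raw_ale": raw, "controlled_ale": controlled, "control_cost": cost,
            "improvement": improvement, "net_benefit": improvement - cost}


def controls_not_paying_off(risks: Sequence[Risk]) -> list:
    """Names of risks whose control cost exceeds the ALE reduction it delivers."""
    return [r.name for r in risks
            if r.annual_control_cost > ale(r.loss_per_event, r.annual_frequency)
            - ale(r.controlled_loss, r.controlled_frequency)]


# Constructed register (currency units per year).
REGISTER = [
    Risk("ransomware on file servers",   250_000, 0.20, 0.05, 100_000, 30_000),  # raw 50k, controlled 5k
    Risk("lost laptop with client data",  20_000, 3.00, 3.00,   2_000,  8_000),  # raw 60k, controlled 6k
    Risk("payroll data entry error",       1_500, 12.0, 4.00,   1_500, 40_000),  # raw 18k, controlled 6k
]

if __name__ == "__main__":
    result = re_evaluate(REGISTER)
    print(f"raw ALE {result['raw_ale']:,.0f}  controlled ALE {result['controlled_ale']:,.0f}  "
          f"controls {result['control_cost']:,.0f}  net benefit {result['net_benefit']:,.0f}")
    print("controls costing more than they save:", controls_not_paying_off(REGISTER))
```

Separating frequency from loss per event matters: laptop encryption leaves the frequency untouched and shrinks the loss, while the ransomware controls mostly cut the frequency, and the summed ALE figures hide that distinction unless the register keeps both columns.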

Conclusions


82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:
– Define
– Identify
– Evaluate
– Mitigate
– Control

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate, support your assessment
with recognized c/b calculations

85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, Cp, etc.)
– Financial calculations (ROI, etc.)
– SPC
– ...

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding
– Investments
• Home
• Car

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in "Risk Mismanagement",
New York Times Magazine (Sunday), p. 28, Jan. 4, 2009

88

(Four Case)
Risk Management Analysis
Thank you
Questions?


89


Slide 67

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
p



The value of "i" such that  at / (1+i) t = 0
t=1

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
James August, CQA 01/21/09

61

Risk evaluation
V a lu e a ccru e d (+ /-)

N o ch an ge
P ositive ou tcom e

C h an ge
P ositive ou tcom e

C h a n g e im p le m e n ta tio n

N o ch an ge
N egative ou tcom e

James August, CQA 01/21/09

C h an ge
N egative ou tcom e

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
James August, CQA 01/21/09

63

Mitigation

James August, CQA 01/21/09

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

James August, CQA 01/21/09

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
James August, CQA 01/21/09

66

Risk mitigation treatments





James August, CQA 01/21/09

Risk avoidance
Risk reduction
Risk retention
Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
James August, CQA 01/21/09

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia
James August, CQA 01/21/09

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia
James August, CQA 01/21/09

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
James August, CQA 01/21/09

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools





Design for Six Sigma
Investment hedging
Concurrent Engineering
Employee education & training

James August, CQA 01/21/09

72

Risk mitigation
• Some mitigation approaches for core
processes





Published financial documents – open review
Probability weighted Sales forecasts
Raw material cost projections
FTA and FMEA for design and process
• simulations and prototyping

– Inventory ABC analysis
James August, CQA 01/21/09

73

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

74

Risk mitigation
• Checklists – Sample Risk Checklist for Pricing
– Management maintains an accurate awareness of market trends, competitor prices, etc. as determinants of pricing policy.
– Steps are taken to protect commercially sensitive pricing information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

75

Risk mitigation
• Checklists – Sample R&D Risk Checklist
– Determine whether product development has realistic costs and timeframes.
– Check that a detailed budget has been established for product development.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

76

Risk mitigation
• Checklists – Sample Materials Management Risk Checklist
– Ensure prompt action is taken to reject substandard supplies and arrange replacement stock.
– Verify that measures are in place to assess potential suppliers for their competence and commitment to quality.
– Make sure quality specifications have been defined, authorized and formally documented.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)


78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with each risk
– determine frequencies of occurrence
– multiply together to calculate the raw Annual Loss Exposure (raw ALE) and sum over all risks

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is meaningful to your organization (ROI, NPV, DCF, IRR, etc)

80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by recalculating Annual Loss Exposure assuming all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to controlled recovery

81
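The three re-evaluation steps above, worked in Python as an added example (not from the slides). The risk register and its dollar figures are constructed, and the "improvement" measure, raw ALE minus controlled ALE minus control cost, is my reading of the last step:

```python
# Added example (not from the slides): raw vs. controlled Annual Loss Exposure.
# ALE = loss per occurrence x expected occurrences per year, summed over risks;
# the controlled figure assumes every mitigating control is working.
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    single_loss: float           # estimated loss per occurrence, dollars
    annual_frequency: float      # expected occurrences per year (may be below 1)
    controlled_loss: float       # loss per occurrence once the control works
    controlled_frequency: float  # occurrences per year once the control works
    control_cost: float          # annual cost of the control, dollars

    def raw_ale(self) -> float:
        return self.single_loss * self.annual_frequency

    def controlled_ale(self) -> float:
        return self.controlled_loss * self.controlled_frequency


def raw_ale(risks) -> float:
    """Raw ALE summed over all risks (no controls in place)."""
    return sum(r.raw_ale() for r in risks)


def controlled_ale(risks) -> float:
    """ALE summed over all risks assuming all controls are working."""
    return sum(r.controlled_ale() for r in risks)


def control_cost(risks) -> float:
    return sum(r.control_cost for r in risks)


def ale_improvement(risks) -> float:
    """Reduction in ALE attributable to the controls, net of what they cost."""
    return raw_ale(risks) - controlled_ale(risks) - control_cost(risks)


def controls_worth_it(risks) -> dict:
    """Per-risk check: does a control cut ALE by more than its annual cost?"""
    return {r.name: (r.raw_ale() - r.controlled_ale()) > r.control_cost
            for r in risks}


def ranked_by_raw_ale(risks) -> list:
    """Risk names from largest to smallest raw ALE, to prioritise attention."""
    return [r.name for r in sorted(risks, key=lambda r: r.raw_ale(), reverse=True)]


# Constructed sample register; every figure is hypothetical.
SAMPLE_RISKS = [
    Risk("ransomware on file server", 250_000, 0.2, 40_000, 0.2, 15_000),
    Risk("lost laptop with customer data", 30_000, 1.5, 2_000, 1.5, 6_000),
    Risk("supplier ships substandard lot", 12_000, 3.0, 12_000, 0.5, 40_000),
]

if __name__ == "__main__":
    print("raw ALE:        ", raw_ale(SAMPLE_RISKS))
    print("controlled ALE: ", controlled_ale(SAMPLE_RISKS))
    print("net improvement:", ale_improvement(SAMPLE_RISKS))
    print("worth it:       ", controls_worth_it(SAMPLE_RISKS))
```

The third risk shows the case the slides warn about: the control works, but its annual cost exceeds the ALE it removes.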

Conclusions


82

Risk management conclusions
• Every process has risk, even when just maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be done by combined cost/benefit comparisons
• Assessment of ongoing processes must be expressed in comparison with expected costs and results
• There is no simple single calculation for risk assessment (FMEA, ROI, …)

83

Risk management conclusions
After you identify a potential risk, take the five steps to risk management:
– Define
– Identify
– Evaluate
– Mitigate
– Control

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide substantial risk
• Consider all four risk cases
• When appropriate, support your assessment with recognized c/b calculations

85

Risk management conclusions
• Process control - the mitigation tool for the risk management process
– Check lists
– Non-financial indexes (FMEA, cp, etc)
– Financial calculations (ROI, etc)
– SPC
– ...

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding
– Investments
• Home
• Car

87

Risk management conclusions
“... the greatest risks are never the ones you can see and measure, but the ones you can’t see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”, New York Times Sunday Times Magazine pg 28, Jan 4 2009

88

(Four Case)
Risk Management Analysis
Thank you
Questions?

89



(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk metrics that describe probabilistically the market risk of a trading portfolio. Value-at-risk is widely used by banks, securities firms, commodity merchants, energy merchants, and other trading organizations.
from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated for a hypothetical portfolio. Shown is the probability density function for the portfolio's value ¹P one trading day from now. The portfolio's current value ⁰p is known.
Value-at-risk equals the amount of money such that there is a 90% probability of the portfolio losing less than that amount over the next trading day.

3

COSO and SOx
• According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the organization,
• (2) risk assessment, or the identification and analysis of relevant risks,
• (3) the policies and procedures or control activities that help ensure management directives are carried out,
• (4) the identification and communication of pertinent information, and
• (5) a monitoring process that assesses the quality of the internal control system’s performance.

4

(Four Case)
Risk Management Analysis
• But the location and management of risk are not restricted to stock portfolios or business fortunes. Risks appear in operating functions every day. The management of these risks is the responsibility of every entrepreneur, CEO, department head, project leader and change agent.

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business risk?
• Risk identification - where are my risks hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know that my actions were effective?

6

(Four Case)
Risk Management Analysis
• Risk management is a process
• The process has parallels with DMAIC and PDCA

7

Definition


8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of protection and the level of protection you should be at.”
• “An assumption that you cannot verify is a risk.” Adolfo Ferreira

9

Risk definition
• A comparator accruing from the likelihood of specific endeavor outcomes, its magnitude being a function of the possible consequences of the endeavor and the probabilities associated with those consequences.

10

Risk definition
• Risk = f(magnitude) x f(likelihood) = severity x frequency of occurrence
• high risk outcome = fruits of opportunity or devastating result
• compare with FMEA: RPN = severity x occurrence x detectability

11

Risk definition
• Two occasions for which risk should be calculated: RTP and ITP
– RTP (run the process): core processes which must be maintained to keep the current business performance level
– ITP (improve the process): processes which may be improved, increasing the performance level

12

Risk definition
• Risk appetite: the amount of risk that you are willing to accept
• Risk tolerance: the limits of outcomes that you are willing to accept

13

Risk definition
• There are two sides to every risk calculation - the positive potential and the negative potential.
• Both must be calculated.
• Costs can be small or large

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $
– value of continued output
– value of lost output

16

Risk definition
• These are the four cases that should be considered as part of a risk management methodology.

17

Risk definition
Figure: quadrant chart with vertical axis “Value accrued (+/-)” and horizontal axis “Cost of action”. Quadrants: small cost, small gains; big cost, big gains; small cost, small losses; big cost, big losses.

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning (only a few dozen sold) at a low cost of entry but low return.
• Buy a lottery ticket: low chance of winning but if you hit … it’s millions of dollars!
• Buy a second house for investment: high chance of eventually getting a good return but with a high cost of entry.

19

Risk definition
• Your tolerable loss limit (risk tolerance) is an estimate of the maximum you can afford to lose in the worst case scenario
• It is a number (generally expressed in dollars) and could be based on an organization's expected profits or revenues

20

Risk definition
Figure: the same quadrant chart (vertical axis “Value accrued (+/-)”, horizontal axis “Cost of action”), with the small cost, big gains quadrant labelled “no brainer”, the big cost, big losses quadrant labelled “not a good idea”, and a tolerable loss limit line drawn across the losses half.
21

Risk management definition
A formal process used for identifying hazards associated with a product/service, estimating and evaluating the associated risks, controlling those risks, and monitoring the effectiveness of the control.

RM provides a rational foundation for decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18

22

Risk management definition
• Risk assessment, as defined by the IIA Standards for the Professional Practice of Internal Auditing, is a systematic process for assessing and integrating professional judgments about probable adverse conditions or events. Risk impacts an organization’s ability to compete and to maintain its financial strength and the quality of its products and services. It’s the internal auditor’s job to identify all auditable activities and relevant risk factors and to assess their significance.

23

Risk management system
• Risk management is another management system to be fused into your organization. It has structure:
– Objectives and goals
– Policies
– Procedures

24

Risk management policy
• Risk mitigation (intervention) is deciding what to do about each of the risks assessed as important to your (management or project) objectives, implementing the changes and documenting the planned response.

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools
– Risk mitigation or reduction
• treatment selection
• application of remedy tools
– Risk control at the new level

26

Identification


27

Risk identification
• Where are my risks?
• Which are “run the process” risks and which are “improve the process” risks?
• RTP risks tend to have little upside but huge downside.
• ITP risks tend to have large upside and measurable downside.

28

Risk identification
What is at risk?


29

Risk identification
What is at risk?
Achieving your objectives!


30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”, Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008

31

Risk identification
• core business op’ns & processes
– acquire new customers
– take orders
– procure materials
– create products, manage inventories
– deliver products
– collect payments

32

Risk identification
• core sales sub-processes
– market research
– pricing
– promotion and advertising
– order taking (order entry)
– warranty management

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

34

Risk identification
• core operations sub-processes
– materials sourcing (availability)
– quality control (product & process)
– plant & workplace safety
– environmental concerns
– inventory
– logistics and transport

35

Risk identification
• core finance sub-processes
– budgeting
– accounts receivable and payable
– banking
– currency exchange
– MIS and IT processes

36

Risk identification
• support business processes
– strategic planning
– brand management
– facilities and infrastructure management
– process engineering
– capital investment
– asset management

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and education
– materials management and logistics
– legal/regulatory reporting (FDA, SOx, ...)
– supplier evaluation, management

38

Risk identification
• support business sub-processes
– quality assurance
– predictive/preventive maintenance
– recruitment, compensation
– employee relations (work stoppages)
– employee performance mgt
– payroll, benefits, ...

39

Risk identification
• other business areas
– outplacement
– employee well-being
– insurance
– mergers & acquisitions
– construction / expansion

40

Risk identification
• SWOT analysis is a sorting method for identifying and prioritizing risks.
– Strengths
– Weaknesses
– Opportunities
– Threats
41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses
– Historical information - lessons learned
– Templates: critical path, engineering, ...

42

Evaluation


43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

44

Risk evaluation
Risk matrix: rows are Frequency, columns are Severity

Frequency    Negligible   Minor   Major   Severe
Frequent     L            I       H       H
Probable     L            I       H       H
Occasional   T            I       I       H
Remote       T            L       I       I

45

Risk evaluation


46

Risk evaluation


47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < or > 100, where
– RPN = Severity x Frequency x Detectability

48

Risk evaluation
• Typical approaches for quantification
– Weighted probabilities
– Extended cost
– Future Value or Net Present Value
– Capability analysis
– Value stream mapping
– Cost of poor quality
– Discounted Cash Flow
– Internal Rate of Return

49

Risk evaluation
• Project justification
– Develop meaningful (financial?) performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from time and material invested
– may be based on estimates of increased sales or improved process efficiency

50

Risk evaluation
Financial measures of c/b
• Return on Investment (ROI)
Net B/C ratio = (PV of benefits – PV of operating costs) / PV of capital costs

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis period, adjusted to reflect the time value of money. Other things being equal, the action or investment with the larger NPV is the better option. NPV uses the Present Value concept, the idea that money you have now is worth more than an identical amount received in the future.

52

Risk evaluation
• $\mathrm{NPV} = a_0 + \frac{a_1}{1+i} + \frac{a_2}{(1+i)^2} + \frac{a_3}{(1+i)^3} + \cdots$
• where $a_t$ is the return for each period $t$ at rate $i$

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a method to value a project, company, or financial asset using the concepts of the time value of money. All future cash flows are estimated and discounted to give them a present value. The discount rate used is generally the appropriate cost of capital, and incorporates judgments of the uncertainty (riskiness) of the future cash flows.

54

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)
IRR (like NPV) is a financial metric that reflects the time value of money. The meaning of IRR is less obvious to most people, but IRR is nevertheless often used as a central decision criterion among financial specialists. As the word "Return" implies, the IRR view of the cash flow stream is essentially an investment view: money will be paid out and compared to returns.

55

Risk evaluation
• The internal rate of return (IRR) is the interest rate such that the discounted sum of net cash flows is zero. If the interest rate were equal to the IRR, the net present value would be exactly zero. The IRR cannot be determined by an algebraic formula, but rather has to be approximated by trial and error methods.

56

Risk evaluation
Financial measures of c/b
• IRR
The value of $i$ such that $\sum_{t=1}^{p} \frac{a_t}{(1+i)^t} = 0$

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which the total present value of future cash flows equals the cost of the investment."
• 2. "The IRR for an investment is the discount rate that produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates have to climb (the discount rate for NPV calculations) in order for the PV of gains to just cover the PV of costs?"
• The answer in each case is an interest rate; the higher the interest rate (that is, the higher the IRR), the more robust the investment and the better the returns compare to the costs.

58

Risk evaluation
• Excel spreadsheets can do PV, NPV, IRR and other financial value calculations.

59
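The NPV and IRR definitions from the preceding slides, worked in Python as an added example rather than the spreadsheet the slide mentions (this is not the author's code). Bisection is the trial-and-error method chosen here, and both cash-flow streams are constructed:

```python
# Added example (not from the slides): NPV and IRR for a cash-flow stream.
# Uses the slides' formula NPV = a0 + a1/(1+i) + a2/(1+i)^2 + ...; the IRR is
# the rate i at which NPV is zero, found by trial and error (bisection) since
# no closed-form formula exists.


def npv(rate: float, cash_flows) -> float:
    """a_0 is the outlay now (negative); a_t is the net flow at the end of period t."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


def irr(cash_flows, lo: float = -0.99, hi: float = 10.0, tol: float = 1e-10):
    """Bisection search for the rate at which NPV crosses zero.

    Needs NPV(lo) and NPV(hi) to differ in sign, which holds for the usual
    outlay-then-returns stream. Otherwise the stream has no IRR or several,
    and None is returned rather than a misleading rate.
    """
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        return None
    for _ in range(200):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol or (hi - lo) < tol:
            return mid
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


def pv_gains_minus_pv_costs(rate: float, cash_flows) -> float:
    """Definition 3 on the slides: at the IRR the PV of gains just covers the PV of costs."""
    gains = sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows) if a > 0)
    costs = sum(-a / (1.0 + rate) ** t for t, a in enumerate(cash_flows) if a < 0)
    return gains - costs


def rank_by_irr(projects: dict) -> list:
    """Project names, highest IRR first (the slides: higher IRR, more robust).
    Streams without a single IRR are left out of the ranking."""
    rates = {name: irr(flows) for name, flows in projects.items()}
    return sorted((n for n, r in rates.items() if r is not None),
                  key=lambda n: rates[n], reverse=True)


# Constructed example: a $100,000 process improvement (ITP case) expected to
# return $30,000 at the end of each of the next five years.
PROJECT = [-100_000, 30_000, 30_000, 30_000, 30_000, 30_000]
# Constructed "keep running as is" alternative (RTP case): smaller outlay,
# smaller but longer-lived returns.
UPKEEP = [-20_000, 5_000, 5_000, 5_000, 5_000, 5_000, 5_000, 5_000]

if __name__ == "__main__":
    print("NPV at 10%:", round(npv(0.10, PROJECT), 2))
    print("IRR:", round(irr(PROJECT) * 100, 2), "%")
    print("ranking by IRR:", rank_by_irr({"improvement": PROJECT, "upkeep": UPKEEP}))
```

Note that UPKEEP ranks above PROJECT on IRR while PROJECT has the larger NPV at 10%, which is why the slides say to use the valuation your organization prefers and compare cases consistently.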

Risk evaluation
• Four cases for risk evaluation:


60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b analyses assuming the results are achieved
– implement the change resulting in adverse (unplanned) results
– do nothing (ongoing costs only) and see learning curve improvement
– do nothing and get adverse results

61

Risk evaluation
Figure: quadrant chart with vertical axis “Value accrued (+/-)” and horizontal axis “Change implementation”. Quadrants: No change, positive outcome; Change, positive outcome; No change, negative outcome; Change, negative outcome.

62

Risk evaluation
• Use the risk valuation method preferred by your organization (ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four risk cases.
• Keep in mind the organization's risk tolerance loss limit.

63
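The four-case comparison above, worked in Python as an added example (not from the deck). The outcome values, their probabilities and the rule for combining expected value with the tolerable loss limit are assumptions of mine; the values are plain net dollar figures, where an organization would substitute its preferred valuation:

```python
# Added example (not from the slides): valuing the four risk cases of the deck
# (change vs. no change, positive vs. negative outcome), weighting the outcomes
# by probability and checking each branch against the tolerable loss limit.
from dataclasses import dataclass


@dataclass(frozen=True)
class Case:
    change: bool        # True: implement the change (ITP); False: do nothing (RTP)
    positive: bool      # True: planned / learning-curve result; False: adverse result
    probability: float  # probability of this outcome given the decision
    value: float        # net value accrued (+ gain, - loss), dollars


def _branch(cases, change: bool) -> list:
    """The cases belonging to one decision; their probabilities must sum to 1."""
    branch = [c for c in cases if c.change == change]
    if not branch or abs(sum(c.probability for c in branch) - 1.0) > 1e-9:
        raise ValueError("each decision needs outcome cases whose probabilities sum to 1")
    return branch


def expected_value(cases, change: bool) -> float:
    """Probability-weighted net value of one decision branch."""
    return sum(c.probability * c.value for c in _branch(cases, change))


def worst_case(cases, change: bool) -> float:
    """Lowest value the branch can produce (its adverse case)."""
    return min(c.value for c in _branch(cases, change))


def evaluate(cases, tolerable_loss_limit: float) -> dict:
    """Per branch: expected value, worst case, and whether the worst case
    stays within the organization's tolerable loss limit."""
    summary = {}
    for change, label in ((True, "change"), (False, "no change")):
        worst = worst_case(cases, change)
        summary[label] = {
            "expected_value": expected_value(cases, change),
            "worst_case": worst,
            "within_tolerance": worst >= -tolerable_loss_limit,
        }
    return summary


def recommend(cases, tolerable_loss_limit: float) -> str:
    """Assumed decision rule: take the branch with the higher expected value,
    but drop any branch whose adverse case breaches the loss limit while the
    other branch stays within it."""
    summary = evaluate(cases, tolerable_loss_limit)
    tolerable = {k: v for k, v in summary.items() if v["within_tolerance"]}
    pool = tolerable or summary  # if both breach, fall back to expected value alone
    return max(pool, key=lambda k: pool[k]["expected_value"])


# Constructed example (hypothetical figures) for a $100,000 process change.
FOUR_CASES = [
    Case(change=True, positive=True, probability=0.7, value=80_000),     # planned gain achieved
    Case(change=True, positive=False, probability=0.3, value=-130_000),  # outlay plus reduced output
    Case(change=False, positive=True, probability=0.8, value=10_000),    # learning-curve gain
    Case(change=False, positive=False, probability=0.2, value=-60_000),  # lost output
]

if __name__ == "__main__":
    for limit in (100_000, 150_000):
        print(f"loss limit {limit}: recommend '{recommend(FOUR_CASES, limit)}'")
```

With a $100,000 limit the change branch is rejected despite its higher expected value, because its adverse case exceeds what the organization can absorb; raise the limit to $150,000 and the recommendation flips.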

Mitigation


64

Risk mitigation
Risk mitigation (handling) is deciding what to do about each of the risks assessed as important to your project, implementing the changes and documenting the (planned) response.

65

Risk mitigation
• How do I reduce my risk?
• Risk is a function of probability of success (or lack) and value of success (or cost)
• Either reduce the chance of failure or reduce the cost of failure

66

Risk mitigation treatments
• Risk avoidance
• Risk reduction
• Risk retention
• Risk transfer

67

Risk mitigation treatments
• Risk avoidance
Includes not performing an activity that could carry risk. An example would be not buying a property or business in order to not take on the liability that comes with it. Another would be not flying in order to not take the risk that the airplane were to be hijacked. Avoidance may seem the answer to all risks, but avoiding risks also means losing out on the potential gain that accepting (retaining) the risk may have allowed. Not entering a business to avoid the risk of loss also avoids the possibility of earning profits.
from Wikipedia

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples include sprinklers designed to put out a fire to reduce the risk of loss by fire.
• Modern software development methodologies reduce risk by developing and delivering software incrementally. Early methodologies suffered from the fact that they only delivered software in the final phase of development; any problems encountered in earlier phases meant costly rework and often jeopardized the whole project.
from Wikipedia

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia
James August, CQA 01/21/09

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
James August, CQA 01/21/09

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools





Design for Six Sigma
Investment hedging
Concurrent Engineering
Employee education & training

James August, CQA 01/21/09

72

Risk mitigation
• Some mitigation approaches for core
processes





Published financial documents – open review
Probability weighted Sales forecasts
Raw material cost projections
FTA and FMEA for design and process
• simulations and prototyping

– Inventory ABC analysis
James August, CQA 01/21/09

73

Risk mitigation
• and







Freight carrier performance statistics
Statistical Process Control
Electronic surveillance
Hedging
Invoice aging analysis and variance
Process check lists

James August, CQA 01/21/09

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for GrowthTM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
James August, CQA 01/21/09

from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)

James August, CQA 01/21/09

78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks

James August, CQA 01/21/09

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)

James August, CQA 01/21/09

80

Risk evaluation revisited
• Re-evaluate costs and benefit
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE to to
controlled recovery

James August, CQA 01/21/09

81

Conclusions

James August, CQA 01/21/09

82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)
James August, CQA 01/21/09

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:

Control
Mitigate
Evaluate
Identify
Define
James August, CQA 01/21/09

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations

James August, CQA 01/21/09

85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists





Non-financial indexes (FMEA, cp, etc)
Financial calculations (ROI, etc)
SPC
...

James August, CQA 01/21/09

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car
James August, CQA 01/21/09

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009

James August, CQA 01/21/09

88

(Four Case)
Risk Management Analysis
Thank you
Questions?

James August, CQA 01/21/09

89


Slide 69

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
[Chart: vertical axis "Value accrued (+/-)", horizontal axis "Cost of action". The four quadrants:
– small cost, small gains
– big cost, big gains
– small cost, small losses
– big cost, big losses]

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues

Risk definition
[Chart: the same "Value accrued (+/-)" vs. "Cost of action" quadrants, now annotated:
– small cost, big gains: "no brainer"
– big cost, big gains
– small cost, small gains
– small cost, small losses
– big cost, big losses: "not a good idea"
The tolerable loss limit is marked on the loss side of the chart.]

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures


Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.


Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level

Identification


Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.

Risk identification
What is at risk?


Risk identification
What is at risk?
Achieving your objectives!


Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008

Risk identification
• core business op’ns & processes
– acquire new customers
– take orders
– procure materials
– create products, manage inventories
– deliver products
– collect payments

Risk identification
• core sales sub-processes
– market research
– pricing
– promotion and advertising
– order taking (order entry)
– warranty management

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection


Risk identification
• core operations sub-processes
– materials sourcing (availability)
– quality control (product & process)
– plant & workplace safety
– environmental concerns
– inventory
– logistics and transport

Risk identification
• core finance sub-processes
– budgeting
– accounts receivable and payable
– banking
– currency exchange
– MIS and IT processes

Risk identification
• support business processes
– strategic planning
– brand management
– facilities and infrastructure management
– process engineering
– capital investment
– asset management

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, SOx, ...)
– supplier evaluation, management

Risk identification
• support business sub-processes
– quality assurance
– predictive/ preventive maintenance
– recruitment, compensation
– employee relations (work stoppages)
– employee performance mgt
– payroll, benefits, ...

Risk identification
• other business areas
– outplacement
– employee well-being
– insurance
– mergers & acquisitions
– construction / expansion

Risk identification
• SWOT analysis is a sorting method for identifying and prioritizing risks:
– Strengths
– Weaknesses
– Opportunities
– Threats

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...

Evaluation


Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?


Risk evaluation
Risk matrix: severity across, frequency down (cell codes as on the slide, from lowest to highest risk rating: T, L, I, H)

Frequency    | Negligible | Minor | Major | Severe
-------------+------------+-------+-------+-------
Frequent     | L          | I     | H     | H
Probable     | L          | I     | H     | H
Occasional   | T          | I     | I     | H
Remote       | T          | L     | I     | I


Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis (FMEA)
– RPN = Severity x Occurrence x Detection, each rated on a 1–10 scale
– Criterion: compare each RPN against an action threshold (100 is a common choice); items above the threshold are mitigated first

Risk evaluation
• Typical approaches for quantification
– Weighted probabilities
– Extended cost
– Future Value or Net Present Value
– Capability analysis
– Value stream mapping
– Cost of poor quality
– Discounted Cash Flow
– Internal Rate of Return

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency


Risk evaluation
Financial measures of cost/benefit (c/b)

• Return on Investment (ROI)
• Net benefit/cost (B/C) ratio = (PV of benefits – PV of operating costs) / PV of capital costs

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.

Risk evaluation

• NPV = a_0 + a_1/(1+i) + a_2/(1+i)^2 + a_3/(1+i)^3 + ...

• Where a_t is the net cash flow in period t (a_0, the up-front outlay, is usually negative and is not discounted) and i is the discount rate per period

Risk evaluation
Financial measures of c/b
• Discounted cash flow (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR has no closed-form algebraic solution; it has to be
found numerically, by iterative (trial-and-error) methods.

Risk evaluation
Financial measures of c/b
• IRR
The value of i such that \sum_{t=1}^{p} a_t/(1+i)^t = 0

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

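As an added worked example (not from the presentation), here are the NPV and IRR calculations of the preceding slides in Python. Cash flows are indexed from t = 0 with a_0 the undiscounted up-front amount, as on the NPV slide; the IRR is found by bisection, which is the trial-and-error search the slides describe made systematic. The control investment and its cash-flow figures are constructed for illustration.

```python
"""NPV and IRR for a cash-flow stream, in the slides' notation.

a_0 is the period-0 amount (normally the negative up-front cost of the
change), a_t for t >= 1 the net cash flow at the end of period t, and i the
discount rate.  NPV = sum a_t / (1 + i)^t; IRR is the i at which NPV = 0.
"""
from typing import Sequence


def npv(rate: float, cash_flows: Sequence[float]) -> float:
    """NPV = a0 + a1/(1+i) + a2/(1+i)^2 + ...  (a0 is not discounted)."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


def irr(cash_flows: Sequence[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-9, max_iter: int = 200) -> float:
    """Discount rate at which npv() is zero, found by bisection.

    There is no closed form for the root of the NPV polynomial, so this is
    the 'trial and error' the slides mention, done systematically.  It needs
    NPV to change sign between lo and hi, which holds for a conventional
    stream (one outflow first, inflows afterwards).  Other streams may have
    zero or several IRRs; the ValueError is the signal to fall back on NPV
    at the organization's cost of capital instead.
    """
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        raise ValueError("NPV does not change sign on [lo, hi]: IRR undefined or not unique")
    for _ in range(max_iter):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol or (hi - lo) < tol:
            return mid
        if f_lo * f_mid < 0.0:   # root lies in [lo, mid]
            hi, f_hi = mid, f_mid
        else:                    # root lies in [mid, hi]
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


# Constructed example (not from the slides): a security control costing
# 100,000 up front that is expected to avoid 40,000 of losses in each of
# the next four years.
CONTROL_CASH_FLOWS = [-100_000.0, 40_000.0, 40_000.0, 40_000.0, 40_000.0]
COST_OF_CAPITAL = 0.10  # hurdle rate assumed for the example


def evaluate_control(cash_flows: Sequence[float] = CONTROL_CASH_FLOWS,
                     rate: float = COST_OF_CAPITAL) -> dict:
    """NPV at the hurdle rate, IRR, and the accept/reject reading of both."""
    value = npv(rate, cash_flows)
    rate_of_return = irr(cash_flows)
    return {
        "npv": value,
        "irr": rate_of_return,
        # For a conventional stream the two tests agree: NPV > 0 exactly when IRR > hurdle rate.
        "accept": value > 0.0 and rate_of_return > rate,
    }


if __name__ == "__main__":
    result = evaluate_control()
    print(f"NPV at {COST_OF_CAPITAL:.0%}: {result['npv']:,.2f}")
    print(f"IRR: {result['irr']:.2%}  accept={result['accept']}")
```

If you check these numbers against a spreadsheet, note that Excel's NPV() function discounts its first value as period 1, so the slide's formula corresponds to a_0 + NPV(i, a_1:a_p), while Excel's IRR() does treat the first value as the undiscounted period-0 amount.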


Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results

Risk evaluation
[Chart: vertical axis "Value accrued (+/-)", horizontal axis "Change implementation". The four cases:
– no change, positive outcome
– change, positive outcome
– no change, negative outcome
– change, negative outcome]

Risk evaluation
• Use the risk valuation method preferred by your organization (ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four risk cases.
• Keep in mind the organization's tolerable loss limit (risk tolerance).
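The four-case comparison above, as an added example that is not part of the presentation: each option (change or no change) is scored on its probability-weighted expected value, and its worst case is checked against the tolerable loss limit before the expected values are compared. The MFA-rollout scenario, its probabilities and dollar figures are constructed for illustration.

```python
"""Four-case risk evaluation: change vs. no change, each with a positive and
a negative outcome, compared on expected value and against the tolerable
loss limit.  The scenario numbers are constructed, not from the slides.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Option:
    name: str              # "change" (ITP) or "no change" (RTP)
    cost_of_action: float  # up-front cost; 0 or nearly 0 for doing nothing
    p_positive: float      # probability the outcome turns out as planned
    value_positive: float  # value accrued if it does (gain, > 0)
    value_negative: float  # value accrued if it does not (loss, < 0)


@dataclass(frozen=True)
class Case:
    option: str
    outcome: str
    probability: float
    net_value: float       # value accrued minus cost of action


def four_cases(change: Option, no_change: Option) -> List[Case]:
    """The 2x2 of the slides: {change, no change} x {positive, negative}."""
    cases: List[Case] = []
    for opt in (change, no_change):
        if not 0.0 <= opt.p_positive <= 1.0:
            raise ValueError(f"{opt.name}: probability must lie in [0, 1]")
        cases.append(Case(opt.name, "positive", opt.p_positive,
                          opt.value_positive - opt.cost_of_action))
        cases.append(Case(opt.name, "negative", 1.0 - opt.p_positive,
                          opt.value_negative - opt.cost_of_action))
    return cases


def summarise(cases: List[Case], tolerable_loss_limit: float) -> Dict[str, dict]:
    """Expected value and worst case per option, worst case checked against the limit.

    The limit is a positive dollar amount (the most you can afford to lose).
    An option whose worst case loses more than that fails the check however
    attractive its expected value looks.
    """
    out: Dict[str, dict] = {}
    for name in {c.option for c in cases}:
        mine = [c for c in cases if c.option == name]
        expected = sum(c.probability * c.net_value for c in mine)
        worst = min(c.net_value for c in mine)
        out[name] = {
            "expected_value": expected,
            "worst_case": worst,
            "within_loss_limit": worst >= -tolerable_loss_limit,
        }
    return out


def recommend(change: Option, no_change: Option,
              tolerable_loss_limit: float) -> Tuple[Optional[str], Dict[str, dict]]:
    """Best expected value among the options that stay inside the loss limit."""
    summary = summarise(four_cases(change, no_change), tolerable_loss_limit)
    acceptable = [n for n, s in summary.items() if s["within_loss_limit"]]
    if not acceptable:
        return None, summary   # neither option is tolerable: escalate rather than pick
    return max(acceptable, key=lambda n: summary[n]["expected_value"]), summary


# Constructed scenario: roll out multi-factor authentication (the change) or
# keep running on passwords alone (no change).  All figures are illustrative.
MFA_ROLLOUT = Option("change", cost_of_action=60_000, p_positive=0.8,
                     value_positive=150_000,   # avoided account-takeover losses
                     value_negative=-40_000)   # rollout disruption, help-desk load
STATUS_QUO = Option("no change", cost_of_action=5_000, p_positive=0.7,
                    value_positive=10_000,     # staff slowly get better at spotting phishing
                    value_negative=-300_000)   # a credential-based breach
TOLERABLE_LOSS_LIMIT = 250_000

if __name__ == "__main__":
    pick, summary = recommend(MFA_ROLLOUT, STATUS_QUO, TOLERABLE_LOSS_LIMIT)
    for name, s in summary.items():
        print(f"{name:10s} EV={s['expected_value']:>10,.0f} "
              f"worst={s['worst_case']:>10,.0f} within limit={s['within_loss_limit']}")
    print("recommend:", pick)
```

In the constructed scenario the "no change" option has the smaller cost of action but its negative case breaches the loss limit, so it is excluded before expected values are compared; that is the point of the "not a good idea" quadrant on the earlier chart.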

Mitigation


Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.


Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure

Risk mitigation treatments
• Risk avoidance
• Risk reduction
• Risk retention
• Risk transfer

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
not to take on the liability that comes with it. Another would
be not flying in order not to take the risk that the airplane
might be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also, any amount of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

Risk mitigation
• Some mitigation approaches for core processes
– Published financial documents – open review
– Probability weighted sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for GrowthTM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

Evaluation
(re-evaluation after control)


Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate the loss from a single occurrence of each risk
(the single-loss expectancy)
– determine the expected annual frequency of occurrence
– multiply the two to get the raw Annual Loss Exposure
(raw ALE) for each risk, and sum over all risks

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)


Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine the effectiveness of mitigation by
recalculating the Annual Loss Exposure assuming
all controls are working
– Determine the cost of the risk-mitigating controls
– Determine the improvement in ALE due to the controls
(raw ALE minus controlled ALE) and compare it with
their annual cost
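The re-evaluation steps above, as an added example that is not part of the presentation: ALE per risk is the single-loss expectancy times the annualized rate of occurrence, each control scales the occurrence rate or the loss size of the risks it addresses (the two levers from the "reduce the chance of failure or reduce the cost of failure" slide), and raw and controlled ALE are compared with the controls' annual cost. The risk inventory, the control effects and the dollar figures are constructed for illustration.

```python
"""Annual Loss Exposure before and after controls.

ALE for one risk = single-loss expectancy (SLE, the loss from one
occurrence) x annualized rate of occurrence (ARO).  A control lowers the
ARO (reduces the chance of failure) and/or the SLE (reduces the cost of
failure); its value is the ALE it removes minus what it costs per year.
The risks, controls and figures below are constructed, not from the slides.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float   # dollars lost per occurrence
    aro: float   # expected occurrences per year (may be below 1)

    @property
    def ale(self) -> float:
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # risk name -> (multiplier on ARO, multiplier on SLE) while the control works
    effect: Dict[str, Tuple[float, float]]


def raw_ale(risks: List[Risk]) -> float:
    """Sum of ALE over all risks with no controls assumed."""
    return sum(r.ale for r in risks)


def apply_controls(risks: List[Risk], controls: List[Control]) -> List[Risk]:
    """Residual risks assuming every listed control works as claimed."""
    residual: List[Risk] = []
    for r in risks:
        aro, sle = r.aro, r.sle
        for c in controls:
            aro_mult, sle_mult = c.effect.get(r.name, (1.0, 1.0))
            for m in (aro_mult, sle_mult):
                if not 0.0 <= m <= 1.0:
                    raise ValueError(f"{c.name}: multipliers must lie in [0, 1]")
            aro *= aro_mult
            sle *= sle_mult
        residual.append(Risk(r.name, sle, aro))
    return residual


def control_value(risks: List[Risk], controls: List[Control]) -> Dict[str, float]:
    """Raw vs. controlled ALE, total control cost, and the net annual benefit."""
    before = raw_ale(risks)
    after = raw_ale(apply_controls(risks, controls))
    cost = sum(c.annual_cost for c in controls)
    return {
        "raw_ale": before,
        "controlled_ale": after,
        "ale_reduction": before - after,
        "control_cost": cost,
        "net_benefit": before - after - cost,  # negative: controls cost more than they save
    }


def per_control_net(risks: List[Risk], controls: List[Control]) -> Dict[str, float]:
    """Net annual benefit of each control on its own, to prune the ones that do not pay."""
    return {c.name: control_value(risks, [c])["net_benefit"] for c in controls}


# Constructed inventory: three risks, three controls.
RISKS = [
    Risk("account takeover via phishing", sle=50_000, aro=2.0),
    Risk("ransomware outbreak", sle=400_000, aro=0.25),
    Risk("lost or stolen laptop", sle=8_000, aro=5.0),
]
CONTROLS = [
    Control("phishing-resistant MFA", 30_000, {"account takeover via phishing": (0.1, 1.0)}),
    Control("offline, tested backups", 20_000, {"ransomware outbreak": (1.0, 0.25)}),
    Control("full-disk encryption", 5_000, {"lost or stolen laptop": (1.0, 0.1)}),
]

if __name__ == "__main__":
    for k, v in control_value(RISKS, CONTROLS).items():
        print(f"{k:16s} {v:>12,.0f}")
    for name, net in per_control_net(RISKS, CONTROLS).items():
        print(f"  {name:28s} net {net:>10,.0f}")
```

The per-control figures matter as much as the total: a control whose annual cost exceeds the ALE it removes has a negative net benefit and belongs in the "not a good idea" quadrant even when the portfolio of controls as a whole pays off.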

Conclusions


Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:
– Define
– Identify
– Evaluate
– Mitigate
– Control

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations


Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, Cp, etc.)
– Financial calculations (ROI, etc.)
– SPC
– ...

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from Joe Nocera (on Nassim Taleb), “Risk Mismanagement”,
The New York Times Magazine, p. 28, Jan. 4, 2009

(Four Case)
Risk Management Analysis
Thank you
Questions?



Slide 70

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
The value of "i" such that Σ (t = 1 to p) a_t / (1+i)^t = 0

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?"
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
James August, CQA 01/21/09

61

Risk evaluation
[Figure: value accrued (+/-) plotted against change implementation, with the four cases as quadrants: no change / positive outcome, change / positive outcome, no change / negative outcome, change / negative outcome.]

James August, CQA 01/21/09

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
James August, CQA 01/21/09

63
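The NPV and IRR calculations of slides 53 to 58 and the four-case comparison against the loss limit of slides 61 to 63, as an added Python example that is not part of the original deck. The cash flows, the 8% cost of capital and the loss limit of 80 are constructed sample values, and IRR is found by bisection, one form of the trial-and-error search the slides describe.

```python
"""NPV, IRR and the four-case comparison (added example, not from the deck).

Symbols follow slides 53 and 57: a_t is the net cash flow in period t and
i is the discount rate.  All figures below are constructed sample values.
"""
from typing import Dict, List, Sequence


def npv(cash_flows: Sequence[float], i: float) -> float:
    """NPV = a0 + a1/(1+i) + a2/(1+i)^2 + ... ; a0 is the undiscounted outlay."""
    return sum(a_t / (1.0 + i) ** t for t, a_t in enumerate(cash_flows))


def irr(cash_flows: Sequence[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-9, max_iter: int = 200) -> float:
    """The rate i at which NPV is zero (slide 56), found by bisection.

    There is no closed form, so this is the 'trial and error' search the
    slides mention: the bracket [lo, hi] is halved until NPV is within tol
    of zero.  A conventional stream (outlay first, inflows later) has NPV > 0
    at lo and NPV < 0 at hi; if the sign does not change there is no IRR in
    the bracket (for example a stream that is negative in every period).
    """
    f_lo, f_hi = npv(cash_flows, lo), npv(cash_flows, hi)
    if f_lo * f_hi > 0:
        raise ValueError("NPV has the same sign at lo and hi; no IRR in bracket")
    for _ in range(max_iter):
        mid = (lo + hi) / 2.0
        f_mid = npv(cash_flows, mid)
        if abs(f_mid) < tol or (hi - lo) / 2.0 < tol:
            return mid
        if f_lo * f_mid < 0:      # root lies in the lower half
            hi, f_hi = mid, f_mid
        else:                     # root lies in the upper half
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


# Constructed sample: a process change with a 100 outlay (say $k) evaluated
# over three periods.  Assumed cost of capital 8%, assumed tolerable loss
# limit 80 (the organisation's risk-tolerance loss limit, slides 20 and 63).
COST_OF_CAPITAL = 0.08
LOSS_LIMIT = 80.0

FOUR_CASES: Dict[str, List[float]] = {
    # case 1: implement the change, planned results achieved
    "change, positive outcome": [-100.0, 60.0, 60.0, 60.0],
    # case 2: implement the change, adverse (unplanned) results
    "change, negative outcome": [-100.0, -20.0, 10.0, 10.0],
    # case 3: do nothing (ongoing costs only), learning-curve improvement
    "no change, positive outcome": [0.0, 5.0, 8.0, 10.0],
    # case 4: do nothing and get adverse results
    "no change, negative outcome": [0.0, -30.0, -40.0, -50.0],
}


def evaluate_four_cases(cases: Dict[str, List[float]], i: float,
                        loss_limit: float) -> Dict[str, dict]:
    """NPV of each case and whether it stays inside the tolerable loss limit.

    loss_limit is a positive amount; a case breaches it when its NPV falls
    below -loss_limit.  The comparison is what slide 63 asks for: the same
    valuation method applied to all four cases, read against the loss limit.
    """
    results = {}
    for name, flows in cases.items():
        value = npv(flows, i)
        results[name] = {"npv": round(value, 2),
                         "within_limit": value >= -loss_limit}
    return results


if __name__ == "__main__":
    for name, res in evaluate_four_cases(FOUR_CASES, COST_OF_CAPITAL,
                                         LOSS_LIMIT).items():
        flag = "" if res["within_limit"] else "  <- exceeds loss limit"
        print(f"{name:30s} NPV = {res['npv']:9.2f}{flag}")
    planned = FOUR_CASES["change, positive outcome"]
    print(f"IRR of the planned change: {irr(planned):.4f}")
```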

Mitigation

James August, CQA 01/21/09

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

James August, CQA 01/21/09

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
James August, CQA 01/21/09

66

Risk mitigation treatments
• Risk avoidance
• Risk reduction
• Risk retention
• Risk transfer

James August, CQA 01/21/09

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
James August, CQA 01/21/09

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia
James August, CQA 01/21/09

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amount of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia
James August, CQA 01/21/09

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
James August, CQA 01/21/09

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

James August, CQA 01/21/09

72

Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability weighted Sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis
James August, CQA 01/21/09

73

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

James August, CQA 01/21/09

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

77

Evaluation
(re-evaluation after control)

James August, CQA 01/21/09

78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks

James August, CQA 01/21/09

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)

James August, CQA 01/21/09

80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to
controlled recovery

James August, CQA 01/21/09

81
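The ALE re-evaluation of slides 79 to 81 (raw ALE, ALE with all controls working, cost of the controls and the resulting improvement), as an added Python example that is not part of the original deck. The risk register and all its loss, frequency and control-cost figures are constructed assumptions, and the per-risk ratio at the end is an added check rather than something the slides define.

```python
"""Annual Loss Exposure before and after controls (added example, not from the deck).

Implements the re-evaluation of slides 79 to 81: raw ALE = loss x frequency
summed over all risks, ALE recalculated with all controls working, the cost
of those controls and the resulting improvement.  The register is
constructed sample data; every figure in it is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Risk:
    name: str
    loss_per_event: float        # estimated loss each time the risk occurs ($)
    frequency: float             # expected occurrences per year, uncontrolled
    controlled_loss: float       # loss per event with controls working ($)
    controlled_frequency: float  # occurrences per year with controls working
    control_cost: float          # annual cost of the mitigating controls ($)


def raw_ale(risks: List[Risk]) -> float:
    """Raw ALE: loss x frequency for each risk, summed over all risks (slide 79)."""
    return sum(r.loss_per_event * r.frequency for r in risks)


def controlled_ale(risks: List[Risk]) -> float:
    """ALE recalculated assuming all controls are working (slide 81)."""
    return sum(r.controlled_loss * r.controlled_frequency for r in risks)


def control_cost(risks: List[Risk]) -> float:
    """Total annual cost of the risk-mitigating controls (slide 81)."""
    return sum(r.control_cost for r in risks)


def mitigation_summary(risks: List[Risk]) -> Dict[str, float]:
    """Effectiveness of mitigation: ALE improvement, its cost, net annual benefit."""
    before, after, cost = raw_ale(risks), controlled_ale(risks), control_cost(risks)
    return {
        "raw_ale": before,
        "controlled_ale": after,
        "ale_improvement": before - after,
        "control_cost": cost,
        "net_benefit": before - after - cost,
    }


def per_risk_roi(risk: Risk) -> float:
    """ALE reduction per dollar of control cost for one risk (added check).

    A value below 1.0 means the control costs more per year than the exposure
    it removes, the situation slide 70 describes as a candidate for risk
    retention rather than treatment.
    """
    reduction = (risk.loss_per_event * risk.frequency
                 - risk.controlled_loss * risk.controlled_frequency)
    return reduction / risk.control_cost if risk.control_cost else float("inf")


def controls_worth_keeping(risks: List[Risk]) -> List[str]:
    """Names of the risks whose controls remove at least as much ALE as they cost."""
    return [r.name for r in risks if per_risk_roi(r) >= 1.0]


# Constructed sample register (all values are illustrative assumptions).
SAMPLE_REGISTER: List[Risk] = [
    Risk("ransomware outbreak on file servers", 400_000, 0.25, 150_000, 0.05, 60_000),
    Risk("substandard raw material accepted", 20_000, 4.0, 20_000, 1.0, 15_000),
    Risk("commercially sensitive pricing data leaked", 250_000, 0.1, 250_000, 0.02, 10_000),
]


if __name__ == "__main__":
    for key, value in mitigation_summary(SAMPLE_REGISTER).items():
        print(f"{key:16s} ${value:>12,.0f}")
    for r in SAMPLE_REGISTER:
        print(f"{r.name:45s} ALE reduction per $ of control: {per_risk_roi(r):.2f}")
```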

Conclusions

James August, CQA 01/21/09

82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)
James August, CQA 01/21/09

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:

– Define
– Identify
– Evaluate
– Mitigate
– Control
James August, CQA 01/21/09

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations

James August, CQA 01/21/09

85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, cp, etc)
– Financial calculations (ROI, etc)
– SPC
– ...

James August, CQA 01/21/09

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding
– Investments
• Home
• Car
James August, CQA 01/21/09

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009

James August, CQA 01/21/09

88

(Four Case)
Risk Management Analysis
Thank you
Questions?

James August, CQA 01/21/09

89


Slide 71

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
p



The value of "i" such that  at / (1+i) t = 0
t=1

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
James August, CQA 01/21/09

61

Risk evaluation
V a lu e a ccru e d (+ /-)

N o ch an ge
P ositive ou tcom e

C h an ge
P ositive ou tcom e

C h a n g e im p le m e n ta tio n

N o ch an ge
N egative ou tcom e

James August, CQA 01/21/09

C h an ge
N egative ou tcom e

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
James August, CQA 01/21/09

63

Mitigation

James August, CQA 01/21/09

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

James August, CQA 01/21/09

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
James August, CQA 01/21/09

66

Risk mitigation treatments





James August, CQA 01/21/09

Risk avoidance
Risk reduction
Risk retention
Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
James August, CQA 01/21/09

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia
James August, CQA 01/21/09

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia
James August, CQA 01/21/09

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
James August, CQA 01/21/09

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools





Design for Six Sigma
Investment hedging
Concurrent Engineering
Employee education & training

James August, CQA 01/21/09

72

Risk mitigation
• Some mitigation approaches for core
processes





Published financial documents – open review
Probability weighted Sales forecasts
Raw material cost projections
FTA and FMEA for design and process
• simulations and prototyping

– Inventory ABC analysis
James August, CQA 01/21/09

73

Risk mitigation
• and







Freight carrier performance statistics
Statistical Process Control
Electronic surveillance
Hedging
Invoice aging analysis and variance
Process check lists

James August, CQA 01/21/09

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for GrowthTM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
James August, CQA 01/21/09

from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)

James August, CQA 01/21/09

78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks

James August, CQA 01/21/09

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)

James August, CQA 01/21/09

80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by recalculating Annual Loss Exposure assuming all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to controlled recovery

Conclusions

Risk management conclusions
• Every process has risk, even when just maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be done by combined cost/benefit comparisons
• Assessment of ongoing processes must be expressed in comparison with expected costs and results
• There is no simple single calculation for risk assessment (FMEA, ROI, …)

Risk management conclusions
After you identify a potential risk, take the five steps to risk management:
(1) Define
(2) Identify
(3) Evaluate
(4) Mitigate
(5) Control

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions, as they can hide substantial risk
• Consider all four risk cases
• When appropriate, support your assessment with recognized c/b calculations

Risk management conclusions
• Process control - the mitigation tool for the risk management process
– Check lists
– Non-financial indexes (FMEA, cp, etc.)
– Financial calculations (ROI, etc.)
– SPC
– ...

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding
– Investments
• Home
• Car

Risk management conclusions
“... the greatest risks are never the ones you can see and measure, but the ones you can’t see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”, New York Times Sunday Times Magazine pg 28, Jan 4 2009

(Four Case)
Risk Management Analysis
Thank you
Questions?

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business risk?
• Risk identification - where are my risks hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know that my actions were effective?

(Four Case)
Risk Management Analysis
• Risk management is a process
• The process has parallels with DMAIC and PDCA

Definition

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of protection and the level of protection you should be at.”
• “An assumption that you cannot verify is a risk.” Adolfo Ferreira

Risk definition
• A comparator accruing from the likelihood of specific endeavor outcomes, its magnitude being a function of the possible consequences of the endeavor and the probabilities associated with those consequences.

Risk definition
• Risk = f(magnitude) x f(likelihood) = severity x frequency of occurrence
• high risk outcome = fruits of opportunity or devastating result
• compare with FMEA: RPN = severity x occurrence x detectability

Risk definition
• Two occasions for which risk should be calculated: RTP and ITP
– RTP (run the process): core processes which must be maintained to keep the current business performance level
– ITP (improve the process): processes which may be improved, increasing the performance level

Risk definition
• Risk appetite: the amount of risk that you are willing to accept
• Risk tolerance: the limits of outcomes that you are willing to accept

Risk definition
• There are two sides to every risk calculation - the positive potential and the negative potential.
• Both must be calculated.
• Costs can be small or large

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $
– value of continued output
– value of lost output

Risk definition
• These are the four cases that should be considered as part of a risk management methodology.

Risk definition
[Figure: the four risk cases plotted as value accrued (+/-) against cost of action]
– big cost, big gains
– small cost, small gains
– small cost, small losses
– big cost, big losses

Risk definition examples
• Buy a 50-50 ticket: high chance of winning (only a few dozen sold) at a low cost of entry but low return.
• Buy a lottery ticket: low chance of winning but if you hit … it’s millions of dollars!
• Buy a second house for investment: high chance of eventually getting a good return but with a high cost of entry.

Risk definition
• Your tolerable loss limit (risk tolerance) is an estimate of the maximum you can afford to lose in the worst case scenario
• It is a number (generally expressed in dollars) and could be based on an organization's expected profits or revenues

Risk definition
[Figure: the four risk cases plotted as value accrued (+/-) against cost of action, with the tolerable loss limit drawn as a line on the loss side]
– small cost, big gains: “no brainer”
– big cost, big gains
– small cost, small gains
– small cost, small losses
– big cost, big losses: “not a good idea”

Risk management definition
A formal process used for identifying hazards associated with a product/service, estimating and evaluating the associated risks, controlling those risks, and monitoring the effectiveness of the control.

RM provides a rational foundation for decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18

Risk management definition
• Risk assessment, as defined by the IIA Standards for the Professional Practice of Internal Auditing, is a systematic process for assessing and integrating professional judgments about probable adverse conditions or events. Risk impacts an organization’s ability to compete and to maintain its financial strength and the quality of its products and services. It’s the internal auditor’s job to identify all auditable activities and relevant risk factors and to assess their significance.

Risk management system
• Risk management is another management system to be fused into your organization. It has structure:
– Objectives and goals
– Policies
– Procedures

Risk management policy
• Risk mitigation (intervention) is deciding what to do about each of the risks assessed as important to your (management or project) objectives, implementing the changes and documenting the planned response.

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools
– Risk mitigation or reduction
• treatment selection
• application of remedy tools
– Risk control at the new level

Identification

Risk identification
• Where are my risks?
• Which are “run the process” risks and which are “improve the process” risks?
• RTP risks tend to have little upside but huge downside.
• ITP risks tend to have large upside and measurable downside.

Risk identification
What is at risk?
Achieving your objectives!

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”, Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008

Risk identification
• core business op’ns & processes
– acquire new customers
– take orders
– procure materials
– create products, manage inventories
– deliver products
– collect payments

Risk identification
• core sales sub-processes
– market research
– pricing
– promotion and advertising
– order taking (order entry)
– warranty management

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

Risk identification
• core operations sub-processes
– materials sourcing (availability)
– quality control (product & process)
– plant & workplace safety
– environmental concerns
– inventory
– logistics and transport

Risk identification
• core finance sub-processes
– budgeting
– accounts receivable and payable
– banking
– currency exchange
– MIS and IT processes

Risk identification
• support business processes
– strategic planning
– brand management
– facilities and infrastructure management
– process engineering
– capital investment
– asset management

Risk identification
• support business sub-processes
– communications
– knowledge management: training and education
– materials management and logistics
– legal/regulatory reporting (FDA, SOx, ...)
– supplier evaluation, management

Risk identification
• support business sub-processes
– quality assurance
– predictive/preventive maintenance
– recruitment, compensation
– employee relations (work stoppages)
– employee performance mgt
– payroll, benefits, ...

Risk identification
• other business areas
– outplacement
– employee well-being
– insurance
– mergers & acquisitions
– construction / expansion

Risk identification
• SWOT analysis is a sorting method for identifying and prioritizing risks.
– Strengths
– Weaknesses
– Opportunities
– Threats

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses
– Historical information - lessons learned
– Templates: critical path, engineering, ...

Evaluation

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

Risk evaluation
Risk matrix: frequency (rows) against severity (columns)

Frequency    Negligible  Minor  Major  Severe
Frequent     L           I      H      H
Probable     L           I      H      H
Occasional   T           I      I      H
Remote       T           L      I      I

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criterion: is RPN above or below 100, where
– RPN = Severity x Frequency x Detectability

Risk evaluation
• Typical approaches for quantification
– Weighted probabilities
– Extended cost
– Future Value or Net Present Value
– Capability analysis
– Value stream mapping
– Cost of poor quality
– Discounted Cash Flow
– Internal Rate of Return

Risk evaluation
• Project justification
– Develop meaningful (financial?) performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from time and material invested
– may be based on estimates of increased sales or improved process efficiency

Risk evaluation
Financial measures of c/b
• Return on Investment (ROI)
Net B/C ratio = (PV of benefits – PV of operating costs) / PV of capital costs

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis period, adjusted to reflect the time value of money. Other things being equal, the action or investment with the larger NPV is the better option. NPV uses the Present Value concept, the idea that money you have now is worth more than an identical amount received in the future.

Risk evaluation
• NPV = a0 + a1/(1+i) + a2/(1+i)^2 + a3/(1+i)^3 + ...
• where a_t is the net return in period t and i is the discount rate per period

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a method to value a project, company, or financial asset using the concepts of the time value of money. All future cash flows are estimated and discounted to give them a present value. The discount rate used is generally the appropriate cost of capital, and incorporates judgments of the uncertainty (riskiness) of the future cash flows.

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)
IRR (like NPV) is a financial metric that reflects the time value of money. The meaning of IRR is less obvious to most people, but IRR is nevertheless often used as a central decision criterion among financial specialists. As the word "Return" implies, the IRR view of the cash flow stream is essentially an investment view: money will be paid out and compared to returns.

Risk evaluation
• The internal rate of return (IRR) is the interest rate such that the discounted sum of net cash flows is zero. If the interest rate were equal to the IRR, the net present value would be exactly zero. The IRR cannot be determined by an algebraic formula, but rather has to be approximated by trial and error methods.

Risk evaluation
Financial measures of c/b
• IRR
The value of "i" such that the sum over t = 1 .. p of a_t / (1+i)^t = 0

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which the total present value of future cash flows equals the cost of the investment."
• 2. "The IRR for an investment is the discount rate that produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates have to climb (the discount rate for NPV calculations) in order for the PV of gains to just cover the PV of costs?"
• The answer in each case is an interest rate; the higher the interest rate (that is, the higher the IRR), the more robust the investment and the better the returns compare to the costs.
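
As an added example, not code from the deck or from any tool it names, the following Python carries the financial measures above (NPV, IRR found by bisection, which is the trial-and-error search the deck describes, and the net B/C ratio) through the re-evaluation steps from the "Risk evaluation revisited" slides: raw ALE, ALE with all controls working, cost of the controls, and the resulting improvement. The risks, controls and dollar figures are constructed sample values; the effect of a control is modelled, as the mitigation slides put it, as either reducing the chance of failure or reducing the cost of failure.

```python
"""Added example, not code from the slide deck: re-evaluate risk after controls.

Formulas taken from the deck:
  raw ALE        = sum over risks of (loss per occurrence x occurrences per year)
  controlled ALE = the same sum with each control's effect on frequency
                   (chance of failure) or severity (cost of failure) applied
  NPV            = a0 + a1/(1+i) + a2/(1+i)^2 + a3/(1+i)^3 + ...
  IRR            = the i for which NPV is zero, found here by bisection
  net B/C ratio  = (PV of benefits - PV of operating costs) / PV of capital costs
All risk, control and cost figures below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    loss_per_event: float     # severity: dollars lost each time the risk occurs
    events_per_year: float    # frequency: expected occurrences per year


@dataclass(frozen=True)
class Control:
    name: str
    applies_to: tuple         # names of the risks this control acts on
    setup_cost: float         # one-time (capital) cost, paid in year 0
    annual_cost: float        # operating cost, paid every year
    freq_factor: float = 1.0  # multiplies events_per_year (reduces chance of failure)
    loss_factor: float = 1.0  # multiplies loss_per_event (reduces cost of failure)


def ale(risks):
    """Annual Loss Exposure: loss x frequency, summed over all risks."""
    return sum(r.loss_per_event * r.events_per_year for r in risks)


def apply_controls(risks, controls):
    """Return the risk list as it looks with every applicable control working.
    A risk with no control keeps its raw figures: that loss is retained."""
    adjusted = []
    for r in risks:
        freq, loss = r.events_per_year, r.loss_per_event
        for c in controls:
            if r.name in c.applies_to:
                freq *= c.freq_factor
                loss *= c.loss_factor
        adjusted.append(Risk(r.name, loss, freq))
    return adjusted


def npv(cash_flows, i):
    """cash_flows[t] is the net amount a_t in period t; period 0 is undiscounted."""
    return sum(a / (1.0 + i) ** t for t, a in enumerate(cash_flows))


def irr(cash_flows, lo=-0.99, hi=10.0, tol=1e-7):
    """Bisection search for the rate at which NPV crosses zero.
    Returns None when NPV has the same sign at both ends of the bracket,
    e.g. a stream with no outlay at all, for which no IRR exists."""
    f_lo, f_hi = npv(cash_flows, lo), npv(cash_flows, hi)
    if f_lo * f_hi > 0:
        return None
    for _ in range(200):
        mid = (lo + hi) / 2.0
        f_mid = npv(cash_flows, mid)
        if abs(f_mid) < tol:
            return mid
        if f_lo * f_mid < 0:      # root lies between lo and mid
            hi, f_hi = mid, f_mid
        else:                     # root lies between mid and hi
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


def evaluate(risks, controls, years, rate):
    """The re-evaluation steps: raw ALE, controlled ALE, cost of controls,
    then the financial measures of the control investment over `years`."""
    raw = ale(risks)
    controlled = ale(apply_controls(risks, controls))
    saving = raw - controlled                     # improvement in ALE per year
    setup = sum(c.setup_cost for c in controls)   # capital cost (period 0)
    opex = sum(c.annual_cost for c in controls)   # operating cost per year
    flows = [-setup] + [saving - opex] * years    # a0, a1, ..., a_years
    pv_benefits = npv([0.0] + [saving] * years, rate)
    pv_opex = npv([0.0] + [opex] * years, rate)
    return {
        "raw_ale": raw,
        "controlled_ale": controlled,
        "ale_improvement": saving,
        "npv": npv(flows, rate),
        "irr": irr(flows),
        "net_bc": (pv_benefits - pv_opex) / setup if setup else None,
    }


# Constructed sample input: three operational risks and two candidate controls.
SAMPLE_RISKS = (
    Risk("ransomware outage", loss_per_event=200_000, events_per_year=0.25),
    Risk("substandard supplier lot", loss_per_event=40_000, events_per_year=2.0),
    Risk("pricing data leak", loss_per_event=150_000, events_per_year=0.1),
)
SAMPLE_CONTROLS = (
    # offline backups shorten the outage: the cost of failure falls to a quarter
    Control("offline backups", ("ransomware outage",), setup_cost=100_000,
            annual_cost=5_000, loss_factor=0.25),
    # supplier audits halve the rate of bad lots: the chance of failure falls
    Control("supplier audits", ("substandard supplier lot",), setup_cost=0,
            annual_cost=10_000, freq_factor=0.5),
)

if __name__ == "__main__":
    result = evaluate(SAMPLE_RISKS, SAMPLE_CONTROLS, years=3, rate=0.10)
    for key, value in result.items():
        print(f"{key:>16}: {value:,.2f}" if value is not None else f"{key:>16}: n/a")
```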

Risk evaluation
• Excel spreadsheets can do PV, NPV, IRR and other financial value calculations.

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b analyses assuming the results are achieved
– implement the change resulting in adverse (unplanned) results
– do nothing (ongoing costs only) and see learning curve improvement
– do nothing and get adverse results

Risk evaluation
[Figure: the four risk cases plotted as value accrued (+/-) against change implementation]
– No change, positive outcome
– Change, positive outcome
– No change, negative outcome
– Change, negative outcome

Risk evaluation
• Use the risk valuation method preferred by your organization (ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four risk cases.
• Keep in mind the organization's risk tolerance loss limit.

Mitigation

Risk mitigation
Risk mitigation (handling) is deciding what to do about each of the risks assessed as important to your project, implementing the changes and documenting the (planned) response.

Risk mitigation
• How do I reduce my risk?
• Risk is a function of probability of success (or lack) and value of success (or cost)
• Either reduce the chance of failure or reduce the cost of failure

Risk mitigation treatments
• Risk avoidance
• Risk reduction
• Risk retention
• Risk transfer

Risk mitigation treatments
• Risk avoidance
• Includes not performing an activity that could carry risk. An example would be not buying a property or business in order to not take on the liability that comes with it. Another would be not flying in order to not take the risk that the airplane were to be hijacked. Avoidance may seem the answer to all risks, but avoiding risks also means losing out on the potential gain that accepting (retaining) the risk may have allowed. Not entering a business to avoid the risk of loss also avoids the possibility of earning profits.
from Wikipedia

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples include sprinklers designed to put out a fire to reduce the risk of loss by fire.
• Modern software development methodologies reduce risk by developing and delivering software incrementally. Early methodologies suffered from the fact that they only delivered software in the final phase of development; any problems encountered in earlier phases meant costly rework and often jeopardized the whole project.
from Wikipedia

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self insurance falls in this category. Risk retention is a viable strategy for small risks where the cost of insuring against the risk would be greater over time than the total losses sustained. All risks that are not avoided or transferred are retained by default. This includes risks that are so large or catastrophic that they either cannot be insured against or the premiums would be infeasible.
• Also, any amount of potential loss (risk) over the amount insured is retained risk.
from Wikipedia

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically by contract or by hedging. Insurance is one type of risk transfer that uses contracts.
• Some ways of managing risk fall into multiple categories. Risk retention pools are technically retaining the risk for the group, but spreading it over the whole group involves transfer among individual members of the group. This is different from traditional insurance, in that no premium is exchanged between members of the group up front, but instead losses are assessed to all members of the group.
from Wikipedia

Risk mitigation
• Distribute your risk – don’t put all your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

Risk mitigation
• Some mitigation approaches for core processes
– Published financial documents – open review
– Probability weighted Sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for GrowthTM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
James August, CQA 01/21/09

from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)

James August, CQA 01/21/09

78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks

James August, CQA 01/21/09

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)

James August, CQA 01/21/09

80

Risk evaluation revisited
• Re-evaluate costs and benefit
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE to to
controlled recovery

James August, CQA 01/21/09

81

Conclusions

James August, CQA 01/21/09

82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)
James August, CQA 01/21/09

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:

Control
Mitigate
Evaluate
Identify
Define
James August, CQA 01/21/09

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations

James August, CQA 01/21/09

85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists





Non-financial indexes (FMEA, cp, etc)
Financial calculations (ROI, etc)
SPC
...

James August, CQA 01/21/09

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car
James August, CQA 01/21/09

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009

James August, CQA 01/21/09

88

(Four Case)
Risk Management Analysis
Thank you
Questions?

James August, CQA 01/21/09

89


Slide 73

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.


25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level

26

Identification


27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.

28

Risk identification
What is at risk?


29

Risk identification
What is at risk?
Achieving your objectives!


30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008

31

Risk identification
• core business op’ns & processes
– acquire new customers
– take orders
– procure materials
– create products, manage inventories
– deliver products
– collect payments

32

Risk identification
• core sales sub-processes
– market research
– pricing
– promotion and advertising
– order taking (order entry)
– warranty management

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection


34

Risk identification
• core operations sub-processes
– materials sourcing (availability)
– quality control (product & process)
– plant & workplace safety
– environmental concerns
– inventory
– logistics and transport

35

Risk identification
• core finance sub-processes
– budgeting
– accounts receivable and payable
– banking
– currency exchange
– MIS and IT processes

36

Risk identification
• support business processes
– strategic planning
– brand management
– facilities and infrastructure management
– process engineering
– capital investment
– asset management

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/regulatory reporting (FDA, SOx, ...)
– supplier evaluation, management

38

Risk identification
• support business sub-processes
– quality assurance
– predictive/preventive maintenance
– recruitment, compensation
– employee relations (work stoppages)
– employee performance mgt
– payroll, benefits, ...

39

Risk identification
• other business areas
– outplacement
– employee well-being
– insurance
– mergers & acquisitions
– construction / expansion

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.
– Strengths
– Weaknesses
– Opportunities
– Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...

42

Evaluation


43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?


44

Risk evaluation
Risk matrix, frequency of occurrence versus severity (cell ratings as on the original slide):

Frequency     Negligible   Minor   Major   Severe
Frequent          L          I       H       H
Probable          L          I       H       H
Occasional        T          I       I       H
Remote            T          L       I       I

45

Risk evaluation


46

Risk evaluation


47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN above or below a threshold of 100, where
– RPN = Severity x Frequency x Detectability


48

Risk evaluation
• Typical approaches for quantification
– Weighted probabilities
– Extended cost
– Future Value or Net Present Value
– Capability analysis
– Value stream mapping
– Cost of poor quality
– Discounted Cash Flow
– Internal Rate of Return

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency


50

Risk evaluation
Financial measures of c/b
• Return on Investment (ROI)
Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.

52

Risk evaluation

• NPV = a_0 + a_1/(1+i) + a_2/(1+i)^2 + a_3/(1+i)^3 + ...

• Where
a_t is the return for period t, discounted at rate i

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54


Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.

56

Risk evaluation
Financial measures of c/b
• IRR
The value of i such that \sum_{t=1}^{p} a_t / (1+i)^t = 0

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?"
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.


59

Risk evaluation
• Four cases for risk evaluation:


60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results

61

Risk evaluation
[Chart: value accrued (+/-) plotted against change implementation, showing the four cases: no change, positive outcome; change, positive outcome; no change, negative outcome; change, negative outcome.]

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.

63
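As an added worked example (not code from the deck), the NPV form of slide 53, IRR approximated by trial and error as slide 56 describes, and the four cases of slide 61 scored and compared against a tolerable loss limit as slide 63 asks; every cash flow, probability, the 10% discount rate and the $50,000 limit are constructed figures:

```python
"""Four-case risk evaluation with NPV and IRR (added example, not from the deck).

Uses NPV = a0 + a1/(1+i) + a2/(1+i)^2 + ... (slide 53), finds IRR by
bisection (the trial-and-error search slide 56 refers to), and compares
the four cases of slide 61 against a tolerable loss limit (slide 20).
Every cash-flow figure, probability and limit below is constructed.
"""
from dataclasses import dataclass


def npv(cash_flows, rate):
    """NPV = sum of a_t / (1 + i)^t for t = 0 .. n; a_0 is today's outlay."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


def irr(cash_flows, low=-0.99, high=10.0, tol=1e-7, max_iter=200):
    """Rate i at which NPV is zero, approximated by bisection on [low, high].

    Returns None when NPV has the same sign at both ends of the bracket:
    a stream that is only outflows (or only inflows) has no IRR.
    """
    f_low, f_high = npv(cash_flows, low), npv(cash_flows, high)
    if f_low * f_high > 0:
        return None
    for _ in range(max_iter):
        mid = (low + high) / 2.0
        f_mid = npv(cash_flows, mid)
        if abs(f_mid) < tol or high - low < tol:
            return mid
        if f_low * f_mid < 0:
            high, f_high = mid, f_mid
        else:
            low, f_low = mid, f_mid
    return (low + high) / 2.0


@dataclass(frozen=True)
class RiskCase:
    name: str
    branch: str            # "change" or "no change"
    probability: float     # estimated chance of this outcome within its branch
    cash_flows: tuple      # a_0 (today) .. a_n in dollars; negative = cost


# Constructed figures: a $50k process change over a three-year horizon.
FOUR_CASES = (
    RiskCase("change, positive outcome", "change", 0.7,
             (-50_000, 30_000, 30_000, 30_000)),
    RiskCase("change, adverse outcome", "change", 0.3,
             (-50_000, -10_000, 5_000, 5_000)),
    RiskCase("no change, learning-curve gain", "no change", 0.8,
             (0, 2_000, 3_000, 4_000)),
    RiskCase("no change, adverse outcome", "no change", 0.2,
             (0, -15_000, -20_000, -25_000)),
)


def evaluate_cases(cases, rate, tolerable_loss_limit):
    """NPV and IRR per case; then per branch the probability-weighted NPV,
    the worst-case NPV, and whether that worst case stays within the limit."""
    per_case = {c.name: {"npv": npv(c.cash_flows, rate),
                         "irr": irr(c.cash_flows)} for c in cases}
    branches = {}
    for branch in ("change", "no change"):
        members = [c for c in cases if c.branch == branch]
        if abs(sum(c.probability for c in members) - 1.0) > 1e-9:
            raise ValueError(f"probabilities for '{branch}' must sum to 1")
        expected = sum(c.probability * per_case[c.name]["npv"] for c in members)
        worst = min(per_case[c.name]["npv"] for c in members)
        branches[branch] = {
            "expected_npv": expected,
            "worst_npv": worst,
            # the loss limit is a positive dollar amount (slide 20)
            "within_loss_limit": -worst <= tolerable_loss_limit,
        }
    return per_case, branches


def run_four_cases(rate=0.10, tolerable_loss_limit=50_000.0):
    """Score the constructed four cases at the given rate and limit."""
    return evaluate_cases(FOUR_CASES, rate, tolerable_loss_limit)


if __name__ == "__main__":
    per_case, branches = run_four_cases()
    for name, r in per_case.items():
        irr_txt = "n/a" if r["irr"] is None else f"{r['irr']:.1%}"
        print(f"{name:32s} NPV {r['npv']:>12,.0f}  IRR {irr_txt}")
    for branch, b in branches.items():
        print(f"{branch:10s} expected NPV {b['expected_npv']:>10,.0f}  "
              f"worst {b['worst_npv']:>10,.0f}  "
              f"within limit: {b['within_loss_limit']}")
```

With these figures the change branch has the higher expected NPV but its adverse case breaches the loss limit, which is the comparison the four-case method is meant to surface.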

Mitigation


64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.


65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure

66

Risk mitigation treatments
– Risk avoidance
– Risk reduction
– Risk retention
– Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amount of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

72

Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability weighted Sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

73

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)


78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks


79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)


80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to
controlled recovery

81
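The re-evaluation steps of slides 79 to 81 carried through in code, as an added example that is not part of the original deck: raw ALE summed over all risks, ALE recomputed with every control working, the cost of the controls, and the improvement net of that cost. Risk names, loss figures, frequencies and control costs are all constructed.

```python
"""Annual Loss Exposure re-evaluation (added example, not from the deck).

Follows slides 79-81: raw ALE = loss per event x events per year, summed
over all risks; ALE recomputed assuming every control works; total cost
of the controls; and the resulting improvement. Risk names, dollar
figures, frequencies and control costs are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    loss_per_event: float   # estimated loss ($) each time the risk materializes
    events_per_year: float  # estimated frequency of occurrence per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float      # cost of the mitigating control per year
    residual: Risk          # the same risk re-estimated with the control working


def ale(risk):
    """Annual Loss Exposure for one risk: loss per event x events per year."""
    return risk.loss_per_event * risk.events_per_year


def control_effect(raw, control):
    """Improvement in ALE from one control, net of what the control costs."""
    improvement = ale(raw) - ale(control.residual)
    return {"risk": raw.name, "control": control.name,
            "raw_ale": ale(raw), "controlled_ale": ale(control.residual),
            "improvement": improvement, "annual_cost": control.annual_cost,
            "net_benefit": improvement - control.annual_cost}


def re_evaluate(raw_risks, controls):
    """Raw ALE over all risks, ALE with all controls working (risks without
    a control keep their raw ALE), total control cost, the improvement, and
    any control that costs more per year than the ALE it removes."""
    by_name = {r.name: r for r in raw_risks}
    for c in controls:
        if c.residual.name not in by_name:
            raise ValueError(f"control '{c.name}' refers to an unknown risk")
    rows = [control_effect(by_name[c.residual.name], c) for c in controls]
    controlled = {c.residual.name: ale(c.residual) for c in controls}
    raw_total = sum(ale(r) for r in raw_risks)
    controlled_total = sum(controlled.get(r.name, ale(r)) for r in raw_risks)
    cost = sum(c.annual_cost for c in controls)
    return {"raw_ale": raw_total,
            "controlled_ale": controlled_total,
            "control_cost": cost,
            "improvement": raw_total - controlled_total,
            "net_benefit": raw_total - controlled_total - cost,
            "controls_not_worth_it": [r["control"] for r in rows
                                      if r["net_benefit"] < 0],
            "rows": rows}


# Constructed sample: risks drawn from the process areas listed earlier.
RAW_RISKS = (
    Risk("order-entry system outage", 40_000, 0.5),
    Risk("substandard supplier material", 25_000, 2.0),
    Risk("leak of pricing information", 80_000, 0.1),
    Risk("work stoppage", 30_000, 0.1),          # no control proposed
)
CONTROLS = (
    Control("failover for order entry", 6_000,
            Risk("order-entry system outage", 10_000, 0.5)),
    Control("incoming inspection", 12_000,
            Risk("substandard supplier material", 25_000, 0.4)),
    Control("access control on pricing data", 9_000,
            Risk("leak of pricing information", 80_000, 0.02)),
)


if __name__ == "__main__":
    result = re_evaluate(RAW_RISKS, CONTROLS)
    for row in result["rows"]:
        print(f"{row['risk']:32s} ALE {row['raw_ale']:>8,.0f} -> "
              f"{row['controlled_ale']:>8,.0f}  net {row['net_benefit']:>8,.0f}")
    print(f"raw ALE {result['raw_ale']:,.0f}, controlled "
          f"{result['controlled_ale']:,.0f}, controls {result['control_cost']:,.0f}, "
          f"net {result['net_benefit']:,.0f}")
    print("controls costing more than they save:", result["controls_not_worth_it"])
```

The per-control net benefit also flags a control whose annual cost exceeds the ALE it removes, which the summed improvement alone would hide.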

Conclusions


82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:
– Define
– Identify
– Evaluate
– Mitigate
– Control

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations


85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, cp, etc)
– Financial calculations (ROI, etc)
– SPC
– ...

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009


88

(Four Case)
Risk Management Analysis
Thank you
Questions?


89


Slide 74

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
p



The value of "i" such that  at / (1+i) t = 0
t=1

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
James August, CQA 01/21/09

61

Risk evaluation
[Chart: the four risk cases plotted with "Change implementation" on the horizontal axis and "Value accrued (+/-)" on the vertical axis. Quadrants: No change / Positive outcome; Change / Positive outcome; No change / Negative outcome; Change / Negative outcome.]

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.

63
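As an added example (not part of the presentation), the Python script below applies the NPV formula from slide 53, approximates IRR by bisection (the trial-and-error approach slide 56 describes, returning None when no rate makes the NPV zero), and compares four constructed cash-flow streams, one per risk case, against an assumed discount rate and tolerable loss limit. Every dollar figure, the 10% rate and the -$30,000 limit are constructed assumptions.

```python
"""Four-case risk evaluation with NPV and IRR.

Added example, not from the presentation. All cash flows, the discount rate and
the loss limit below are constructed assumptions. Period 0 is the cost of action
(negative), later periods are the value accrued (+/-) in each year.
"""
from typing import Dict, List, Optional, Sequence

DISCOUNT_RATE = 0.10    # assumed cost of capital used for NPV
LOSS_LIMIT = -30_000.0  # assumed tolerable loss limit (risk tolerance), in $

# Constructed cash-flow streams for the four risk cases (slide 61).
FOUR_CASES: Dict[str, List[float]] = {
    "change, planned results":    [-50_000, 25_000, 30_000, 35_000],
    "change, adverse results":    [-50_000, -5_000, 5_000, 10_000],
    "no change, learning curve":  [0, 4_000, 6_000, 8_000],
    "no change, adverse results": [0, -10_000, -15_000, -20_000],
}


def npv(rate: float, flows: Sequence[float]) -> float:
    """NPV = a0 + a1/(1+i) + a2/(1+i)^2 + ... (the slide-53 formula)."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(flows))


def irr(flows: Sequence[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-9, max_iter: int = 200) -> Optional[float]:
    """Rate i with NPV(i) = 0, approximated by bisection (trial and error).

    Returns None when NPV has the same sign at both ends of [lo, hi]: then no
    IRR exists in that range, e.g. for a stream whose flows are all positive
    or all negative.
    """
    f_lo, f_hi = npv(lo, flows), npv(hi, flows)
    if f_lo * f_hi > 0:
        return None
    for _ in range(max_iter):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, flows)
        if abs(f_mid) < tol:
            return mid
        if f_lo * f_mid < 0:      # root lies in the lower half
            hi, f_hi = mid, f_mid
        else:                      # root lies in the upper half
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


def evaluate_cases(cases: Dict[str, Sequence[float]],
                   rate: float = DISCOUNT_RATE,
                   loss_limit: float = LOSS_LIMIT) -> Dict[str, dict]:
    """Value every case with NPV and IRR and check it against the loss limit."""
    results = {}
    for name, flows in cases.items():
        value = npv(rate, flows)
        results[name] = {
            "npv": round(value, 2),
            "irr": irr(flows),
            "within_limit": value >= loss_limit,
        }
    return results


if __name__ == "__main__":
    for name, r in evaluate_cases(FOUR_CASES).items():
        irr_txt = "n/a" if r["irr"] is None else f"{r['irr']:.1%}"
        flag = "" if r["within_limit"] else "  <-- exceeds loss limit"
        print(f"{name:28s} NPV {r['npv']:>11,.2f}  IRR {irr_txt:>6s}{flag}")
```

The "no change" cases have no IRR because their streams never change sign, which is why the slides pair IRR with NPV rather than relying on it alone.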

Mitigation


64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.


65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure

66

Risk mitigation treatments
• Risk avoidance
• Risk reduction
• Risk retention
• Risk transfer
67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also, any amount of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

72

Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability weighted Sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

73

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.

from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)


78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks


79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc.)

80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to
controlled recovery

81
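The re-evaluation on slides 79 through 81, carried out in Python as an added example that is not part of the presentation: each risk's annual loss is multiplied by its frequency of occurrence and summed for the raw ALE, the same sum is recalculated with every control assumed to be working, and the controls' own annual cost is set against the improvement. The three risks and all dollar figures are constructed; the pricing-data item mirrors the slide-75 checklist point on protecting sensitive pricing information.

```python
"""Raw and controlled Annual Loss Exposure (ALE).

Added example, not from the presentation. The three risks and their dollar
figures are constructed. For each risk the annual loss if it occurs is
multiplied by its frequency of occurrence (raw ALE), then recalculated with the
control assumed to be working (controlled ALE); the control's own annual cost
is set against the improvement.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Risk:
    name: str
    loss: float             # $ lost per occurrence, uncontrolled
    frequency: float        # expected occurrences per year, uncontrolled
    ctrl_loss: float        # $ lost per occurrence with the control working
    ctrl_frequency: float   # occurrences per year with the control working
    ctrl_cost: float        # annual cost of the control itself

    def raw_ale(self) -> float:
        return self.loss * self.frequency

    def controlled_ale(self) -> float:
        return self.ctrl_loss * self.ctrl_frequency

    def improvement(self) -> float:
        return self.raw_ale() - self.controlled_ale()


# Constructed sample risks (figures are assumptions, not data from the slides).
SAMPLE_RISKS: List[Risk] = [
    # access controls on pricing data cut both the chance and the size of a leak
    Risk("pricing data leak", 200_000, 0.10, 50_000, 0.05, 8_000),
    # supplier assessment (slide 77 checklist) lowers how often bad lots arrive
    Risk("substandard supplies", 30_000, 2.0, 30_000, 0.5, 12_000),
    # carrier performance statistics trim delay frequency only slightly
    Risk("freight delay", 5_000, 1.0, 5_000, 0.8, 3_000),
]


def reassess(risks: List[Risk]) -> Dict[str, float]:
    """Totals for slides 79-81: raw ALE, controlled ALE, control cost, improvement, net."""
    raw = sum(r.raw_ale() for r in risks)
    controlled = sum(r.controlled_ale() for r in risks)
    cost = sum(r.ctrl_cost for r in risks)
    return {
        "raw_ale": raw,
        "controlled_ale": controlled,
        "control_cost": cost,
        "improvement": raw - controlled,
        "net": raw - controlled - cost,  # negative: controls cost more than they save
    }


def retention_candidates(risks: List[Risk]) -> List[str]:
    """Risks whose control costs more per year than the ALE it removes.

    These are the small risks the retention treatment (slide 70) covers: paying
    for the control would exceed the losses sustained.
    """
    return [r.name for r in risks if r.ctrl_cost > r.improvement()]


if __name__ == "__main__":
    for key, value in reassess(SAMPLE_RISKS).items():
        print(f"{key:15s} ${value:>10,.0f}")
    print("consider retaining:", retention_candidates(SAMPLE_RISKS))
```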

Conclusions


82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:
– Define
– Identify
– Evaluate
– Mitigate
– Control

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations


85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, cp, etc.)
– Financial calculations (ROI, etc.)
– SPC
– ...

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009


88

(Four Case)
Risk Management Analysis
Thank you
Questions?


89


Slide 75

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
p



The value of "i" such that  at / (1+i) t = 0
t=1

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
James August, CQA 01/21/09

61

Risk evaluation
V a lu e a ccru e d (+ /-)

N o ch an ge
P ositive ou tcom e

C h an ge
P ositive ou tcom e

C h a n g e im p le m e n ta tio n

N o ch an ge
N egative ou tcom e

James August, CQA 01/21/09

C h an ge
N egative ou tcom e

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
James August, CQA 01/21/09

63

Mitigation

James August, CQA 01/21/09

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

James August, CQA 01/21/09

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
James August, CQA 01/21/09

66

Risk mitigation treatments





James August, CQA 01/21/09

Risk avoidance
Risk reduction
Risk retention
Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
James August, CQA 01/21/09

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia
James August, CQA 01/21/09

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia
James August, CQA 01/21/09

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
James August, CQA 01/21/09

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools





Design for Six Sigma
Investment hedging
Concurrent Engineering
Employee education & training

James August, CQA 01/21/09

72

Risk mitigation
• Some mitigation approaches for core
processes





Published financial documents – open review
Probability weighted Sales forecasts
Raw material cost projections
FTA and FMEA for design and process
• simulations and prototyping

– Inventory ABC analysis
James August, CQA 01/21/09

73

Risk mitigation
• and







Freight carrier performance statistics
Statistical Process Control
Electronic surveillance
Hedging
Invoice aging analysis and variance
Process check lists

James August, CQA 01/21/09

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for GrowthTM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
James August, CQA 01/21/09

from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)

James August, CQA 01/21/09

78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks

James August, CQA 01/21/09

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)

James August, CQA 01/21/09

80

Risk evaluation revisited
• Re-evaluate costs and benefit
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE to to
controlled recovery

James August, CQA 01/21/09

81

Conclusions

James August, CQA 01/21/09

82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)
James August, CQA 01/21/09

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:

Control
Mitigate
Evaluate
Identify
Define
James August, CQA 01/21/09

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations

James August, CQA 01/21/09

85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists





Non-financial indexes (FMEA, cp, etc)
Financial calculations (ROI, etc)
SPC
...

James August, CQA 01/21/09

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car
James August, CQA 01/21/09

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009

James August, CQA 01/21/09

88

(Four Case)
Risk Management Analysis
Thank you
Questions?

James August, CQA 01/21/09

89




Slide 77

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes
– materials sourcing (availability)
– quality control (product & process)
– plant & workplace safety
– environmental concerns
– inventory
– logistics and transport


Risk identification
• core finance sub-processes
– budgeting
– accounts receivable and payable
– banking
– currency exchange
– MIS and IT processes


Risk identification
• support business processes
– strategic planning
– brand management
– facilities and infrastructure management
– process engineering
– capital investment
– asset management


Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/regulatory reporting (FDA, SOx, ...)
– supplier evaluation, management


Risk identification
• support business sub-processes
– quality assurance
– predictive/preventive maintenance
– recruitment, compensation
– employee relations (work stoppages)
– employee performance management
– payroll, benefits, ...


Risk identification
• other business areas
– outplacement
– employee well-being
– insurance
– mergers & acquisitions
– construction / expansion


Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.
– Strengths
– Weaknesses
– Opportunities
– Threats


Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses
– Historical information - lessons learned
– Templates: critical path, engineering, ...


Evaluation


Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?


Risk evaluation
Risk matrix: frequency of occurrence (rows) against severity (columns); the
cell entries (T, L, I, H) are the risk ratings as given on the slide.

Frequency    | Negligible | Minor | Major | Severe
-------------+------------+-------+-------+-------
Frequent     |     L      |   I   |   H   |   H
Probable     |     L      |   I   |   H   |   H
Occasional   |     T      |   I   |   I   |   H
Remote       |     T      |   L   |   I   |   I



Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criterion: RPN below or above 100, where
– RPN = Severity x Frequency x Detectability


Risk evaluation
• Typical approaches for quantification
– Weighted probabilities
– Extended cost
– Future Value or Net Present Value
– Capability analysis
– Value stream mapping
– Cost of poor quality
– Discounted Cash Flow
– Internal Rate of Return


Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency


Risk evaluation
Financial measures of c/b
• Return on Investment (ROI)
Net B/C ratio = (PV of benefits – PV of operating costs) / PV of capital costs


Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.

Risk evaluation
• NPV = a_0 + a_1/(1+i) + a_2/(1+i)^2 + a_3/(1+i)^3 + ...
• Where a_t is the return in period t and i is the rate per period


Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.

Risk evaluation
Financial measures of c/b
• IRR
The value of "i" such that Σ_{t=1}^{p} a_t / (1+i)^t = 0


Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?"
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.


Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.
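As an added example (not part of the deck), the NPV formula from the earlier slide and the "trial and error" IRR search implemented in Python instead of a spreadsheet; the cash-flow figures are constructed and the bisection bracket is an assumption of mine:

```python
"""Added example (not from the slides): NPV and IRR for a cash-flow stream.

Assumptions (mine, not the deck's): cash_flows[t] is the net cash flow a_t
in period t, with a_0 the up-front outlay (negative), and the rate i is a
per-period decimal (0.08 means 8%). Sample figures are constructed.
"""
from typing import Sequence


def npv(rate: float, cash_flows: Sequence[float]) -> float:
    """NPV = a_0 + a_1/(1+i) + a_2/(1+i)^2 + a_3/(1+i)^3 + ... (slide formula)."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


def irr(cash_flows: Sequence[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-9, max_iter: int = 500) -> float:
    """The rate i at which NPV(i) = 0, found by bisection.

    This is the "trial and error" the slides mention, made systematic:
    NPV is evaluated at a trial rate, its sign says whether the rate is
    too low or too high, and the bracket [lo, hi] is halved until NPV is
    within tol of zero. NPV must change sign between lo and hi, which
    holds for an outlay followed by returns; otherwise there is no single
    IRR and a ValueError is raised rather than a misleading number.
    """
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        raise ValueError("NPV does not change sign on [lo, hi]; no single IRR")
    for _ in range(max_iter):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol or (hi - lo) < tol:
            return mid
        if f_lo * f_mid < 0:       # root lies in [lo, mid]
            hi, f_hi = mid, f_mid
        else:                      # root lies in [mid, hi]
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


# Constructed sample: $1,000 outlay, then returns of $300, $400 and $500.
SAMPLE_FLOWS = (-1000.0, 300.0, 400.0, 500.0)
DISCOUNT_RATE = 0.08   # assumed cost of capital


def sample_summary() -> dict:
    """NPV at the assumed cost of capital and the IRR of the sample stream."""
    rate = irr(SAMPLE_FLOWS)
    return {
        "npv_at_8pct": round(npv(DISCOUNT_RATE, SAMPLE_FLOWS), 2),
        "irr": round(rate, 4),
        # Definition 2 on the slides: NPV evaluated at the IRR is zero.
        "npv_at_irr": round(npv(rate, SAMPLE_FLOWS), 6),
        # The stream is attractive when its IRR exceeds the cost of capital.
        "irr_exceeds_cost_of_capital": rate > DISCOUNT_RATE,
    }


if __name__ == "__main__":
    print(sample_summary())
```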



Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results

Risk evaluation
[Figure: the four risk cases plotted with "Change implementation" on the
horizontal axis and "Value accrued (+/-)" on the vertical axis. Quadrant
labels: "No change, positive outcome"; "Change, positive outcome";
"No change, negative outcome"; "Change, negative outcome".]


Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
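An added example, not from the slides, that carries the four-case comparison through in Python: each case gets an NPV at an assumed discount rate, each branch (change / no change) a probability-weighted NPV, and the negative cases are checked against an assumed tolerable loss limit; all cash flows, probabilities and limits are constructed figures.

```python
"""Added example (not from the slides): evaluate the four risk cases by NPV
and check each against the organization's tolerable loss limit.

Assumptions (mine): each case is a stream a_0, a_1, ... of net cash flows
per period (negative = cost) discounted as on the NPV slide; the
probabilities, discount rate and loss limit are constructed sample figures.
"""
from dataclasses import dataclass
from typing import Dict, Sequence


def npv(rate: float, cash_flows: Sequence[float]) -> float:
    """NPV = a_0 + a_1/(1+i) + a_2/(1+i)^2 + ... (slide formula)."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


@dataclass(frozen=True)
class RiskCase:
    branch: str                   # "change" or "no change"
    outcome: str                  # "positive" or "negative"
    cash_flows: Sequence[float]   # a_0, a_1, ... net cash flow per period
    probability: float            # estimated chance of this outcome within the branch

    @property
    def name(self) -> str:
        return f"{self.branch} / {self.outcome} outcome"


# Constructed sample, one entry per case on the slide (outlay + 3 periods).
DISCOUNT_RATE = 0.10
TOLERABLE_LOSS_LIMIT = 50_000.0   # assumed maximum the organization can absorb
CASES = (
    # implement the change and achieve the planned results
    RiskCase("change", "positive", (-50_000, 30_000, 30_000, 30_000), 0.7),
    # implement the change and get adverse (unplanned) results
    RiskCase("change", "negative", (-50_000, -10_000, 5_000, 5_000), 0.3),
    # do nothing (ongoing costs only) and see learning-curve improvement
    RiskCase("no change", "positive", (0, 2_000, 3_000, 4_000), 0.6),
    # do nothing and get adverse results
    RiskCase("no change", "negative", (0, -15_000, -20_000, -25_000), 0.4),
)


def evaluate_cases(cases=CASES, rate=DISCOUNT_RATE,
                   loss_limit=TOLERABLE_LOSS_LIMIT) -> Dict[str, dict]:
    """NPV of every case and whether it breaches the tolerable loss limit."""
    result = {}
    for c in cases:
        value = npv(rate, c.cash_flows)
        result[c.name] = {
            "npv": round(value, 2),
            "breaches_loss_limit": value < -loss_limit,
        }
    return result


def expected_npv(branch: str, cases=CASES, rate=DISCOUNT_RATE) -> float:
    """Probability-weighted NPV of one branch ('change' or 'no change')."""
    members = [c for c in cases if c.branch == branch]
    if abs(sum(c.probability for c in members) - 1.0) > 1e-9:
        raise ValueError(f"outcome probabilities for '{branch}' must sum to 1")
    return round(sum(c.probability * npv(rate, c.cash_flows) for c in members), 2)


def recommend(cases=CASES, rate=DISCOUNT_RATE,
              loss_limit=TOLERABLE_LOSS_LIMIT) -> str:
    """Pick the branch with the higher expected NPV, but flag it when that
    branch's negative case alone would exceed the tolerable loss limit, as
    the slide asks ("keep in mind the organization's risk tolerance loss limit")."""
    per_case = evaluate_cases(cases, rate, loss_limit)
    best = max(("change", "no change"),
               key=lambda b: expected_npv(b, cases, rate))
    worst = per_case[f"{best} / negative outcome"]
    if worst["breaches_loss_limit"]:
        return f"{best}: higher expected NPV, but its negative case breaches the loss limit"
    return f"{best}: higher expected NPV and its negative case stays within the loss limit"


if __name__ == "__main__":
    for name, row in evaluate_cases().items():
        print(f"{name:32s} NPV {row['npv']:>12,.2f}  breach={row['breaches_loss_limit']}")
    print("E[NPV] change   :", expected_npv("change"))
    print("E[NPV] no change:", expected_npv("no change"))
    print(recommend())
```

With these figures the change wins on expected value but its adverse case overshoots the loss limit while doing nothing does not, which is exactly the tension the four-case comparison is meant to surface before the c/b number is taken at face value.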

Mitigation


Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.


Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure

Risk mitigation treatments
• Risk avoidance
• Risk reduction
• Risk retention
• Risk transfer


Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amount of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia


Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training


Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability-weighted sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis


Risk mitigation
• Further mitigation approaches for core processes
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists


Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
– Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
– Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N


Risk mitigation
• Checklists –
Sample R&D Risk Checklist
– Determine whether product development has realistic
costs and timeframes.
– Check that a detailed budget has been established for
product development.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N


Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
– Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
– Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
– Make sure quality specifications have been defined,
authorized and formally documented.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N


Evaluation
(re-evaluation after control)


Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks


Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)


Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to
controlled recovery
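An added example, not from the slides, that runs the three re-evaluation slides over a set of constructed risks: raw ALE (loss per occurrence times annual frequency, summed), ALE recalculated with every control working, the annual cost of the controls, and the net benefit per control and overall. The risk names and all dollar figures are made up for illustration.

```python
"""Added example (not from the slides): raw versus controlled Annual Loss
Exposure (ALE) and whether the mitigating controls pay for themselves.

Assumptions (mine): for each risk, loss is the estimated loss per
occurrence, frequency the expected occurrences per year (0.1 = once in ten
years), the controlled_* fields the same estimates assuming the control
works, and control_cost the annual cost of that control. All figures are
constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class Risk:
    name: str
    loss: float                  # $ per occurrence, uncontrolled
    frequency: float             # occurrences per year, uncontrolled
    controlled_loss: float       # $ per occurrence with the control working
    controlled_frequency: float  # occurrences per year with the control working
    control_cost: float          # $ per year to run the control


def ale(loss: float, frequency: float) -> float:
    """Annual Loss Exposure for one risk: loss per occurrence x occurrences per year."""
    return loss * frequency


def raw_ale(risks: Sequence[Risk]) -> float:
    """Raw ALE summed over all risks, before any control is credited."""
    return sum(ale(r.loss, r.frequency) for r in risks)


def controlled_ale(risks: Sequence[Risk]) -> float:
    """ALE recalculated assuming every control is working as designed."""
    return sum(ale(r.controlled_loss, r.controlled_frequency) for r in risks)


def per_risk(risks: Sequence[Risk]) -> List[Dict[str, float]]:
    """Per-risk breakdown: ALE reduction credited to the control versus its cost.

    A negative net_benefit marks a control that costs more per year than the
    expected loss it removes; that line deserves a second look rather than
    automatic funding.
    """
    rows = []
    for r in risks:
        reduction = ale(r.loss, r.frequency) - ale(r.controlled_loss, r.controlled_frequency)
        rows.append({"name": r.name,
                     "ale_reduction": reduction,
                     "control_cost": r.control_cost,
                     "net_benefit": reduction - r.control_cost})
    return rows


def evaluate(risks: Sequence[Risk]) -> Dict[str, float]:
    """Portfolio totals: raw ALE, controlled ALE, control cost and net benefit."""
    raw, ctrl = raw_ale(risks), controlled_ale(risks)
    cost = sum(r.control_cost for r in risks)
    return {"raw_ale": raw, "controlled_ale": ctrl, "ale_reduction": raw - ctrl,
            "control_cost": cost, "net_benefit": (raw - ctrl) - cost}


# Constructed sample risks for a small manufacturing operation.
SAMPLE_RISKS = (
    # name, loss/occurrence, freq/yr, controlled loss, controlled freq, control $/yr
    Risk("supplier quality escape", 40_000, 2.0, 10_000, 0.5, 20_000),
    Risk("plant IT outage", 250_000, 0.1, 250_000, 0.02, 15_000),
    Risk("pricing data leak", 60_000, 0.05, 60_000, 0.01, 8_000),
)


if __name__ == "__main__":
    for row in per_risk(SAMPLE_RISKS):
        print(row)
    print(evaluate(SAMPLE_RISKS))
```

On these figures the portfolio of controls clears its cost comfortably, yet the pricing-leak control fails the pure ALE test; because ALE is an expected value it says nothing about the size of a single worst-case loss, which is why the deck keeps the tolerable loss limit alongside the c/b calculation.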


Conclusions


Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:
• (1) Define
• (2) Identify
• (3) Evaluate
• (4) Mitigate
• (5) Control


Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations


Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, cp, etc)
– Financial calculations (ROI, etc)
– SPC
– ...


Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009


(Four Case)
Risk Management Analysis
Thank you
Questions?



Slide 78

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
p



The value of "i" such that  at / (1+i) t = 0
t=1

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
James August, CQA 01/21/09

61

Risk evaluation
V a lu e a ccru e d (+ /-)

N o ch an ge
P ositive ou tcom e

C h an ge
P ositive ou tcom e

C h a n g e im p le m e n ta tio n

N o ch an ge
N egative ou tcom e

James August, CQA 01/21/09

C h an ge
N egative ou tcom e

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
James August, CQA 01/21/09

63

Mitigation

James August, CQA 01/21/09

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

James August, CQA 01/21/09

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
James August, CQA 01/21/09

66

Risk mitigation treatments





James August, CQA 01/21/09

Risk avoidance
Risk reduction
Risk retention
Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
James August, CQA 01/21/09

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples include sprinklers designed to put out a fire to reduce the risk of loss by fire.
• Modern software development methodologies reduce risk by developing and delivering software incrementally. Early methodologies suffered from the fact that they only delivered software in the final phase of development; any problems encountered in earlier phases meant costly rework and often jeopardized the whole project.
from Wikipedia

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self insurance falls in this category. Risk retention is a viable strategy for small risks where the cost of insuring against the risk would be greater over time than the total losses sustained. All risks that are not avoided or transferred are retained by default. This includes risks that are so large or catastrophic that they either cannot be insured against or the premiums would be infeasible.
• Also, any amount of potential loss (risk) over the amount insured is retained risk.
from Wikipedia

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically by contract or by hedging. Insurance is one type of risk transfer that uses contracts.
• Some ways of managing risk fall into multiple categories. Risk retention pools are technically retaining the risk for the group, but spreading it over the whole group involves transfer among individual members of the group. This is different from traditional insurance, in that no premium is exchanged between members of the group up front, but instead losses are assessed to all members of the group.
from Wikipedia

71

Risk mitigation
• Distribute your risk – don’t put all your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

72

Risk mitigation
• Some mitigation approaches for core processes
– Published financial documents – open review
– Probability-weighted sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

73

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
– Management maintains an accurate awareness of market trends, competitor prices, etc. as determinants of pricing policy.
– Steps are taken to protect commercially sensitive pricing information from unauthorized access and leakage.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
– Determine whether product development has realistic costs and timeframes.
– Check that a detailed budget has been established for product development.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
– Ensure prompt action is taken to reject substandard supplies and arrange replacement stock.
– Verify that measures are in place to assess potential suppliers for their competence and commitment to quality.
– Make sure quality specifications have been defined, authorized and formally documented.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)

78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with each risk
– determine frequencies of occurrence
– multiply together to calculate the raw Annual Loss Exposure (raw ALE) and sum over all risks

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is meaningful to your organization (ROI, NPV, DCF, IRR, etc.)

80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by recalculating Annual Loss Exposure assuming all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to controlled recovery

81
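The ALE re-evaluation of the three slides above, worked as an added example that is not from the original slides; the risk register, control names, dollar figures and frequencies are constructed for illustration:

```python
"""Annual Loss Exposure (ALE) before and after mitigating controls.

Added example, not from the original slides. It carries the deck's
re-evaluation steps through: raw ALE = loss per occurrence x annual
frequency, summed over all risks; controlled ALE recalculated assuming
every control works; then the ALE improvement set against the annual
cost of the controls. The risk register and all figures are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Control:
    name: str
    annual_cost: float          # what running the control costs per year ($)
    residual_loss: float        # loss per occurrence with the control working ($)
    residual_frequency: float   # occurrences per year with the control working


@dataclass
class Risk:
    name: str
    loss_per_occurrence: float  # single-event loss ($)
    annual_frequency: float     # expected occurrences per year
    control: Optional[Control] = None   # None: the risk is retained as-is

    def raw_ale(self) -> float:
        return self.loss_per_occurrence * self.annual_frequency

    def controlled_ale(self) -> float:
        """ALE assuming the control works; unmitigated risks keep their raw ALE."""
        if self.control is None:
            return self.raw_ale()
        return self.control.residual_loss * self.control.residual_frequency


# Constructed register; the controls are mitigation tools named on the slides.
REGISTER: List[Risk] = [
    Risk("warehouse fire", 500_000, 0.02,
         Control("sprinklers (reduce severity)", 3_000, 50_000, 0.02)),
    Risk("duplicate / fraudulent invoices", 20_000, 0.5,
         Control("invoice aging analysis (reduce frequency)", 4_000, 20_000, 0.1)),
    Risk("substandard supplies accepted", 8_000, 2.0,
         Control("supplier assessment before award", 10_000, 8_000, 0.5)),
    Risk("pricing data leaked to competitors", 30_000, 0.1,
         Control("access control on pricing files", 5_000, 30_000, 0.02)),
    Risk("key supplier work stoppage", 40_000, 0.05),   # retained: no control
]


def evaluate_register(register: List[Risk]) -> Dict[str, float]:
    """Raw ALE, controlled ALE, control cost and the net improvement."""
    raw = sum(r.raw_ale() for r in register)
    controlled = sum(r.controlled_ale() for r in register)
    cost = sum(r.control.annual_cost for r in register if r.control)
    return {
        "raw_ale": raw,
        "controlled_ale": controlled,
        "ale_reduction": raw - controlled,
        "control_cost": cost,
        "net_improvement": raw - controlled - cost,
    }


def controls_costing_more_than_they_save(register: List[Risk]) -> List[str]:
    """Controls whose annual cost exceeds the ALE they remove: candidates for
    retaining the risk instead, or for a cheaper treatment."""
    return [
        r.control.name for r in register
        if r.control and r.control.annual_cost > r.raw_ale() - r.controlled_ale()
    ]


if __name__ == "__main__":
    for key, value in evaluate_register(REGISTER).items():
        print(f"{key:>16}: {value:12,.2f}")
    print("controls not paying for themselves:",
          controls_costing_more_than_they_save(REGISTER))
```

On these constructed figures the controls cut ALE from $41,000 to $9,600 for $22,000 a year, a net improvement of $9,400, while the pricing-file access control costs more than the ALE it removes and would need a non-financial justification (or a cheaper treatment).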

Conclusions

82

Risk management conclusions
• Every process has risk, even when just maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be done by combined cost/benefit comparisons
• Assessment of ongoing processes must be expressed in comparison with expected costs and results
• There is no simple single calculation for risk assessment (FMEA, ROI, …)

83

Risk management conclusions
After you identify a potential risk, take the five steps to risk management:
– Define
– Identify
– Evaluate
– Mitigate
– Control

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions, as they can hide substantial risk
• Consider all four risk cases
• When appropriate, support your assessment with recognized c/b calculations

85

Risk management conclusions
• Process control - the mitigation tool for the risk management process
– Check lists
– Non-financial indexes (FMEA, cp, etc)
– Financial calculations (ROI, etc)
– SPC
– ...

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding
– Investments
• Home
• Car

87

Risk management conclusions
“... the greatest risks are never the ones you can see and measure, but the ones you can’t see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”, New York Times Sunday Times Magazine pg 28, Jan 4 2009

88

(Four Case)
Risk Management Analysis
Thank you
Questions?

89



Slide 80

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira


9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.


10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability


11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large


14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $


15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output


16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.


17

Risk definition
[Chart: cost of action (horizontal axis) against value accrued (+/-) (vertical axis), dividing the four cases into quadrants:
small cost, small gains; big cost, big gains; small cost, small losses; big cost, big losses.]

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues

20

Risk definition
[Chart: the same cost of action (horizontal axis) against value accrued (+/-) (vertical axis), now annotated:
small cost, big gains: "no brainer"
big cost, big gains
small cost, small gains
small cost, small losses
big cost, big losses: "not a good idea"
A horizontal line marks the tolerable loss limit.]
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures


24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.


25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools
– Risk mitigation or reduction
• treatment selection
• application of remedy tools
– Risk control at the new level

26

Identification


27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.

28

Risk identification
What is at risk?


29

Risk identification
What is at risk?
Achieving your objectives!


30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008

31

Risk identification
• core business op’ns & processes
– acquire new customers
– take orders
– procure materials
– create products, manage inventories
– deliver products
– collect payments

32

Risk identification
• core sales sub-processes
– market research
– pricing
– promotion and advertising
– order taking (order entry)
– warranty management

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection


34

Risk identification
• core operations sub-processes
– materials sourcing (availability)
– quality control (product & process)
– plant & workplace safety
– environmental concerns
– inventory
– logistics and transport

35

Risk identification
• core finance sub-processes
– budgeting
– accounts receivable and payable
– banking
– currency exchange
– MIS and IT processes

36

Risk identification
• support business processes
– strategic planning
– brand management
– facilities and infrastructure management
– process engineering
– capital investment
– asset management

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management

38

Risk identification
• support business sub-processes
– quality assurance
– predictive/ preventive maintenance
– recruitment, compensation
– employee relations (work stoppages)
– employee performance mgt
– payroll, benefits, ...

39

Risk identification
• other business areas
– outplacement
– employee well-being
– insurance
– mergers & acquisitions
– construction / expansion

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.
– Strengths
– Weaknesses
– Opportunities
– Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses
– Historical information - lessons learned
– Templates: critical path, engineering, ...

42

Evaluation


43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?


44

Risk evaluation
Frequency vs. severity risk matrix (the slide's cell letters, which it leaves unexplained):

Frequency    | Negligible | Minor | Major | Severe
-------------+------------+-------+-------+-------
Frequent     |     L      |   I   |   H   |   H
Probable     |     L      |   I   |   H   |   H
Occasional   |     T      |   I   |   I   |   H
Remote       |     T      |   L   |   I   |   I

45

Risk evaluation


46

Risk evaluation


47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criterion: is RPN above or below 100? where
– RPN = Severity x Frequency x Detectability

48
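Slides 45 and 48 give two ways of rating a risk: the qualitative frequency-by-severity matrix and the numeric FMEA RPN with its 100 threshold. The Python below is an added example, not the deck's own material, that applies both to a constructed register of operational security failure modes. The 1..10 scoring scale and the banding of scores onto the matrix's four rows and columns are assumptions; the matrix letters are copied from the slide, which gives no legend for them.

```python
# Qualitative matrix copied from slide 45 (rows = frequency, columns = severity).
# The slide gives no legend for the letters, so they are kept as written.
SEVERITY_BANDS = ["Negligible", "Minor", "Major", "Severe"]
RISK_MATRIX = {
    "Frequent":   ["L", "I", "H", "H"],
    "Probable":   ["L", "I", "H", "H"],
    "Occasional": ["T", "I", "I", "H"],
    "Remote":     ["T", "L", "I", "I"],
}


def severity_band(severity):
    """Map a 1..10 FMEA severity score onto the matrix's four columns (assumed banding)."""
    if severity <= 2:
        return "Negligible"
    if severity <= 5:
        return "Minor"
    if severity <= 8:
        return "Major"
    return "Severe"


def frequency_band(occurrence):
    """Map a 1..10 FMEA occurrence score onto the matrix's four rows (assumed banding)."""
    if occurrence <= 2:
        return "Remote"
    if occurrence <= 5:
        return "Occasional"
    if occurrence <= 8:
        return "Probable"
    return "Frequent"


def matrix_rating(severity, occurrence):
    """Look up the matrix cell for numeric severity and occurrence scores."""
    row = RISK_MATRIX[frequency_band(occurrence)]
    return row[SEVERITY_BANDS.index(severity_band(severity))]


def rpn(severity, occurrence, detectability):
    """FMEA risk priority number; all three scores on a 1..10 scale (assumed)."""
    for score in (severity, occurrence, detectability):
        if not 1 <= score <= 10:
            raise ValueError("FMEA scores must be between 1 and 10")
    return severity * occurrence * detectability


def evaluate_register(register, rpn_threshold=100):
    """Rate every failure mode both ways and return them worst-first by RPN."""
    rated = []
    for item in register:
        score = rpn(item["sev"], item["occ"], item["det"])
        rated.append({
            "name": item["name"],
            "matrix": matrix_rating(item["sev"], item["occ"]),
            "rpn": score,
            "needs_action": score > rpn_threshold,   # the slide's 100 criterion
        })
    return sorted(rated, key=lambda r: r["rpn"], reverse=True)


# Constructed sample register of operational security failure modes (not from the slides).
SAMPLE_REGISTER = [
    {"name": "Unpatched internet-facing web server", "sev": 8, "occ": 6, "det": 4},
    {"name": "Backup restore never tested",          "sev": 9, "occ": 3, "det": 7},
    {"name": "Phishing leads to credential theft",   "sev": 6, "occ": 7, "det": 5},
    {"name": "Laptop lost without disk encryption",  "sev": 7, "occ": 2, "det": 9},
    {"name": "Stale account left in test system",    "sev": 3, "occ": 5, "det": 3},
]

if __name__ == "__main__":
    for r in evaluate_register(SAMPLE_REGISTER):
        flag = "ACT" if r["needs_action"] else "   "
        print(f"{flag} RPN={r['rpn']:>3} matrix={r['matrix']}  {r['name']}")
```

Note how the two ratings disagree at the margins: the lost-laptop case sits in an "I" cell because it is remote, yet its poor detectability pushes the RPN past 100, which is why the slides present the matrix and the RPN as complementary rather than interchangeable.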

Risk evaluation
• Typical approaches for quantification
– Weighted probabilities
– Extended cost
– Future Value or Net Present Value
– Capability analysis
– Value stream mapping
– Cost of poor quality
– Discounted Cash Flow
– Internal Rate of Return

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency


50

Risk evaluation
Financial measures of c/b (cost/benefit)
• Return on Investment (ROI)
Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)^2 + a3/(1+i)^3 + ...

• Where
“a” is the return for each period at rate “i”

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.

56

Risk evaluation
Financial measures of c/b
• IRR
The value of "i" such that the sum from t = 1 to p of a_t/(1+i)^t = 0

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?"
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.

58
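The NPV formula on slide 53 and the IRR definition of slides 56 to 58 can be carried through in a few lines. The Python below is an added example, not the deck's own material: it evaluates NPV, finds IRR by bisection (the systematic form of the "trial and error" the slide mentions), computes the Net B/C ratio of slide 51 and picks the larger-NPV project. The cash flows are constructed.

```python
def present_value(rate, cash_flows):
    """Discount a stream: cash_flows[t] falls at the end of period t (t = 0 is today)."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


def npv(rate, cash_flows):
    """NPV = a0 + a1/(1+i) + a2/(1+i)^2 + ... with the outlay as a negative a0 (slide 53)."""
    return present_value(rate, cash_flows)


def irr(cash_flows, lo=-0.99, hi=10.0, tol=1e-10, max_iter=500):
    """Rate i at which NPV is zero, found by bisection.

    Slide 56 says IRR has no closed form and must be approximated by trial
    and error; bisection is the disciplined version of that. Returns None
    when NPV has the same sign at both ends of the bracket (no IRR found).
    """
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        return None
    for _ in range(max_iter):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol or (hi - lo) < tol:
            return mid
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


def net_bc_ratio(rate, benefits, operating_costs, capital_costs):
    """Net B/C ratio = (PV of benefits - PV of operating costs) / PV of capital costs (slide 51)."""
    pv_capital = present_value(rate, capital_costs)
    if pv_capital == 0:
        raise ValueError("no capital cost to measure against")
    return (present_value(rate, benefits) - present_value(rate, operating_costs)) / pv_capital


def prefer_by_npv(rate, projects):
    """Other things being equal, the project with the larger NPV is the better option (slide 52)."""
    return max(projects, key=lambda name: npv(rate, projects[name]))


# Constructed example cash flows (thousands of USD), not figures from the slides:
# a year-0 outlay followed by four years of net returns.
PROJECTS = {
    "front-loaded": [-1000, 500, 400, 300, 200],
    "back-loaded":  [-1000, 200, 300, 400, 500],
}

if __name__ == "__main__":
    for name, flows in PROJECTS.items():
        print(f"{name}: NPV@10% = {npv(0.10, flows):.2f}, IRR = {irr(flows):.2%}")
    print("preferred:", prefer_by_npv(0.10, PROJECTS))
```

At a 10% discount rate the front-loaded project has the larger NPV (about 147 against 72) and the higher IRR (about 17.8%), so both criteria agree here; they need not in general, which is why the deck lists several measures rather than one.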

Risk evaluation

• Excel spreadsheets can do PV, NPV, IRR and other
financial value calculations.

59

Risk evaluation
• Four cases for risk evaluation:


60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results

61

Risk evaluation
[Chart: change implementation (horizontal axis) against value accrued (+/-) (vertical axis), one quadrant per case:
Change, positive outcome
No change, positive outcome
No change, negative outcome
Change, negative outcome]

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.

63
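Slides 61 to 63 lay out the four cases and the rule that the organization's tolerable loss limit bounds what can be accepted. The Python below is an added example, not from the deck, that scores the two branches, change and no change, each with its positive and adverse outcome, by probability-weighted net value and then rules out any branch whose worst case breaches the limit. The probabilities, costs and values are constructed figures.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    """One of the four cases: what happens, how likely it is, and what it costs or earns."""
    label: str
    probability: float
    cost_of_action: float   # money spent to make the change; 0 when doing nothing (slide 16)
    value_accrued: float    # change in output value: positive for gains, negative for losses

    @property
    def net(self):
        return self.value_accrued - self.cost_of_action


def branch_summary(outcomes, tolerable_loss_limit):
    """Expected value and worst case for one branch (change or no change)."""
    total_p = sum(o.probability for o in outcomes)
    if abs(total_p - 1.0) > 1e-9:
        raise ValueError(f"branch probabilities sum to {total_p}, not 1")
    expected = sum(o.probability * o.net for o in outcomes)
    worst = min(o.net for o in outcomes)
    return {
        "expected": expected,
        "worst_case": worst,
        "within_tolerance": -worst <= tolerable_loss_limit,
    }


def four_case_analysis(change, no_change, tolerable_loss_limit):
    """Compare the two branches; a branch whose worst case breaches the
    tolerable loss limit is ruled out regardless of its expected value."""
    branches = {
        "change": branch_summary(change, tolerable_loss_limit),
        "no_change": branch_summary(no_change, tolerable_loss_limit),
    }
    eligible = [b for b, s in branches.items() if s["within_tolerance"]]
    preferred = max(eligible, key=lambda b: branches[b]["expected"]) if eligible else None
    return {**branches, "preferred": preferred}


# Constructed figures in thousands of USD (not from the slides).
CHANGE = [
    Outcome("implement, results achieved", 0.7, cost_of_action=50, value_accrued=200),
    Outcome("implement, adverse results",  0.3, cost_of_action=50, value_accrued=-100),
]
NO_CHANGE = [
    Outcome("do nothing, learning-curve gain", 0.8, cost_of_action=0, value_accrued=30),
    Outcome("do nothing, adverse results",     0.2, cost_of_action=0, value_accrued=-90),
]

if __name__ == "__main__":
    result = four_case_analysis(CHANGE, NO_CHANGE, tolerable_loss_limit=100)
    for branch in ("change", "no_change"):
        s = result[branch]
        print(f"{branch:10s} EV={s['expected']:7.1f} worst={s['worst_case']:7.1f} "
              f"tolerable={s['within_tolerance']}")
    print("preferred:", result["preferred"])
```

In the sample the change has the higher expected value (60 against 6) but its adverse case loses 150, more than the tolerable loss limit of 100, so the rule prefers doing nothing; raising the limit to 200 flips the recommendation. That is the comparison slide 63 asks for: the four cases side by side, read against the loss limit and not only against each other.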

Mitigation


64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.


65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure

66

Risk mitigation treatments
• Risk avoidance
• Risk reduction
• Risk retention
• Risk transfer
67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured are retained risk.
from Wikipedia

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

72

Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability weighted Sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

73

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
– Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
– Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
– Determine whether product development has realistic
costs and timeframes.
– Check that a detailed budget has been established for
product development.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
– Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
– Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
– Make sure quality specifications have been defined,
authorized and formally documented.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)


78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks


79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)


80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to
controlled recovery

81
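The three re-evaluation slides (79 to 81) describe the classic annual loss exposure calculation. The Python below is an added example, not the deck's own material: a constructed register of three risks and three controls, each control scaling the per-occurrence loss or the yearly frequency of one risk, from which it derives raw ALE, controlled ALE, the improvement, the control cost and the net annual benefit, plus the ALE reduction per dollar for each control applied on its own. All figures are illustrative.

```python
# Constructed risk register: per-occurrence loss (USD) and expected occurrences
# per year. Figures are illustrative, not from the slides.
RISKS = [
    {"name": "ransomware",          "loss": 500_000, "frequency": 0.2},
    {"name": "phishing-credential", "loss":  40_000, "frequency": 2.0},
    {"name": "lost-laptop",         "loss":  15_000, "frequency": 1.0},
]

# Constructed controls: annual cost plus the factor by which each scales the
# per-occurrence loss or the yearly frequency of one named risk.
CONTROLS = [
    {"name": "offline backups + tested restore", "annual_cost": 20_000,
     "risk": "ransomware", "loss_factor": 0.2, "frequency_factor": 1.0},
    {"name": "MFA on all remote access", "annual_cost": 12_000,
     "risk": "phishing-credential", "loss_factor": 1.0, "frequency_factor": 0.1},
    {"name": "full-disk encryption", "annual_cost": 5_000,
     "risk": "lost-laptop", "loss_factor": 0.1, "frequency_factor": 1.0},
]


def annual_loss_exposure(risks):
    """Raw ALE: per-risk loss x frequency, summed over all risks (slide 79)."""
    return sum(r["loss"] * r["frequency"] for r in risks)


def apply_controls(risks, controls):
    """Return a copy of the register as it would look with every control working."""
    controlled = [dict(r) for r in risks]
    by_name = {r["name"]: r for r in controlled}
    for c in controls:
        target = by_name[c["risk"]]
        target["loss"] *= c["loss_factor"]
        target["frequency"] *= c["frequency_factor"]
    return controlled


def evaluate_controls(risks, controls):
    """Recalculate ALE with the controls in place and weigh the improvement
    against what the controls cost each year (slide 81)."""
    raw = annual_loss_exposure(risks)
    controlled = annual_loss_exposure(apply_controls(risks, controls))
    cost = sum(c["annual_cost"] for c in controls)
    return {
        "raw_ale": raw,
        "controlled_ale": controlled,
        "ale_reduction": raw - controlled,
        "control_cost": cost,
        "net_annual_benefit": (raw - controlled) - cost,
    }


def per_control_return(risks, controls):
    """ALE reduction per dollar of annual control cost, each control applied alone."""
    raw = annual_loss_exposure(risks)
    return {c["name"]: (raw - annual_loss_exposure(apply_controls(risks, [c]))) / c["annual_cost"]
            for c in controls}


if __name__ == "__main__":
    summary = evaluate_controls(RISKS, CONTROLS)
    for key, value in summary.items():
        print(f"{key:>20}: {value:>12,.0f}")
    for name, ratio in per_control_return(RISKS, CONTROLS).items():
        print(f"{ratio:4.1f}x  {name}")
```

With these figures the raw ALE of 195,000 falls to 29,500 once all three controls are working; the controls cost 37,000 a year, leaving a net annual benefit of 128,500. The per-control ratios (4.0x, 6.0x and 2.7x) are what you would use to decide which control to fund first when the budget does not cover all of them.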

Conclusions


82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:
• Define
• Identify
• Evaluate
• Mitigate
• Control

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations


85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, cp, etc)
– Financial calculations (ROI, etc)
– SPC
– ...

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding
– Investments
• Home
• Car

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009


88

(Four Case)
Risk Management Analysis
Thank you
Questions?


89


Slide 81

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < or > 100, where
– RPN = Severity x Frequency x Detectability

48

Risk evaluation
• Typical approaches for quantification
– Weighted probabilities
– Extended cost
– Future Value or Net Present Value
– Capability analysis
– Value stream mapping
– Cost of poor quality
– Discounted Cash Flow
– Internal Rate of Return

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

50

Risk evaluation
Financial measures of c/b
• Return on Investment (ROI)
Net B/C ratio = (PV of benefits – PV of operating costs) / PV of capital costs

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
52

Risk evaluation
• NPV = a0 + a1/(1+i) + a2/(1+i)^2 + a3/(1+i)^3 + ...
• Where
“a” is the net return for each period and “i” is the discount rate per period

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.

54

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
56

Risk evaluation
Financial measures of c/b
• IRR
The value of "i" such that the sum over t = 1 .. p of a_t / (1+i)^t = 0

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?"
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

59

Risk evaluation
• Four cases for risk evaluation:

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
61

Risk evaluation
Chart: value accrued (+/-) plotted against change implementation, one quadrant per case:
– No change, positive outcome
– Change, positive outcome
– No change, negative outcome
– Change, negative outcome

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
63
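
The NPV and IRR calculations from the preceding slides and the four-case comparison, carried through in Python as an added example (not code from the slides or their author). The cash flows, the 10% discount rate, the $50k loss limit and the success probabilities are constructed sample values in thousands of dollars; the bisection search stands in for the "trial and error" the slides mention.

```python
"""Four-case risk evaluation with NPV and IRR.

Added example, not code from the slides. Conventions follow the deck:
a0 is the period-0 amount (negative for an outlay), a1, a2, ... are the
later net returns, and i is the discount rate. Every figure here is a
constructed sample value in thousands of dollars, not real project data.
"""
from typing import Dict, Optional, Sequence


def npv(rate: float, cash_flows: Sequence[float]) -> float:
    """NPV = a0 + a1/(1+i) + a2/(1+i)^2 + a3/(1+i)^3 + ... (the deck's formula)."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


def irr(cash_flows: Sequence[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-9) -> Optional[float]:
    """The rate i at which NPV is zero. As the deck says, there is no closed
    form, so this bisects NPV(i) on [lo, hi]: systematic trial and error.
    Returns None when NPV has the same sign at both ends. A stream that is
    never negative (nothing invested) or never positive (no return) has no
    IRR, which is exactly the case for the 'do nothing' scenarios below."""
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        return None
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if f_mid == 0.0:
            return mid
        if (f_mid < 0) == (f_lo < 0):   # same sign as the low end: root is above mid
            lo, f_lo = mid, f_mid
        else:                           # sign changed: root is below mid
            hi = mid
    return (lo + hi) / 2.0


# Constructed sample cash flows for the deck's four cases: period 0, then
# three later periods. "No change" costs nothing up front; its outcomes are
# the learning-curve gains or the losses of leaving the process as it is.
FOUR_CASES: Dict[str, Sequence[float]] = {
    "change, positive outcome": [-100.0, 60.0, 60.0, 60.0],
    "change, negative outcome": [-100.0, 10.0, 10.0, 10.0],
    "no change, positive outcome": [0.0, 5.0, 8.0, 10.0],
    "no change, negative outcome": [0.0, -20.0, -30.0, -40.0],
}


def evaluate_cases(cases: Dict[str, Sequence[float]], rate: float,
                   loss_limit: float) -> Dict[str, dict]:
    """Value each case by NPV and IRR and flag any whose NPV breaches the
    organization's tolerable loss limit (given as a positive amount)."""
    results = {}
    for name, flows in cases.items():
        value = npv(rate, flows)
        results[name] = {
            "npv": value,
            "irr": irr(flows),
            "within_tolerance": value >= -loss_limit,
        }
    return results


def expected_npv(p_success: float, npv_success: float,
                 npv_failure: float) -> float:
    """Probability-weighted NPV of one decision branch (the deck's
    'weighted probabilities' approach)."""
    return p_success * npv_success + (1.0 - p_success) * npv_failure


def compare_decision(cases: Dict[str, Sequence[float]], rate: float,
                     p_change_ok: float, p_no_change_ok: float) -> Dict[str, float]:
    """Expected NPV of 'change' versus 'no change', each branch weighted by
    its own (assumed) probability of the positive outcome."""
    return {
        "change": expected_npv(
            p_change_ok,
            npv(rate, cases["change, positive outcome"]),
            npv(rate, cases["change, negative outcome"])),
        "no change": expected_npv(
            p_no_change_ok,
            npv(rate, cases["no change, positive outcome"]),
            npv(rate, cases["no change, negative outcome"])),
    }


if __name__ == "__main__":
    RATE, LOSS_LIMIT = 0.10, 50.0   # constructed: 10% cost of capital, $50k loss limit
    for name, r in evaluate_cases(FOUR_CASES, RATE, LOSS_LIMIT).items():
        irr_txt = "n/a" if r["irr"] is None else f"{r['irr']:.1%}"
        flag = "" if r["within_tolerance"] else "  <-- exceeds loss limit"
        print(f"{name:30s} NPV {r['npv']:8.2f}  IRR {irr_txt:>6s}{flag}")
    print(compare_decision(FOUR_CASES, RATE, 0.7, 0.7))
```

Both negative-outcome cases breach the $50k limit here, so the comparison of expected NPVs only settles the decision if the organization can absorb that worst case.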

Mitigation

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
66

Risk mitigation treatments
– Risk avoidance
– Risk reduction
– Risk retention
– Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia
69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amount of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

72

Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability weighted sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

73

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)

78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)

80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to
controlled recovery

81
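
The re-evaluation steps on the last three slides (raw ALE summed over all risks, ALE recalculated with every control working, the cost of the controls, and the resulting improvement), carried through in Python as an added example that is not code from the slides or their author. The risk register entries, their dollar figures and the effect attributed to each control are constructed sample values and assumptions.

```python
"""Annual Loss Exposure (ALE) before and after controls.

Added example, not code from the slides. It follows the deck's steps:
annual loss per occurrence x frequency of occurrence, summed over all
risks (raw ALE); the same calculation assuming every control works
(controlled ALE); the cost of the controls; and the net improvement.
The register below is constructed sample data; the control effects are
assumptions, expressed with the deck's two levers (reduce the chance of
failure, reduce the cost of failure).
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Risk:
    name: str
    loss_per_occurrence: float       # estimated loss each time it happens ($)
    occurrences_per_year: float      # frequency; 0.05 means once in 20 years
    control: str                     # the mitigating control being costed
    annual_control_cost: float       # what the control costs per year ($)
    controlled_occurrences_per_year: float   # assumed frequency with control
    controlled_loss_per_occurrence: float    # assumed loss with control


def ale(loss_per_occurrence: float, occurrences_per_year: float) -> float:
    """ALE for one risk = loss per occurrence x frequency of occurrence."""
    return loss_per_occurrence * occurrences_per_year


def raw_ale(risks: List[Risk]) -> float:
    """Raw ALE: per-risk ALE with no controls, summed over all risks."""
    return sum(ale(r.loss_per_occurrence, r.occurrences_per_year) for r in risks)


def controlled_ale(risks: List[Risk]) -> float:
    """ALE recalculated assuming all controls are working."""
    return sum(ale(r.controlled_loss_per_occurrence,
                   r.controlled_occurrences_per_year) for r in risks)


def control_cost(risks: List[Risk]) -> float:
    """Annual cost of the risk-mitigating controls."""
    return sum(r.annual_control_cost for r in risks)


def net_improvement(risks: List[Risk]) -> float:
    """Improvement in ALE net of what the controls cost. Negative means the
    control program costs more per year than the exposure it removes."""
    return raw_ale(risks) - controlled_ale(risks) - control_cost(risks)


def uneconomic_controls(risks: List[Risk]) -> List[str]:
    """Names of risks whose control costs more per year than the ALE it
    removes. For those, retaining the risk (the deck's risk retention) is
    the cheaper treatment unless the loss exceeds the organization's
    tolerable loss limit, which this pure ALE comparison does not see."""
    flagged = []
    for r in risks:
        reduction = (ale(r.loss_per_occurrence, r.occurrences_per_year)
                     - ale(r.controlled_loss_per_occurrence,
                           r.controlled_occurrences_per_year))
        if r.annual_control_cost > reduction:
            flagged.append(r.name)
    return flagged


# Constructed sample register (all figures illustrative only).
REGISTER: List[Risk] = [
    Risk("customer record breach", 500_000, 0.05,
         "access control and monitoring", 12_000, 0.01, 500_000),
    Risk("ransomware on plant systems", 200_000, 0.20,
         "offline backups and restore drills", 15_000, 0.20, 40_000),
    Risk("laptop theft", 5_000, 2.0,
         "full-disk encryption", 3_000, 2.0, 1_000),
    Risk("invoice fraud", 30_000, 0.10,
         "second approver on payments", 4_000, 0.05, 30_000),
]


if __name__ == "__main__":
    print(f"raw ALE:         {raw_ale(REGISTER):>10,.0f}")
    print(f"controlled ALE:  {controlled_ale(REGISTER):>10,.0f}")
    print(f"control cost:    {control_cost(REGISTER):>10,.0f}")
    print(f"net improvement: {net_improvement(REGISTER):>10,.0f}")
    print("controls costing more than they save:", uneconomic_controls(REGISTER))
```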

Conclusions

82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:
– Define
– Identify
– Evaluate
– Mitigate
– Control

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate, support your assessment
with recognized c/b calculations

85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, Cp, etc)
– Financial calculations (ROI, etc)
– SPC
– ...

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding
– Investments
• Home
• Car

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009

88

(Four Case)
Risk Management Analysis
Thank you
Questions?

89


Slide 82

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
p



The value of "i" such that  at / (1+i) t = 0
t=1

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
James August, CQA 01/21/09

61

Risk evaluation
V a lu e a ccru e d (+ /-)

N o ch an ge
P ositive ou tcom e

C h an ge
P ositive ou tcom e

C h a n g e im p le m e n ta tio n

N o ch an ge
N egative ou tcom e

James August, CQA 01/21/09

C h an ge
N egative ou tcom e

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
James August, CQA 01/21/09

63

Mitigation

James August, CQA 01/21/09

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

James August, CQA 01/21/09

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
James August, CQA 01/21/09

66

Risk mitigation treatments





James August, CQA 01/21/09

Risk avoidance
Risk reduction
Risk retention
Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
James August, CQA 01/21/09

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia
James August, CQA 01/21/09

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia
James August, CQA 01/21/09

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
James August, CQA 01/21/09

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools





Design for Six Sigma
Investment hedging
Concurrent Engineering
Employee education & training

James August, CQA 01/21/09

72

Risk mitigation
• Some mitigation approaches for core
processes





Published financial documents – open review
Probability weighted Sales forecasts
Raw material cost projections
FTA and FMEA for design and process
• simulations and prototyping

– Inventory ABC analysis
James August, CQA 01/21/09

73

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

Risk mitigation
• Checklists – Sample Risk Checklist for Pricing
– Management maintains an accurate awareness of market trends, competitor prices, etc. as determinants of pricing policy.
– Steps are taken to protect commercially sensitive pricing information from unauthorized access and leakage.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

Risk mitigation
• Checklists – Sample R&D Risk Checklist
– Determine whether product development has realistic costs and timeframes.
– Check that a detailed budget has been established for product development.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

Risk mitigation
• Checklists – Sample Materials Management Risk Checklist
– Ensure prompt action is taken to reject substandard supplies and arrange replacement stock.
– Verify that measures are in place to assess potential suppliers for their competence and commitment to quality.
– Make sure quality specifications have been defined, authorized and formally documented.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

Evaluation
(re-evaluation after control)


Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks


Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is meaningful to your organization (ROI, NPV, DCF, IRR, etc.)

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by recalculating Annual Loss Exposure assuming all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to the controls (raw ALE versus controlled ALE)
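The re-evaluation steps above (estimate loss per risk, multiply by frequency, sum to get raw ALE, recalculate with all controls working, compare with control cost) carried out in Python. This is an added example, not code from the deck or its author. The risk register, the control set and the scaling factors are constructed for illustration; the deck gives no such figures.

```python
# Added example: the raw-vs-controlled Annual Loss Exposure comparison from the
# re-evaluation slides. Risks carry a per-event loss and an annual frequency;
# controls carry an annual cost and the factors by which they scale the loss
# and/or the frequency of the risks they address. All values are constructed.

def annual_loss_exposure(risks):
    """raw ALE = sum over risks of (loss per event x events per year)."""
    return sum(r["loss_per_event"] * r["events_per_year"] for r in risks)


def apply_controls(risks, controls):
    """Return a copy of the risk list as it looks with every control working
    (the deck's assumption for the controlled ALE). Factors for several
    controls on the same risk multiply; a factor outside [0, 1] is rejected."""
    adjusted = [dict(r) for r in risks]          # do not mutate the caller's register
    by_name = {r["name"]: r for r in adjusted}
    for c in controls:
        for risk_name, (loss_factor, freq_factor) in c["effects"].items():
            if not (0 <= loss_factor <= 1 and 0 <= freq_factor <= 1):
                raise ValueError(f"factors for {risk_name!r} must be in [0, 1]")
            if risk_name not in by_name:
                raise KeyError(f"control {c['name']!r} names unknown risk {risk_name!r}")
            by_name[risk_name]["loss_per_event"] *= loss_factor
            by_name[risk_name]["events_per_year"] *= freq_factor
    return adjusted


def control_evaluation(risks, controls):
    """Raw ALE, controlled ALE, control cost, improvement and a simple ROI."""
    raw = annual_loss_exposure(risks)
    controlled = annual_loss_exposure(apply_controls(risks, controls))
    cost = sum(c["annual_cost"] for c in controls)
    improvement = raw - controlled
    return {
        "raw_ale": raw,
        "controlled_ale": controlled,
        "control_cost": cost,
        "ale_improvement": improvement,
        "net_benefit": improvement - cost,
        "roi": (improvement - cost) / cost if cost else float("inf"),
    }


# Constructed sample register and control set (illustrative figures only).
SAMPLE_RISKS = [
    {"name": "ransomware on file server", "loss_per_event": 250_000, "events_per_year": 0.2},
    {"name": "lost laptop with customer data", "loss_per_event": 40_000, "events_per_year": 1.5},
    {"name": "invoice fraud via spoofed supplier", "loss_per_event": 30_000, "events_per_year": 0.5},
]
SAMPLE_CONTROLS = [
    {"name": "offline backups with tested restores", "annual_cost": 12_000,
     "effects": {"ransomware on file server": (0.2, 1.0)}},      # cuts loss, not frequency
    {"name": "full-disk encryption on laptops", "annual_cost": 8_000,
     "effects": {"lost laptop with customer data": (0.1, 1.0)}},
    {"name": "dual approval for supplier bank-detail changes", "annual_cost": 3_000,
     "effects": {"invoice fraud via spoofed supplier": (1.0, 0.2)}},  # cuts frequency, not loss
]

if __name__ == "__main__":
    for k, v in control_evaluation(SAMPLE_RISKS, SAMPLE_CONTROLS).items():
        print(f"{k:16} {v:,.2f}")
```

The split into a loss factor and a frequency factor mirrors the mitigation slide's "either reduce the chance of failure or reduce the cost of failure": backups and encryption shrink the loss per event, dual approval shrinks how often the event succeeds. The controlled ALE assumes every control works, as the slide says; a practitioner would also rerun it with each control set to (1.0, 1.0) in turn to see which single failure hurts most.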

Conclusions


Risk management conclusions
• Every process has risk, even when just maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be done by combined cost/benefit comparisons
• Assessment of ongoing processes must be expressed in comparison with expected costs and results
• There is no simple single calculation for risk assessment (FMEA, ROI, …)

Risk management conclusions
After you identify a potential risk, take the five steps to risk management:
(1) Define
(2) Identify
(3) Evaluate
(4) Mitigate
(5) Control

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions, as they can hide substantial risk
• Consider all four risk cases
• When appropriate, support your assessment with recognized c/b calculations

Risk management conclusions
• Process control - the mitigation tool for the risk management process
– Check lists
– Non-financial indexes (FMEA, Cp, etc.)
– Financial calculations (ROI, etc.)
– SPC
– ...

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding
– Investments
• Home
• Car

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009


(Four Case)
Risk Management Analysis
Thank you
Questions?




(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?

(Four Case)
Risk Management Analysis
• Risk management is a process
• The process has parallels with DMAIC and PDCA

Definition


Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira


Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.


Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability


Risk definition
• Two occasions for which risk should be calculated: RTP and ITP
– RTP (run the process): core processes which must be maintained to keep the current business performance level
– ITP (improve the process): processes which may be improved, increasing the performance level

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large


Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $


Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $
– value of continued output
– value of lost output

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.


Risk definition
[Figure: 2x2 quadrant chart. Horizontal axis: Cost of action; vertical axis: Value accrued (+/-). Quadrants: big cost, big gains; small cost, small gains; small cost, small losses; big cost, big losses.]

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues

Risk definition
[Figure: the same quadrant chart (Cost of action vs. Value accrued (+/-)) with three annotations: the "small cost, big gains" corner is labelled "no brainer", the "big cost, big losses" corner is labelled "not a good idea", and the tolerable loss limit is marked on the loss side of the chart. Quadrants: small cost, big gains; big cost, big gains; small cost, small gains; small cost, small losses; big cost, big losses.]

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18

Risk management definition
• Risk assessment, as defined by the IIA Standards for the Professional Practice of Internal Auditing, is a systematic process for assessing and integrating professional judgments about probable adverse conditions or events. Risk impacts an organization’s ability to compete and to maintain its financial strength and the quality of its products and services. It’s the internal auditor’s job to identify all auditable activities and relevant risk factors and to assess their significance.

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures


Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.


Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools
– Risk mitigation or reduction
• treatment selection
• application of remedy tools
– Risk control at the new level

Identification


Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.

Risk identification
What is at risk?


Risk identification
What is at risk?
Achieving your objectives!


Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008

Risk identification
• core business op’ns & processes
– acquire new customers
– take orders
– procure materials
– create products, manage inventories
– deliver products
– collect payments

Risk identification
• core sales sub-processes
– market research
– pricing
– promotion and advertising
– order taking (order entry)
– warranty management

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection


Risk identification
• core operations sub-processes
– materials sourcing (availability)
– quality control (product & process)
– plant & workplace safety
– environmental concerns
– inventory
– logistics and transport

Risk identification
• core finance sub-processes
– budgeting
– accounts receivable and payable
– banking
– currency exchange
– MIS and IT processes

Risk identification
• support business processes
– strategic planning
– brand management
– facilities and infrastructure management
– process engineering
– capital investment
– asset management

Risk identification
• support business sub-processes
– communications
– knowledge management: training and education
– materials management and logistics
– legal/regulatory reporting (FDA, SOx, ...)
– supplier evaluation, management

Risk identification
• support business sub-processes
– quality assurance
– predictive/preventive maintenance
– recruitment, compensation
– employee relations (work stoppages)
– employee performance mgt
– payroll, benefits, ...

Risk identification
• other business areas
– outplacement
– employee well-being
– insurance
– mergers & acquisitions
– construction / expansion

Risk identification
• SWOT analysis is a sorting method for identifying and prioritizing risks.
– Strengths
– Weaknesses
– Opportunities
– Threats

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses
– Historical information - lessons learned
– Templates: critical path, engineering, ...

Evaluation


Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?


Risk evaluation
Risk matrix (rows: Frequency; columns: Severity)

Frequency    Negligible  Minor  Major  Severe
Frequent     L           I      H      H
Probable     L           I      H      H
Occasional   T           I      I      H
Remote       T           L      I      I


Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criterion: RPN above or below 100, where
– RPN = Severity x Frequency x Detectability
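The two non-financial measures just listed, the frequency x severity matrix and the FMEA RPN with its 100 criterion, applied together to a small risk register so that the entries can be ranked and flagged. This is an added example, not code from the deck or its author. The matrix cells are the deck's; the reading of the cell letters as T = tolerable, L = low, I = intermediate, H = high, the 1 to 10 scale for severity, occurrence and detectability, and the sample register are all assumptions made for the example.

```python
# Added example: rate risks with the frequency x severity matrix and the FMEA RPN.
# The matrix cells reproduce the deck's risk-matrix slide; the meaning of the
# letters (T = tolerable, L = low, I = intermediate, H = high) is an assumption.
SEVERITY = ["Negligible", "Minor", "Major", "Severe"]
MATRIX = {
    "Frequent":   ["L", "I", "H", "H"],
    "Probable":   ["L", "I", "H", "H"],
    "Occasional": ["T", "I", "I", "H"],
    "Remote":     ["T", "L", "I", "I"],
}
RANK = {"T": 0, "L": 1, "I": 2, "H": 3}   # ordering used to sort ratings
RPN_THRESHOLD = 100                        # the deck's criterion: RPN above/below 100


def matrix_rating(frequency, severity):
    """Look up the matrix cell, rejecting labels outside the deck's scales."""
    if frequency not in MATRIX:
        raise ValueError(f"unknown frequency {frequency!r}")
    if severity not in SEVERITY:
        raise ValueError(f"unknown severity {severity!r}")
    return MATRIX[frequency][SEVERITY.index(severity)]


def rpn(severity, occurrence, detectability):
    """RPN = severity x occurrence x detectability, each on a 1-10 scale (assumed)."""
    for name, v in (("severity", severity), ("occurrence", occurrence),
                    ("detectability", detectability)):
        if not 1 <= v <= 10:
            raise ValueError(f"{name} must be in 1..10, got {v}")
    return severity * occurrence * detectability


def screen(register):
    """Rate every entry both ways; flag it for action if the matrix says H
    or the RPN exceeds the threshold. Returns entries sorted worst-first."""
    rated = []
    for r in register:
        rating = matrix_rating(r["frequency"], r["severity"])
        score = rpn(r["S"], r["O"], r["D"])
        rated.append({
            "name": r["name"],
            "rating": rating,
            "rpn": score,
            "action": rating == "H" or score > RPN_THRESHOLD,
        })
    rated.sort(key=lambda e: (RANK[e["rating"]], e["rpn"]), reverse=True)
    return rated


# Constructed sample register (illustrative values, not from the deck).
SAMPLE_REGISTER = [
    {"name": "unpatched internet-facing server", "frequency": "Probable",
     "severity": "Severe", "S": 9, "O": 6, "D": 4},
    {"name": "backup tape mislabelled", "frequency": "Occasional",
     "severity": "Minor", "S": 3, "O": 4, "D": 5},
    {"name": "pricing data exposed on shared drive", "frequency": "Remote",
     "severity": "Major", "S": 7, "O": 2, "D": 8},
    {"name": "office printer jam", "frequency": "Frequent",
     "severity": "Negligible", "S": 2, "O": 9, "D": 2},
]

if __name__ == "__main__":
    for e in screen(SAMPLE_REGISTER):
        print(f'{e["name"]:40} matrix={e["rating"]} RPN={e["rpn"]:4} action={e["action"]}')
```

Running it shows why the deck says there is no single calculation: the "pricing data exposed" entry sits in the matrix's intermediate band because it is rare, yet its RPN clears 100 because the third FMEA factor, detectability, is poor. A register screened on the matrix alone would not surface it; screening on both does.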

Risk evaluation
• Typical approaches for quantification
– Weighted probabilities
– Extended cost
– Future Value or Net Present Value
– Capability analysis
– Value stream mapping
– Cost of poor quality
– Discounted Cash Flow
– Internal Rate of Return

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency


Risk evaluation
Financial measures of c/b
• Return on Investment (ROI)
Net B/C ratio = (PV of benefits – PV of operating costs) / PV of capital costs

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.

Risk evaluation
• NPV = a0 + a1/(1+i) + a2/(1+i)^2 + a3/(1+i)^3 + ...
• where a_t is the return (net cash flow) for period t and i is the discount rate

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a method to value a project, company, or financial asset using the concepts of the time value of money. All future cash flows are estimated and discounted to give them a present value. The discount rate used is generally the appropriate cost of capital, and incorporates judgments of the uncertainty (riskiness) of the future cash flows.

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.

Risk evaluation
Financial measures of c/b
• IRR
The value of i such that Σ_{t=1}^{p} a_t / (1+i)^t = 0

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which the total present value of future cash flows equals the cost of the investment."
• 2. "The IRR for an investment is the discount rate that produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates have to climb (the discount rate for NPV calculations) in order for the PV of gains to just cover the PV of costs?"
• The answer in each case is an interest rate; the higher the interest rate (that is, the higher the IRR), the more robust the investment and the better the returns compare to the costs.
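The NPV formula and the IRR definitions from the preceding slides in working form. This is an added example, not code from the deck or its author. npv() follows the deck's series NPV = a0 + a1/(1+i) + a2/(1+i)^2 + ...; irr() finds the rate at which NPV is zero by bisection, one concrete version of the "trial and error" the deck says is required; the cash-flow stream and the hurdle rates are constructed for illustration.

```python
# Added example: NPV and IRR as defined on the preceding slides.
# npv() follows the deck's formula NPV = a0 + a1/(1+i) + a2/(1+i)^2 + ...;
# irr() finds i such that NPV == 0 by bisection (the "trial and error" the deck describes).

def npv(rate, cashflows):
    """cashflows[0] is today's (undiscounted) flow; cashflows[t] is discounted by (1+rate)^t."""
    if rate <= -1:
        raise ValueError("rate must be greater than -100%")
    return sum(a / (1 + rate) ** t for t, a in enumerate(cashflows))


def irr(cashflows, lo=-0.99, hi=10.0, tol=1e-7, max_iter=200):
    """Bisection on NPV(rate) over [lo, hi]. Raises if NPV has the same sign at
    both ends, which is what happens when the cash flows never change sign and
    no IRR exists; with one sign change NPV is monotonic and the root is unique."""
    f_lo, f_hi = npv(lo, cashflows), npv(hi, cashflows)
    if f_lo == 0:
        return lo
    if f_hi == 0:
        return hi
    if (f_lo > 0) == (f_hi > 0):
        raise ValueError("IRR not bracketed: NPV has the same sign at both ends")
    for _ in range(max_iter):
        mid = (lo + hi) / 2
        f_mid = npv(mid, cashflows)
        if abs(f_mid) < tol or (hi - lo) / 2 < tol:
            return mid
        if (f_lo > 0) == (f_mid > 0):   # root lies in the upper half
            lo, f_lo = mid, f_mid
        else:                           # root lies in the lower half
            hi, f_hi = mid, f_mid
    return (lo + hi) / 2


def accept(cashflows, hurdle_rate):
    """Decision rule from IRR definition 3: accept when the IRR exceeds the hurdle rate."""
    return irr(cashflows) > hurdle_rate


# Constructed sample: invest 1000 today (a0 = -1000), receive 400 in each of three periods.
SAMPLE_CASHFLOWS = [-1000, 400, 400, 400]

if __name__ == "__main__":
    print(f"NPV at 10%: {npv(0.10, SAMPLE_CASHFLOWS):.2f}")
    r = irr(SAMPLE_CASHFLOWS)
    print(f"IRR: {r:.4%}; NPV at the IRR: {npv(r, SAMPLE_CASHFLOWS):.6f}")
```

At a 10% discount rate the sample stream has a slightly negative NPV, and its IRR comes out just under 10%, which is the same verdict stated two ways (definition 2 above). One caveat for the Excel route the next slide mentions: Excel's NPV() function discounts its first argument as an end-of-period-1 flow, so the a0 term of the deck's formula has to be added outside the NPV() call or the result is off by one period of discounting.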

Risk evaluation
• Excel spreadsheets can do PV, NPV, IRR and other financial value calculations.

Risk evaluation
• Four cases for risk evaluation:


Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results

Risk evaluation
[Figure: 2x2 chart of the four risk cases. Horizontal axis: Change implementation; vertical axis: Value accrued (+/-). Quadrants: Change / Positive outcome; No change / Positive outcome; Change / Negative outcome; No change / Negative outcome.]

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
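The four-case comparison the last three slides describe (change or no change, each with a positive and a negative outcome), valued with NPV and checked against the organization's tolerable loss limit. This is an added example, not code from the deck or its author. Weighting each case by a probability follows the "weighted probabilities" item from the quantification slide; the discount rate, the cash-flow streams, the probabilities and the loss limit are constructed for illustration.

```python
# Added example: evaluate the deck's four risk cases side by side.
# Each case is a probability-weighted cash-flow stream valued with NPV; any case
# whose NPV is below minus the tolerable loss limit breaches risk tolerance.

def npv(rate, cashflows):
    """NPV = a0 + a1/(1+i) + a2/(1+i)^2 + ..., as on the NPV slide."""
    return sum(a / (1 + rate) ** t for t, a in enumerate(cashflows))


ACTIONS = ("change", "no change")
OUTCOMES = ("positive", "negative")


def evaluate_four_cases(cases, rate, tolerable_loss):
    """cases: {(action, outcome): (probability, cashflows)} for all four combinations.
    Returns (per_case, expected_npv_per_action, list_of_breaching_cases)."""
    for action in ACTIONS:
        total_p = sum(cases[(action, o)][0] for o in OUTCOMES)
        if abs(total_p - 1.0) > 1e-9:
            raise ValueError(f"probabilities for {action!r} must sum to 1, got {total_p}")
    per_case = {}
    for key, (p, cf) in cases.items():
        value = npv(rate, cf)
        per_case[key] = {"p": p, "npv": value, "breach": value < -tolerable_loss}
    expected = {a: sum(per_case[(a, o)]["p"] * per_case[(a, o)]["npv"] for o in OUTCOMES)
                for a in ACTIONS}
    breaches = [k for k, v in per_case.items() if v["breach"]]
    return per_case, expected, breaches


def recommend(cases, rate, tolerable_loss):
    """Prefer the action with the higher expected NPV, but never one whose adverse
    case breaches the tolerable loss limit (the deck's 'not a good idea' corner)."""
    per_case, expected, breaches = evaluate_four_cases(cases, rate, tolerable_loss)
    safe = [a for a in ACTIONS if (a, "negative") not in breaches]
    if not safe:
        return "neither action stays within the tolerable loss limit; reduce the exposure first"
    return max(safe, key=lambda a: expected[a])


# Constructed sample (figures in thousands, illustrative only).
SAMPLE_CASES = {
    ("change", "positive"):    (0.7, [-200, 120, 120, 120]),   # change pays off
    ("change", "negative"):    (0.3, [-200, -40, 20, 40]),     # change goes wrong
    ("no change", "positive"): (0.6, [0, 10, 15, 20]),         # learning-curve gains
    ("no change", "negative"): (0.4, [0, -30, -60, -90]),      # the RTP process decays
}
RATE, TOLERABLE_LOSS = 0.08, 160

if __name__ == "__main__":
    per_case, expected, breaches = evaluate_four_cases(SAMPLE_CASES, RATE, TOLERABLE_LOSS)
    for key, v in per_case.items():
        print(f"{key[0]:10} {key[1]:9} p={v['p']:.1f} NPV={v['npv']:8.2f} breach={v['breach']}")
    print("expected:", {a: round(e, 2) for a, e in expected.items()})
    print("recommendation:", recommend(SAMPLE_CASES, RATE, TOLERABLE_LOSS))
```

With these figures the change has the higher expected NPV, but its adverse case breaches a 160 limit, so the tolerance rule holds it back; raise the limit to 200 and the recommendation flips. The "no change / negative" case is the one the conclusions slide warns about: doing nothing is not free, and here its downside is nearly as large as the change's.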

Mitigation


Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.


Risk mitigation
• How do I reduce my risk?
• Risk is a function of probability of success (or lack) and value of success (or cost)
• Either reduce the chance of failure or reduce the cost of failure

Risk mitigation treatments
• Risk avoidance
• Risk reduction
• Risk retention
• Risk transfer

Risk mitigation treatments
• Risk avoidance
– Includes not performing an activity that could carry risk. An example would be not buying a property or business in order to not take on the liability that comes with it. Another would be not flying in order to not take the risk that the airplane were to be hijacked. Avoidance may seem the answer to all risks, but avoiding risks also means losing out on the potential gain that accepting (retaining) the risk may have allowed. Not entering a business to avoid the risk of loss also avoids the possibility of earning profits.
from Wikipedia

Risk mitigation treatments
• Risk reduction
– Involves methods that reduce the severity of the loss. Examples include sprinklers designed to put out a fire to reduce the risk of loss by fire.
– Modern software development methodologies reduce risk by developing and delivering software incrementally. Early methodologies suffered from the fact that they only delivered software in the final phase of development; any problems encountered in earlier phases meant costly rework and often jeopardized the whole project.
from Wikipedia

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia
James August, CQA 01/21/09

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
James August, CQA 01/21/09

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools





Design for Six Sigma
Investment hedging
Concurrent Engineering
Employee education & training

James August, CQA 01/21/09

72

Risk mitigation
• Some mitigation approaches for core
processes





Published financial documents – open review
Probability weighted Sales forecasts
Raw material cost projections
FTA and FMEA for design and process
• simulations and prototyping

– Inventory ABC analysis
James August, CQA 01/21/09

73

Risk mitigation
• and







Freight carrier performance statistics
Statistical Process Control
Electronic surveillance
Hedging
Invoice aging analysis and variance
Process check lists

James August, CQA 01/21/09

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for GrowthTM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
James August, CQA 01/21/09

from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)

James August, CQA 01/21/09

78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks

James August, CQA 01/21/09

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)

James August, CQA 01/21/09

80

Risk evaluation revisited
• Re-evaluate costs and benefit
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE to to
controlled recovery

James August, CQA 01/21/09

81

Conclusions

James August, CQA 01/21/09

82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)
James August, CQA 01/21/09

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:

Control
Mitigate
Evaluate
Identify
Define
James August, CQA 01/21/09

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations

James August, CQA 01/21/09

85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists





Non-financial indexes (FMEA, cp, etc)
Financial calculations (ROI, etc)
SPC
...

James August, CQA 01/21/09

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car
James August, CQA 01/21/09

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009

James August, CQA 01/21/09

88

(Four Case)
Risk Management Analysis
Thank you
Questions?

James August, CQA 01/21/09

89


Slide 84

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues

20

Risk definition
[Figure: the same 2x2 grid (vertical axis: Value accrued (+/-); horizontal axis: Cost of action)
with the quadrants labelled: small cost, big gains: "no brainer"; big cost, big gains;
small cost, small gains; small cost, small losses; big cost, big losses: "not a good idea".
The tolerable loss limit is marked on the value axis.]

21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures


24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.


25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level

26

Identification


27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.

28

Risk identification
What is at risk?


29

Risk identification
What is at risk?
Achieving your objectives!


30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008

31

Risk identification
• core business op’ns & processes
– acquire new customers
– take orders
– procure materials
– create products, manage inventories
– deliver products
– collect payments

32

Risk identification
• core sales sub-processes
– market research
– pricing
– promotion and advertising
– order taking (order entry)
– warranty management

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection


34

Risk identification
• core operations sub-processes
– materials sourcing (availability)
– quality control (product & process)
– plant & workplace safety
– environmental concerns
– inventory
– logistics and transport

35

Risk identification
• core finance sub-processes
– budgeting
– accounts receivable and payable
– banking
– currency exchange
– MIS and IT processes

36

Risk identification
• support business processes
– strategic planning
– brand management
– facilities and infrastructure management
– process engineering
– capital investment
– asset management

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management

38

Risk identification
• support business sub-processes
– quality assurance
– predictive/ preventive maintenance
– recruitment, compensation
– employee relations (work stoppages)
– employee performance mgt
– payroll, benefits, ...

39

Risk identification
• other business areas
– outplacement
– employee well-being
– insurance
– mergers & acquisitions
– construction / expansion

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.
– Strengths
– Weaknesses
– Opportunities
– Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses
– Historical information - lessons learned
– Templates: critical path, engineering, ...

42

Evaluation


43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?


44

Risk evaluation
Risk matrix (rows: Frequency; columns: Severity)

Frequency \ Severity   Negligible   Minor   Major   Severe
Frequent               L            I       H       H
Probable               L            I       H       H
Occasional             T            I       I       H
Remote                 T            L       I       I

45

Risk evaluation


46

Risk evaluation


47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criterion: whether RPN is above or below 100, where
– RPN = Severity x Frequency x Detectability


48

Risk evaluation
• Typical approaches for quantification
– Weighted probabilities
– Extended cost
– Future Value or Net Present Value
– Capability analysis
– Value stream mapping
– Cost of poor quality
– Discounted Cash Flow
– Internal Rate of Return

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency


50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)
– Net B/C ratio = (PV of benefits – PV of operating costs) / PV of capital costs


51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.

52

Risk evaluation

• NPV = $a_0 + \dfrac{a_1}{1+i} + \dfrac{a_2}{(1+i)^2} + \dfrac{a_3}{(1+i)^3} + \cdots$

• Where
$a_t$ is the return in period $t$ and $i$ is the rate per period


53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.

56

Risk evaluation
Financial measures of c/b
• IRR
The value of $i$ such that $\sum_{t=1}^{p} \dfrac{a_t}{(1+i)^t} = 0$


57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?"
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.

58
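The NPV sum from slide 53 and the trial-and-error IRR from slides 56 to 58, carried through as an added Python example (not code from the deck): npv applies the formula directly, irr brackets the rate and bisects until NPV crosses zero, and the cash-flow stream PROJECT is constructed.

```python
"""NPV and IRR as the slides define them (added example, not from the deck).

NPV = a0 + a1/(1+i) + a2/(1+i)^2 + ...  with a_t the return in period t.
IRR = the rate i at which NPV is zero; the slides note it has no closed
form and must be approximated, which is done here by bisection.
"""
from typing import Sequence


def npv(flows: Sequence[float], i: float) -> float:
    """Net present value of a0, a1, a2, ... at per-period rate i.

    flows[0] is paid or received now and is not discounted; flows[t] is
    divided by (1+i)**t. Outlays are negative, returns positive.
    """
    return sum(a / (1.0 + i) ** t for t, a in enumerate(flows))


def pv_of_future_flows(flows: Sequence[float], i: float) -> float:
    """Present value of a1, a2, ... only (the sum from t = 1 on slide 57)."""
    return npv(flows, i) - flows[0]


def irr(flows: Sequence[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-10, max_iter: int = 500) -> float:
    """Rate at which npv(flows, i) == 0, found by bisection on [lo, hi].

    Raises ValueError when NPV has the same sign at both ends of the
    bracket, e.g. a stream that only ever pays out: there is no IRR.
    """
    f_lo, f_hi = npv(flows, lo), npv(flows, hi)
    if f_lo * f_hi > 0:
        raise ValueError("NPV does not change sign on the bracket; no IRR")
    for _ in range(max_iter):
        mid = (lo + hi) / 2.0
        f_mid = npv(flows, mid)
        if abs(f_mid) < tol or (hi - lo) < tol:
            return mid
        if f_lo * f_mid < 0:      # sign change in the lower half: root is there
            hi, f_hi = mid, f_mid
        else:                     # otherwise the root is in the upper half
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


# Constructed project: $1000 invested now, $400 returned in each of 3 years.
PROJECT = (-1000.0, 400.0, 400.0, 400.0)

if __name__ == "__main__":
    for rate in (0.08, 0.10):
        print(f"NPV at {rate:.0%}: {npv(PROJECT, rate):8.2f}")
    r = irr(PROJECT)
    print(f"IRR: {r:.4%}")
    # Definition 1 on slide 58: at the IRR the PV of future flows equals the cost.
    print(f"PV of future flows at IRR: {pv_of_future_flows(PROJECT, r):.2f}")
```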

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.


59

Risk evaluation
• Four cases for risk evaluation:


60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results

61

Risk evaluation
[Figure: 2x2 grid. Vertical axis: Value accrued (+/-); horizontal axis: Change implementation.
Quadrants: No change / Positive outcome; Change / Positive outcome;
No change / Negative outcome; Change / Negative outcome.]

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.

63
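The four-case comparison from slides 61 to 63 as an added Python example (not code from the deck): each case is a cash-flow stream, NPV is the valuation method chosen here, and each branch's worst case is checked against the tolerable loss limit from slide 20. The cash flows, outcome probabilities, discount rate, loss limits and the decision rule in decide are all assumptions.

```python
"""Four-case risk evaluation (added example, not from the deck).

The four cases from slide 61 are paired as two branches, "change" and
"no change", each with a positive and a negative outcome. NPV is used as
the valuation method (the deck leaves the choice to the organisation), and
the tolerable loss limit from slide 20 is applied to each branch's worst
case. All cash flows, probabilities and the limit are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence


def npv(flows: Sequence[float], i: float) -> float:
    """a0 + a1/(1+i) + a2/(1+i)^2 + ... (slide 53)."""
    return sum(a / (1.0 + i) ** t for t, a in enumerate(flows))


@dataclass(frozen=True)
class Outcome:
    name: str                # e.g. "positive outcome"
    flows: Sequence[float]   # a0, a1, ... for this case (outlays negative)
    probability: float       # chance of this outcome, given the branch


@dataclass
class BranchSummary:
    branch: str
    case_npvs: Dict[str, float]
    worst_npv: float
    expected_npv: float
    breaches_limit: bool     # worst case loses more than the tolerable loss limit


def summarize_branch(branch: str, outcomes: Sequence[Outcome],
                     rate: float, loss_limit: float) -> BranchSummary:
    """Value each outcome of one branch and test it against the loss limit."""
    if abs(sum(o.probability for o in outcomes) - 1.0) > 1e-9:
        raise ValueError(f"{branch}: outcome probabilities must sum to 1")
    case_npvs = {o.name: npv(o.flows, rate) for o in outcomes}
    worst = min(case_npvs.values())
    expected = sum(o.probability * case_npvs[o.name] for o in outcomes)
    return BranchSummary(branch, case_npvs, worst, expected, worst <= -loss_limit)


def evaluate_four_cases(change: Sequence[Outcome], no_change: Sequence[Outcome],
                        rate: float, loss_limit: float) -> Dict[str, BranchSummary]:
    """Summaries for both branches, i.e. all four cases of slide 61."""
    return {
        "change": summarize_branch("change", change, rate, loss_limit),
        "no change": summarize_branch("no change", no_change, rate, loss_limit),
    }


def decide(summaries: Dict[str, BranchSummary]) -> Optional[str]:
    """Decision rule assumed here: drop any branch whose worst case breaches
    the loss limit, then take the remaining branch with the higher expected
    NPV. None means neither branch is acceptable and the options need rework."""
    acceptable = [s for s in summaries.values() if not s.breaches_limit]
    if not acceptable:
        return None
    return max(acceptable, key=lambda s: s.expected_npv).branch


# Constructed figures in $k over a 3-year horizon, discounted at 8%.
RATE = 0.08
CHANGE = (
    Outcome("positive outcome", (-200.0, 120.0, 120.0, 120.0), 0.7),  # results achieved
    Outcome("negative outcome", (-200.0, -40.0, 20.0, 20.0), 0.3),    # adverse, unplanned
)
NO_CHANGE = (
    Outcome("positive outcome", (0.0, 10.0, 15.0, 20.0), 0.5),        # learning-curve gains
    Outcome("negative outcome", (0.0, -60.0, -60.0, -60.0), 0.5),     # adverse results
)

if __name__ == "__main__":
    for limit in (250.0, 150.0):
        summaries = evaluate_four_cases(CHANGE, NO_CHANGE, RATE, limit)
        for s in summaries.values():
            print(f"{s.branch:10s} worst {s.worst_npv:8.2f} expected {s.expected_npv:8.2f}"
                  f" breaches limit: {s.breaches_limit}")
        print(f"loss limit {limit:.0f}k -> decision: {decide(summaries)}")
```

With the tighter limit both branches breach it, which is the deck's point that "do nothing" (RTP) can hide substantial risk.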

Mitigation


64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.


65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of the probability of
success (or failure) and the value of success
(or the cost of failure)
• Either reduce the chance of failure or
reduce the cost of failure

66

Risk mitigation treatments
• Risk avoidance
• Risk reduction
• Risk retention
• Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amount of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

72

Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability weighted Sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

73

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)


78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks


79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)


80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to
controlled recovery


81
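The raw and controlled Annual Loss Exposure steps of slides 79 to 81, carried through as an added Python example (not code from the deck): each risk carries its loss per occurrence and frequency with and without controls working, and the ALE reduction is set against the annual cost of the controls. The risk names, dollar figures, frequencies and control costs are constructed.

```python
"""Annual Loss Exposure before and after controls (added example, not from
the deck).

raw ALE        = sum over risks of loss per occurrence x occurrences per year
controlled ALE = the same sum using the loss and frequency that apply when
                 the mitigating controls are working
The improvement is then set against what the controls cost each year. The
risks, figures and control costs below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class Risk:
    name: str
    loss_per_event: float         # estimated loss each time it occurs ($)
    events_per_year: float        # frequency of occurrence
    controlled_loss: float        # loss per event with controls working ($)
    controlled_frequency: float   # occurrences per year with controls working
    control_cost_per_year: float  # what the mitigating controls cost ($/year)

    @property
    def raw_ale(self) -> float:
        return self.loss_per_event * self.events_per_year

    @property
    def controlled_ale(self) -> float:
        return self.controlled_loss * self.controlled_frequency

    @property
    def net_benefit(self) -> float:
        """ALE reduction minus the annual cost of the control."""
        return self.raw_ale - self.controlled_ale - self.control_cost_per_year


def total_ale(risks: Sequence[Risk], controlled: bool = False) -> float:
    """Sum of ALE over all risks, raw or with controls working (slides 79, 81)."""
    return sum(r.controlled_ale if controlled else r.raw_ale for r in risks)


def control_effectiveness(risks: Sequence[Risk]) -> Dict[str, float]:
    """Raw vs. controlled ALE, the control cost, and the net improvement."""
    raw = total_ale(risks)
    ctrl = total_ale(risks, controlled=True)
    cost = sum(r.control_cost_per_year for r in risks)
    return {
        "raw_ale": raw,
        "controlled_ale": ctrl,
        "ale_reduction": raw - ctrl,
        "control_cost": cost,
        "net_benefit": raw - ctrl - cost,
    }


def controls_not_paying_off(risks: Sequence[Risk]) -> List[str]:
    """Names of risks whose control costs more per year than it saves."""
    return [r.name for r in risks if r.net_benefit < 0]


# Constructed operational/security risks, dollar figures per year.
RISKS = (
    Risk("credential phishing", 40_000, 2.0, 10_000, 0.5, 30_000),              # MFA + training
    Risk("lost laptop with unencrypted data", 25_000, 1.0, 2_000, 1.0, 8_000),  # disk encryption
    Risk("outage from untested change", 15_000, 4.0, 15_000, 1.0, 20_000),      # change testing
    Risk("minor data-entry errors", 500, 10.0, 400, 8.0, 6_000),                # double entry
)

if __name__ == "__main__":
    for key, value in control_effectiveness(RISKS).items():
        print(f"{key:15s} {value:12,.0f}")
    print("controls not paying off:", controls_not_paying_off(RISKS))
```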

Conclusions


82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:

1. Define
2. Identify
3. Evaluate
4. Mitigate
5. Control

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations


85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, cp, etc)
– Financial calculations (ROI, etc)
– SPC
– ...

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009


88

(Four Case)
Risk Management Analysis
Thank you
Questions?


89


Slide 85

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.

56

Risk evaluation
Financial measures of c/b
• IRR
The value of “i” such that the sum over t = 1 .. p of a_t / (1+i)^t equals 0,
i.e. a1/(1+i) + a2/(1+i)^2 + ... + ap/(1+i)^p = 0

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?"
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.

58
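The NPV and IRR definitions above, carried into working code as an added example (this is not code from the presentation). `npv` implements the slide's NPV series, `net_bc_ratio` the ROI slide's Net B/C ratio, and `irr` finds the rate at which NPV is zero by bisection, the trial-and-error search the slide refers to, since no closed form exists. The cash-flow figures are a constructed sample.

```python
"""NPV, net benefit/cost ratio and IRR for a projected cash-flow stream.

Added example, not from the presentation. The cash flows below are a
constructed sample: period 0 is the investment (paid out, so negative) and
periods 1..4 are the returns, using the deck's notation a_t and rate i.
"""
from typing import Sequence

# Constructed sample: $10,000 invested now, four years of returns.
SAMPLE_FLOWS = [-10000.0, 3000.0, 4000.0, 4000.0, 3000.0]


def npv(rate: float, cash_flows: Sequence[float]) -> float:
    """NPV = a0 + a1/(1+i) + a2/(1+i)^2 + ... ; cash_flows[t] is a_t, rate is i."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


def net_bc_ratio(rate: float, benefits: Sequence[float],
                 operating_costs: Sequence[float],
                 capital_costs: Sequence[float]) -> float:
    """Net B/C ratio from the ROI slide:
    (PV of benefits - PV of operating costs) / PV of capital costs.
    Each stream is indexed by period exactly like the NPV cash flows."""
    return (npv(rate, benefits) - npv(rate, operating_costs)) / npv(rate, capital_costs)


def irr(cash_flows: Sequence[float], low: float = -0.99, high: float = 10.0,
        tol: float = 1e-12, max_iter: int = 200) -> float:
    """Rate i at which NPV(i) == 0, found by bisection.

    There is no closed form (the slide's "trial and error"), so the bracket
    [low, high] is halved until it is narrower than tol. If NPV does not
    change sign across the bracket there is no root to find there, and the
    function raises instead of returning a misleading number.
    """
    f_low = npv(low, cash_flows)
    f_high = npv(high, cash_flows)
    if f_low * f_high > 0:
        raise ValueError("NPV does not change sign on the bracket; IRR is undefined there")
    for _ in range(max_iter):
        mid = (low + high) / 2.0
        f_mid = npv(mid, cash_flows)
        if f_mid == 0.0 or (high - low) < tol:
            return mid
        if f_low * f_mid < 0:
            high = mid            # root lies in the lower half
        else:
            low, f_low = mid, f_mid  # root lies in the upper half
    return (low + high) / 2.0


if __name__ == "__main__":
    rate = 0.10
    print(f"NPV at {rate:.0%}: {npv(rate, SAMPLE_FLOWS):,.2f}")
    i_star = irr(SAMPLE_FLOWS)
    print(f"IRR: {i_star:.2%}  (NPV at IRR = {npv(i_star, SAMPLE_FLOWS):.6f})")
    ratio = net_bc_ratio(rate, [0, 3000, 4000, 4000, 3000],
                         [0, 500, 500, 500, 500], [10000, 0, 0, 0, 0])
    print(f"Net B/C ratio: {ratio:.4f}")
```

Bisection needs the NPV to change sign across the search bracket; for the usual pattern (one outflow now, inflows later) that is guaranteed and the IRR is unique, which is why the function raises rather than returning a number when the sign check fails. For the sample stream the NPV at 10% is positive and the IRR comes out a little under 15%, so the investment clears a 10% cost of capital.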

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.


59

Risk evaluation
• Four cases for risk evaluation:


60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results

61

Risk evaluation
Chart: Value accrued (+/-) plotted against Change implementation, with the four cases in the quadrants: No change / Positive outcome, Change / Positive outcome, No change / Negative outcome, Change / Negative outcome

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.

63
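The four-case comparison as an added, runnable example (not from the presentation): each case is valued with NPV, the two decisions are compared on probability-weighted expected NPV, and the worst case of each decision is checked against a tolerable loss limit. All cash flows, outcome probabilities, the discount rate and the loss limit are constructed figures.

```python
"""Four-case risk evaluation: change vs. no change, positive vs. negative outcome.

Added example, not from the presentation. Every figure (cash flows, outcome
probabilities, discount rate, loss limit) is constructed. Each case is valued
with NPV, one of the methods the deck lists (ROI, NPV, DCF, IRR); the decision
rule then compares expected NPV and checks the worst case of each decision
against the organization's tolerable loss limit.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


def npv(rate: float, cash_flows: Sequence[float]) -> float:
    """NPV = a0 + a1/(1+i) + a2/(1+i)^2 + ...  (cash_flows[t] is a_t, rate is i)."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


@dataclass(frozen=True)
class Case:
    name: str
    probability: float        # chance of this outcome, given the decision
    cash_flows: List[float]   # a_0 .. a_n for this case (period 0 is now)


RATE = 0.08             # discount rate (cost of capital), constructed
LOSS_LIMIT = -15_000.0  # tolerable loss limit: the most the organization can afford to lose

# Decision 1: implement the change (invest 20,000 in a process improvement).
CHANGE_CASES = [
    Case("change / positive outcome", 0.7, [-20_000, 9_000, 9_000, 9_000, 9_000]),  # results achieved
    Case("change / negative outcome", 0.3, [-20_000, 2_000, 2_000, 2_000, 2_000]),  # adverse (unplanned) results
]
# Decision 2: do nothing (ongoing costs only). Upside is learning-curve
# improvement; downside is an adverse event the unchanged process cannot absorb.
NO_CHANGE_CASES = [
    Case("no change / positive outcome", 0.8, [0, 1_500, 2_000, 2_500, 3_000]),
    Case("no change / negative outcome", 0.2, [0, -4_000, -8_000, -8_000, -8_000]),
]


def evaluate(cases: Sequence[Case], rate: float) -> Tuple[Dict[str, float], float, float]:
    """Return (NPV per case, probability-weighted expected NPV, worst-case NPV)."""
    values = {c.name: npv(rate, c.cash_flows) for c in cases}
    expected = sum(c.probability * values[c.name] for c in cases)
    return values, expected, min(values.values())


def decide(rate: float = RATE, loss_limit: float = LOSS_LIMIT) -> Tuple[Optional[str], Dict[str, dict]]:
    """Pick the decision with the higher expected NPV among those whose worst case
    stays within the loss limit. None means neither decision is tolerable as-is,
    i.e. mitigation is needed before either can be taken."""
    summary: Dict[str, dict] = {}
    for label, cases in (("change", CHANGE_CASES), ("no change", NO_CHANGE_CASES)):
        values, expected, worst = evaluate(cases, rate)
        summary[label] = {
            "cases": values,
            "expected_npv": expected,
            "worst_case_npv": worst,
            "within_tolerance": worst >= loss_limit,
        }
    acceptable = [k for k, v in summary.items() if v["within_tolerance"]]
    best = max(acceptable, key=lambda k: summary[k]["expected_npv"]) if acceptable else None
    return best, summary


if __name__ == "__main__":
    best, summary = decide()
    for label, s in summary.items():
        for case, value in s["cases"].items():
            print(f"{case:<30} NPV {value:>10,.0f}")
        print(f"{label}: expected NPV {s['expected_npv']:,.0f}, worst case {s['worst_case_npv']:,.0f},"
              f" within loss limit: {s['within_tolerance']}")
    print("decision:", best)
```

With these figures the do-nothing option has the smaller expected NPV and a worst case beyond the loss limit, the pattern the deck warns about for run-the-process decisions: little upside, a large hidden downside. Tightening `loss_limit` to -10,000 leaves neither decision within tolerance, which is the signal to mitigate before choosing rather than to pick the better of two intolerable options.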

Mitigation


64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.


65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure

66

Risk mitigation treatments
– Risk avoidance
– Risk reduction
– Risk retention
– Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amount of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

72

Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability weighted Sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

73

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
– Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
– Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
– Determine whether product development has realistic
costs and timeframes.
– Check that a detailed budget has been established for
product development.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
– Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
– Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
– Make sure quality specifications have been defined,
authorized and formally documented.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)


78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks


79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc.)

80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to
controlled recovery

81
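The re-evaluation steps on the three slides above, worked through in code as an added example (not from the presentation): per-risk ALE from loss per occurrence and yearly frequency, summed raw ALE, ALE recalculated with all controls working, the cost of the controls, and the net improvement. The risks, their estimates and the control costs are constructed figures.

```python
"""Annual Loss Exposure (ALE) before and after mitigating controls.

Added example, not from the presentation. The three risks, their loss and
frequency estimates and the control costs are constructed figures.
ALE for one risk = estimated loss per occurrence x expected occurrences per
year; the raw figure assumes no controls, the controlled figure assumes all
controls are working, as the re-evaluation slides describe.
"""
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class Risk:
    name: str
    loss_per_event: float        # estimated loss each time the risk occurs, no controls ($)
    raw_frequency: float         # expected occurrences per year, no controls
    controlled_loss: float       # loss per occurrence once controls limit the damage ($)
    controlled_frequency: float  # expected occurrences per year with controls working
    control_cost: float          # annual cost of the mitigating controls ($)


# Constructed sample of risks in the spirit of the deck's checklists.
SAMPLE_RISKS = [
    # Controls: offline backups (cut the loss) and patching (cut the frequency).
    Risk("ransomware outage of order entry", 250_000.0, 0.10, 60_000.0, 0.02, 15_000.0),
    # Control: incoming inspection against documented quality specifications.
    Risk("substandard supplier material accepted", 40_000.0, 2.0, 40_000.0, 0.5, 20_000.0),
    # Control: access restriction and monitoring for commercially sensitive pricing data.
    Risk("pricing data disclosure", 120_000.0, 0.05, 120_000.0, 0.01, 10_000.0),
]


def ale(loss_per_event: float, frequency: float) -> float:
    """Annual Loss Exposure for one risk: loss per occurrence x occurrences per year."""
    return loss_per_event * frequency


def raw_ale(risks: Sequence[Risk]) -> float:
    """Sum of raw ALE over all risks (no controls)."""
    return sum(ale(r.loss_per_event, r.raw_frequency) for r in risks)


def controlled_ale(risks: Sequence[Risk]) -> float:
    """Sum of ALE over all risks assuming every control is working."""
    return sum(ale(r.controlled_loss, r.controlled_frequency) for r in risks)


def evaluate_controls(risks: Sequence[Risk]) -> List[dict]:
    """Per-risk comparison: a control pays for itself only if the ALE it
    removes exceeds its annual cost. Risks whose controls fail this test
    are candidates for a different treatment (retain, transfer, avoid)."""
    rows = []
    for r in risks:
        before = ale(r.loss_per_event, r.raw_frequency)
        after = ale(r.controlled_loss, r.controlled_frequency)
        reduction = before - after
        rows.append({
            "risk": r.name,
            "raw_ale": before,
            "controlled_ale": after,
            "ale_reduction": reduction,
            "control_cost": r.control_cost,
            "net_benefit": reduction - r.control_cost,
            "worth_it": reduction > r.control_cost,
        })
    return rows


def net_improvement(risks: Sequence[Risk]) -> float:
    """Improvement in ALE across all risks, net of what the controls cost."""
    total_cost = sum(r.control_cost for r in risks)
    return (raw_ale(risks) - controlled_ale(risks)) - total_cost


if __name__ == "__main__":
    for row in evaluate_controls(SAMPLE_RISKS):
        verdict = "keep" if row["worth_it"] else "reconsider"
        print(f"{row['risk']:<42} raw {row['raw_ale']:>9,.0f}  controlled {row['controlled_ale']:>8,.0f}"
              f"  cost {row['control_cost']:>7,.0f}  net {row['net_benefit']:>8,.0f}  {verdict}")
    print(f"raw ALE {raw_ale(SAMPLE_RISKS):,.0f}; controlled ALE {controlled_ale(SAMPLE_RISKS):,.0f};"
          f" net improvement {net_improvement(SAMPLE_RISKS):,.0f}")
```

Comparing the ALE each control removes with what it costs is what separates controls worth keeping from risks better handled another way; with these figures the pricing-data control costs more per year than the exposure it removes, so by this measure it is a candidate for a different treatment (retain, transfer, or a cheaper control) even though the risk itself is real. ALE is an expected value, so a low-frequency, high-severity risk can show a small ALE while a single occurrence still breaches the loss limit; check the per-event loss against the limit as well as the annualized figure.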

Conclusions


82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:

1. Define
2. Identify
3. Evaluate
4. Mitigate
5. Control

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate, support your assessment
with recognized c/b calculations

85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, cp, etc.)
– Financial calculations (ROI, etc.)
– SPC
– ...

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009


88

(Four Case)
Risk Management Analysis
Thank you
Questions?


89


Slide 86

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
p



The value of "i" such that  at / (1+i) t = 0
t=1

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
James August, CQA 01/21/09

61

Risk evaluation
V a lu e a ccru e d (+ /-)

N o ch an ge
P ositive ou tcom e

C h an ge
P ositive ou tcom e

C h a n g e im p le m e n ta tio n

N o ch an ge
N egative ou tcom e

James August, CQA 01/21/09

C h an ge
N egative ou tcom e

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
James August, CQA 01/21/09

63

Mitigation

James August, CQA 01/21/09

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

James August, CQA 01/21/09

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
James August, CQA 01/21/09

66

Risk mitigation treatments





James August, CQA 01/21/09

Risk avoidance
Risk reduction
Risk retention
Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
James August, CQA 01/21/09

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia
James August, CQA 01/21/09

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia
James August, CQA 01/21/09

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
James August, CQA 01/21/09

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools





Design for Six Sigma
Investment hedging
Concurrent Engineering
Employee education & training

James August, CQA 01/21/09

72

Risk mitigation
• Some mitigation approaches for core
processes





Published financial documents – open review
Probability weighted Sales forecasts
Raw material cost projections
FTA and FMEA for design and process
• simulations and prototyping

– Inventory ABC analysis
James August, CQA 01/21/09

73

Risk mitigation
• and







Freight carrier performance statistics
Statistical Process Control
Electronic surveillance
Hedging
Invoice aging analysis and variance
Process check lists

James August, CQA 01/21/09

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for GrowthTM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
James August, CQA 01/21/09

from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)

James August, CQA 01/21/09

78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks

James August, CQA 01/21/09

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)

James August, CQA 01/21/09

80

Risk evaluation revisited
• Re-evaluate costs and benefit
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE to to
controlled recovery

James August, CQA 01/21/09

81

Conclusions

James August, CQA 01/21/09

82

Risk management conclusions
• Every process has risk, even when just maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be done by combined cost/benefit comparisons
• Assessment of ongoing processes must be expressed in comparison with expected costs and results
• There is no simple single calculation for risk assessment (FMEA, ROI, …)

83

Risk management conclusions
After you identify a potential risk, take the five steps to risk management:
• Define
• Identify
• Evaluate
• Mitigate
• Control

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions, as they can hide substantial risk
• Consider all four risk cases
• When appropriate, support your assessment with recognized c/b calculations

85

Risk management conclusions
• Process control - the mitigation tool for the risk management process
– Check lists
– Non-financial indexes (FMEA, Cp, etc.)
– Financial calculations (ROI, etc.)
– SPC
– ...

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
  • Retirement funding
– Investments
  • Home
  • Car

87

Risk management conclusions
“... the greatest risks are never the ones you can see and measure, but the ones you can’t see and therefore can never measure.”

from J. Nocera (on N. Taleb) in “Risk Mismanagement”, New York Times Sunday Times Magazine, p. 28, Jan. 4, 2009

88

(Four Case)
Risk Management Analysis
Thank you
Questions?


89


Slide 87

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
p



The value of "i" such that  at / (1+i) t = 0
t=1

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
James August, CQA 01/21/09

61

Risk evaluation
V a lu e a ccru e d (+ /-)

N o ch an ge
P ositive ou tcom e

C h an ge
P ositive ou tcom e

C h a n g e im p le m e n ta tio n

N o ch an ge
N egative ou tcom e

James August, CQA 01/21/09

C h an ge
N egative ou tcom e

62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
James August, CQA 01/21/09

63

Mitigation

James August, CQA 01/21/09

64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.

James August, CQA 01/21/09

65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure
James August, CQA 01/21/09

66

Risk mitigation treatments





James August, CQA 01/21/09

Risk avoidance
Risk reduction
Risk retention
Risk transfer

67

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia
James August, CQA 01/21/09

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia
James August, CQA 01/21/09

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia
James August, CQA 01/21/09

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia
James August, CQA 01/21/09

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools





Design for Six Sigma
Investment hedging
Concurrent Engineering
Employee education & training

James August, CQA 01/21/09

72

Risk mitigation
• Some mitigation approaches for core
processes





Published financial documents – open review
Probability weighted Sales forecasts
Raw material cost projections
FTA and FMEA for design and process
• simulations and prototyping

– Inventory ABC analysis
James August, CQA 01/21/09

73

Risk mitigation
• and







Freight carrier performance statistics
Statistical Process Control
Electronic surveillance
Hedging
Invoice aging analysis and variance
Process check lists

James August, CQA 01/21/09

74

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

75

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
Determine whether product development has realistic
costs and timeframes.
Check that a detailed budget has been established for
product development.
from the Wired for GrowthTM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N
James August, CQA 01/21/09

76

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
Make sure quality specifications have been defined,
authorized and formally documented.
James August, CQA 01/21/09

from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)

James August, CQA 01/21/09

78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks

James August, CQA 01/21/09

79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)

James August, CQA 01/21/09

80

Risk evaluation revisited
• Re-evaluate costs and benefit
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE to to
controlled recovery

James August, CQA 01/21/09

81

Conclusions

James August, CQA 01/21/09

82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)
James August, CQA 01/21/09

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:

Control
Mitigate
Evaluate
Identify
Define
James August, CQA 01/21/09

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations

James August, CQA 01/21/09

85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists





Non-financial indexes (FMEA, cp, etc)
Financial calculations (ROI, etc)
SPC
...

James August, CQA 01/21/09

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car
James August, CQA 01/21/09

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009

James August, CQA 01/21/09

88

(Four Case)
Risk Management Analysis
Thank you
Questions?

James August, CQA 01/21/09

89


Slide 88

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.


Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level

Identification


Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.


Risk identification
What is at risk?
Achieving your objectives!


Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008

Risk identification
• core business op’ns & processes
– acquire new customers
– take orders
– procure materials
– create products, manage inventories
– deliver products
– collect payments

Risk identification
• core sales sub-processes
– market research
– pricing
– promotion and advertising
– order taking (order entry)
– warranty management

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection


Risk identification
• core operations sub-processes
– materials sourcing (availability)
– quality control (product & process)
– plant & workplace safety
– environmental concerns
– inventory
– logistics and transport

Risk identification
• core finance sub-processes
– budgeting
– accounts receivable and payable
– banking
– currency exchange
– MIS and IT processes

Risk identification
• support business processes
– strategic planning
– brand management
– facilities and infrastructure management
– process engineering
– capital investment
– asset management

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/regulatory reporting (FDA, SOx, ...)
– supplier evaluation, management

Risk identification
• support business sub-processes (continued)
– quality assurance
– predictive/preventive maintenance
– recruitment, compensation
– employee relations (work stoppages)
– employee performance mgt
– payroll, benefits, ...

Risk identification
• other business areas
– outplacement
– employee well-being
– insurance
– mergers & acquisitions
– construction / expansion

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.
– Strengths
– Weaknesses
– Opportunities
– Threats

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...

Evaluation


Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?


Risk evaluation
Risk matrix: each cell gives the risk level for a combination of frequency (rows) and severity (columns); the letters are the level codes used on the slide (T, L, I, H).

Frequency    | Negligible | Minor | Major | Severe
-------------|------------|-------|-------|-------
Frequent     |     L      |   I   |   H   |   H
Probable     |     L      |   I   |   H   |   H
Occasional   |     T      |   I   |   I   |   H
Remote       |     T      |   L   |   I   |   I

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN above or below 100, where
– RPN = Severity x Frequency x Detectability


Risk evaluation
• Typical approaches for quantification
– Weighted probabilities
– Extended cost
– Future Value or Net Present Value
– Capability analysis
– Value stream mapping
– Cost of poor quality
– Discounted Cash Flow
– Internal Rate of Return

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency


Risk evaluation
Financial measures of c/b (cost/benefit)

• Return on Investment (ROI)
Net B/C ratio = (PV of benefits – PV of operating costs) / PV of capital costs

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.

Risk evaluation

• NPV = a_0 + a_1/(1+i) + a_2/(1+i)^2 + a_3/(1+i)^3 + ...

• Where
“a_t” is the return (net cash flow) for period t, discounted at rate “i”

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.

Risk evaluation
Financial measures of c/b
• IRR
The value of “i” such that the sum over t = 1 .. p of a_t / (1+i)^t = 0

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?"
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.


Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results

Risk evaluation
[Figure: the four risk cases plotted with Value accrued (+/-) on the vertical axis against Change implementation on the horizontal axis: No change / Positive outcome; Change / Positive outcome; No change / Negative outcome; Change / Negative outcome.]

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
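An added worked example (not code from the presentation) that carries the NPV and IRR formulas from the earlier slides into the four-case comparison described here: each case is a constructed cash-flow stream, the IRR is found by bisection (a trial-and-error method, as the slides note), and every case is checked against the tolerable loss limit. All dollar figures, the 10% discount rate and the $50,000 loss limit are constructed assumptions.

```python
"""Four-case risk evaluation with NPV and IRR (added example, not from
the presentation).  The four cases from the slides are modelled as
per-period net cash-flow streams a_0, a_1, ..., valued with
NPV = a_0 + a_1/(1+i) + a_2/(1+i)^2 + ... and with the IRR (the rate i
at which NPV is zero, found by trial and error), then compared against
the organization's tolerable loss limit.  All dollar figures are
constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional


def npv(rate: float, cash_flows: List[float]) -> float:
    """NPV of a stream; cash_flows[0] is the immediate, undiscounted
    amount (e.g. the cost of the change), cash_flows[t] is period t."""
    return sum(a / (1.0 + rate) ** t for t, a in enumerate(cash_flows))


def irr(cash_flows: List[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-7, max_iter: int = 200) -> Optional[float]:
    """Approximate the IRR by bisection, a trial-and-error search for
    the rate i with npv(i, cash_flows) == 0.

    Returns None when NPV does not change sign on [lo, hi]: a stream that
    is all outflows (pure loss) or all inflows has no IRR and must be
    judged by NPV alone, which is the usual situation for the two
    "adverse outcome" cases."""
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        return None
    for _ in range(max_iter):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol or (hi - lo) / 2.0 < tol:
            return mid
        if f_lo * f_mid < 0:          # root lies in the lower half
            hi, f_hi = mid, f_mid
        else:                         # root lies in the upper half
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


@dataclass
class RiskCase:
    name: str
    cash_flows: List[float]   # a_0 now, then one net figure per year


# Constructed illustration: a process change costing $100k up front,
# evaluated over three years in each of the four cases.
FOUR_CASES = [
    RiskCase("change, positive outcome",    [-100_000, 40_000, 50_000, 60_000]),
    RiskCase("change, negative outcome",    [-100_000, -20_000, -10_000, 0]),
    RiskCase("no change, positive outcome", [0, 5_000, 8_000, 10_000]),
    RiskCase("no change, negative outcome", [0, -30_000, -45_000, -60_000]),
]


def evaluate_four_cases(cases: List[RiskCase], rate: float,
                        tolerable_loss_limit: float) -> Dict[str, dict]:
    """Value each case with NPV (at the organization's cost of capital)
    and IRR, and flag any case whose present-value loss exceeds the
    tolerable loss limit (risk tolerance)."""
    results = {}
    for case in cases:
        value = npv(rate, case.cash_flows)
        results[case.name] = {
            "npv": round(value, 2),
            "irr": irr(case.cash_flows),
            "within_tolerance": value >= -tolerable_loss_limit,
        }
    return results


if __name__ == "__main__":
    for name, r in evaluate_four_cases(FOUR_CASES, 0.10, 50_000).items():
        irr_txt = "n/a (no sign change)" if r["irr"] is None else f"{r['irr']:.2%}"
        print(f"{name:28s} NPV={r['npv']:>12,.2f}  IRR={irr_txt:22s} "
              f"within tolerance: {r['within_tolerance']}")
```

A case with no IRR (all inflows or all outflows) is reported as n/a rather than forced through the solver, so the NPV column carries the comparison for those cases.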

Mitigation


Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.


Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure

Risk mitigation treatments
– Risk avoidance
– Risk reduction
– Risk retention
– Risk transfer

Risk mitigation treatments
Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also, any amount of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability-weighted sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

Risk mitigation
• and:
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

Risk mitigation
• Checklists –
Sample Risk Checklist for Pricing
– Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
– Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

Risk mitigation
• Checklists –
Sample R&D Risk Checklist
– Determine whether product development has realistic
costs and timeframes.
– Check that a detailed budget has been established for
product development.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

Risk mitigation
• Checklists –
Sample Materials Management Risk Checklist
– Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
– Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
– Make sure quality specifications have been defined,
authorized and formally documented.
from the Wired for Growth™ web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

Evaluation
(re-evaluation after control)


Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks


Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)


Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to
controlled recovery
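An added example (not from the presentation) of the ALE re-evaluation just described: raw ALE per risk, the sum over the register, the ALE with all controls assumed working, the cost of the controls and the resulting improvement, plus a check for controls that cost more than the ALE they remove (the risk-retention case from the mitigation slides). The risk register, dollar figures and the control-effectiveness factor are constructed assumptions.

```python
"""Annual Loss Exposure (ALE) re-evaluation after controls (added
example, not from the presentation).  Per the slides: for each risk,
estimate the annual loss per occurrence, determine the frequency of
occurrence, multiply to get the raw ALE and sum over all risks; then
recalculate the ALE assuming all controls are working, determine the
cost of the controls, and determine the improvement.  The risks,
figures and the control-effectiveness factor are constructed
assumptions for illustration."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Risk:
    name: str
    loss_per_event: float        # estimated loss each time the risk occurs ($)
    events_per_year: float       # frequency of occurrence (events per year)
    control: str = "none"
    control_annual_cost: float = 0.0
    # Assumed share of the raw ALE the control removes when it is working
    # (0.0 = no effect, 1.0 = loss eliminated); not a figure from the slides.
    control_effectiveness: float = 0.0

    def raw_ale(self) -> float:
        """Raw ALE = annual loss x frequency of occurrence."""
        return self.loss_per_event * self.events_per_year

    def controlled_ale(self) -> float:
        """ALE remaining once the control is assumed to be working."""
        return self.raw_ale() * (1.0 - self.control_effectiveness)

    def ale_improvement(self) -> float:
        return self.raw_ale() - self.controlled_ale()


# Constructed register of three risks with their planned controls.
RISK_REGISTER = [
    Risk("laptop theft exposing customer data", 40_000, 0.5,
         "full-disk encryption", 3_000, 0.90),
    Risk("supplier work stoppage", 150_000, 0.1,
         "qualified second-source supplier", 12_000, 0.60),
    Risk("duplicate/fraudulent invoice paid", 25_000, 0.2,
         "dual approval of payments", 1_000, 0.80),
]


def mitigation_summary(risks: List[Risk]) -> Dict[str, float]:
    """Re-evaluate costs and benefits across the whole register."""
    raw = sum(r.raw_ale() for r in risks)
    controlled = sum(r.controlled_ale() for r in risks)
    control_cost = sum(r.control_annual_cost for r in risks)
    return {
        "raw_ale": round(raw, 2),
        "controlled_ale": round(controlled, 2),
        "ale_improvement": round(raw - controlled, 2),
        "control_cost": round(control_cost, 2),
        # what the organization keeps per year after paying for the controls
        "net_annual_benefit": round(raw - controlled - control_cost, 2),
    }


def controls_costing_more_than_they_save(risks: List[Risk]) -> List[str]:
    """Controls whose annual cost exceeds the ALE they remove: candidates
    for retaining the risk instead (the slides' risk-retention case)."""
    return [r.name for r in risks
            if r.control_annual_cost > r.ale_improvement()]


if __name__ == "__main__":
    for key, value in mitigation_summary(RISK_REGISTER).items():
        print(f"{key:20s} {value:>12,.2f}")
    print("retain instead:", controls_costing_more_than_they_save(RISK_REGISTER))
```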


Conclusions


Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:
– Define
– Identify
– Evaluate
– Mitigate
– Control

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate, support your assessment
with recognized c/b calculations


Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, cp, etc)
– Financial calculations (ROI, etc)
– SPC
– ...

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009


(Four Case)
Risk Management Analysis
Thank you
Questions?

James August, CQA 01/21/09

89


Slide 89

(Four Case)
Risk Management Analysis
James August, CQA
[email protected]
ASQ South Jersey Section
Jan. 21, 2009
James August, CQA 01/21/09

1

(Four Case)
Risk Management Analysis
• Value-at-risk (VaR) is a category of risk
metrics that describe probabilistically the
market risk of a trading portfolio. Value-atrisk is widely used by banks, securities firms,
commodity merchants, energy merchants, and
other trading organizations.


from the Risk Glossary at http://www.riskglossary.com/link/value_at_risk.htm

James August, CQA 01/21/09

2

(Four Case)
Risk Management Analysis
Example: A one-day 90% USD VaR is illustrated
for a hypothetical portfolio. Shown is the
probability density function for the portfolio's
value 1P one trading day from now. The
portfolio's current value 0p is known.
Value-at-risk equals
the amount of money
such that there is a
90% probability of the
portfolio losing less
than that amount over
the next trading day.
James August, CQA 01/21/09

3

COSO and SOx
• According to the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO), internal financial control consists of:
• (1) the control environment that sets the tone of the
organization,
• (2) risk assessment, or the identification and analysis
of relevant risks,
• (3) the policies and procedures or control activities that
help ensure management directives are carried out,
• (4) the identification and communication of pertinent
information, and
• (5) a monitoring process that assesses the quality of
the internal control system’s performance.
James August, CQA 01/21/09

4

(Four Case)
Risk Management Analysis
• But the location and management of risk
are not restricted to stock portfolios or
business fortunes. Risks appear in
operating functions every day. The
management of these risks is the
responsibility of every entrepreneur,
CEO, department head, project leader
and change agent.
James August, CQA 01/21/09

5

(Four Case)
Risk Management Analysis
• Risk definition - what constitutes a business
risk?
• Risk identification - where are my risks
hiding?
• Risk evaluation - how important is each risk?
• Risk mitigation - what do I do about it?
• Effectiveness evaluation - how do I know
that my actions were effective?
James August, CQA 01/21/09

6

(Four Case)
Risk Management Analysis

• Risk management is a
process
• The process has parallels
with DMAIC and PDCA

James August, CQA 01/21/09

7

Definition

James August, CQA 01/21/09

8

Risk definition
• “Exposure to a chance of loss or damage…”
• “The difference between your current level of
protection and the level of protection you
should be at.”
• “An assumption that you cannot verify is a
risk.” Adolfo Ferreira

James August, CQA 01/21/09

9

Risk definition
• A comparator accruing from the
likelihood of specific endeavor
outcomes, its magnitude being a
function of the possible consequences
of the endeavor and the probabilities
associated with those consequences.

James August, CQA 01/21/09

10

Risk definition
• Risk = f(magnitude) x f(likelihood) =
severity x frequency of occurrence
• high risk outcome = fruits of opportunity
or devastating result
• compare with FMEA: RPN = severity x
occurrence x detectability

James August, CQA 01/21/09

11

Risk definition
• Two occasions for which risk should be
calculated: RTP and ITP
– RTP (run the process): core processes
which must be maintained to keep the
current business performance level
– ITP (improve the process): processes
which may be improved increasing the
performance level
James August, CQA 01/21/09

12

Risk definition
• Risk appetite: the amount of risk
that you are willing to accept
• Risk tolerance: the limits of
outcomes that you are willing to
accept
James August, CQA 01/21/09

13

Risk definition
• There are two sides to every risk
calculation - the positive potential
and the negative potential.
• Both must be calculated.
• Costs can be small or large

James August, CQA 01/21/09

14

Risk definition
• process improvement (ITP) risk factors:
– cost of improvement = $
– value of improved output = $
– value of reduced output = $

James August, CQA 01/21/09

15

Risk definition
• process maintenance (RTP) risk factors:
– cost of doing nothing = 0
• or cost of doing nearly nothing = $

– value of continued output
– value of lost output

James August, CQA 01/21/09

16

Risk definition
• These are the four cases that should
be considered as part of a risk
management methodology.

James August, CQA 01/21/09

17

Risk definition
V a lu e a ccru e d (+ /-)
b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
b ig cost,
b ig losses

James August, CQA 01/21/09

18

Risk definition examples
• Buy a 50-50 ticket: high chance of winning
(only a few dozen sold) at a low cost of
entry but low return.
• Buy a lottery ticket: low chance of winning
but if you hit … it’s millions of dollars!
• Buy a second house for investment: high
chance of eventually getting a good return
but with a high cost of entry.
James August, CQA 01/21/09

19

Risk definition
• Your tolerable loss limit (risk
tolerance) is an estimate of the
maximum you can afford to lose in
the worst case scenario
• It is a number (generally expressed
in dollars) and could be based on an
organization's expected profits or
revenues
James August, CQA 01/21/09

20

Risk definition
V a lu e a ccru e d (+ /-)

small cost,
big gains
“no brainer”

b ig cost,
b ig gain s

sm a ll cost,
sm a ll gain s
C o st o f a ctio n
sm a ll cost,
sm a ll lo sse s
tolerable loss limit

James August, CQA 01/21/09

“not a good idea”
b ig cost,
b ig losses
21

Risk management definition
A formal process used for identifying
hazards associated with a product/service,
estimating and evaluating the associated
risks, controlling those risks, and
monitoring the effectiveness of the
control.

RM provides a rational foundation for
decisions concerning risk.
ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09

22

Risk management definition
• Risk assessment, as defined by the IIA Standards
for the Professional Practice of Internal Auditing,
is a systematic process, for assessing and
integrating professional judgments about probable
adverse conditions or events. Risk impacts an
organization’s ability to compete and to maintain
its financial strength and the quality of its products
and services. It’s the internal auditor’s job to
identify all auditable activities and relevant risk
factors and to assess their significance.
James August, CQA 01/21/09

23

Risk management system
• Risk management is another management
system to be fused into your organization.
It has structure:
– Objectives and goals
– Policies
– Procedures

James August, CQA 01/21/09

24

Risk management policy
• Risk mitigation (intervention) is deciding
what to do about each of the risks assessed
as important to your (management or
project) objectives, implementing the
changes and documenting the planned
response.

James August, CQA 01/21/09

25

Risk management
• Procedures
– Risk definition and identification
– Risk evaluation and assessment
• application of valuation and diagnostic tools

– Risk mitigation or reduction
• treatment selection
• application of remedy tools

– Risk control at the new level
James August, CQA 01/21/09

26

Identification

James August, CQA 01/21/09

27

Risk identification
• Where are my risks?
• Which are “run the process” risks and
which are “improve the process” risks?
• RTP risks tend to have little upside but
huge downside.
• ITP risks tend to have large upside and
measurable downside.
James August, CQA 01/21/09

28

Risk identification
What is at risk?

James August, CQA 01/21/09

29

Risk identification
What is at risk?
Achieving your objectives!

James August, CQA 01/21/09

30

Risk identification
• Areas of business risk
– Strategic
• (Economy, Technology, Politics, Competition, ...)
– Organizational
• (Financial, Legal, Disaster, Personnel, ...)
– Operational
• (Labor, Materials, Quality, …)
– Compliance
• (Environmental, Safety, Security, …)
from “Risk Management - Essential in Today’s Economy”,
Sandford Liebesman, PhD, NEQC 57th Conference, Marlborough, MA, Oct. 14 2008
James August, CQA 01/21/09

31

Risk identification
• core business op’ns & processes







acquire new customers
take orders
procure materials
create products, manage inventories
deliver products
collect payments

James August, CQA 01/21/09

32

Risk identification
• core sales sub-processes






market research
pricing
promotion and advertising
order taking (order entry)
warranty management

James August, CQA 01/21/09

33

Risk identification
• core R&D sub-processes
– new product introduction
– product cost modeling
– patent protection

James August, CQA 01/21/09

34

Risk identification
• core operations sub-processes







materials sourcing (availability)
quality control (product & process)
plant & workplace safety
environmental concerns
inventory
logistics and transport

James August, CQA 01/21/09

35

Risk identification
• core finance sub-processes






budgeting
accounts receivable and payable
banking
currency exchange
MIS and IT processes

James August, CQA 01/21/09

36

Risk identification
• support business processes







strategic planning,
brand management
facilities and infrastructure management
process Engineering
capital investment
asset management

James August, CQA 01/21/09

37

Risk identification
• support business sub-processes
– communications
– knowledge management: training and
education
– materials management and logistics
– legal/ regulatory reporting (FDA, Sox, ...)
– supplier evaluation, management
James August, CQA 01/21/09

38

Risk identification
• support business sub-processes







quality assurance
predictive/ preventive maintenance
recruitment, compensation
employee relations (work stoppages)
employee performance mgt
payroll, benefits, ...

James August, CQA 01/21/09

39

Risk identification
• other business areas






outplacement
employee well-being
insurance
mergers & acquisitions
construction / expansion

James August, CQA 01/21/09

40

Risk identification
• SWOT analysis is a sorting method
for identifying and prioritizing risks.





James August, CQA 01/21/09

Strengths
Weaknesses
Opportunities
Threats

41

Risk identification
• other techniques for risk identification
– Working groups and brainstorming
– Surveys and interviews
– Experiential or documented knowledge
– Outputs from "what if" scenario analyses

– Historical information - lessons learned
– Templates: critical path, engineering, ...
James August, CQA 01/21/09

42

Evaluation

James August, CQA 01/21/09

43

Risk evaluation
• How risky is my risk?
• Does "risk" = "cost"?

James August, CQA 01/21/09

44

Risk evaluation
Frequency

Severity
Negligibl
e

Minor

Major

Severe

Frequent

L

I

H

H

Probable

L

I

H

H

Occasional

T

I

I

H

Remote

T

L

I

I

James August, CQA 01/21/09

45

Risk evaluation

James August, CQA 01/21/09

46

Risk evaluation

James August, CQA 01/21/09

47

Risk evaluation
• Non-financial measures
• Risk matrices
• Failure Mode and Effects Analysis
– FMEA
– Criteria: RPN < > 100 where
– RPN = Severity x Frequency x Detectability

James August, CQA 01/21/09

48

Risk evaluation
• Typical approaches for quantification









Weighted probabilities
Extended cost
Future Value or Net Present Value
Capability analysis
Value stream mapping
Cost of poor quality
Discounted Cash Flow
Internal Rate of Return

James August, CQA 01/21/09

49

Risk evaluation
• Project justification
– Develop meaningful (financial?)
performance measures
– common in Engineering and R&D projects
– usually a statement of expected payoff from
time and material invested
– may be based on estimates of increased sales
or improved process efficiency

James August, CQA 01/21/09

50

Risk evaluation
Financial measures of c/b

• Return on Investment (ROI)


Net B/C ratio = (PV of benefits – PV of operating
costs)/PV of capital costs

James August, CQA 01/21/09

51

Risk evaluation
Financial measures of c/b
• Net Present Value (NPV)
The NPV represents total cash flow across the analysis
period, adjusted to reflect the time value of money. Other
things being equal, the action or investment with the larger
NPV is the better option. NPV uses the Present
Value concept, the idea that money you have now is worth
more than an identical amount received in the future.
James August, CQA 01/21/09

52

Risk evaluation

• NPV = a0 + a1/(1+i) + a2/(1+i)2 + a3/(1+i)3 + ...

• Where
“a” is the return for each period at rate “i”

James August, CQA 01/21/09

53

Risk evaluation
Financial measures of c/b
• Discounted cash flow rate (DCF)
The discounted cash flow approach describes a
method to value a project, company, or financial asset
using the concepts of the time value of money. All
future cash flows are estimated and discounted to
give them a present value. The discount rate used is
generally the appropriate cost of capital, and
incorporates judgments of the uncertainty (riskiness)
of the future cash flows.
54

James August, CQA 01/21/09

Risk evaluation
Financial measures of c/b
• Internal Rate of Return (IRR)

IRR (like NPV) is a financial metric that reflects the time
value of money. The meaning of IRR is less obvious to
most people, but IRR is nevertheless often used as a
central decision criterion among financial specialists. As
the word "Return" implies, the IRR view of the cash flow
stream is essentially an investment view: money will be
paid out and compared to returns.
James August, CQA 01/21/09

55

Risk evaluation
• The internal rate of return (IRR) is the interest
rate such that the discounted sum of net cash
flows is zero. If the interest rate were equal to the
IRR, the net present value would be exactly zero.
The IRR cannot be determined by an algebraic
formula, but rather has to be approximated by
trial and error methods.
James August, CQA 01/21/09

56

Risk evaluation
Financial measures of c/b
• IRR
p



The value of "i" such that  at / (1+i) t = 0
t=1

James August, CQA 01/21/09

57

Risk evaluation
• Three IRR definitions:
• 1. "The IRR for an investment is the discount rate for which
the total present value of future cash flows equals the cost of
the investment."
• 2. "The IRR for an investment is the discount rate that
produces a 0 NPV for the projected cash flow stream."
• 3. "IRR answers this question: How high do interest rates
have to climb (the discount rate for NPV calculations) in order
for the PV of gains to just cover the PV of costs?
• The answer in each case is an interest rate; the higher the
interest rate (that is, the higher the IRR), the more robust the
investment and the better the returns compare to the costs.
James August, CQA 01/21/09

58

Risk evaluation

• Excel spreadsheets can do
PV, NPV, IRR and other
financial value calculations.

James August, CQA 01/21/09

59

Risk evaluation
• Four cases for risk evaluation:

James August, CQA 01/21/09

60

Risk evaluation
• Four cases for risk evaluation:
– implement the change and perform primary c/b
analyses assuming the results are achieved
– implement the change resulting in adverse
(unplanned) results
– do nothing (ongoing costs only) and see
learning curve improvement
– do nothing and get adverse results
James August, CQA 01/21/09

61

Risk evaluation
[Figure: the four risk cases plotted as value accrued (+/-) against change implementation, one quadrant each: no change / positive outcome, change / positive outcome, no change / negative outcome, change / negative outcome]
62

Risk evaluation
• Use the risk valuation method
preferred by your organization
(ROI, NPV, DCF, IRR, etc.).
• Compare the results of the four
risk cases.
• Keep in mind the organization's
risk tolerance loss limit.
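A worked comparison of the four cases, added here as an example and not part of the presentation: NPV at the organization's discount rate, IRR found by the trial-and-error (bisection) approximation the IRR slides describe, and a check against the loss limit. The cash flows, the 10% discount rate and the loss limit are constructed sample values; the example also shows the edge case where the "do nothing" cases have costs only, so no IRR exists and the comparison has to rest on NPV.

```python
# Four-case comparison with NPV and a trial-and-error (bisection) IRR.
# Added illustration, not code from the presentation; all figures are constructed.
from typing import Dict, Optional, Sequence, Tuple

def npv(rate: float, cash_flows: Sequence[float]) -> float:
    """Net present value: cash_flows[0] falls today (undiscounted), flow t at period t."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))

def irr(cash_flows: Sequence[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-7, max_iter: int = 200) -> Optional[float]:
    """IRR by bisection: the rate at which npv() crosses zero.
    Returns None when npv keeps one sign over [lo, hi], i.e. the stream has no
    outlay-then-return pattern and the investment view does not apply."""
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        return None
    for _ in range(max_iter):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol or (hi - lo) < tol:
            return mid
        if f_lo * f_mid < 0:   # root lies in the lower half
            hi = mid
        else:                  # root lies in the upper half
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0

DISCOUNT_RATE = 0.10   # the organization's hurdle rate (constructed)
LOSS_LIMIT = -80.0     # risk-tolerance loss limit, in cash-flow units (constructed)

FOUR_CASES: Dict[str, Sequence[float]] = {   # constructed; index 0 = today
    "change, results achieved":   [-100.0, 50.0, 60.0, 70.0],
    "change, adverse results":    [-100.0, 10.0, 20.0, 20.0],
    "no change, learning curve":  [0.0, -30.0, -25.0, -20.0],   # costs only
    "no change, adverse results": [0.0, -30.0, -40.0, -50.0],   # costs only
}

def evaluate_four_cases(cases=FOUR_CASES, rate=DISCOUNT_RATE, loss_limit=LOSS_LIMIT
                        ) -> Dict[str, Tuple[float, Optional[float], bool]]:
    """For each case: (NPV at the hurdle rate, IRR or None, NPV within the loss limit)."""
    results = {}
    for name, flows in cases.items():
        value = npv(rate, flows)
        results[name] = (value, irr(flows), value >= loss_limit)
    return results

if __name__ == "__main__":
    for name, (value, r, ok) in evaluate_four_cases().items():
        irr_text = "n/a" if r is None else f"{r:.1%}"
        print(f"{name:27s} NPV={value:8.2f}  IRR={irr_text:>7s}  within loss limit: {ok}")
```

With these figures only the "no change, adverse results" case breaches the loss limit, and the adverse change case shows a negative IRR: the outlay is never recovered even though its NPV stays inside the limit.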

63

Mitigation


64

Risk mitigation
Risk mitigation (handling) is deciding
what to do about each of the risks
assessed as important to your project,
implementing the changes and
documenting the (planned) response.


65

Risk mitigation
• How do I reduce my risk?

• Risk is a function of probability of
success (or lack) and value of success
(or cost)
• Either reduce the chance of failure or
reduce the cost of failure

66

Risk mitigation treatments
• Risk avoidance
• Risk reduction
• Risk retention
• Risk transfer
67

Risk mitigation treatments
• Risk avoidance
Includes not performing an activity that could carry risk. An
example would be not buying a property or business in order
to not take on the liability that comes with it. Another would
be not flying in order to not take the risk that the airplane
were to be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the
potential gain that accepting (retaining) the risk may have
allowed. Not entering a business to avoid the risk of loss also
avoids the possibility of earning profits.
from Wikipedia

68

Risk mitigation treatments
• Risk reduction
• Involves methods that reduce the severity of the loss. Examples
include sprinklers designed to put out a fire to reduce the risk of
loss by fire.
• Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems
encountered in earlier phases meant costly rework and often
jeopardized the whole project.

from Wikipedia

69

Risk mitigation treatments
• Risk retention
• Involves accepting the loss when it occurs. True self
insurance falls in this category. Risk retention is a viable
strategy for small risks where the cost of insuring against
the risk would be greater over time than the total losses
sustained. All risks that are not avoided or transferred are
retained by default. This includes risks that are so large or
catastrophic that they either cannot be insured against or
the premiums would be infeasible.
• Also any amounts of potential loss (risk) over the amount
insured is retained risk.
from Wikipedia

70

Risk mitigation treatments
• Risk transfer
• Means causing another party to accept the risk, typically
by contract or by hedging. Insurance is one type of risk
transfer that uses contracts.
• Some ways of managing risk fall into multiple categories.
Risk retention pools are technically retaining the risk for
the group, but spreading it over the whole group involves
transfer among individual members of the group. This is
different from traditional insurance, in that no premium is
exchanged between members of the group up front, but
instead losses are assessed to all members of the group.
from Wikipedia

71

Risk mitigation
• Distribute your risk – don’t put all
your eggs in one basket!
• Some common risk mitigation tools
– Design for Six Sigma
– Investment hedging
– Concurrent Engineering
– Employee education & training

72

Risk mitigation
• Some mitigation approaches for core
processes
– Published financial documents – open review
– Probability weighted Sales forecasts
– Raw material cost projections
– FTA and FMEA for design and process
• simulations and prototyping
– Inventory ABC analysis

73

Risk mitigation
• and
– Freight carrier performance statistics
– Statistical Process Control
– Electronic surveillance
– Hedging
– Invoice aging analysis and variance
– Process check lists

74

Risk mitigation
• Checklists – Sample Risk Checklist for Pricing
– Management maintains an accurate awareness of market
trends, competitor prices, etc. as determinants of pricing
policy.
– Steps are taken to protect commercially sensitive pricing
information from unauthorized access and leakage.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

75

Risk mitigation
• Checklists – Sample R&D Risk Checklist
– Determine whether product development has realistic
costs and timeframes.
– Check that a detailed budget has been established for
product development.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

76

Risk mitigation
• Checklists – Sample Materials Management Risk Checklist
– Ensure prompt action is taken to reject substandard
supplies and arrange replacement stock.
– Verify that measures are in place to assess potential
suppliers for their competence and commitment to quality.
– Make sure quality specifications have been defined,
authorized and formally documented.
from the Wired for Growth TM web site
http://www.wiredforgrowth.com/index.jsp?cprofile=N

77

Evaluation
(re-evaluation after control)


78

Risk evaluation revisited
• Re-evaluate costs and benefits
– estimate annual losses associated with
each risk
– determine frequencies of occurrence
– multiply together to calculate the raw
Annual Loss Exposure (raw ALE) and
sum over all risks


79

Risk evaluation revisited
• Re-evaluate costs and benefits
– use the valuation calculation that is
meaningful to your organization
(ROI, NPV, DCF, IRR, etc)


80

Risk evaluation revisited
• Re-evaluate costs and benefits
– Determine effectiveness of mitigation by
recalculating Annual Loss Exposure assuming
all controls are working
– Determine cost of risk-mitigating controls
– Determine improvement in ALE due to
controlled recovery
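The re-evaluation steps on these slides, worked through as an added example that is not from the presentation: raw ALE per risk (loss per event times frequency of occurrence), ALE recalculated assuming each control is working, the cost of the controls, and the net improvement. The three-entry risk register and all of its figures are constructed.

```python
# Raw vs. controlled Annual Loss Exposure (ALE) for the re-evaluation step.
# Added illustration, not code from the presentation; all figures are constructed.
from dataclasses import dataclass
from typing import Dict, Iterable

@dataclass
class Risk:
    name: str
    loss_per_event: float                # estimated loss each time the risk materialises
    events_per_year: float               # expected frequency of occurrence
    control_effectiveness: float = 0.0   # share of expected loss removed while the control works (0..1)
    control_cost_per_year: float = 0.0   # annual cost of the mitigating control

    def raw_ale(self) -> float:
        """Raw ALE = loss per event x events per year (no controls assumed)."""
        return self.loss_per_event * self.events_per_year

    def controlled_ale(self) -> float:
        """ALE recalculated assuming the control is working as designed."""
        return self.raw_ale() * (1.0 - self.control_effectiveness)

def total_raw_ale(risks: Iterable[Risk]) -> float:
    return sum(r.raw_ale() for r in risks)
def total_controlled_ale(risks: Iterable[Risk]) -> float:
    return sum(r.controlled_ale() for r in risks)
def total_control_cost(risks: Iterable[Risk]) -> float:
    return sum(r.control_cost_per_year for r in risks)

def net_mitigation_benefit(risks: Iterable[Risk]) -> float:
    """Improvement in ALE attributable to the controls, net of what they cost per year."""
    risks = list(risks)
    return (total_raw_ale(risks) - total_controlled_ale(risks)) - total_control_cost(risks)

def controls_worth_keeping(risks: Iterable[Risk]) -> Dict[str, bool]:
    """Per risk: does the control cut ALE by more than its own annual cost?"""
    return {r.name: (r.raw_ale() - r.controlled_ale()) > r.control_cost_per_year for r in risks}

# Constructed sample register: one security risk, one supply risk, one clerical risk.
SAMPLE_RISKS = [
    Risk("ransomware on the file server", 200_000, 0.1, control_effectiveness=0.8, control_cost_per_year=12_000),
    Risk("late delivery from key supplier", 5_000, 6, control_effectiveness=0.5, control_cost_per_year=20_000),
    Risk("invoice data-entry error", 300, 40, control_effectiveness=0.9, control_cost_per_year=4_000),
]

if __name__ == "__main__":
    print(f"raw ALE        : {total_raw_ale(SAMPLE_RISKS):>10,.0f}")
    print(f"controlled ALE : {total_controlled_ale(SAMPLE_RISKS):>10,.0f}")
    print(f"net benefit    : {net_mitigation_benefit(SAMPLE_RISKS):>10,.0f}")
    print(controls_worth_keeping(SAMPLE_RISKS))
```

The per-risk check is the part worth keeping an eye on: in this register the supplier control costs more per year than the ALE it removes, which the aggregate net benefit alone would hide.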


81

Conclusions


82

Risk management conclusions
• Every process has risk, even when just
maintaining performance (RTP and ITP)
• Assessment of new or changed processes can be
done by combined cost/ benefit comparisons
• Assessment of ongoing processes must be
expressed in comparison with expected costs
and results
• There is no simple single calculation for risk
assessment (FMEA, ROI, …)

83

Risk management conclusions
After you identify a potential risk, take
the five steps to risk management:
1. Define
2. Identify
3. Evaluate
4. Mitigate
5. Control

84

Risk management conclusions
• Consider the potential risks of every decision
• Include the RTP decisions as they can hide
substantial risk
• Consider all four risk cases
• When appropriate support your assessment
with recognized c/b calculations


85

Risk management conclusions
• Process control - the mitigation tool for the
risk management process
– Check lists
– Non-financial indexes (FMEA, cp, etc)
– Financial calculations (ROI, etc)
– SPC
– ...

86

Risk management conclusions
• Personal areas
– Employment
– Health care
– Insurance
• Retirement funding

– Investments
• Home
• Car

87

Risk management conclusions
“... the greatest risks are never the ones you
can see and measure, but the ones you can’t
see and therefore can never measure.”

from J Nocera (on N Taleb) in “Risk Mismanagement”
New York Times Sunday Times Magazine pg 28, Jan 4 2009


88

(Four Case)
Risk Management Analysis
Thank you
Questions?


89