“Risk management is a non-intuitive field of study, where the simplest of models consist of a probability multiplied by an impact.”
Understanding individual risks may be difficult because multiple probabilities can contribute to the total probability of a risk. Impacts may be measured in “units” of cost, time, events, market states, reputation, and other dimensions. This is further complicated by the lack of a straightforward approach for considering how multiple risks, and their responses, will influence one another or increase the overall risk of the subject of analysis. Risk identification itself is a very difficult process, but if subdivided into simpler processes it can add a lot of value to the whole risk management process.
What can be considered as an impact?
This definition is very important for the risk management process, as the definition of impact and risk varies according to the business environment. In general, though, impact can be defined as the effect or consequence of a risk on a system.
So how can we understand the risks involved in the processes of an organization?
In my opinion, it can be done only through a thorough inspection of the process and getting feedback from the persons involved in it, which can be called a preliminary risk assessment. Then these should be categorized according to the probability of occurrence as well as the effect or impact they can have on the management system. This lengthy process ensures that every kind of risk can be inspected and identified, though there will be some exceptions which can be found out only from experience.
This was the first step of risk management, i.e. identification of the risk through risk assessment. The next step is how to manage these risks in such a manner that the impact is nullified and the probability of occurrence is reduced to a very small percentage, as both of these can never be zero (an ideal or perfect condition probably doesn’t exist).
Based on the risk assessment that has already been done, we can manage the risk using different methods. Some of them are: avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk; accepting or increasing the risk in order to pursue an opportunity; removing the risk source (one of the best methods); changing the likelihood; changing the consequences; sharing the risk with another party or parties (including contracts and risk financing); or retaining the risk by informed decision.
These are some of the risk management methods explained in the ISO 31000:2009 standard.