Risk management Study Guide
📖 Core Concepts
Risk Management – Systematic identification, evaluation, prioritization, and treatment of risks (both negative risks and positive opportunities).
Risk Magnitude – Product of Probability × Impact ($$\text{Risk} = P \times I$$).
Mild vs. Wild Risk – Mild: follows an approximately normal distribution and is predictable. Wild: fat‑tailed (Pareto/power‑law) and hard to predict; classifying a wild risk as mild leads to under‑estimation.
ISO 31000 Process – Context → Identification → Assessment → Response Planning → Implementation → Monitoring & Review.
Risk Treatment Options – Avoidance, Reduction (optimization), Sharing/Transfer, Retention (acceptance).
Enterprise Risk Management (ERM) – Organization‑wide, strategic view of risks affecting existence, reputation, and long‑term value.
📌 Must Remember
Risk magnitude formula: $$\text{Risk} = \text{Probability of occurrence} \times \text{Impact of the event}$$.
Four treatment strategies: Avoid, Reduce, Share, Retain.
ISO Core Principles: creates value; is integrated into organizational processes; explicitly addresses uncertainty; is systematic and structured; uses the best available information; accounts for human factors and is transparent; is dynamic, iterative, and supports continual improvement.
Mild risk → normal distribution; Wild risk → fat‑tailed distribution.
RASM model (Wilderness): same formula as above, but “Severity of Consequences” replaces “Impact”.
🔄 Key Processes
Establish Context
Scan internal/external environment, identify stakeholder objectives, set risk‑evaluation criteria.
Risk Identification
Use methods: objectives‑based, scenario‑based, taxonomy, common‑risk checklists, risk charting.
Risk Assessment
Estimate Probability (e.g., low/medium/high or a numeric percentage) and Impact (financial, safety, reputation).
Compute risk magnitude; rank for prioritization.
Risk Response Planning
Choose one or more treatment options (avoid, reduce, share, retain).
Define specific actions, owners, timelines, resources.
Implementation
Deploy controls (e.g., insurance, engineering safeguards, process changes).
Monitoring & Review
Track control effectiveness, update probabilities/impacts, revise treatment plans regularly.
🔍 Key Comparisons
Avoidance vs. Reduction – Avoidance eliminates the activity; Reduction lowers probability or impact while keeping the activity.
Sharing (Transfer) vs. Retention – Transfer shifts risk to another party (insurance, outsourcing); Retention means the organization lives with the risk and budgets for loss.
Mild Risk vs. Wild Risk – Mild: predictable, normal distribution; Wild: unpredictable, fat‑tailed, can cause extreme outcomes.
Risk Communication vs. Crisis Communication – Risk: long‑term awareness, behavior change; Crisis: immediate threat, specific protective actions.
⚠️ Common Misunderstandings
“All risks are bad.” – Positive risks (opportunities) can be exploited.
Treating wild risk as mild – Leads to severe under‑estimation and insufficient controls.
Assuming risk magnitude alone decides action – Context, stakeholder tolerance, and strategic value also matter.
Thinking “risk = probability” – Impact is equally critical; a rare event with catastrophic impact may outweigh a frequent low‑impact event.
🧠 Mental Models / Intuition
Risk = Likelihood × Consequence – Visualize a two‑axis matrix (probability vs. impact); high‑risk items sit in the upper‑right quadrant.
“Butterfly Effect” for Wild Risk – Small changes can trigger outsized outcomes; always question normal‑distribution assumptions.
“Insurance as Risk Transfer” – Treat transfer like buying a safety net: you pay a premium to cap potential loss.
🚩 Exceptions & Edge Cases
Low‑probability, high‑impact wild events are easily overlooked by quantitative models and require qualitative treatment (e.g., scenario planning).
Regulatory‑driven risks (e.g., FDA cybersecurity for medical devices) may mandate treatment regardless of calculated magnitude.
Retention is acceptable only for small or uninsurable risks; not for strategic, reputation‑critical exposures.
📍 When to Use Which
Avoidance – When risk exceeds risk appetite and an alternative activity exists (e.g., entering a high‑risk market).
Reduction – For risks where engineering, process, or training controls can meaningfully lower probability/impact (e.g., fire sprinklers).
Sharing/Transfer – When a third party can assume the risk more efficiently (insurance, outsourcing).
Retention – For low‑impact, low‑cost risks or when transfer is impossible/unaffordable.
👀 Patterns to Recognize
Risk Matrix Pattern – Look for “high‑probability & high‑impact” items; prioritize them.
Fat‑Tail Indicators – Skewed loss data, outlier events, “Black Swan” language in scenario descriptions.
Stakeholder‑Driven Triggers – New regulations, market entry, technology adoption → spike in identified risks.
Recurring Treatment Types – Projects often pair reduction (controls) with transfer (insurance) for the same risk.
🗂️ Exam Traps
Choosing “Retention” for a high‑impact risk – Tempting because it is simple; wrong if the risk exceeds tolerance.
Confusing “Probability” with “Frequency” – Exams may present a frequency rate; you must convert it to a probability before applying the formula.
Assuming all wild risks are “unmanageable” – They require qualitative methods, not dismissal.
Mixing up “Opportunities” with “Risks” – Remember that opportunities are positive risks with their own response strategies (e.g., exploit rather than avoid).
Over‑relying on quantitative scores – Misses the ISO principle of explicitly addressing uncertainty and assumptions.