

2014/12/17 06:23:39 PM

© August 2014, Dr David Hillson FIRM, HonFAPM, PMI Fellow


Anyone facing a risky and important decision or project will need to answer seven basic questions. In fact, we could shape the risk management process around asking and answering them. If we do, the risk process will become intuitive and natural, easy to follow, and less bureaucratic or forced. The seven basic questions are as follows, together with the related step in the risk process:

1. What are we trying to achieve? (Establish Context) We cannot start any risky venture without first clearly defining its scope and clarifying the objectives that are at risk. We also need to know how much risk key stakeholders are prepared to accept, since this gives us the target threshold for risk exposure. We must address these factors as the first step of the risk process.

2. What could affect us achieving this? (Identify Risks) Once objectives and risk thresholds are agreed, we can start identifying risks, which are uncertainties that could affect achievement of objectives (including both threats and opportunities). There are a variety of risk identification techniques, each of which has strengths and weaknesses, so we should use more than one approach. In addition to considering individual risks, we should also address overall risk exposure.

3. Which of those things are most important? (Assess Risks) Not all risks are equally important, so we need to filter and prioritise them, to find the worst threats and the best opportunities. This will help us decide how to respond. When prioritising risks, we could use various characteristics, such as how likely they are to happen, what they might do to our objectives, how easily we can influence them, when they might happen, etc. We should also consider the effect of overall risk exposure on the final outcome.

4. What shall we do about them? (Plan Risk Responses) Now we can start to think about what actions are appropriate to deal with individual risks, as well as considering how to tackle overall risk exposure. We might consider radical action (avoid threats or exploit opportunities), or attempt to influence the level of risk exposure (reduce threats or enhance opportunities), or decide to do nothing (accept the risk). We might also involve other parties in responding appropriately to the risks (transfer threats or share opportunities).

5. Having taken action, did it work? (Implement Risk Responses) We can plan to address risks, but nothing will change unless we actually do something. Planned responses must be implemented in order to tackle individual risks and change overall risk exposure, and the results of these responses should be monitored to ensure that they are having the desired effect. Our actions may also introduce new risks for us to address.

6. What has changed? (Review Risk) The risk process cannot end at this point, because risk is dynamic and changing. So we have to look again at risk on a regular basis, to see whether existing risks have been managed as expected, and to discover new risks that now require our attention.

7. What did we learn? (Risk Lessons Learned) There is one more important step in the risk process, which is often forgotten. As responsible professionals we should take advantage of our experience with this risky situation to benefit future similar ventures. This means we will spend time thinking about what worked well and what needs improvement, and recording our conclusions in a way that can be reused by ourselves and others.

By structuring our risk process in this way, we will make it easier for people to follow the process, as they are simply addressing a set of common-sense questions. Anything that makes risk management simpler will ensure that people are more engaged, and that our risks are better managed.






Contact the Risk Doctor (info@risk-doctor.com), or visit the Risk Doctor website (www.risk-doctor.com).