Qualitative analysis risks are carried out at the pre-investment stage of the investment project. Its main idea is to identify and determine possible project risks, assess and describe the sources and factors that affect each type of risk. In addition, the purpose of this analysis is to describe possible losses, assess them and identify strategies that could reduce them.
Qualitative risk analysis assumes that the likelihood and consequences of risks are assessed using established qualitative analysis methods and tools. Using this method it is necessary to understand the goals of the project, its scope, as well as the objectives of the state and the private sector. In addition, this method of risk assessment does not allow calculating the numerical value of the risk, but it is the basis for further analysis using quantitative assessment methods that are based on mathematical tools.
Identifying potential project risks includes identifying which risks may affect the project and establishing their characteristics. Typically, several groups of experts are involved in identifying project risks: the project team, the risk management team, customers, partnerships, and external experts.
As mentioned earlier, in order to identify the risks of a project, it is necessary to know and understand in what area the project is being implemented, project costs, resource plan, procurement plan. It also needs to be categorized. In addition, information about previous similar projects will also be useful. Historical information can be taken from project files upon request or from public information.
There are certain risk identification tools. These include techniques such as peer review, cost relevance analysis, and analogy. Now let's take a closer look at these approaches.
Expert assessment method.
This approach allows you to systematize the opinions of experts involved in assessing project risks. The expert opinions in this case are based on the experience of working on similar projects, as well as the logic and knowledge in this area.
The essence of the method of expert assessments is that expert analysts are offered a complete list of possible project risks, after which they must assess the likelihood of the risk, as well as the scale of the expected damage. There are several different approaches to the peer review method, namely: ranking, pairwise comparison, Delphi method, score method, and so on. Let us briefly analyze the listed approaches.
Delphi method.
This is an approach that excludes any communication between the members of the expert group. An independent questioning of the assessment participants is carried out regarding the possible risks of the project. After the survey, the opinions obtained are analyzed, the reliability of which is assessed using the concordance coefficient. The problem of the method of expert assessments is the subjectivity of the opinions of experts, as well as the quality of the selection of expert groups. What can affect the reliability of value judgments.
Risk scoring method.
It is an assessment method that results in an aggregate score resulting from a combination of separately assessed risk factors. This method consists of several steps:
- 1. The factors that influence the degree of risk are determined.
- 2. Variables are selected that characterize the identified factors, a generalizing criterion is determined.
- 3. Assessment of the aggregate risk indicator of the project.
- 4. Development of recommendations regarding risk management.
Ranking and pairwise comparison
Qualitative risk assessment is implemented in most cases using ranking. This method involves assigning a rank to each declared risk in descending or ascending order of magnitude. Pairwise comparison is a more complex form of ranking. In this case, experts compare different risks in pairs and identify the strongest or weakest ones. In this case, experts use the law of transitivity. In addition, if the final set of risks has not been established, then this method cannot be applied.
Ranking on the basis of a score is another ranking method that has gained particular popularity in Russia. The assessment process for this method can be presented in the form of three tables. The first is a list of the identified project risks, as well as a determination of the probability with which this or that risk may arise. The second table includes a scale for the consequences of a risk event. Table 3 below is a combination of those described above.
Table 3. Assessment of the magnitude of the risk factor
|
Very tall |
Very tall |
||||
|
Very tall |
|||||
|
Consequences / Probability of occurrence |
Accordingly, the intersection of cells is the product of the "values" of the probability of occurrence and the consequences in terms of risk. A value of 1-5 \u003d low, 6-10 \u003d medium risk, 12-16 \u003d high, 20-25 \u003d very high.
After a detailed consideration of each risk, it becomes realistic to determine the relative cost of the consequences of their occurrence and adequately relate to their distribution. Each possible distribution of risks affects the final cost of the project as a whole.
Cost Relevance Analysis
The method is based on the hypothesis that the cost overrun caused by the implementation of a risk event reacts to one or more of the following factors:
- 1) The initial assessment of the project as a whole or its individual components is incorrect (the project is underestimated);
- 2) Change of design parameters under unforeseen circumstances;
- 3) The discrepancy between the planned and actual performance indicators;
- 4) Impact of inflation and changes in tax legislation on the cost of the project compared to the original cost.
During the analysis, an accurate list of the likely increase in project costs is compiled. The project is financed in stages, correlated with the phases of project implementation, which greatly eases the consequences of an increase in investment risk - the investor stops allocating funds, and work begins to search for cost reduction measures.
Analogy method
This method is also quite used. The main idea of \u200b\u200bthis method is that in order to identify the risks of a target project, experts analyze similar projects. The risks that were identified for these projects, the consequences of the risks and operations to prevent and / or minimize them are considered. The main difficulty of this method is that the selection of a project that would be as similar to a new project as possible is a rather difficult procedure. The reason is that the implementation scenario for each project is individual and different, the problems that arise often affect each other, so it is extremely difficult to determine whether the situation for a new project will be similar to the one that has already happened. It is also difficult to determine how much the risk of a new project coincides with the risk of similar ones. Therefore, in order to use this method of risk assessment, a detailed analysis of such an assessment operation is required.
It should be noted that the above methods are rather suitable for identifying and describing risk situations, as well as preliminary project assessment.
Risk assessment is a set of analytical measures that make it possible to predict the possibility of obtaining additional business income or a certain amount of damage from a risky situation and untimely taking measures to prevent risk.
The degree of risk is the probability of a loss event occurring, as well as the amount of possible damage from it. may be:
- acceptable - there is a threat of complete loss of profit from the implementation of the planned project;
- critical - it is possible that not only profit will not be received, but also revenue and coverage of losses at the expense of the entrepreneur;
- catastrophic - loss of capital, property and bankruptcy of an entrepreneur are possible.
Quantitative analysis is the determination of the specific amount of monetary damage of individual subspecies of financial risk and financial risk in the aggregate.
Sometimes a qualitative and quantitative analysis is carried out on the basis of an assessment of the influence of internal and external factors: an element-by-element assessment of the specific weight of their influence on the operation of a given enterprise and its monetary value is carried out. This method of analysis is rather laborious from the point of view of quantitative analysis, but it bears its undoubted results in qualitative analysis. In this regard, more attention should be paid to describing the methods of quantitative analysis of financial risk, since there are many of them and some skill is required for their competent application.
In absolute terms, the risk can be determined by the amount of possible losses in material (physical) or value (monetary) terms.
In relative terms, risk is defined as the amount of possible losses referred to a certain base, in the form of which it is most convenient to take either the property state of the enterprise, or the total cost of resources for a given type of entrepreneurial activity, or the expected income (profit). Then we will consider a loss as a random deviation of profit, income, revenue downward. compared to expected values. Entrepreneurial losses are primarily an accidental decrease in entrepreneurial income. It is the magnitude of such losses that characterizes the degree of risk. Hence, risk analysis is primarily associated with the study of losses.
Depending on the magnitude of the probable losses, it is advisable to divide them into three groups:
- losses, the amount of which does not exceed the estimated profit, can be called acceptable;
- losses, the amount of which is greater than the estimated profit, are classified as critical - such losses will have to be compensated from the pocket of the entrepreneur;
- even more dangerous is the catastrophic risk, in which the entrepreneur risks incurring losses in excess of all his property.
If it is possible to predict in one way or another, to estimate the possible losses for this operation, then a quantitative assessment of the risk that the entrepreneur is taking has been obtained. Dividing the absolute value of possible losses by the estimated cost or profit, we obtain a quantitative assessment of the risk in relative terms, in percent.
Saying that the risk is measured by the magnitude of the possible. probable losses, the random nature of such losses should be taken into account. The probability of the occurrence of an event can be determined by an objective method and subjective. The objective method is used to determine the probability of an event occurring on the basis of calculating the frequency with which the event occurs.
The subjective method is based on the use of subjective criteria, which are based on various assumptions. These assumptions may include the evaluator's judgment, his personal experience, the assessment of the rating expert, the opinion of the auditor-consultant, etc.
Thus, the assessment of financial risks is based on finding the relationship between certain amounts of enterprise losses and the probability of their occurrence. This dependence is expressed in the constructed curve of the probabilities of a certain level of losses.
Plotting a curve is an extremely complex task that requires employees dealing with financial risk with a sufficient knowledge of the experience. To plot the probability curve of a certain level of losses (risk curve), various methods are used: statistical; cost-benefit analysis; method of expert assessments; analytical method; method of analogies. Among them, three should be highlighted: the statistical method, the method of expert assessments, the analytical method.
The essence of the statistical method is that the statistics of losses and profits that have taken place in a given or similar production are studied, the magnitude and frequency of obtaining a particular economic return are established, the most probable forecast for the future is made.
Undoubtedly, risk is a probabilistic category, and in this sense it is most scientifically justified to characterize and measure it as the probability of a certain level of losses occurring. Probability means the possibility of getting a certain result.
Financial risk, like any other, has a mathematically expressed probability of a loss, which is based on statistical data and can be calculated with a sufficiently high accuracy. To quantify the amount of financial risk, you need to know all the possible consequences of any particular action and the likelihood of the consequences themselves.
With regard to economic problems, the methods of probability theory are reduced to determining the values \u200b\u200bof the probability of occurrence of events and to choosing the most preferable from possible events based on the largest value of the mathematical expectation, which is equal to the absolute value of this event, multiplied by the probability of its occurrence.
The main tools of the statistical method for calculating financial risk are: variation, variance, and standard (root-mean-square) deviation.
Variation is a change in quantitative indicators when moving from one outcome option to another. Dispersion is a measure of the deviation of actual knowledge from its mean.
The degree of risk is measured by two indicators: the average expected value and the variability (variability) of the possible outcome.
The average expected value is associated with the uncertainty of the situation, it is expressed as a weighted average of all possible outcomes E (x), where the probability of each outcome (A) is used as the frequency or weight of the corresponding value (x). In general, it can be written like this:
E (x) \u003d A1X1 + A2X2 + + AnXn.
The average expected value is that value of the magnitude of an event that is associated with an uncertain situation. It is a weighted average of all possible outcomes, where the probability of each outcome is used as the frequency, or weight, of the corresponding value. This calculates the expected result.
The cost-benefit analysis is focused on identifying potential risk areas based on the firm's financial soundness indicators. In this case, you can just get by with the standard methods of financial analysis of the results of the main enterprise and the activities of its counterparties (bank, investment fund, client enterprise, issuing enterprise, investor, buyer, seller, etc.).
The peer review method is usually implemented by processing the opinions of experienced entrepreneurs and specialists. It differs from statistical only in the method of collecting information to build a risk curve.
This method involves the collection and study of estimates made by various specialists (a given enterprise or external experts) of the probabilities of occurrence of different levels of losses. These estimates are based on taking into account all financial risk factors, as well as statistical data. The implementation of the method of expert assessments is significantly complicated if the number of assessment indicators is small.
The analytical method of constructing a risk curve is the most difficult, since the underlying elements of game theory are available only to very narrow specialists. A subspecies of the analytical method is more often used - model sensitivity analysis.
The sensitivity analysis of the model consists of the following steps: selection of a key indicator, against which the sensitivity is assessed (internal rate of return, net present value, etc.); choice of factors (inflation rate, degree of state of the economy, etc.); calculation of the values \u200b\u200bof the key indicator at various stages of the project (purchase of raw materials, production, sale, transportation, capital construction, etc.).
The sequences of costs and receipts of financial resources formed in this way make it possible to determine the flows of funds of funds for each moment (or period of time), i.e. define performance indicators. Diagrams are built, reflecting the dependence of the selected resulting indicators on the value of the initial parameters. By comparing the resulting diagrams with each other, it is possible to determine the so-called key indicators that most affect the assessment of the project's profitability.
Sensitivity analysis also has serious drawbacks: it is not comprehensive and does not specify the likelihood of alternative projects.
The method of analogies in analyzing the risk of a new project is very useful, since in this case the data on the consequences of the impact of unfavorable factors of financial risk on other similar projects of other competing enterprises are examined.
Indexation is a way to preserve the real value of monetary resources (capital) and profitability in the face of inflation. It is based on the use of various indices.
For example, when analyzing and forecasting financial resources, it is necessary to take into account price changes, for which price indices are used. Price index is an indicator that characterizes the change in prices over a certain period of time.
Thus, the existing methods of constructing the probability curve of a certain level of losses are not entirely equivalent, but one way or another allow us to make an approximate estimate of the total amount of financial risk.
Source - O.A. Firsova - METHODS FOR ASSESSING THE DEGREE OF RISK, FGBOU VPO "State University - UNPK", 2000.
YOU WILL LEARN:
- why you need to manage risks;
- what five steps are needed to manage risk;
- how to learn to manage risks.
Risk management is necessary when we need to make complex decisions: at the stages of product development, when studying the feasibility of making changes, investigating deviations, for organizing a workspace or deciding on the possibility of combining production schemes for different drugs, etc., - in fact, where there is a problem of choosing from several options, and where there are no clear, unambiguous requirements. Risk management technology is necessary in a situation where there is uncertainty and uncertainty.
In no case should risk management be opposed to current regulatory requirements. It is impossible to justify the non-binding nature of the implementation of legislative norms through risk assessment. The risk management process is the source of requirements. History knows many examples when it would be possible to avoid dangerous situations if we were better with them. managed... There are also many developments in pharmaceutical practice from which lessons have been learned.
This is how GMP 1 rules came into being. These rules are only a program to minimize the known risks associated with the production of medicines. Preventing cross-contamination, confusion or substitution, hygiene and self-employment, choosing a quality control strategy and maintaining a quality system are just a few of the classic examples of risk management.
Many managers believe that they can see the full picture of their processes even without additional technologies and intuitively feel the risks to the quality of their products. Indeed, professional, talented managers have tremendous intuition. Only it is hardly congenital. It can be developed using a risk management methodology. After all, intuition is a subconscious analysis of various options for the development of certain events. Including dangerous ones. This is the answer to three key questions: what can happen; if this happens, what will be the consequencesand because of what can this happen?Good intuition is a "spontaneous" assessment of risks by an individual person. And the conscious application of the risk management process is an objective corporate culture that is weakly dependent on subjective factors. Moreover, it is a replicable and easily distributed technology.
Identifying and assessing quality risks does not work by itself. The result of risk management is the selection and implementation of a strategy for controlling significant risks. The task is not to endlessly play various scenarios, not to avoid responsibility, but to make correct, balanced, sometimes even risky, but consciously risky decisions.
Risks to product quality are risks to the consumer. The manufacturer of a medicinal product, the holder of the marketing authorization and government agencies regulating the circulation of medicinal products are responsible to the patient for the efficacy and safety of products placed on the market.
Security is based on modern approaches to risk management. Risk management is the line of defense. It turns out that the only way to ensure patient safety is to implement an effective quality risk management system. This is an element of our responsibility to society. The patient needs guarantees of the effectiveness and safety of the products he takes.
Security does not mean there is no danger. A safe state is when we know what, from our point of view, dangerous events can occur and what impact they will have on the quality of our work and products and, as a result, on our consumer. Safety should be ensured without resorting to prohibitions, but by developing effective procedures. Even if we do not have the opportunity to prevent the occurrence of a dangerous situation, we, at least, will be able to prepare for it, we will think over measures to prevent and overcome the consequences in advance, we will warn everyone about the presence of a serious danger, for example, by describing it in the instructions.
Hazard is measured by risks, which vary in importance. In order to understand what risks require our special attention, we need to adequately assess them. If you do not study the nature of possible risks and hide behind the slogan: "NO risk is acceptable!" - we will not be able to understand why this or that risk can be realized, and, accordingly, we are unlikely to be able to reduce the likelihood of its occurrence. All that remains is to say: "Sorry, it happened!" Risks need to be managed systematically and professionally. This is an essential and essential competence of any manager of any level at any enterprise.
Sometimes you can hear the opinion that risk management is just a catchy name and incredibly harmful technology, applicable only to armchair people. It's not like that at all. The personnel of any department can be conditionally divided into two categories: managers and performers.
The contractors perform work based on the established requirements. Managers, however, establish requirements for the performance of such work, taking into account legislative norms, prescribe algorithms and create conditions, and then control the quality of their performance. In most cases, the contractor does not need a risk assessment. Leaders need it. It is needed when they are forced to make important and difficult decisions in conditions of uncertainty. For example, there are no legal requirements or these requirements are stated without specific algorithms for their implementation, or there are several implementation options, but there is no certainty which option to choose. Leaders are responsible for the results not only of their work, but also of the work of the performer. And the higher the uncertainty caused by uncertainty, the greater the responsibility for the consequences of the implementation of the decision. Based on how the manager manages risks, one can draw a conclusion about his professionalism. If a leader skillfully applies this methodology, he will come across as an astute person with clear logic and remarkable intuition.
These are the qualities that risk management technology develops. In addition, such a leader understands that the executor's mistake is often caused by the negligence of his leader, which manifests itself in the fact that he did not fully assess all possible threats. And those who believe that all risks are equally dangerous or unacceptable, that is, impossible, are simply not able to make decisions.
As a result, they do it at random, using their favorite "poke" method, or shift the responsibility for the decision onto another, for example, the same performer. It's easier. The practice of doing only what is required and only as understood is inherently flawed. You must admit that we often find ourselves in situations where it is difficult and sometimes scary to make a decision and there is a feeling of uncertainty and unpredictability as to how it will affect the quality of the product, and hence the safety of the patient. And then it may seem that risks are something that does not depend on us. Or, conversely, we will become presumptuous of believing that we have completely eliminated risk.
However, in reality this is not the case. Any deviation, failure in the operation of the engineering system or equipment, a complaint received or a signal about a side effect of the drug is a realized risk. Of course, you can simply not register deviations and emerging problems, thereby confirming the reliability of your processes. This is a bluff! There are and always will be risks. The main thing is to see the threats in time and calculate the "unforeseen circumstances" in which these threats can be realized, to understand what we can do to prevent this from happening and how to act if it does happen. To do everything that depends on us and to be ready for any development of events.
Is it worth spending a lot of effort where you can get by with little money? If your decision is based on a regulatory requirement and you are confident in it - no, you shouldn't. No risk assessment is needed here. However, if you are in a difficult situation, you need to understand the possible threats and their consequences, calculate in advance how to act in this or that course of events, and be prepared for anything.
Risk management improves predictability and certainty, which gives us a sense of confidence. Of course, this is an approach that provides sufficient consumer protection, which, in turn, does not interfere with making a profit or slow down the development of the enterprise.
The basic principles of quality risk management in the pharmaceutical industry are set out in the ICH Q9 guidelines, the text of which has been included in the European GMP framework since 2008: first in Appendix 20 and then in Part 3 of GMP. The need for risk management is documented in various guidelines issued by regulatory agencies, professional communities (eg ISPE, PDA, IEST) and healthcare organizations around the world. This methodology is based on knowledge and experience accumulated in different countries. However, in Russia there are still debates about how correct this methodology is. Its erroneous perception has already led to the exclusion of the text of ICH Q9 from GOST R 52249-2009 with a “criminal” wording: “ This text is stated vaguely and is not suitable for practical application". Why is it not suitable? The risk management process model presented in ICH Q9 (Figure 1) is simple and, most importantly, action-oriented (Figure 2).
Figure 1. Traditional quality risk management process (in accordance with ICH Q10 guidelines) of the model presented in ICH Q9
Of course, in risk management, as in any technology, there are enough nuances and details. In order to use this technology correctly, it is necessary create internal standards and procedures, to trainleaders and experts involved, exercise constant supervisionfor the quality of the assessment.
Attempts to exclude risk management technology from the effective decision-making process are absurd. It is unacceptable to simply remove the risk management process from the standards just because the author of the national standard does not understand its methodology. Do not go to extremes and blame the technology of risk management for redundancy, incorrectness or subjectivity.
The decision of any person is subjective in nature. You need to fight not with subjectivity, but with carelessness in decision-making. Risk assessment should not be based on guesswork, but on modern scientific achievements, known facts, while taking into account the experimental base, etc. All gaps in knowledge and data should also be attributed to a separate risk category, the so-called missing information.
Likewise, the risk management methodology cannot be elevated to the status of a “regulatory requirement”. Decision making techniques, by definition, cannot be so. This is the same as forcing everyone to think and act according to the same template, which is simply unacceptable and, moreover, dangerous! Risk management is not aimed at circumventing regulatory requirementsand not a direct regulatory requirement(see Section 1 Part 1 GMP). The GMP rules declare the need for risk management only in order to emphasize their paramount importance and relationship with the quality system and the rules of proper production and quality control of medicines.
Scheme 2. Algorithm for risk management for quality. Based on ICH Q9 model
GMP regulations require a risk assessment when there is uncertainty. Analysis of the European version of GMP confirms that the need for a risk assessment is only prescribed in the following situations:
- if during the investigation of the deviation it is impossible to establish the true cause of its occurrence (part 1, paragraph 1.4 (XIV)). Then it is necessary to select the most probable cause using deductive or inductive risk management methods;
- at the stage of making a decision on the possibility of combining the production of different drugs at a single production facility (part 1, clause 5.9);
- to create a cross-contamination prevention program (part 1, clauses 5.18, 5.19);
- when organizing packaging processes (part 1, clause 5.44);
- when making decisions on the possibility of processing or re-processing substandard products (part 1, clauses 5.62, 5.63);
- when deciding on the possibility of resuming the turnover of all or part of the returned products (part 1, clause 5.65);
- when justifying the scope of validation work (Appendix 15).
In other words, when there is a need to make difficult decisions. And, mind you, solutions that do not conflict with regulatory requirements.
Both the successful functioning and the survival of the enterprise depend on the effectiveness of the managerial decisions taken by the manager. It is also necessary to take into account the fact that, in addition to the obvious advantages, the risk management process has serious disadvantages (Table 1).
Table 1
Advantages and Disadvantages of a Quality Risk Management Process
The statement of the task is also incorrect in its essence - to exclude only the risks that are indicated in the regulatory documents. I repeat: regulatory documents are a kind of average perception of known risks. Each production has its own specifics, and regulatory requirements do not take it into account.
You also do not need to strive for total control. It is important for us to be able to identify the most dangerous risks and develop adequate and timely measures to manage them. Even a not very large-scale assessment can reveal dozens, even hundreds of different risks. This can be confusing for any specialist, since it is not clear what to do with them and what to tackle in the first place. Of course, it would be nice to eliminate all the risks, but most often it is impossible to do this. Our resources, like funds, are always limited, so we are forced to choose priorities.
It is intuitively clear that some risks require priority solutions, and some are generally not interesting to us. To determine the priority actions, it is just necessary to establish the elements of risk - the level of its impact and the probability of implementation. If a hazard is realized, it can have a different effect, which largely determines the severity of the risk, just as an assessment of the likelihood of a particular negative event can tell us a lot and predetermine our perception of security.
A-priory, risk- This is a combination of the probability of a particular hazard and the severity of the harm it causes. There is no methodological error here. Indeed, values \u200b\u200bthat are different in meaning are multiplied and a conclusion is drawn from the result. When using two criteria for assessing risk, we are not talking about its averaging.
The probability is taken into account in order to cut off incredible, unreal events. Another question is that we still prioritize based on the level of their impact.
The methodological error lies in the fact that some domestic critics do not take into account the main axiom of risk management: the severity of harm has a higher priority over probability.
Therefore, if, for example, consider the boring example of an airplane, an incorrect gradation of risk when using a quantitative assessment can be considered an error. Consider two events using a five-point scale (1 to 5).
First.Nonhazardous event - late arrival of the aircraft (severity of harm equal to 1), but often repeated (probability equal to 5).
Second.A dangerous event is a plane crash (the severity of harm is 5), but extremely rare (the probability is 1).
Indeed, multiplying the weight coefficients gives the same figure 5, but it does not equalize their significance.
The first event is an insignificant risk, but the second event can be ranked as a significant risk (due to the fact that the severity of harm coefficient exceeds a certain predetermined threshold, for example, 2), which means it will require our close attention and the development of a program to control such risk, ensuring constant monitoring of its effectiveness. The risk control program can be different - from one action to a separate comprehensive plan.
Embedding the risk management process into the daily life of the enterprise does not require investment and does not imply the introduction of any complex systems and models. It is enough to take just five steps.
First stepis to learn to see and clearly identify hazards (threats). We often do this empirically, dare I say, unconsciously. This is not enough. To fully identify risks means taking into account all their parameters.
Second step- you need to learn how to create risk profiles, that is, to systematically determine all the risks inherent in the object of our assessment (draw up a risk assessment protocol). This is important, because it is useful to manage risks “on the spot”, but not enough.
Task third stepis to learn how to determine which risks should be dealt with first. To do this, you need to be able to analyze risks, prioritize.
For successful implementation fourth stepyou need to select and implement strategies to manage significant risks. Here it is important to understand what specific actions we need to take in order to gain more and / or lose less.
And finally fifth step- learn how to create an optimal "safety cushion", that is, develop an action plan in case a particular risk is realized. The goal of this step is to prepare for any development of events and always have a "B" plan. These are basic steps that apply in any situation, in any business, and at any level of the enterprise hierarchy. The model shown in ICH Q9 is used in most countries around the world. A similar model is presented in the basic ISO 31000 2 standard. Today, there is a serious methodological base for introducing the risk management process into the practice of pharmaceutical companies, which has been actively developing since the 60s of the last century. More than 100 risk assessment methods are known. The ICH Q9 guidelines state only six of the most common tools (Table 2), ISO 31000 describes 31 methods, and there are even more in life. However, this does not mean that everyone should be used. You need to choose for yourself those risk assessment tools that you can work with and which you will trust. The main thing is that they are clear to you.
table 2
Summary of ICH Q9 Risk Assessment Methods
|
Risk Assessment Tool |
Specialization |
Detail of the assessment |
Complexity |
disadvantages |
|
PHA - Preliminary Risk Analysis |
You need to be able to predict threats. Prevents relationships between different threats |
|||
|
HAZOP - Risk and Opportunity Analysis |
Requires a lot of information about the subject of assessment. Evaluates threats by components / elements without linking to other components / elements |
|||
|
HACCP - Hazard Analysis and Critical Control Points |
Various |
Not suitable for assessing the relationship between failures and their causes. Does not allow assessing the risks associated with objects / systems |
||
|
FMEA - Failure Modes and Effects Analysis |
Not very useful for retrospective risk assessment. Does not establish a relationship between failures / threats and their causes |
|||
|
FTA - Fault Tree Analysis |
May be monotonous and lengthy |
|||
|
RRF - classification and screening of risks |
Not suitable for retrospective risk assessment. Of little use with a small number of identified threats |
Thus, learning to manage risk professionally requires practice and experience. Naturally, this takes effort and time. First to a greater extent, then to a lesser extent. The main thing is to start gradually introducing risk management technology into your work. To do this, you do not need to allocate any special day, wait for some event or mood. By managing risks, we ensure the quality of our work and, conversely, by ensuring quality, we manage risks. The result of risk management is a guarantee of the quality of your products, compliance with regulatory requirements, a stable profit, and therefore a guarantee of our stability. Modern life insists on this!
Per. from English VIALEK Group of Companies
1 GMP (Good Manufacturing Practice) - good manufacturing practice (standard for a production management system). - Approx. ed.
The risk assessment manager is responsible for the enterprise risk assessment. He develops, advises and directs risk management programs and loss prevention activities to maximize the protection of corporate property and capital. Conducts investigation and reports on accidents, incidents related to the company's products, and then coordinates the actions of insurance companies and lawyers. Reviews and analyzes data and develops programs to minimize risks. Monitors compliance with safety regulations, ensures that the company's products comply with industrial standards and market requirements.
There are several approaches to risk assessment in an enterprise. Let's consider some of them.
The main task of the first of the considered risk assessment methods is their systematization and the development of an integrated approach to determining the degree of risk affecting the financial and economic activities of the enterprise. The following risk assessment algorithm is proposed, which is shown in Fig. 1.1.
All risk researchers do not pay due attention to assessing the quality of the information with which they assess risk.
Figure: 1.1.
Requirements for the quality of information should be as follows:
- - reliability (correctness) of information - a measure of the proximity of information to the original source or the accuracy of information transmission;
- - objectivity of information - a measure of how information reflects reality;
- - unambiguity;
- - order of information - the number of transmission links between the original source and the end user;
- - completeness of information - a reflection of the exhaustive nature of the correspondence of the information received to the purposes of collection;
- - relevance - the degree of approximation of information to the essence of the issue or the degree of correspondence of information to the task;
- - relevance of information (significance) - the importance of information for risk assessment;
- - the cost of information.
It is proposed to establish the relationship between the risk and the quality of the information on which it (risk) is assessed. It is suggested that the probability of the risk of making a poor-quality (unprofitable) decision depends on the quality and volume of the information used. This assumption is taken from neoclassical risk theory. According to this theory, in the presence of several options for making a decision (with equal profitability), a decision is chosen in which the probability of risk (fluctuation) is the smallest. It can be assumed that also in the presence of several options with the same profit, a decision is chosen that is based on better quality information, that is, there is a relationship between risk and information.
In fig. 1.2. the assumed dependence of the probability of the risk of making a low-quality (unprofitable) decision and the volume / quality of information is shown.
A high probability of risk occurrence corresponds to a minimum of quality information.
Figure 1.2. Dependence of risk and information
To assess the quality of information, it is proposed to use Table 1.3.
Table 1.3
Assessment of the information used
This table allows you to analyze any information and visually verify its quality. The numbers 1-10 at the top of the table denote the quality of the information: the better the information, the higher the number is assigned to it. The result of the analysis can be the final value of the information quality, which is found as an arithmetic mean.
Fixing risks. When assessing financial and economic activity, it is proposed to fix risks, that is, to limit the number of existing risks using the principle of "reasonable sufficiency". This principle is based on taking into account the most significant and most common risks for assessing the financial and economic activities of an enterprise. It is recommended to use the following types of risks: regional, natural, political, legislative, transport, property, organizational, personal, marketing, production, settlement, investment, currency, credit, financial.
Drawing up an algorithm for the decision. This stage in assessing the risks of financial and economic activities is intended for the stage-by-stage division of the planned solution into a certain number of smaller and simpler solutions. This action is called composing a decision algorithm.
Qualitative risk assessment. Qualitative risk assessment implies: identification of risks inherent in the implementation of the proposed solution; determination of the quantitative structure of risks; identification of the most risky areas in the developed decision algorithm.
To carry out this procedure, it is proposed to use a qualitative analysis table. In this table, the algorithm of actions when making a decision is presented by rows, and by columns - previously fixed risks. So, when deciding to place new base stations at one of the communications enterprises, the risk assessment may look like this (see Table 1.4).
Table 1.4
Qualitative risk assessment
|
Decision Algorithm |
Risk type |
||||||||||||||||||||||||
|
regional |
natural |
transport |
political |
legislative |
organizational |
personal |
property |
calculated |
marketing |
industrial |
currency |
credit |
financial |
investment |
|||||||||||
|
Identifying the need to place new equipment in the area |
|||||||||||||||||||||||||
|
Attraction of working capital |
|||||||||||||||||||||||||
|
Organization of the transaction, purchase |
|||||||||||||||||||||||||
|
necessary equipment |
A quantitative assessment of risks is carried out on the basis of data obtained during their qualitative assessment, that is, only those risks that are present in the implementation of a specific operation of the decision-making algorithm will be assessed. For each recorded risk, a risk assessment table is compiled based on data obtained from statistical, scientific, periodic sources, as well as based on the personal experience of managers. These risk assessment tables are compiled in such a way as to most fully determine the constituent risk factors. When using this approach, a high efficiency of the qualitative assessment of the financial and economic activities of the enterprise is achieved. In the tables compiled, the values \u200b\u200bthat most closely correspond to the questions posed are selected. In some cases, it is proposed to independently determine the value of the risk on a ten-point scale. After choosing the risk value at its level exceeding 0.8, an arbitrary mark (+) is made in the corresponding column. The final stage of filling in the columns of the table is the setting of the value of the quality of the information on the basis of which the decision was made. At the end of the table, the final quantitative assessment is summarized as the arithmetic mean of all indicators of risk components. Decision-making. Decision making is the final and most responsible procedure in assessing the risks of financial and economic activities. When developing a behavior strategy and in the process of making a specific decision, it is advisable to distinguish and highlight certain areas (risk zones) depending on the level of possible (expected) losses in financial and economic activities. So, based on the generalization of the results of studies by many authors on the problem of quantitative assessment of the risks of financial and economic activities of enterprises, an empirical scale of risk has been developed and proposed, which can be used for its quantitative assessment (Table 1.5). Table 1.5 Empirical risk scale
Making a decision consists of three stages:
As mentioned earlier, when making a decision under conditions of uncertainty, special attention should be paid to the quality of information. In this regard, it is proposed to use the risk-information table of decision making (Fig. 1.3).  Figure: 1.3. The Delphi method can also be used for a qualitative risk assessment. This method is a collective peer review. It was developed by the renowned expert from the DAND Research Corporation Olaf Helmer, a mathematician by training. Therefore, this method combines a creative approach to solving the problem and sufficient forecast accuracy. The essence consists in conducting questionnaires among specialists of the chosen field of knowledge. The obtained personal data are subjected to statistical processing, as a result of which a range of experts' opinions is formed, reflecting their collective opinion on the selected problem. Usually, after the first survey, there is a wide range of opinions. Therefore, the procedure for implementing the Delphi method involves conducting another three or four surveys, on the eve of which each of the experts is introduced to the result of the previous survey, but not in order to put pressure on him, but so that the experiment can obtain additional information about the subject of the survey. Ideally, the survey is repeated until the opinions of experts coincide, in reality - until the narrowest range of opinions is obtained. |
Risk analysis and assessment is an important stage in risk management technology. A harbinger of planning measures to reduce the likelihood of threats, the assessment can be made both on the basis of financial reporting data and on the basis of management information. Management, as a rule, uses past experience, analysis of the current situation inside the enterprise and in the outside world, as well as forecast assumptions. Risk assessment methods based on management information data are the subject of this article.
Business risk assessment
It is assumed that the previous stages of risk management at the time of their analysis and assessment at the enterprise have already been completed. This means that the results of the identification of the main factors and the identification of risk made it possible to perform their primary analysis, some qualitative and quantitative assessment. In business, all losses come down to three main threats:
- unexpected drop in profit margins;
- forced search of funds for expenses to reduce losses;
- additional costs for damages and the consequences of the damage.
The form of entrepreneurial losses is taken into account in three variants of expression: absolute, relative and intermediate. The methodology for assessing losses identifies, depending on the resources under consideration, the following types.
- Material.
- Labor.
- Cost.
- Temporary.
- Special.
- Intelligent.
- Informational.
All of the above types of losses are fairly obvious. Cost losses pose a direct financial threat to the company in the form of a drop in income, unplanned payments (taxes, fines, penalties and other penalties), direct monetary damage, loss of securities, etc. The enterprise may also experience special losses, among which are damage to the environment and the environment, loss of image, the prestige of the company and its management, damage to the health of employees. The classification of possible business losses is presented in the diagram below.
Classification of forms and types of business losses
The above classification covers almost all possible types of risks of adverse events that may arise in any organization. The methodology for assessing the risk of entrepreneurial losses in the scientific literature is widespread. Its applied development in the interpretation of Professor GS Tokarenko, in my opinion, is of the greatest practical interest. Some methodological messages are borrowed from the course of lectures of the named author.
Modeling the assessment of the expected consequences of entrepreneurial risk is based primarily on mathematical methods. At the same time, assessment models based on management reporting can be expressed through the function of the studied parameters and performance indicators. Classification and risk assessment of such parameters as income, profit, loss, damage, etc., are the subject of special concerns of management at the enterprise. The function formula for assessing the dynamics of the parameter under study takes into account the probability of a risk event and the level of its consequences.
Mathematical model for assessing entrepreneurial risk
Risk assessment methods are based on the analysis of typical financial statements: balance sheet, profit and loss statement, etc. In addition, management accounting statistics are used, which are extremely useful to collect at the enterprise. The analysis of foreign markets is also useful: stock, foreign exchange, raw materials, labor, etc. Using the knowledge base, managers will need to perform some mathematical statistics and probability calculations to determine their risk exposure.
Probabilistic assessment methods
It should be borne in mind that the actions themselves to form a probabilistic model of risk assessment and its analysis are quite laborious. This is due to the fact that risk factors are subjective and constantly changing. In addition, the results of the assessment work are very difficult to formalize. Therefore, when developing assessment models, it is necessary to carefully analyze the initial information, expert positions for the consistency and targeted nature of the identified causes and risk factors.
Key methodological points
The very nature of entrepreneurial risk implies some probability of an adverse event occurring. This means that considering it as a probabilistic category, we can fully apply mathematical tools that use the so-called stochastic models. For the best understanding of the level of risk, the distribution density function associated with the standard normal distribution law is used.
This law can be characterized by the fact that statistical data on the studied parameter (losses, losses, incomes) are grouped around a certain center with approximately the same spread to the left and right. And if this scatter is presented visually, then the image of a bell-shaped curve arises, which in probability theory is called a graph of probability density.
Probability Density Plot
Normal distribution functions f (t) have the following main features used for risk assessment.
- This is an even function (follows from formula 1), which means that its value remains unchanged when the sign of its variable changes.
- Identity of the mode, median and mean value of the parameter.
- The probability density tends to zero, provided that the current variable tends to infinity, regardless of the sign of the variable value.
- The probability density is maximum when the current variable is equal to 0.
- The area under the curve is 1.0 (follows from formula 2).
The presented law has good application potential for risk assessment after identification. Let's imagine that the parameter studied from the standpoint of risks is the company's income. Normal distribution properties can be exploited using sigma rules. There are rules of one sigma, two sigma and three sigma.
3σ probabilistic models
Above is a graph of probability density, using statistical information accumulated over a long period of company revenues, to which the sigma rules are applied. For example, the mathematical expectation corresponds to the value of 20 million rubles. The standard deviation σ has a value of 2 million rubles. Therefore, deferring to the left and to the right of the central axis along 1 σ, we can assert with a probability of 0.68 that the income forecast will be in the range from 18 to 22 million rubles. Applying the rule of two sigma, with a probability of 0.95 we get the range from 16 to 24 million rubles, etc.
Risk analysis methods based on a probabilistic model are applicable to any enterprise. Suppose we have a certain value of income from period to period and we want to get the value of the risk of falling income below the required value for the next year. Then we must admit that:
- The statistics of the considered parameter obeys the normal distribution law.
- We managed to calculate the average value of the parameter.
- The scatter is calculated as the standard deviation from the mean.
An example of a probabilistic risk assessment
The risk is considered from the standpoint of the probability of the occurrence of a result less than the required size of a given parameter. The risk value itself is calculated as an integral from -∞ to the level of the required value (in our case, income) of the distribution density according to the normal distribution law. If the above assumptions are met, then the risk is defined as the area shown in the normal distribution density chart below.
Model for visual determination of risk on the normal distribution density curve
Let's analyze a practical example of the implementation of a very specific investment project. As a result of the identification of the main risk factors and its identification, the main threats to the success of the project were identified. An expert analysis of the risks made it possible to establish that the danger is posed by the untimely repayment of the bank's loan, which the company intends to receive for investment. The average project implementation time is 3 years. The implementation time has a likely spread of six months, therefore, with a certain margin, loan funds are attracted for a period of 4 years. The question follows: is there a risk that the company will not return the loan on time? How to avoid additional penalties from the bank and prevent violations of credit history?
Risk calculation model for an example investment project
Since we assume that the typical assumptions of the probabilistic estimation method are met, the given three conditions are sufficient to make a proper calculation. We start Excel and set a series of time values \u200b\u200bbased on the maximum payback period of the project of 60 months. Since the distribution density obeys the normal distribution law, we need to calculate the risk value using the formula 6. In the Formula Selection Function Wizard in the “Statistical” category, select “NORM.DIST”, enter the values \u200b\u200bof the X series, the average is 36, the standard deviation is 6, the integral is "FALSE". Using the obtained values \u200b\u200bof the function, we build a diagram, the image of which is presented below.
Extract from the calculation of the normal distribution function and the corresponding curve
Further, in a separate field, we set the formula “\u003d (1-NORM.DIST (42; 36; 6; TRUE)) * 100%” through the function and calculate the risk value, which is obtained at the level of 16%. The results of determining the risk using this method mean that with a probability of 16%, under the given conditions, the loan will not be repaid on time. By changing the terms of the loan duration, increasing it by 3 months, we achieve that the risk value is reduced to 6.6%. The risk area is marked on the diagram in the form of an area indicated by red arrows.
Thus, the probabilistic assessment methodology allows the company's management to calculate the options for solutions, hypothetically put forward after identifying and identifying risks. The most acceptable option is selected. However, one should not forget that each option has its own price, and in our example, an increase in the duration of lending will entail additional costs for servicing a bank loan.
Application of the VaR method in risk assessment
The work shown in the example above is useful at the planning stage, when the project has not yet started and the need to identify the loan maturity is high. Risk analysis methods, in addition to the considered assessment option, include another interesting method called VaR. VaR should be understood as such a value of a parameter (loss, loss, damage) that can appear with a probability 1-α, where α is the confidence probability that we assign ourselves.
In other words, the VaR estimate assumes that with a confidence level α it is possible to consider with confidence possible losses that will not exceed a given value. The original VaR formula is reflected in the graphical model of the normal distribution density curve at # 7a, located slightly below. We set the confidence level as an image of personal perception of the degree of reliability of the answer to our question. For example, a confidence level of 0.95 means that in 95% of cases our expectations will be met, and in 5% unfavorable events for us will occur. Variants of a brief definition of VaR in riskology:
- risk value;
- cost of risk;
- cost versus risk.
Model of VaR location on the normal distribution density curve
Let's go back to our example. To reduce the risk, we need to shift the loan duration to the right along the curve, and, as we have already noted, the risk value will begin to rise. The additional charge will arise from interest costs. If the economics of the project does not allow increasing the cost of attracted resources, then the duration of lending can, on the contrary, be reduced (shift the duration of the loan to the left). Below, on the image of the normal distribution curve, for example, the application of formula 7 is shown for the described time shifts. Red arrows show the area corresponding to the remaining risk of losses after the implementation of solutions.
Changes in the risk value during manipulations with the VaR indicator
Until now, we have viewed VaR as an idealized form of risky maneuvering. A number of assumptions were made that the mean time x, standard deviation and distribution shape are known. In reality, things are often different. In most cases, management has only statistical information, and everything else has to be difficult to calculate for yourself. Therefore, the VaR method includes types of implementation options, the classification of which takes into account the information specificity and the method of calculation. There are the following options for calculating VaR:
- probabilistic (analytical) methods;
- statistical methods;
- imitation techniques (in conditions when there are no statistics).
Statistical methods of risk assessment
In the case when we do not know the normal distribution law of the estimated parameter, and only a set of statistical data is available, we can still calculate the risk. First, you have to find out the average result, that is, find the point around which the values \u200b\u200bscatter. To do this, use the formula for No. 9 from the group below.
Composition of formulas for statistical methods of risk assessment
Next, we have to find out how far or how close to the obtained average value all other observation “points” are grouped. The point is that risk is directly related to the magnitude of the spread. For a risk measure, the parameter is quite suitable - the standard deviation, which is calculated according to the formula for No. 13. If the risky decision that the company's management intends to make is quite important, then it is preferable to use the calculation of variance in addition to the specified formula (11).
The fourth indicator of statistical methods - the variation in the deviation of the result (15) - is useful when comparing solutions for two alternative options for which it is difficult to decide which is more important: risk minimization or the analyzed parameter (income, damage, losses). Let us explain this using the example of the visual model for comparing solution options presented below.
Model for making a risk decision on the ratio of risk and reward
In this case, the risky decision related to the company's income is considered again. To begin with, consider the most difficult option: points S and F. In practice, it often happens like this: solution S gives both higher income and greater risk compared to option F. In this case, the indicator of variation of the result deviation is very useful (15). On the basis of this indicator, the solution is selected for which the risk value is one unit of income less. Among options C, B and A, A is chosen, which has a lower risk with a single value of income. Of the two solutions D and E, the preference is given to the option E, which carries more income with the same risk.
So far, we have considered statistical methods for assessing risk, taking into account the extrapolation of values \u200b\u200bobserved in the past into the future. It was assumed that the main trends will be maintained. In fact, tendencies often tend to break. If we refuse to extrapolate, then we need to apply the scenario method, which takes into account the probability of one or another scenario for the development of events for the parameter under study. Consequently, the formulas should receive a mechanism for correcting calculations for the probability of the assumed scenarios. The modified formulas are presented above at numbers 10, 12 and 14.
Application of elements of game theory
In the practice of project activities, even more difficult situations are encountered when at least minimal statistics are absent and it is not possible to apply statistical and probabilistic methods. Suppose we are considering three new areas of activity A1, A2, A3 and four design solutions P1, P2, P3, P4. The starting question almost always arises: what criterion will we use to choose a solution? In such a case, it is necessary to perform an expert analysis of risks using elements of the game with selected rules or criteria from several variations.
Decision Making Model Under Uncertainty Based on a Design Case
The initial information for finding the optimal solution is formed in matrix form. The first income matrix is \u200b\u200bconstructed by analogy with the so-called “playing with nature” matrix, similar to how people guess the state of the weather. The element of the matrix is \u200b\u200bformed as the expected gain of the subject when he implements option A (income) and the state of the environment P (project). The risk matrix or the matrix of missed opportunities is the second information block of the solution search system, derived from the first. This method, although it does not differ in accuracy, nevertheless, allows you to organize the available information and evaluate the "gain-loss" ratio in various combinations. The following criteria are used to make a risk decision.
- Maximax principle. It is used to select an option on the assumption that events will develop according to the most favorable scenario: the best income among directions, the best income among projects.
- Wald's principle. The best worst case implementation is selected.
- Savage's principle. The lowest value of the maximum design risks is selected. Risks are calculated as follows: the maximum value of income by columns (projects) is taken and taken as a zero risk value. All other risk values \u200b\u200bin the column are calculated by subtracting the position's return value from the maximum return.
- Hurwitz criterion. An American economist of Russian origin introduced a coefficient that takes into account the analyst's subjective attitude to risk. This procedure allows you to narrow down the scope of decisions.
Risk indicators and methods of its assessment provide a key opportunity to make important decisions and plan measures to minimize it. This is of particular importance in design and investment activities. Therefore, this article is of interest primarily to project managers. Its topic is quite complex, although there is practically no higher mathematics in it, but questions of the theory of probability and mathematical statistics are not easily perceived by everyone. Nevertheless, it is imperative to go into the zone of practical methods of risk assessment, possibly overcoming internal discomfort. Unambiguously, having mastered them first at an elementary level, RM will get a completely different, qualitatively better result of projects at the exit.
