Risk management involves identifying, assessing, and prioritizing risks, then applying resources to minimize their impact or maximize opportunities. There are typical business risks like strategic, operational, compliance and financial risks. Risk management processes include establishing the context, identifying risks, assessing them, developing risk strategies, implementing a risk management plan, reviewing and communicating. Key strategies for addressing risks include transferring risks, avoiding risks, reducing risks, and accepting risks.
2. WHAT IS RISK MANAGEMENT
Risk management is the identification, assessment, and prioritization of risks, followed by the coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events, or to maximize the realization of opportunities.
3. TYPICAL BUSINESS RISKS
Risk categories, risk classes and risks (the four columns of the original table, rebuilt as a list):

I. STRATEGIC
  1. Macroeconomic: 1.1 Economy; 1.2 Political risk; 1.3 Disaster
  2. Industry / market changes: 2.1 Market action; 2.2 Capacity expansion; 2.3 New entrants; 2.4 Imports; 2.5 Complementors
  3. M&A / restructuring: 3.1 M&A / JV / divestments; 3.2 Restructuring / integration; 3.3 Competitor M&A
  4. Reputation: 4.1 Health & Safety; 4.2 Sustainable development; 4.3 Corporate governance

II. OPERATIONAL
  5. Innovation: 5.1 Business / product portfolio; 5.2 Corporate / product branding; 5.3 Product quality and liability; 5.4 Sales; 5.5 Services
  6. People: 6.1 Skilled talent; 6.2 Labor relations; 6.3 Productivity / projects
  7. IT: 7.1 Cybersecurity; 7.2 Outsourcing
  8. Supply chain: 8.1 Own capacity; 8.2 Sourcing suppliers; 8.3 Raw materials; 8.4 Energy; 8.5 Procurement; 8.6 Logistics; 8.7 Business interruption

III. COMPLIANCE
  9. Regulatory: 9.1 Permits; 9.2 Sanctions
  10. Litigation
  11. Business conduct: 11.1 ABC, AML, CTF; 11.2 FCD
  12. Environmental: 12.1 Emissions

IV. FINANCIAL
  13. Treasury: 13.1 Liquidity risk; 13.2 Currency risk; 13.3 Interest rate risk; 13.4 Commodity price risk; 13.5 Credit rating risk; 13.6 Insurance risk; 13.7 Counterparty risk
  14. Tax
  15. Pensions
  16. Reporting: 16.1 Use of estimates; 16.2 Loss exposures

Note: Mergers & Acquisitions (M&A), Anti-Bribery & Corruption (ABC), Anti-Money Laundering (AML), Counter Terrorism Financing (CTF), Fair Competition Directive (FCD)
4. INTANGIBLE RISK MANAGEMENT
• Intangible risk management identifies a new type of risk that has a 100% probability of occurring but is ignored by the organization due to a lack of identification ability. For example:
  - When deficient knowledge is applied to a situation, a knowledge risk materializes.
  - Relationship risk appears when ineffective collaboration occurs.
  - Process-engagement risk may be an issue when ineffective operational procedures are applied.
• These risks directly reduce the productivity of knowledge workers and decrease cost effectiveness, profitability, service, quality, reputation, brand value, and earnings quality.
• Intangible risk management allows risk management to create immediate value from the identification and reduction of risks that reduce productivity.
5. INTERNAL CONTROL
Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Efficiency and effectiveness of operations
• Reliability of reporting
• Compliance with laws and regulations
The five pillars of internal control are:
• Control environment
• Risk assessment
• Control activities
• Monitoring
• Information and communication
6. ENTERPRISE RISK MANAGEMENT
COSO Framework of Enterprise Risk Management
Enterprise risk management is:
• a process effected by an entity's board of directors, management and other personnel,
• applied in strategy setting and across the enterprise,
• designed to identify potential events that may affect the entity and manage risks to be within its risk appetite,
• to provide reasonable assurance regarding the achievement of entity objectives.
The COSO framework consists of eight interrelated components:
• Internal or control environment
• Objective setting
• Event identification
• Risk assessment
• Risk response
• Control activities or procedures
• Information and communication
• Monitoring
7. UNCERTAINTY
Knight introduced a technical distinction between risk and uncertainty:
• Risk is a quantification of the potential variability in a value based on past data (e.g. how many life assurance policy holders will live beyond the age of 65).
• Uncertainty, on the other hand, is non-quantifiable (e.g. whether a key customer will be retained for the next two years).
Strictly speaking, risk should therefore be defined as a measure of the variability in the value of a factor that is capable of statistical or mathematical evaluation.
• In practice, the distinction between risk and uncertainty is blurred. Huge losses by insurance underwriting syndicates show that assessments of risk used in insurance have been compromised by unanticipated events such as flooding and hurricanes from climate change, and by claims for industrial injury resulting from asbestos and stress.
• Despite using terms like risk, many business strategies are actually taking place in situations of uncertainty. A management team that only undertakes strategies in which the likelihood of success or failure can be precisely quantified would launch no products, enter no new markets and research no new technologies.
8. PROCESS
• According to the standard ISO 31000 "Risk management -- Principles and guidelines on implementation," the process of risk management consists of the following steps:
  - Establishing the context
  - Identification
  - Assessment
  - Risk strategies
  - Risk management plan
  - Implementation
  - Review and evaluation of plan
  - Communication
9. ESTABLISHING THE CONTEXT
• Establish the internal context
  - Risk is essentially the chance that an event will occur that will prevent the company from meeting its objectives. Therefore, in order to understand the risks, you must first identify the objectives.
• Establish the external context
  - The external context is the overall environment in which the business operates, including an understanding of the perceptions that clients or customers have of the business. This could take the form of a SWOT analysis. It should also cover such issues as external regulations that the business must comply with.
• Establish the risk management context
  - In order to correctly identify risks associated with a project, you must first define the project limits, objectives and scope. This may include identifying:
    - The timeframe of the project
    - Additional resources and expertise required
    - Team members' roles and responsibilities
    - Documentation required
• Develop risk criteria
  - This step allows the business to identify unacceptable levels of risk or, looking at it another way, to define the acceptable level of risk for a particular project. These risk levels can be more closely defined as the process progresses.
  - Once acceptable or unacceptable risks have been identified for each activity, these can be used to assess the different risks associated with the project and to determine whether those risks need to be controlled.
  - Any risk that results in any or all of the project's objectives not being met will be deemed unacceptable, and a strategy for controlling such risks must be developed.
• Define the structure for risk analysis
  - The final step in the establishment of context is to define the structure for risk analysis. This involves isolating the risk categories that need to be managed, which can then be assessed individually.
  - Risk categories vary according to the project but may include such areas as:
    - Security (such as the security of company installations)
    - Finance (the project must come in on budget)
    - Transport (what happens if the vehicle carrying computer equipment and general documentation breaks down?)
10. IDENTIFICATION
After establishing the context, the next step in the process of managing risk is to identify potential risks. Risks are about events that, when triggered, cause problems. Hence, risk identification can start with the source of problems or with the problem itself.
• Source analysis: Risk sources may be internal or external to the system that is the target of risk management.
  - Examples of risk sources are: stakeholders of a project, employees of a company, the weather over an airport, or customers.
• Problem analysis: Risks are related to identified threats. For example: the threat of losing money, the threat of abuse of privacy information, or the threat of accidents and casualties. The threats may exist with various entities, most importantly with shareholders, customers and legislative bodies such as the government.
When either the source or the problem is known, the events that a source may trigger or the events that can lead to a problem can be investigated. For example:
• Customers may default, causing loss to the company;
• Privacy information may be stolen by employees even within a closed network.
11. RISK IDENTIFICATION TECHNIQUES
The chosen method of identifying risks may depend on culture, industry practice and compliance. The identification methods are formed by templates, or by the development of templates, for identifying the source, problem or event. Common risk identification methods are:
• Objectives-based risk identification: Organizations and project teams have objectives. Any event that may endanger achieving an objective partly or completely is identified as a risk.
• Scenario-based risk identification: In scenario analysis different scenarios are created. The scenarios may be the alternative ways to achieve an objective, or an analysis of the interaction of forces in, for example, a market or battle. Any event that triggers an undesired scenario alternative is identified as a risk.
• Taxonomy-based risk identification: The taxonomy in taxonomy-based risk identification is a breakdown of possible risk sources. Based on the taxonomy and knowledge of best practices, a questionnaire is compiled. The answers to the questions reveal risks.
• Common-risk checking: In several industries, lists of known risks are available. Each risk in the list can be checked for application to a particular situation.
• Risk charting: This method combines the above approaches by listing resources at risk, threats to those resources, modifying factors which may increase or decrease the risk, and the consequences it is wished to avoid. Creating a matrix under these headings enables a variety of approaches. One can begin with resources and consider the threats they are exposed to and the consequences of each. Alternatively, one can start with the threats and examine which resources they would affect, or one can begin with the consequences and determine which combination of
12. ASSESSMENT
• A risk assessment is a process to identify potential hazards and analyze what could happen if a hazard occurs. A business impact analysis (BIA) is the process for determining the potential impacts resulting from the interruption of time-sensitive or critical business processes.
• There are numerous hazards to consider. For each hazard there are many possible scenarios that could unfold depending on the timing, magnitude and location of the hazard.
• There are many "assets" at risk from hazards. First and foremost, injuries to people should be the first consideration of the risk assessment.
• Hazard scenarios that could cause significant injuries should be highlighted to ensure that appropriate emergency plans are in place.
• Many other physical assets may be at risk. These include buildings, information technology, utility systems, machinery, raw materials and finished goods. The potential for environmental impact should also be considered.
• Consider the impact an incident could have on your relationships with customers, the surrounding community and other stakeholders. Consider situations that would cause customers to lose confidence in your organization and its products or services.
• As you conduct the risk assessment, look for vulnerabilities (weaknesses) that would make an asset more susceptible to damage from a hazard. Vulnerabilities include deficiencies in building construction, process systems, security, protection systems and loss prevention programs. They contribute to the severity of damage when an incident occurs.
• For example, a building without a fire sprinkler system could burn to the ground, while a building with a properly designed, installed and maintained fire sprinkler system would suffer limited fire damage.
14. COMPOSITE RISK INDEX
• The above formula can also be re-written in terms of a Composite Risk Index, as follows:
  Composite Risk Index = Impact of Risk Event x Probability of Occurrence
• The impact of the risk event is commonly assessed on a scale of 1 to 5, where 1 and 5 represent the minimum and maximum possible impact of an occurrence of a risk (usually in terms of financial losses). However, the 1 to 5 scale can be arbitrary and need not be linear.
• The probability of occurrence is likewise commonly assessed on a scale from 1 to 5, where 1 represents a very low probability of the risk event actually occurring while 5 represents a very high probability of occurrence. This axis may be expressed either in mathematical terms (event occurs once a year, once in ten years, once in 100 years, etc.) or in plain English (event has occurred here very often; event has been known to occur here; event has been known to occur in the industry; etc.). Again, the 1 to 5 scale can be arbitrary or non-linear depending on decisions by subject-matter experts.
• The Composite Index can thus take values ranging (typically) from 1 through 25, and this range is usually arbitrarily divided into three sub-ranges. The overall risk assessment is then Low, Medium or High, depending on the sub-range containing the calculated value of the Composite Index. For instance, the three sub-ranges could be defined as 1 to 8, 9 to 16 and 17 to 25.
• Note that the probability of risk occurrence is difficult to estimate, since past data on frequencies are not readily available, as mentioned above. After all, probability does not imply certainty.
• Likewise, the impact of the risk is not easy to estimate, since it is often difficult to estimate the potential loss in the event of risk occurrence.
• Further, both of the above factors can change in magnitude depending on the adequacy of the risk avoidance and prevention measures taken, and due to changes in the external business environment.
• Hence it is absolutely necessary to periodically re-assess risks and intensify/relax mitigation
16. RISK IMPACT / PROBABILITY CHART
• Low impact/Low probability: Risks in the bottom left corner are low level, and you can often ignore them.
• Low impact/High probability: Risks in the top left corner are of moderate importance. If these things happen, you can cope with them and move on. However, you should try to reduce the likelihood that they'll occur.
• High impact/Low probability: Risks in the bottom right corner are of high importance if they do occur, but they're very unlikely to happen. For these, however, you should do what you can to reduce the impact they'll have if they do occur, and you should have contingency plans in place just in case they do.
• High impact/High probability: Risks towards the top right corner are of critical importance. These are
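A worked scoring of the Composite Risk Index (section 14) and placement on the impact/probability chart (section 16), added here as an example; it is not code from the original slides. The 1-5 scales and the 1-8 / 9-16 / 17-25 sub-ranges come from the text; the sample risk register, the rule that 4 and 5 count as "high" on the chart, and all function names are assumptions made for the example.

```python
"""Composite Risk Index scoring and impact/probability chart placement.

Added example: the scales and sub-ranges follow the slides, while the
sample register, the HIGH_THRESHOLD rule and the names are assumptions.
"""
from dataclasses import dataclass

# Composite index sub-ranges from the deck: 1-8 Low, 9-16 Medium, 17-25 High.
BANDS = ((1, 8, "Low"), (9, 16, "Medium"), (17, 25, "High"))

# Chart guidance per quadrant, paraphrased from section 16. Treating 4 and 5
# as the "high" half of a 1-5 axis is an assumption of this example.
HIGH_THRESHOLD = 4
QUADRANT_ADVICE = {
    (False, False): "low level; can often be ignored",
    (False, True): "moderate; cope if it happens, but reduce the likelihood",
    (True, False): "high if it occurs; reduce the impact and keep contingency plans",
    (True, True): "critical importance",
}


@dataclass(frozen=True)
class Risk:
    name: str
    impact: int       # 1 = minimum .. 5 = maximum impact (e.g. financial loss)
    probability: int  # 1 = very low .. 5 = very high likelihood


def _check_scale(value: int, label: str) -> None:
    """Reject anything outside the 1..5 rating scale before it is multiplied."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{label} must be an integer in 1..5, got {value!r}")


def composite_risk_index(impact: int, probability: int) -> int:
    """Composite Risk Index = Impact of Risk Event x Probability of Occurrence."""
    _check_scale(impact, "impact")
    _check_scale(probability, "probability")
    return impact * probability


def risk_band(index: int) -> str:
    """Map a composite index (1..25) onto the deck's Low/Medium/High sub-ranges."""
    for low, high, label in BANDS:
        if low <= index <= high:
            return label
    raise ValueError(f"composite index {index} is outside 1..25")


def quadrant(impact: int, probability: int) -> tuple[str, str]:
    """Place a risk on the impact/probability chart; return (quadrant, advice)."""
    hi_impact = impact >= HIGH_THRESHOLD
    hi_prob = probability >= HIGH_THRESHOLD
    name = (f"{'High' if hi_impact else 'Low'} impact/"
            f"{'High' if hi_prob else 'Low'} probability")
    return name, QUADRANT_ADVICE[(hi_impact, hi_prob)]


def assess_register(risks: list[Risk]) -> list[dict]:
    """Score every risk and return the register sorted highest index first."""
    rows = []
    for r in risks:
        idx = composite_risk_index(r.impact, r.probability)
        quad, advice = quadrant(r.impact, r.probability)
        rows.append({"name": r.name, "index": idx, "band": risk_band(idx),
                     "quadrant": quad, "advice": advice})
    return sorted(rows, key=lambda row: row["index"], reverse=True)


# Constructed sample register; the ratings are illustrative, not from the deck.
SAMPLE_REGISTER = [
    Risk("Ransomware on file servers", impact=5, probability=4),
    Risk("Key customer not retained", impact=4, probability=2),
    Risk("Office printer outage", impact=1, probability=5),
    Risk("Backups unusable through lack of testing", impact=4, probability=3),
]

if __name__ == "__main__":
    for row in assess_register(SAMPLE_REGISTER):
        print(f"{row['index']:>2} {row['band']:<6} {row['quadrant']:<28} {row['name']}")
```

Because the sub-range boundaries are the deck's own (8/9 and 16/17), a risk rated 4 x 2 = 8 lands in Low while 4 x 3 = 12 lands in Medium, which is the kind of edge the re-assessment bullet above is warning about.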
17. RISK STRATEGIES
• Once risks have been identified and assessed, all techniques to manage the risk fall into one or more of these four major categories:
  - Transfer (transfer: outsource or insure)
  - Avoidance (eliminate, withdraw from or not become involved)
  - Reduction (optimize: mitigate)
  - Accept (accept and budget)
Transfer
• Risks can be transferred through insurance or outsourcing. Financial risks can be transferred by hedging.
Avoidance
• Avoidance may seem the answer to all risks, but avoiding risks also means losing out on the potential gain that accepting (retaining) the risk may have allowed.
• Hazard prevention refers to the prevention of risks in an emergency. The first and most effective stage of hazard prevention is the elimination of hazards. If this takes too long, is too costly, or is otherwise impractical, the second stage is mitigation.
18. RISK STRATEGIES
Risk Reduction
• Risk reduction or "optimization" involves reducing the severity of the loss or the likelihood of the loss occurring. For example:
  - Sprinklers are designed to put out a fire to reduce the risk of loss by fire. This method may cause a greater loss by water damage and therefore may not be suitable.
  - Halon fire suppression systems may mitigate that risk, but the cost may be prohibitive as a strategy.
  - An offshore drilling contractor that effectively applies HSE management in its organization can optimize risk to achieve levels of residual risk that are tolerable.
  - Modern software development methodologies reduce risk by developing and delivering software incrementally.
Risk reduction controls generally fall into the following categories:
• Prevention: SOD (segregation of duties), authorizations, security of assets
• Detection: review of performance, reconciliations, physical checks, audits
• Directive: corporate policies, spending limits
• Corrective: corrective journal entries, controls after cyber attacks or virus attacks
• Manual or system based
19. CREATE A RISK MANAGEMENT PLAN
• Select appropriate controls or countermeasures to address each risk.
• Risk mitigation needs to be approved by the appropriate level of management. For instance:
  - a risk concerning the image of the organization should have a top management decision behind it,
  - whereas IT management would have the authority to decide on computer virus risks.
• The risk management plan should propose applicable and effective security controls for managing the risks. For example, an observed high risk of computer viruses could be mitigated by acquiring and implementing antivirus software.
• A good risk management plan should contain a schedule for control implementation and the persons responsible for those actions.
• According to ISO/IEC 27001, the stage immediately after completion of the risk assessment phase consists of preparing a Risk Treatment Plan, which should document the decisions about how each of the identified risks should be handled.
20. IMPLEMENTATION OF PLAN
Implementation follows all of the planned methods for mitigating the effect of the risks:
• purchase insurance policies for the risks that have been decided to be transferred to an insurer,
• avoid all risks that can be avoided without sacrificing the entity's goals,
• reduce others,
• and retain the rest.
21. REVIEW AND EVALUATION OF THE PLAN
• All risk management plans must be monitored to ensure that
  - they are achieving the desired results, and
  - changes to the project's risk profile are reflected.
• As with any process, evaluation of risk management plans is essential to ensure that they are performing to expectations. Managers and stakeholders in the risk management process should consider such areas as:
  - How successful was the plan, and were the benefits and costs at the predicted levels?
  - In the light of the above, are any changes needed to improve the plan?
  - Would the plan have benefited from the availability of additional information?
• You can think of risk monitoring as being similar to an audit of the risk management process. Various tests will be carried out to determine whether individual controls are working properly, and recommendations made in the light of the results.
• However, unlike auditing, risk management monitoring does not take place only on an annual basis. Risk management is a continuous process.
• The environment in which organizations work changes constantly, and with those changes come different risks, all of which should be analyzed and incorporated into the process.
22. EXAMPLES OF RISK MONITORING PROCESSES INCLUDE:
• Regular review of projects against specific cost and compliance milestones
• Systems of notification of incidents (e.g. accidents at work, aircraft near misses)
• Internal audit functions (e.g. financial, systems security, compliance with health and safety)
• Employment of compliance monitoring staff
• Skills assessment and medical examinations of staff and managers to assure compliance with fitness to work
• Practices and drills to confirm readiness (e.g. fire drills, evacuations, disruptions to operations)
• Intelligence gathering on occurrences elsewhere (e.g. experience of frauds, equipment failures, outcome of legal cases)
• Monitoring of the regulatory framework of the industry to ensure compliance
The monitoring and review process should also establish whether:
• The controls adopted achieved the desired results
• The procedures adopted and information gathered for undertaking the assessment were appropriate
• Improved knowledge would have helped to reach better decisions, identifying what lessons could be learnt for future assessments
23. RISK COMMUNICATION
Internal communication and learning
Effective and efficient communication is vital for the business, as it is essential that:
• Everyone in the risk management process is fully familiar with its importance to the business, the risk priorities of the business and their role within the process.
• Knowledge gleaned from any new risk identified by one area of the business, or any lessons learnt from risk events, is transferred to all other areas of the business in a considered and consistent manner, so that it can be correctly incorporated into the business-wide risk management strategy.
• All levels of management are regularly updated about the management of risk in their areas of responsibility, to enable them to monitor the adequacy and completeness of any risk plans and controls.
• There are procedures in place for escalation of any issues arising.
External communication and learning
• No organization operates in isolation; they all have trading partners, customers and suppliers. Management must gain assurance that its major partners have implemented an adequate and appropriate risk management strategy.
24. INFORMATION TECHNOLOGY RISKS
The major risks from IT systems could arise from:
• Natural threats: fire, flood, etc.
• Human threats: individuals with a grudge against the organisation
• Data systems integrity: incorrect entry of data, loss of data through lack of backup
• Fraud: dishonest use of the computer system
• Deliberate sabotage: industrial espionage
• Viruses and other corruption, including hacking
• Denial of Service attack: an attempt by attackers to prevent computer use
• Non-compliance with regulations: normally subject to internal and external compliance
25. COMBATING IT RISKS AND IT SECURITY
• The ISO Code of practice for information security management recommends that the following be examined during a risk assessment:
  - security policy,
  - organization of information security,
  - asset management,
  - human resources security,
  - physical and environmental security,
  - communications and operations management,
  - access control,
  - information systems acquisition, development and maintenance,
  - information security incident management,
  - business continuity management, and
  - regulatory compliance.