What is risk?
The definition used in ISO Guide 73:2009 Vocabulary for Risk Management is: “…the effect of uncertainty on objectives.” It is important to note that risk is not just uncertainty of future events; it is the uncertainty of the effect of specific events which could have an impact on achieving the objectives of an organization.
It is recognized that the risk caused by uncertain events can have either:
• Beneficial effects (such as share price performing well – this is upside risk)
• Negative effects (such as interest rates increasing on borrowed money – this is downside risk).
Strategic risk
These risks will affect the achievement of Board level objectives and are generally relatively static in nature:
Political – relating to political policy which may affect the marketplace in which the organization is operating
Economic – relating to economic changes, such as interest rates or foreign exchange rates, or the consequences of investment decisions
Competitive – relating to the ability to deliver a competitive product or service
Environmental – relating to the environmental consequences of progressing the objectives of the organization (e.g. energy efficiency, carbon emissions, pollution, recycling, climate change)
Operational risk
These are risks likely to be faced on a day-to-day basis by managers:
Financial – relating to financial planning and control, such as the performance of investments and adequacy of insurances
Contractual – relating to contractors delivering services or products to the agreed cost and
What is risk management?
Risk management includes the identification and analysis of risks (both upside and downside) to which an organization is exposed, the assessment of potential impacts on the business, and deciding what action can be taken to eliminate or reduce downside risk, or to exploit or enhance upside risk. Risk management is not intended to eliminate all risk. Risk is an intrinsic part of enterprise and, when fully implemented, a comprehensive risk management process can actually encourage increased appetite for risk, because risks in existing programs have been identified and their impact is being managed.
Why have a risk management system?
It may seem that the risks to an organization are obvious, and that other risks are of such a low impact or likelihood that a formalized management system is unnecessary. In the short term this may seem to be a viable cost-saving option; however, it is not a good footing to ensure the long-term sustainability of an organization.
Guidelines for risk management
Standards
There are a number of different
risk management processes and standards, but for the most part, they have the
following stages:
1. Identify and characterize risks
To identify the risks, the objectives of an organization must be clearly outlined – the high level risks can then be identified. Identification of risks should be done by external consultants or in-house. The latter can be beneficial: owing to the additional knowledge of internal processes, available resources and business objectives, ownership of the process is likely to be greater. Identification of risks can be done at Board level to identify overall strategic level risks, but risks identified by other parts of the organization, which can show their operational risks, should also feed into the process.
Risks can be identified for the organization through methods such as:
• Scenario Analysis
• Brainstorming
• Internal Questionnaires
• Industry Benchmarking
• Lessons Learnt Feedback
Identification should be approached in a methodical way to ensure all activities of a business have been articulated, as well as the risks that result from them. External consultants may be used to assist the process, although in-house expertise and knowledge are essential. Using internal resources also aids the ownership of the risk management process.
2. Assess risks
Once identified, risks need to be
assessed according to:
• Likelihood of occurrence
• Impact on objectives
The results can be depicted in a conventional grid matrix such as the simple matrix above. The estimation of the impact can be in qualitative or quantitative terms. The key issue is for the Board to understand which risks are unacceptable to them and to be able to decide how they are to manage those risks.
3. Evaluate risks
Once risks have been assessed, they
can be prioritized in terms of their impact and likelihood of occurrence.
Consideration should be given to more than just the financial impact on an organization
and its objectives. Legal, environmental, social and moral aspects of the risks
are also factors; for example, one risk can result in only a minor financial
loss but also a very big reputational loss (from any negative media coverage
that might follow). Risk evaluation is used to decide what the significance of
risks to the organization is and whether each risk should be accepted or
managed.
4. Manage risks
In order to determine how to manage risks, the acceptable level of exposure to risk, or risk appetite, needs to be determined. This risk appetite is subjective according to each organization – factors which can be taken into account in deciding this are:
Cost effectiveness – what is the cost relationship between implementing the change and the expected risk reduction benefits?
Compliance – any controls in place must comply with the law
Stakeholders – what risk reduction measures would stakeholders expect?
The approach to managing the
various risks identified will be dictated by the likelihood and potential
impact of the risk, in conjunction with the risk appetite of the organization.
The strategies to manage the identified downside risk include:
• Transferring (e.g. insurance cover – paying a third party to take the impact of the risk if it occurs)
• Avoiding the risk (e.g. ceasing an activity in a certain area)
• Reducing the negative effect of the risk (e.g. through internal controls, such as introducing a new procedure to reduce errors)
• Accepting some or all of the negative impact of the risk (e.g. if the cost of reducing risk is too high, then the Board may decide to accept the risk and its possible impact)
Where the risks identified are upside risks, there are strategies to manage these too:
• Exploit – removing the uncertainty by seeking to make the opportunity definitely happen
• Share – passing ownership to a third party best able to manage the opportunity and maximize the chance of it happening
• Enhance – increasing its probability and/or impact to maximize the benefit to the project
• Accept – adopting a reactive approach without taking explicit actions
5. Reporting and Monitoring
To achieve the desired outcomes, the findings of the risk management process need to be communicated effectively. This will enable those in charge of business units to be aware of risks which fall in their area, and understand the impact the possible risks will have on themselves and other areas of the organization. It will also allow individuals within the organization to understand the wider impact of their actions and understand their accountability for their risk, thereby building risk management into an organization’s culture.
Risk management is
most effective when embedded into existing systems which are established and
accepted, rather than creating stand-alone systems.
Ongoing regular monitoring, usually with a developed risk register, of current and potential risks is also important, as:
• Existing controls need to be examined to determine that they are still effective in controlling the risk, operating in an efficient manner and cost-effective
• The risk levels in the organization may have changed
• New risks may emerge
Making it stick
For risk management to be effective, it has to be embedded within the culture of an organization so that risk management becomes just the way business is done. There is no concrete process for this to occur, but the following are some guidelines:
Build on existing foundations
Risk management should be seen to be part of efficient existing processes. For example, the identification of risk (and opportunities) should be part of the business planning process whenever it is formulated or revised.
Risk Assessment Seminars
These allow members of the organization to gain an understanding and appreciation of risk. The objective of the workshop is to gain consensus as to the real risks the organization faces, and why later control measures are in place.
Champions
Particular individuals who may have a risk management element in part of their jobs (e.g. health and safety manager/investment manager) could be identified, if they are willing to act as champions for the process. These individuals can help an organization, through advocacy, to adopt a culture in which risk management is a fully embedded part of daily activities.
By communicating with the whole organization
via a number of different mechanisms, risk management should be demonstrated as
being able to provide tangible value to individuals within the organization. Individuals
will then understand and realize that early identification of constraints and
uncertainties can provide for timely management decisions, reduced costs and
increased job security.
Benefits
Some of the benefits of having an
effective risk management system are set out below. The extent to which these
benefits are realized depends on a number of factors such as: the thoroughness
of the initial evaluation, the regularity of review and follow up, and the
communication and embedding of the risk management process throughout an organization.
• A systematic, well-informed and thorough method of decision making
• Fewer financial surprises with unforeseen costs
• Faster decision making and taking
• A greater likelihood of a more predictable, secure income stream
• Stakeholders of the organization are likely to be reassured
• A reduced likelihood of reputation damage
• Access to opportunities that an organization may otherwise not have been aware of, and a faster grasp of such opportunities
• Protection of the organization’s image and reputation
• A better basis for the allocation of resources
• Greater likelihood of achieving the organization’s objectives
Conclusion
An effective risk management system will tread the middle ground between being so insufficiently thorough in identifying potential risks that an organization is vulnerable to volatility through disruption, and being so burdensome that an organization is prevented from operating and seizing new opportunities. When risk management is embedded within an organization and its culture, it should help anticipate what could go wrong and speculate what could be an opportunity. Examining both of these aspects should improve the probability of business growth, cost savings and profitability.
Culled from CMI