AB Article - Dynamics of Risk - Nov 2010


Dynamics of Risks – Responding with Evolving Risk Management
by Ramesh Ruben Louis, CA(M), CPA(M), CFP

Everyone is exposed to risk in some form or manner – some catastrophic, some negligible. It is
inevitable, so long as one is alive and kicking (there are some who “claim” that certain risks
exist in the grave as well!). One deals with risk by managing it, and businesses are no
exception. Risk management encompasses the methods and processes used by
organisations to manage risks and seize opportunities in relation to the achievement of their business
objectives. It typically involves identifying particular events or circumstances relevant to the
organisation's objectives, assessing them in terms of likelihood and magnitude of impact,
determining a response strategy, and monitoring progress. By identifying and proactively
addressing risks and opportunities, enterprises protect and create value for their stakeholders, who
include their owners, employees, customers, regulators, and the public at large.

As risks change with the dynamics of environment, technology, market trends, etc., so too must
risk management evolve to effectively address the risks that an organisation would face.

Dynamics of Risks – just when you thought you had it....

More often than not, the risks that an organisation is exposed to will change in tandem with changes in
the environment where it operates. A good way to look at the dynamics of risk is from the
perspective of the probability (or likelihood) of the risk occurring and the impact of the risk on the
organisation and its stakeholders (i.e. in terms of financial, reputation, market share/positioning,
business continuity, etc.). This is part of risk 101. While many organisations that implement risk
management already know this, what most fail to realise is that this process of identifying and
assessing the likelihood-impact of risks MUST BE UPDATED constantly at regular intervals, at
least annually. The failure to do so will not only result in outdated mechanisms to address risk,
whereby new/emerging risks may not have been incorporated or previously identified risks are
excessively managed (because the likelihood-impact may have reduced), but also in the allocation of resources
to manage the risks being poorly matched or even mismatched. Having put a risk management mechanism
in place but not updating and aligning it with changes is, in fact, an “artificial sense of security”.

Depending on the type of business and industry that an organisation is in, the rate of change taking
place in its environment (especially the external/macro environment) could be rapid. The IT
sector, for example, changes so fast that a technology developed and the way it is “consumed” by
customers today becomes almost obsolete tomorrow! And when players in that sector compete to
outdo each other, the risks associated with their business, their product/service and their customers
inevitably change too; some for the better, some for the worse.

Let’s take an airline business in Asia Pacific as an illustration and chart some key risks that it
faced over the past 10-year time horizon (from 2000 to 2010). It may look something like this:

[Chart: risk level (Low to High) plotted against year (2000, 2002, 2004, 2006, 2008, 2010) for the following risks: labour risk (shortage/competency); fuel price risk; competition risk from LCC; environmental risks; regulatory risks (carbon emission, open skies); safety risks; economic downturn]

Figure 1: Risk positioning for airline business in Asia Pacific 2000 - 2010

Using the risk positioning depicted in Figure 1 as an illustration of the evolution of key risks, it is
rather obvious that the risks of an organisation have the potential to change across time when its
environment changes. If we were to analyse Figure 1, we can see that risks such as environmental and
regulatory risks (including concerns and policies/standards on carbon emissions and open skies) are
on an uptrend, while labour-associated risks are stabilising and risks such as safety, economic
downturn and fuel price are somewhat taking a yoyo trend. Competition risk from low cost carriers,
which blossomed post-2000 (especially after Air Asia gained momentum and eroded the market share
of other carriers in the region), seemed a major risk to be reckoned with, but somehow other airlines
were able to get around it in recent years.

What is clear from the illustration above is that risks in terms of probability-impact may increase,
decrease, move up and down or even witness marginal movement from time to time. It is therefore
critical that risk management take a dynamic and evolving stand as well, so as to be ready to address
these risks as and when they occur.

Pro-Active Risk Management – taking the bull by its horns!

In order for risk management (“RM”) to be effective and successful, it must possess, amongst
others, 2 key ingredients, especially when dealing with evolving risk:
• Dynamic – the framework and available RM tools/approach must be able to adapt to the
changes in risk levels likely to be faced by the organisation. For this, constant monitoring and
updating of the environment (both micro and macro) by experienced RM personnel is essential.
Every organisation must entrust and empower a person to be responsible for overseeing the risk
management process (if all else fails, the director or owner him/herself must take responsibility
for this task), starting with identifying and subsequently updating the associated risks of the
organisation. This must be followed by proper communication of these risks across the
organisation.
• Relevant – the right RM tool/approach for the identified/associated risk, best utilising the
available resources (which are usually limited) given the significance of the risk. Risk
significance is usually or best portrayed by analysing its likelihood and impact, as depicted on a
grid/quadrant as below:

[Two risk grids, one per quarter, each plotting Risk 1 to Risk 5 by likelihood (Low Likelihood to High Likelihood) against impact (Low Impact to High Impact)]

Figure 2: Risk Grid Quarter 1 Figure 3: Risk Grid Quarter 2


The figures above show a typical risk grid where the identified risks of an organisation have been
plotted against their likelihood/probability of occurring and impact on the organisation. Where
risks are analysed as a continuity from one period to another (say quarter to quarter, year to
year, etc.), the evolution of risk and its relevance to the organisation can be better observed &
analysed, risk treatment (i.e. RM tool) better prescribed and the effectiveness of the treatment better
monitored. Unfortunately, many organisations are lacking in this and perform RM on
stagnant or outdated grids/analysis. Based on Figures 2 & 3, it appears that Risks 1, 3 and 4 have
become more significant, whilst Risk 5 has become less significant. Risk 2 seems unchanged.
It would also be beneficial to profile the identified risk into various clusters with attached action
plans – in other words, performing an action-oriented risk assessment. An example of such a
profile would be as follows:

| Category of Risk Impact | Probability or likelihood of occurring | Impact on business | Action |
|---|---|---|---|
| 1. Catastrophic | Very High (>80%) | Significant operational disruption with almost certain failure. Increase in costs and delays in values exceeding $1 million | Immediate improvement or overhaul. Follow-up with HODs and Board/Audit Committee within next 2 weeks. |
| 2. High | High (61% – 79%) | Major operational problems and some business disruption. Additional costs/loss amounting between $500,000 to $1 million | Remedial or improvement within next 3 months. |
| 3. Medium | Medium (31% – 60%) | Some operational delays and temporary setbacks. Some losses and additional cost between $200,000 to $500,000 | Improvement or changes within 6 to 12 months |
| 4. Low | Low (< 30%) | Minor operational delays which can be mitigated with alternative resources. Marginal cost impact of less than $200,000 | Judgmental, depending on availability of resources and on-going monitoring. |

The table/profile cluster above will thereafter be used for risk ranking, which in turn would be an
invaluable tool or basis to determine the allocation and deployment of limited resources to address
the various risks faced by the organisation. As important as it is to derive an appropriate and
relevant profile & priority of risks such as the one above, it is even more critical that such
profiles and prioritisation be able to stand the test of time and continuously remain relevant.
Therefore, those involved in risk management should always view risks, the profiling of
identified risks and the prioritisation of risk as a moving target. As and when the environment and
related factors change, which include stakeholders’ expectations and risk appetite, the parameters
within the RM framework (i.e. probabilities, impact assessment, RM tools available, resources
to implement RM and monitoring mechanisms & timeline) would likely change as well.

Using the illustration depicted in Figure 1, environmental risks may have been profiled as a
lower risk factor for an airline business in year 2000 and therefore the resources assigned to manage
them may have been marginal. However, looking at this risk in 2010, it would likely seem that it
has climbed the rankings and now “deserves” more attention in terms of risk management.

ISO 31000 – championing Enterprise Risk Management (“ERM”)

In 2009, the ISO introduced ISO 31000: Principles & Guidelines for Risk Management in response
to the need to standardise the existing norms, regulations and frameworks related to risk
management. ISO 31000 is very much in line with ERM, which takes an integrated view of risk
management and thus moves away from a “silos” or isolated approach. ERM would also be the way
forward if organisations want to capitalise on risk opportunities.

Besides putting forth a standardised view of RM on a global platform in terms of terminologies
used, objectives, approach and methodologies, this ISO also emphasises RM as a continuous and
on-going process. This can be best depicted in the framework for RM as laid out in the ISO.

Mandate and Commitment

Design of Framework for Managing Risk
• Understanding the organization and its context
• Establishing risk management policy
• Accountability
• Integration into organizational processes
• Resources
• Establishing internal communication and reporting mechanisms
• Establishing external communication and reporting mechanisms

Implementing Risk Management
• Implementing the framework for managing risk
• Implementing the risk management process (from risk identification to monitoring & communication)

Monitoring and review of the framework

Continual Improvement of the Framework

Figure 4: Relationship between the components of the framework for managing risk
(source: ISO 31000)

Figure 4 clearly indicates that the framework for managing risk is continuous and on-going in
nature, right from the design to implementation of RM even including improvement to the
framework itself.

Conclusion

Risk management is not just here to stay, it’s here to evolve and adapt. It is evolving to a strategic
function from merely safeguarding enterprise value to maximising enterprise value. It is shifting
from compliance oriented to value driven; from risk mitigation to risk optimisation; from excessive
risk assessment to key risks focussed and from being detached from strategic & operational
decisions to forming the core of those decisions.

Ramesh Ruben Louis is the Executive Director & Principal Trainer for MyLearning Training
Resources. He is a professional trainer and consultant in risk management, assurance & business
advisory for both the corporate and public sector in Malaysia and across Asia Pacific. He can be
contacted at [email protected]
