Module 1 - Introduction To Risk Management 2023

This document provides an overview of risk management concepts including: 1) It defines risk and discusses how the definition has evolved from focusing only on negative outcomes to including both positive and negative outcomes. 2) It explains the basic process of risk management as identifying, evaluating, prioritizing risks, and then coordinating resources to minimize threats and maximize opportunities. 3) It discusses different classifications of risk like pure risks, speculative risks, and categories like hazard, operational, financial, and strategic risks. 4) Key concepts of risk appetite, tolerance, and residual risk are introduced.

Center for Enterprise Risk Management

Certified Risk Management Professional (CRMP)

Module 1 – Introduction to Risk Management

Ahsan Jamal ACII MIIRSM AIFirE PE, Chartered Insurance Risk Manager
Syed M Fahim B.Eng. MIE MIRSM Cert CII, Head of Learning & Development
Points of Discussion
- Define Risk and its evolving definition
- Risk management explained
- Categories of Risk
- Risk Appetite and Tolerance
- Risk Quadrant
- Risk management Process
- Roles and Responsibilities
Risk – Definition and Evolution

- Risk is a basic and ancient concept. It has always been there and shall remain.
- What is risk?
- The traditional definition is “the possibility of loss or injury” or “a situation involving exposure to danger”.
- The traditional definition has evolved into broader definitions.
- Risk originates from the Italian word “risicare”, meaning “to dare”.
- Some definitions refer to risk as a choice rather than fate; some refer to it as uncertainty about an outcome.
- The traditional concept only held that the outcome of risk would be negative, or would result in a loss.
- Broader definitions introduce the idea of a gain as well and see risk as able to lead to a positive outcome too.
- Risk exists in our daily life and is not restricted to corporations only.
- From crossing a road to entering a new business venture, risk exists.
- The evolution of the concept is from “possibility of loss (a negative outcome)” to “uncertainty about the future (can be positive too)”.
- The concept of risk management evolved primarily after the 2008 financial crisis.
- Certain industry-specific standards emerged, forming part of the risk management process.
- Risk management therefore became a field of study based on the lessons learned from 2008.
- Today, the process is implemented based on several international guidelines and principles.
- But what exactly is risk management?
Risk Management explained

“The identification, evaluation, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities”

- The definition refers to a complete process, involving several steps until the risk is managed.
- Remember, risk today refers to loss or profit – BOTH.
- Example: a business can flourish or fail; the prices of property can increase or decrease, etc.
- What required the definition to change, though?
- Technology, globalization and finance, to quote a few.
- Internal factors and external factors contribute to a risk and can dramatically change the scenario.
- Today, international standards are applied to organisations for risk management.
- Some international standards and their definitions of risk:

Definition of Risk – Source
- “Effect of uncertainty on objectives” – ISO 31000:2009 (International Organization for Standardization)
- “The possibility that an event will occur and adversely affect the achievement of objectives” – COSO ERM:2004 (Committee of Sponsoring Organizations of the Treadway Commission)
- “An uncertain future outcome that can either improve or worsen your position” – RIMS (Risk and Insurance Management Society)
- “The probable frequency and probable magnitude of future loss” – Risk Management Insight
- “Exposure to a proposition of which one is uncertain” – CFA Institute

- The key word is “Uncertainty” across all definitions.


Risk Management Standards

- ISO 31000 and COSO (the Committee of Sponsoring Organizations of the Treadway Commission) are the two leading risk management standards in the world today.
- The key and ultimate purpose of a risk management standard is to ensure the organization is “…taking the right risks at the right level.”
- A risk management standard’s foremost goal is to support not just decision-making, but any activity at any level of the organization that has any uncertainty associated with it.

“We make money by taking risks, and we lose money when we do not manage the risks we are taking”
ISO 31000 and COSO explained

Similarities
- Both standards expand the scope of risk management.
- Both versions are meant to be guidelines.
- Both current versions are a dramatic improvement.
- Both standards embed risk management in decision processes.

Differences
- Structure – ISO is brief, 16 pages in total. COSO is a 100-page document.
- Geography – ISO reaches around 70+ countries. COSO is US-centric.
- Target audience – COSO focuses on people in accounting and audit. ISO 31000 is broader.
- Focus – COSO focuses more on general corporate governance. ISO focuses on risk and incorporating it in the strategic planning process.

Risk Trends
Classifications of Risks

- Based on the current definition, risks can be broadly categorized into:
- Pure Risks – the possibility of a loss only and no gain. A car accident, for example.
- Speculative Risks – the chance of a gain as well. Investment in stocks is an example (Market Risk, Inflation Risk, Interest Rate Risk and Liquidity Risk).
- Diversifiable and Non-Diversifiable Risks – diversifiable risks affect only some individuals (risks in one area or geography), whereas non-diversifiable risks affect a larger segment (inflation, earthquake etc.).
- Subjective and Objective Risks – subjective is the perceived amount of risk; objective is supported by facts.
- Risk Quadrants – an organization may choose to categorize risks as Hazard, Operational, Financial and Strategic risks.
The Risk Quadrant
- Hazard risks: arise from property, liability, or personnel loss exposures and are generally the subject of insurance.
- Operational risks: arise from people or a failure in processes, systems, or controls, including those involving information technology.
- Financial risks: arise from the effect of market forces on financial assets or liabilities and include market risk, credit risk, liquidity risk and price risk.
- Strategic risks: arise from trends in the economy and society, including changes in the economic, political, and competitive environments, as well as from demographic shifts.
- Whereas the classifications of risk focus on some aspect of the risk itself, the four quadrants of risk focus on the risk source and who traditionally manages it. For example, the chief financial officer traditionally manages financial risk, and the risk manager traditionally manages hazard risk.
- Just as a particular risk can fall into more than one classification, a risk can also fall into multiple risk quadrants. For example, embezzlement of funds by an employee can be considered both a hazard risk, because it is an insurable pure risk, and an operational risk, because it involves a failure of controls.
Risk Appetite and Tolerance
- According to ISO 31000, risk appetite is defined as “the amount and type of risk that an organization is prepared to pursue, retain or take.”
- The amount and type of risk that an organisation is willing to take in order to meet its strategic objectives.
- A risk appetite statement is a higher-level statement, while risk tolerances are narrower.

Example:
- Using a driving analogy, the speed limit one can drive at is 80 Kmph (risk appetite) with an additional 20 Kmph grace window (risk tolerance); the radar flashes if it catches one driving at 101 Kmph (unacceptable risk). If you are currently driving at 80 Kmph, you may decide to go faster, as long as you do not exceed 100 Kmph.
- The residual risk is the amount of risk or danger associated with an action or event remaining after natural or inherent risks have been reduced by risk controls.
- Inherent Risk: the natural level of risk inherent in a process or activity without doing anything to reduce the likelihood or mitigate the severity of a mishap.
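The following is an added worked example, not part of the CRMP slides, that puts the three ideas above (risk quadrants, inherent vs residual risk, and the appetite / tolerance / unacceptable bands from the driving analogy) into a small risk register. The 1-5 likelihood and impact scale, the percentage reductions attributed to each control, the appetite and tolerance thresholds, and the sample risks are all assumptions constructed for the demonstration; they generalise the driving analogy to any measured value.

```python
"""Added illustration: inherent vs residual risk scoring and appetite/tolerance bands.

Constructed example. The 1-5 likelihood/impact scale, the control reduction
figures, the appetite/tolerance thresholds and the sample register are all
assumptions made for this demonstration, not CRMP course material.
"""
from dataclasses import dataclass, field
from enum import Enum


class Quadrant(Enum):
    """The four risk quadrants: classified by source and by who manages them."""
    HAZARD = "hazard"
    OPERATIONAL = "operational"
    FINANCIAL = "financial"
    STRATEGIC = "strategic"


@dataclass
class Control:
    """A risk control, modelled (assumption) as the fraction by which it reduces
    likelihood and impact: 0.0 = no effect, 1.0 = eliminates that dimension."""
    name: str
    likelihood_reduction: float = 0.0
    impact_reduction: float = 0.0


@dataclass
class Risk:
    name: str
    likelihood: int            # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                # 1 (negligible) .. 5 (severe), assumed scale
    quadrants: set[Quadrant]   # a risk may sit in more than one quadrant
    controls: list[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: likelihood and impact must be 1..5")

    def inherent_score(self) -> int:
        """Inherent risk: the level before any control is applied."""
        return self.likelihood * self.impact

    def residual_score(self) -> float:
        """Residual risk: what remains after every control has reduced it."""
        likelihood, impact = float(self.likelihood), float(self.impact)
        for control in self.controls:
            likelihood *= 1.0 - control.likelihood_reduction
            impact *= 1.0 - control.impact_reduction
        return round(likelihood * impact, 2)


def classify_against_appetite(value: float, appetite: float, tolerance: float) -> str:
    """Place a measured value in the three bands of the driving analogy.

    With appetite=80 and tolerance=100 (80 plus the 20 grace window):
    <= appetite -> within appetite, <= tolerance -> within tolerance,
    anything above tolerance -> unacceptable (the radar flashes).
    """
    if tolerance < appetite:
        raise ValueError("tolerance band must not be tighter than appetite")
    if value <= appetite:
        return "within appetite"
    if value <= tolerance:
        return "within tolerance"
    return "unacceptable"


def register_report(risks: list[Risk], appetite: float, tolerance: float) -> dict:
    """Score every risk in a register and judge its residual level against appetite."""
    report = {}
    for risk in risks:
        residual = risk.residual_score()
        report[risk.name] = {
            "quadrants": sorted(q.value for q in risk.quadrants),
            "inherent": risk.inherent_score(),
            "residual": residual,
            "status": classify_against_appetite(residual, appetite, tolerance),
        }
    return report


# Constructed sample register. Embezzlement sits in two quadrants, as the slides note.
SAMPLE_REGISTER = [
    Risk("Employee embezzlement", likelihood=3, impact=5,
         quadrants={Quadrant.HAZARD, Quadrant.OPERATIONAL},
         controls=[Control("Segregation of duties", likelihood_reduction=0.5),
                   Control("Dual authorisation of payments", 0.4, 0.2)]),
    Risk("Market downturn", likelihood=4, impact=4,
         quadrants={Quadrant.FINANCIAL},
         controls=[Control("Hedging programme", impact_reduction=0.5)]),
    Risk("Key supplier failure", likelihood=4, impact=5,
         quadrants={Quadrant.STRATEGIC},
         controls=[Control("Alternate supplier qualified", impact_reduction=0.3)]),
]

if __name__ == "__main__":
    # Assumed appetite of 6 and tolerance of 12 on the 1..25 score scale.
    for name, row in register_report(SAMPLE_REGISTER, appetite=6, tolerance=12).items():
        print(f"{name:24} {row['quadrants']!s:26} inherent={row['inherent']:>2} "
              f"residual={row['residual']:>5} -> {row['status']}")
```

Running it shows embezzlement dropping from an inherent 15 to a residual 3.6 (within appetite) once segregation of duties and dual authorisation are credited, the hedged market risk landing in the tolerance band, and the supplier risk remaining unacceptable, which is the signal to add treatment rather than accept it.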
Risk Management Framework and Process

- All standards for risk management contain frameworks for organisations to design their RM programs.
- A risk management framework is built on several major components.
- The components apply to the organization as a whole and address the organization’s risks.
- These components are to be adopted in line with the organization’s objectives and built into operations too.
- Purpose: to integrate risk management throughout the organisation. Risk management should add value to the organization.

Four components of the Framework Model:
- Lead and establish accountability – ownership, roles and indicators.
- Align and integrate – alignment with the organization’s objectives and processes.
- Allocate resources – dedicated resources and training.
- Communicate and report – continuous communication and reporting is required.

Steps of the process model
- Scan Environment
- Identify Risks
- Analyse Risks
- Treat Risks
- Monitor and Assure

- The framework and process require periodic checks for updates.

Risk accountability/ownership example
Risk Management Process
Risk Management Roles and Responsibilities
- Roles and responsibilities must be clearly defined and understood throughout the organization.
- Board of directors & CEO – have ultimate accountability for all risks. Risk management practices must be discussed periodically, and risk management related policies must be reviewed and approved.
- Senior management – design, implement, and maintain an effective Framework. Develop policies and procedures, establish and monitor the risk appetite, and report regularly to the board of directors. Promote a risk-aware culture.
- Business units – identify, assess, measure, monitor, control, and report risks to senior management. Manage relevant risks within the framework established by senior management. Ensure compliance with policies and procedures.
- Support functions (e.g. Legal, HR, IT, etc.) – provide support to business units in developing and enforcing policies and procedures.
- Internal Audit & Compliance – monitor and provide independent assurance of the effectiveness of the Framework.
- Risk management – coordinate the establishment of the Framework and provide risk management expertise.
Summary

- Risk exists and is dynamic in nature.
- The need for enterprise risk management cannot be neglected and is evident.
- The modern definition of risk is broader and addresses the positive aspects as well.
- Risk management is everyone’s responsibility.
Center for Enterprise Risk Management
Oceanic House, Mezzanine Floor, 6-E Street 11, Badar Commercial, Phase V Ext., D.H.A., Karachi – 75500, Pakistan
Tel: +92 21 35244160 – 2 Email: [email protected]
Web: www.cermpakistan.com
