INTRODUCTION TO RISK

MANAGEMENT
Strategic
Foresight for
an Obscure
Future…
 Legal Bases of Risk Management
• EO No. 176 series of 2015, “Institutionalizing the IMP as the
National Corruption Prevention Program in all Government
Departments, Agencies, Offices including GOCCs, GFIs,
SUCs and LGUs through the Establishment of Integrity
Management Systems”
• DBM Circular Letter 2008-08, 23 October 2008, the
National Guidelines on Internal Control Systems (NGICS) is
“a benchmark towards designing, installing, implementing
and monitoring internal controls in the public sector”
• EO No. 605, series of 2007, “Institutionalizing the Structure,
Mechanisms, and Standards to Implement the Government
Quality Management Program (QMP)”
• EO 55 series of 2011, Philippine Public Financial
Management (PFM) Program Roadmap
•Rigorous risk management is a
MUST in the public sector
Reasons for Failure
• Lack of foresight
• Unclear objectives &
strategy
• Unrealistic plan
• Poor communication
• Poor leadership
• Uncoordinated efforts
Definition of Risk
• Risk is the expression of the likelihood and
impact of an uncertain, sudden and extreme
event that, if it occurs, may impact positively
(opportunity) or negatively (threat) on the
achievement of the organization’s strategic and
operational objectives
• Risk is as much a potential missed
opportunity as well as a potential threat
Example
 Risk Management
• Risk Management – focuses on identifying and
assessing the risks to the organization and
managing those risks to minimize the impact on
the organization’s goals, program and project
• It is a coordinated set of activities to direct and
control an organization with regard to risks
• Risk management is not about eliminating
risk but about identifying, assessing and
managing risk effectively
 Risk-Conscious Planning & Programming

• WBS is an effective tool in identifying risks through the

whole work structure
• Logical Framework (LogFrame) summarizes the
program/project in a 4x4 matrix with inclusion of
assumptions and risks as part of conceptualization
• Situational Analysis in development plans/sector-wide
strategy formulation
• Investment Programming – safety nets for big-ticket
agency programs and projects (ODA-FAPs)
Other Types of Risks
PROCESS • Risks associated with misaligned processes

• Damage to reputation, image/brand and lost

INTANGIBLE information

TIME • Delays, opportunity costs

• Loss of knowledge, skills and commitment of

HUMAN people

LEGAL • Loss due to governmental or local regulations

• Loss of land, building/s and equipment

PHYSICAL
Risk Management Framework
Establish Risk Context
 15

▪ What can go ▪ What is the ▪ Which should be

wrong? impact? attended to first?
▪ Where/When can ▪ What is the ▪ Which should be
it happen? likelihood? handled directly/
▪ What is the likely can be delegated?
cause?

RISK ASSESSMENT
IDENTIFY ANALYZE EVALUATE
 Risk Identification
• A process of determining what, where, when,
why and how something could happen
• Risks can be threats to a business or project or
opportunities
• Everything that we do has some element of risk.
The problem is that risk identification is often not
done well
• Risks are not inherently bad and the presence of
risk is inevitable
Identify Risks
Identifying Risks:
• Retrospect - those that have previously occurred, such as incidents or
accidents
• Prospective – these are risks that may or may not be currently managed but
will occur in the future depends on the level of controls placed by the
organization
Identifying Risks
Retrospective • Hazard or incident logs or registers
• Audit reports
• Customer complaints
• Accreditation documents and reports
• Past staff or client surveys
• Newspapers or professional media, such as journals or websites

Prospective • Brainstorming with staff or external stakeholders

• Researching the economic, political and operating environment
• Conducting interviews with relevant people and/or organizations
• Undertaking surveys of staff or clients to identify anticipated
issues or problems
• Flow charting a process or Value Chain Analysis
• Reviewing system design or preparing system analysis techniques
Techniques for Identifying Risks
• Brainstorming
• Risk Checklist
• 6 Questions
• PESTLE and 7S
• Previous
Projects/Industry
Benchmarking
• Scenario Building
and Analysis
 Risk Checklist
❑Funding: will it be enough? Are some areas under estimated?
❑Time: delays may happen, deadlines may change
❑ Staffing: availability of skills, availability of key people,
loss/reassignment of staff
❑Relations with Clients/Stakeholders: maturity, acceptability
❑Size and Complexity: large and complex projects can be difficult to
plan, monitor and control
❑Overall Structure: is the project organization clear? Is it clear who has
the accountability? Are reporting lines clear?
❑External Factors: new regulations, market changes, changes in
technology, changes in regulatory processes or market forces
Questions to Identify Risks
• What could go wrong?
• What could happen unexpectedly?
• What can harm us?
• What is the worst case scenario?
• What threats do we face?
• What opportunities could we find?
PESTLE AND 7S
PESTLE 7S

• Political risks • Skills

• Economic risks • Staff
• Socio-cultural risks • Structure
• Technological risks • System
• Legal risks • Strategy
• Environmental risks • Style of Leadership
• Shared Values
Previous Projects
• Review lessons learned reports from within
your own organization
• Get stories from other program/project
managers
• Speak to your principals/sponsors to learn
from their experience
Analyze Risks
Risk analysis involves combining
the possible consequences or
impact of an event with the
likelihood of that event occurring.
The result is a ‘level of risk’.

Risk Level = consequence +

likelihood
LIKELIHOOD (or Probability)
5 Almost Certain 4 Likely 3 Possible 2 Unlikely 1 Rare

CONSEQUENCE (or Impact)

5 Severe 4 Major 3 Moderate 2 Minor 1 Negligible
Evaluate Risks
Risk evaluation involves comparing the level of risk
during the analysis process with established risk
criteria, and deciding whether these risks require
treatment or further action.
• The risks are too large and the outcome so
unacceptable, cannot be justified on any ground
Unacceptable
(4-5)
• Needs treatment

• The risk is on a level between U & A and action is only

Tolerable undertaken if a benefit is desired
(3)

The risk considered so low, reduction efforts not

Acceptable justified
(1-2)
Risk Mapping
Risk Treatment
Risk Treatment

TREAT - to take steps to mitigate the probability or consequence of

the risk

TOLERATE - to live with the consequence of the risk

TERMINATE - to stop doing the process, practice or activity that

brings the risk

TRANSFER - to move the responsibility of the risk to a 3rd party

(such as insurance against loss)
 Risk
Risk Identification Risk Analysis
Evaluation

A – RISK
LIKELIHOOD B - RISK

ACCEPTANCE
RISK RATING
5 – Almost Certain/Constant CONSEQUENCE
4 – Likely/Often 5 –Severe/Catastrophic

RISK
RISK 3 – Possible/
Sometimes
4 – Major
3 – Moderate
RISK NAME 2 – Unlikely/ 2 – Minor
DESCRIPTION Occasionally
1 – Very Unexpected/Rare
1 – Insignificant

(A+B) U
/2 TA

CAUSE:
EFFECT:
Sample RISK Register and Treatment Plan
Risk Risk Cause Potential Existing Controls Effectivenes Risk Risk
ID/Name Description Effect (if any)* s** Analysis Evaluation
(U/T/A)
State Put A, I Put A, F, R or
Never
L C R
current or M
control/s L

Planned Risk Response:

Treat:
Tolerate:
Terminate:
Transfer:
Responsible Office/Unit:
Timeframe/Schedule:
Required Resource(s):
* A-adequate, I–inadequate, M–moderate. ** A- always, F- frequent, R-rarely, N-never
 Sample Issue Log
# ISSUE DESCRIPTION REPORTED ASSIGNED STATUS PRIORITY DATE DATE RESOLUTION
BY TO REPORTED RESOLVED

1
Timeline Project X Y Closed Medium 05 01 Sep Meetings
timeline August 2018 reschedul
depends on 2018 ed for
scheduling January
client 2019
meetings in
December

2
Expertise Need SME A B Active/ High 15
expert with a Ongoing August
donor 2018
coordination
experience
Monitoring Risk Management

Risks need to be monitored

periodically to ensure
changing circumstances do
not alter risk priorities that
would directly impact on
achievement of agency or
PPA objectives
Communication and Consultation
Communication and consultation aims to
identify who should be involved in assessment
of risk (including identification, analysis and
evaluation) and it should engage those who will
be involved in the treatment, monitoring and
review of risk.

Communication and consultation are aimed at:

• Communicating risks to partners and

stakeholders
• Managing stakeholder perceptions and
expectations for management of risk
Summary of
Risk
Management
Integrating Risk Management with Quality
Management System
Product Client feedback
and mechanism
Service
Quality Aligning business
processes
Functional IMP
systems
Continuous
QMS process
improvements
Strengthening
Stakeholders
Customer Performance
Satisfaction
standardization
Scenario building
discipline
Thank You