RISK ➢ Risk in an organizational context is usually defined as anything that can impact the

1. Risk is used to signify negative consequences; fulfillment of corporate objectives.

2. Risk can also result in a positive outcome; or ➢ For a risk to materialize, an event must occur.
3. Risk is related to uncertainty of outcome. ➢ Risks may be considered to be related to an opportunity or a loss or the presence of
uncertainty for an organization.
DEFINITION OF RISK
➢ An organization adopts the risk classification system that is most suitable for its own
• Oxford English Dictionary
circumstances.
- a chance or possibility of danger, loss, injury or other adverse consequences
TYPES OF RISKS
• ISO Guide 73 / ISO 31000 1. Compliance (Mandatory) Risks – minimize
- Effect of uncertainty on objectives. Effect may be:
o positive, 2. Hazard (Pure) Risks – mitigate
o negative, or - risk events that can only result in negative outcomes
o a deviation from the expected - may be thought of as operational or insurable risks
- Risk is often described by an: - are associated with a source of potential harm or a situation with the potential to
o event, undermine objectives in a negative way
o a change in circumstances or - is concerned with mitigating the potential impact.
o a consequence - are the most common risks associated with operational risk management, including
occupational health and safety programmes
• Institute of Risk Management (IRM)
- Risk is the combination of the probability of an event and its consequence. 3. Control (Uncertainty) Risks – manage
o Consequences can range from positive to negative - risks that give rise to uncertainty about the outcome of a situation
- associated with project management
• Orange Book from HM Treasury - uncertainties can be associated with the:
- Uncertainty of outcome, within a range of exposure, arising from a combination of the o benefits that the project produces,
impact and the probability of potential events o uncertainty about the delivery of the project on time, within budget and to
specification
• Institute of Internal Auditors - The management of control risks will often be undertaken in order to ensure that the
- The uncertainty of an event occurring that could have an impact on the achievement outcome from the business activities falls within the desired range.
of the objectives. - The purpose is to reduce the variance between anticipated outcomes and actual
o Risk is measured in terms of consequences and likelihood. results

• Author 4. Opportunity (Speculative) Risks – embrace

- An event with the ability to impact (inhibit, enhance or cause doubt about) the - organizations deliberately take risks in order to achieve a positive return
effectiveness and efficiency of the core processes of an organization - Opportunity risks relate to the relationship between risk and return.
o The purpose is to take action that involves risk to achieve positive gains.
o The focus of opportunity risks will be towards investment
 - are associated with unknown and unexpected events.
- sometimes referred to as uncertainty risks
- can be extremely difficult to quantify
- are often associated with project management and the implementation of tactics.
- the approach is based on managing the uncertainty about the potential impacts and
consequences of these events
Two Main Aspects Associated with Opportunity Risks
1. There are risks/dangers associated with taking an opportunity, but
2. There are also risks associated with not taking the opportunity
RISK DESCRIPTION
• Name or title of risk
• Nature of risk, including details of the risk classification and timescale of potential impact
Stakeholders in the risk, both internal and external
• Risk attitude, appetite, tolerance, limits for the risk and/or risk criteria Likelihood and
magnitude of event and consequences should the risk materialize at current/residual
level
• Control standard required, target level of risk or risk criteria Incident and loss experience
• Existing control mechanisms and activities
• Responsibility for developing risk strategy and policy
• Potential for risk improvement and level of confidence in existing controls
• Risk improvement recommendations and deadlines for implementation
• Responsibility for implementing improvements
• Responsibility for auditing risk compliance
Inherent Level of Risk (Absolute/Gross Risk)
- This is the level of the risk before any actions have been taken to change the likelihood
or magnitude of the risk
- Identifying the inherent level of the risk makes it possible to identify the importance of
the control measures in place
Risk Matrix - used to show the inherent level of the risk in terms of likelihood and magnitude
Purpose of Any Risk Assessment - to identify what is believed to be the current level of the
risk and identify the key controls that are in place to ensure that the current level is actually
achieved
Risk Classification Systems
Risks can be classified according to:
• the nature of the attributes of the risk – e.g. such as timescale for impact, and
• the nature of the impact and/or likely magnitude of the risk
- Some risks can cause detriment to the finances of the organization, whereas others will
have an impact on the activities or the infrastructure
- risks may have an impact on the reputation of the organization, or on its status and the
way it is perceived in the marketplace
• the timescale of impact after the event occurs
• the source of the risk can also be used as the basis of classification
• a risk may be classified according to its origin
• according to the component or feature of the organization that will be impacted - risks can
be classified according to whether they will impact people, premises, processes or
products
An important consideration for organizations when deciding their risk classification system is
to determine whether the risks will be classified according to the source of the risk, the
component impacted or of the consequences of the risk materializing.
RISK LIKELIHOOD AND MAGNITUDE
• Simple Risk Matrix (Risk/Heat Map)
- commonly used method of illustrating risk likelihood and the magnitude (or severity)
of the event should the risk materialize
- can be used to plot the nature of individual risks, so that the organization can decide
whether the risk is acceptable and within the risk appetite and/or risk capacity of the
organization

• Likelihood
- includes frequency,
- refers to the chances of an unlikely event happening
- word ‘probability’ will often be used to describe the likelihood of a risk materializing
• Magnitude
- same style of risk matrix can be used to illustrate compliance, hazard, control and
opportunity risks
- The magnitude of the risk may be considered to be its gross or inherent level before
controls are applied
- The magnitude of an event may be considered to be the inherent level of the event
and the impact can be considered to be the risk-managed level
o the impact (and the associated consequences) of an event is usually more
important than its magnitude (or severity)
- indicate the size of the event that has occurred or might occur
• Severity - implies that the event is undesirable and is, therefore, related to compliance and
hazard risks
• Risk Matrix
- The basic style of risk matrix plots the likelihood of an event against the magnitude or
impact should the event materialize
- can also be used to indicate the likely risk control mechanisms that can be applied.
- The risk matrix can also be used to record the inherent, current (or residual) and target
levels of the risk
As risks move towards the top right-hand corner of the risk matrix, they become more likely
and have a greater impact. Therefore, the risk becomes more important and immediate and
effective risk control measures need to be in place.
LEVEL OF RISK
By taking a proactive approach to risk and risk management, organizations will be able to
achieve the following four areas of improvement:
a. Strategy, because the risks associated with different strategic options will be fully
analyzed and better strategic decisions will be reached.
b. Tactics, because consideration will have been given to selection of the tactics and the
risks involved in the alternatives that may be available.
c. Operations, because events that can cause disruption will be identified in advance and
actions taken to reduce the likelihood of these events occurring, limit the damage
caused by these events and contain the cost of the events.
d. Compliance will be enhanced because the risks associated with failure to achieve
compliance with statutory and customer obligations will be recognized.
The exposure presented by an individual risk can be defined in terms of:
- the likelihood of the risk materializing and
- the impact of the risk when it does materialize
As risk exposure increases, the likely impact will also increase.
Current Level of Risk (Residual/Net/Managed)
Impact
- used to define how the event affects the finances, infrastructure, reputation and/or
marketplace (FIRM) of the organization
Consequences - the extent to which the event results in failure to achieve effective and
efficient strategy, tactics, operations and compliance (STOC).
IMPACT OF HAZARD RISKS
- Hazard risks undermine objectives, and the level of impact of such risks is a measure of
their significance
- a hazard (or pure) risk can only have a negative outcome.
- Hazard risk management is concerned with issues such as:
 o health and safety at work,
o fire prevention,
o avoiding damage to property and
o the consequences of defective products.
- Hazard risks can cause disruption to normal operations, as well as resulting in increased
costs and poor publicity associated with disruptive events.
- Hazard risks are related to business dependencies, including IT and other supporting
services.
o There is increasing dependence on the IT infrastructure of most organizations and IT
systems can be disrupted by computer breakdown or fire in server rooms, as well as
virus infection and deliberate hacking or computer attacks
- Theft and fraud can also be significant hazard risks for many organizations.
o This is especially true for organizations handling cash or managing a significant
number of financial transactions.
o Techniques relevant to the avoidance of theft and fraud include:
▪ adequate security procedures,
▪ segregation of financial duties, and
▪ authorization and delegation procedures, as well as
▪ the vetting of staff prior to employment
If a hazard risk materializes, it may have a very large magnitude, such as the destruction of
the main distribution warehouse of an organization.
- This large magnitude event will have an impact on the organization related to potential
financial costs, destruction of infrastructure, damage to reputation and the inability to
function in the marketplace.
- Magnitude represents the gross or inherent level of the risk.
However, the impact of the event will be reduced because of the controls that are in place.
- Impact represents the net, residual or current level of the risk.
- These controls reduce the financial impact, the extent of destruction of infrastructure, as
well as controls designed to protect reputation and marketplace activities
Compliance risks can be substantial for many organizations, especially those business sectors
that are heavily regulated.
- In some cases, compliance with mandatory requirements, represents a ‘license to
operate’ and failure to achieve the level of compliance activities required by the relevant
regulator can have a significant impact on the reputation of the organization and
substantial consequences for routine business activities
ATTACHMENT OF RISKS
Risks are shown in the diagram as being capable of impacting the key dependencies that
deliver the core processes of the organization.
Corporate objectives and stakeholder expectations help define the core processes of the
organization.
- These core processes are key components of the existing nature and future enhancement
of the business model and can relate to operations, tactics and corporate strategy (STOC),
as well as compliance activities
- Significant risks can be attached to features of the organization other than corporate
objectives.
o Significant risks can be identified by considering the key dependencies of the
organization, the corporate objectives and/or the stakeholder expectations, as well
as by analysis of the core processes of the organization.
- Risks are greater in circumstances of change.
- To be useful to the organization, the corporate objectives should be presented as a full
statement of the short-, medium-and long-term aims of the organization.
 o Internal, annual, change objectives are usually inadequate, because they may fail
to fully identify the operational (or efficiency), change (or competition) and strategic
(or leadership) requirements of the organization
The most important disadvantage associated with the ‘objectives-driven’ approach to risk
and risk management is the danger of considering risks out of the context that gave rise to
them.
- Risks that are analysed in a way that is separated from the situation that led to them will
not be capable of rigorous and informed evaluation
Many organizations continue to use an analysis of corporate objectives as a means of
identifying risks, because some benefits do arise from this approach.
- using the ‘objectives-driven’ approach facilitates the analysis of risks in relation to the
positive and uncertain aspects of the events that may occur, as well as facilitating the
analysis of the negative and compliance aspects.
- The value at risk represents the risk appetite of the organization with respect to the
activity that it is undertaking.
When an organization puts value at risk in this way, it should do so with the full knowledge of
the risk exposure and it should be satisfied that the risk exposure is within the appetite of the
organization.
- Even more important, it should ensure that it has sufficient resources to cover the risk
exposure.
- The risk exposure should be quantified, the appetite to take that level of risk should be
confirmed, and the capacity of the organization to withstand any foreseeable adverse
consequences should be clearly established.

Core Processes are the high-level processes that drive the organization.
- Risks may be attached to this core process, as well as being attached to objectives and/or
key dependencies.
- Core processes can be classified as strategic, tactical, operational and compliance (STOC).
- Mature (or sophisticated) risk management activities can then be designed to enhance
the effectiveness and efficiency of core processes.

Attachment of risks to key dependencies and, especially, stakeholder expectations is becoming

more common.
- The organization will need to ask what are the features or components of the organization
and its external context that are key to success.
o This will result in the identification of the strengths, weaknesses, opportunities and
threats (SWOT Analysis) facing the organization.
- Having identified the key dependencies, the organization can then consider the risks that
will impact these dependencies.
RISK AND REWARD
Many risks are taken by organizations in order to achieve a reward.
- A business will launch a new product because it believes that greater profit is available
from the successful marketing of that product.
- In launching a new product, the organization will put resources at risk because it has
decided that a certain amount of risk taking is appropriate.
• Start-up operations are usually high risk and the initial expected return may be low.
o The activity will commence in the bottom right-hand corner as a start-up operation,
which is high risk and low return.
• Growth phase for the business or product - As the business develops, it is likely to move to
a higher return for the same level of risk
• As the investment matures, the reward may remain high, but the risks should reduce.
• Eventually, an organization will become fully mature and move towards the low risk and low-
return quadrant.
o The normal expectation in very mature markets is that the organization or product will
be in decline.
In the case of hazard risks, it is likely that the reward for increased risk management effort will
be fewer disruptive events.
In the case of project risks, the reward for increased risk management effort will be that the RISK AND TRIGGERS
project is more likely to be delivered on time, within budget and to specification/quality.
Risk is sometimes defined as uncertainty of outcomes.
For opportunity risks, the risk versus reward analysis should result in fewer unsuccessful new
Control risks are the most difficult to identify and define, but are often associated with
products and a higher level of profit or (at worst) a lower level of loss for all new activities or
projects.
new products.
- The overall intention of a project is to deliver the desired outcomes on time, within
In all cases, profit or enhanced level of service is the reward for taking risk. budget and to specification, quality or performance.
- Because control risks cause uncertainty, it may be considered that an organization will
ATTITUDES TO RISK
have an aversion to them - the potential variability in outcomes that then need to be
Different organizations will have different attitudes to risk.
managed.
- Some organizations may be considered to be risk averse, whilst others will be risk
- Tolerance in relation to control risks can be considered to have the same meaning as in
aggressive.
the manufacture of engineering components, where the components must be of a
- To some extent, the attitude of the organization to risk will depend on the sector and the
certain size, within acceptable tolerance limits
nature and maturity of the marketplace within which it operates, as well as the attitude
of the individual board members.
- One of the major contributions from successful risk management is to ensure that
strategic decisions that appear to be high risk are actually taken with all of the
information available.
o Improvement in the robustness of decision-making activities is one of the key
benefits of risk management.

• Risk attitude indicates the long-term view of the organization to risk

• Risk appetite indicates the short-term willingness to take risk.
- This is similar to the difference between the long-term or established attitude of an
individual towards the food they eat and their appetite for food at a particular moment
in time. • The left-hand side of the bow-tie represents the source of a particular hazard and will
indicate the classification system used by the organization for sources of risk.
Other key factors that will determine the attitude of the organization to risk include the stage o these sources of risk used are the high-level sources of strategic, tactical,
in the maturity cycle: operational and compliance (STOC) risks.
- For an organization that is in the start-up phase, a more aggressive attitude to risk is • The right-hand side of the bow-tie sets out the impact should the risk events occur,
required than for an organization that is enjoying growth or one that is a mature and uses the high-level components of financial, infrastructure, reputational and
organization in a mature marketplace. marketplace (FIRM) impact of a risk materializing.
- Where an organization is operating in a mature marketplace and is suffering from decline,
• In the centre of the bow-tie is the risk event. It indicates the categories of disruption
the attitude to risk will be much more risk averse.
that can affect organizations, and the same categories of people, premises, processes
The attitude to risk has to be different when an organization is a start-up operation rather than and products are used here.
a mature organization, that it is often said that certain high-profile businessmen are very good
at entrepreneurial start-up but are not as successful in running mature businesses.
 • The purpose of using the bowtie illustration is to demonstrate the risk classification
systems used by the organization and the potential range of impacts should a risk
materialize.
• Controls can be put in place to prevent the event occurring and these can be
represented by vertical lines on the left-hand side of the bow-tie.
• In a similar manner, recovery controls can be represented on the right-hand side of
the bowtie.
• A BOW-TIE is a simple way of analysing a risk to gain a greater understanding.
o The first stage is to put the risk description into the middle box.
o The causes of the risk then need to be recorded along with the preventive
controls to stop the risk occurring.
o The impact of the risk is also considered. This enables the identification of
response controls to lessen the impact of the risk should it occur.
TIMESCALE OF RISK IMPACT
Risks can be classified in many ways: a very useful means of analysing the risk exposure of an
organization.
- These risks will be related to the strategy, tactics and operations of the organization
- risks may be considered as related to events, changes in circumstances, actions or
decisions
1. Long-Term Risks
- will impact several years, perhaps up to five years, after the event occurs or the
decision is taken.
- relate to strategic decisions.
- When a decision is taken to launch a new product, the result of that decision (and the
success of the product itself) may not be fully apparent for some time
2. Medium-Term Risks
- have their impact sometime after the event occurs or the decision is taken, and
typically this will be about a year later.
- are often associated with projects or programmes of work.
3. Short-Term Risks
- have their impact immediately after the event occurs.
o Accidents at work, traffic accidents, fire and theft are all short-term risks that
have an immediate impact and immediate consequences as soon as the event
has occurred.
- These short-term risks cause immediate disruption to normal efficient operations and
are probably the easiest types of risks to identify and manage or mitigate.
Insurable risks are quite often short-term risks, although the exact timing and
magnitude/impact of the insured events is uncertain.
- insurance is designed to provide protection against risks that have immediate
consequences
- the nature and consequences of the event may be understood, but the timing of the
event is unpredictable
An increasingly important consideration for organizations is what will be the trigger
mechanism that causes a risk to materialize.
- The challenge for management is then based on recognition of the circumstances in
which one or more of the significant risk events may be triggered.
- The question of what would trigger such an event requires as much consideration as the
source of the risk and the nature of the event if it was to happen
FOUR TYPES OF RISK
A common language of risk is required throughout an organization if the contribution of risk
management is to be maximized - enable the organization to develop an agreed perception of
risk and attitude to risk.
a. Compliance Risks
- often considered a separate category of risk and they are often managed or minimized
differently
b. Hazard Risks
- risks that can only inhibit achievement of the corporate mission.
- these are insurable-type risks or perils, and will include fire, storm, flood, injury and
so on.
- The discipline of risk management has strong origins in the control and mitigation of
hazard risks.
- Normal efficient operations may be disrupted by loss, damage, breakdown, theft and
other threats associated with a wide range of dependencies
 4Ps Disruption - These risks arise because the organization is seeking to enhance the achievement of
1. People the mission, although they might inhibit the organization if the outcome is adverse.
- Lack of people skills and/or resources - This is the most important type of risk for the future long-term success of any
- Inappropriate behaviour by a senior manager organization.
- Unexpected absence of key personnel
EMBRACE OPPORTUNITY RISKS
- Ill-health, accident or injury to people
2. Premises Opportunity Risks (Commercial, Speculative Or Business Risks)
- Inadequate, insufficient or denial of access to premises - the type of risk with potential to enhance (although they can also inhibit) the achievement
- Damage to or contamination of premises of the mission of the organization.
- Damage to and breakdown of physical assets - These risks are the ones associated with embracing business opportunities.
- Theft or loss of physical assets - normally associated with the development of new or amended strategies, although
3. Processes opportunities can also arise from enhancing the efficiency of operations and implementing
- Failure of IT hardware or software systems change initiatives
- Disruption by hacker or computer virus
- Inadequate management of information Opportunity management is the approach that seeks to maximize the benefits of taking
- Failure of communication or transport systems entrepreneurial risks.
4. Products - The desire is to maximize the likelihood of a significant positive outcome from investments
- Poor product or service quality in business opportunities
- Disruption caused by failure of supplier MANAGE UNCERTAINTY RISKS
- Delivery of defective goods or components Uncertainty or control risks are an inevitable part of undertaking a project.
- Failure of outsourced services and facilities - A contingency fund to allow for the unexpected will need to be part of a project budget, as
well as contingent time built into project schedules.
c. Control Risks - When looking to develop appropriate responses to control risks, the organization must
- risks that cause doubt about the ability to achieve the organization’s mission. make the necessary resources available to identify the controls, implement the controls
o Internal financial control protocols are a good example of a response to a and respond to the consequences of any control risk materializing.
control risk.
o If the control protocols are removed, there is no way of being certain about The nature of control risks and the appropriate responses depend on the level of uncertainty
what will happen. and the nature of the risk.
- Control risks are the most difficult type of risk to describe • Uncertainty represents a deviation from the required or expected outcome.
- are associated with uncertainty o When an organization is undertaking a project, such as a process enhancement, the
o examples include the potential for failure to achieve legal compliance and losses project has to be delivered on time, within budget and to specification.
caused by fraud. o Also, the enhancement has to deliver the benefits that were required.
- usually dependent on the successful management of people and effective
• Deviation from the anticipated benefits of a project represents uncertainties that can only
implementation of control protocols.
be accepted within a certain range.

d. Opportunity Risks
- the risks that are (usually) deliberately sought or embraced by the organization.
 Control Management is the basis of the approach to risk management adopted by internal
auditors and accountants. It also is the basis of the approach to risk management adopted
by internal auditors and accountants
MITIGATE HAZARD RISKS
Organizations face exposure to a wide range of risks. These risks will be hazard risks, control
risks and opportunity risks. Organizations need to tolerate a hazard risk exposure, accept
exposure to control risks and invest in opportunity risks.
• Hazard risks can result in unplanned disruption for the organization.
• Disruptive events cause inefficiency and are to be avoided, unless they are part of, for
example, planned maintenance or testing of emergency procedures
For each category of hazard risks, the organization needs to evaluate the types of incidents
that could occur, the sources of those incidents and their likely impact on normal efficient
operations.
• Management of hazard risks involves analysis and management of three aspects of
the hazard risk
- the organization should look at the necessary actions to prevent the loss
occurring, limit the damage that the event could cause and contain the cost of
recovering from the event
- Hazard management is traditionally the approach adopted by the insurance
world.
- The approach should be based on reducing the likelihood and magnitude/impact
of hazard losses.
• Insurance represents the mechanism for limiting the financial cost of losses.
MINIMIZE COMPLIANCE RISKS
Compliance requirements vary considerably between business sectors, and many sectors are
highly regulated with their own dedicated regulator for the industry or sector.
- Failure to comply with regulatory requirements may result in the ‘license to operate’ being
withdrawn by the regulator.
- If a regulator were to take this extreme action, the organization could ultimately cease to
exist.
All organizations that handle financial transactions are required to introduce procedures to
reduce the chances of money-laundering activities being undertaken.
In the insurance industry, if an insurance policy is issued in one country to protect the assets
and/or cover the liabilities in other countries, compliance issues present particular difficulties.
- Failure to comply with all obligations may result in insurance claims not being paid or, in
the extreme, being illegal in a particular country, if an unauthorized type of insurance or
illegal insurance policies have been issued.
For organizations that do not have regulators dedicated to that industry or business sector,
there are still a wide range of regulatory requirements that must be fulfilled.
Generally speaking, organizations will work towards ensuring full compliance with all
applicable rules and regulations and, thereby, minimize the compliance risks.
- It is also important to ensure that the various areas of risk management expertise
within the company co-operate with each other, so that an organized and/or
coordinated approach to compliance is achieved.
ORIGINS OF RISK MANAGEMENT
a. One of the early developments in risk management emerged in the United States out of
the insurance management function.
- The practice of risk management became more widespread and better coordinated
because the cost of insurance in the 1950s had become prohibitive and the extent of
coverage limited.
- Organizations realized that purchasing insurance was insufficient if there was
inadequate attention to the protection of property and people.
- Insurance buyers therefore became concerned with the quality of property
protection, the standards of health and safety, product liability issues and other risk
control concerns.
b. Risk financing and risk control developed in Europe during the 1970s and the concept of
total cost of risk became important
DEFINITION OF RISK MANAGEMENT
ISO Guide 73 / BS 31100 - Coordinated activities to direct and control an organization with
regard to risk.
Institute of Risk Management (IRM) - Process which aims to help organizations understand,
evaluate and take action on all their risks with a view to increasing the probability of success
and reducing the likelihood of failure.
HM Treasury - All the processes involved in identifying, assessing and judging risks, assigning
ownership, taking actions to mitigate or anticipate them, and monitoring and reviewing
progress.
London School of Economics - Selection of those risks a business should take and those
which should be avoided or mitigated, followed by action to avoid or reduce risk.
Author - Risk management is the set of activities within an organization undertaken to
deliver the most favou.rable outcome and reduce the volatility or variability of that outcome.
IMPORTANCE OF RISK MANAGEMENT
• Managing the organization
- Variable cost or availability of raw materials
- Cost of retirement/pension/social benefits
- Desire to deliver greater shareholder value
- Greater transparency required from organizations
- Pace of change in business ever increases
- Impact of e-commerce on all aspects of business life
- Increased reliance on information technology (IT) systems
- Increasing importance of intellectual property (IP)
- Greater supply chain complexity/dependency
- Reputation becomes more and more important
- Reputational damage – especially to worldwide brands
- High-profile losses and failures ruin reputations
- Regulatory pressures continue to increase
- Changes/variation in national legislative requirements
- Joint ventures becoming more common
• Changes in the marketplace
- Changing commercial and marketplace environment
- Globalization of customers, suppliers and products
- Increased competition in the marketplace
- Greater customer expectations, often led by competitors
- Need to respond more rapidly to stakeholder expectations
- More volatile markets with less customer loyalty
- Diversification leads to working in unfamiliar areas
- Constant need to make bold strategic decisions
- Short-term success required, without long-term detriment
- Product innovation and continuous improvements
- Rapid changes in (consumer) product technology
- Threats to world/national economy
- Threat of influenza or other pandemics
- Potential for international organized crime
- Increasing occurrences of civil unrest/political risks
- Extreme weather events resulting in population shift
DEVELOPMENT OF RISK MANAGEMENT
Risk management as a formalized discipline has been around for at least 100 years.
• It has its early origins in the specialist activity of insurance, which can trace its history back
for several centuries.
- As insurance became more formalized and structured, the need for risk control
standards increased, especially in relation to the insurance of cargo being transported
by ships around the world.
- Perhaps one of the earliest developments in this field was the introduction of the
‘Plimsoll Line’ to indicate the level of cargo that a ship could safely transport without
being dangerously overloaded.
• Education programmes emerged to support the development of risk management as a
profession.
- Risk management regulations associated with corporate governance began to develop
and various regulators were given more authority in relation to specific hazards (such
as health and safety), and also in relation to particular business sectors (such as financial
institutions).
- The development of risk management qualifications became increasingly more
formalized during the 1980s.
• Risk management standard AS/NZS 4360:1995 was one of the early examples of a
comprehensive approach to the management of risk.
- As well as the generic risk management standards applicable to all industries, specific
risk management approaches also emerged in particular sectors, including the finance
sector.
 - The emergence of regulated capital requirements for banks and insurance companies
indicated the increased level of risk management maturity required of financial
Many functions within large organizations will have a significant risk management component
institutions.
to their activities, such as tax, treasury, human resources, procurement and logistics.
• The corporate risk management role in the United States during the 1950s became an
extension of insurance purchasing decisions.
• During the 1960s, contingency planning became more important to organizations.
- There was also an emphasis beyond risk financing on loss prevention and safety
management.
• During the 1970s, self-insurance and risk retention practices developed within
organizations.
- Captive insurance companies also started to develop.
- Contingency plans then developed into business continuity planning and disaster
recovery plans.
• At the same time during the 1960s and 1970s, there were considerable developments in
the risk management approach adopted by occupational health and safety practitioners.
• During the 1980s, the application of risk management techniques to project management
developed substantially.
- Financial institutions continued to develop the application of risk management tools
and techniques to market risk and credit risk during the 1980s.
• Also, during the 1980s, treasury departments began to develop the financial approach to
risk management.
- There was recognition by finance directors that insurance risk management and
financial risk management policies should be better co-ordinated.
• During the 1990s, the financial institutions further broadened their risk management
initiatives to include structured consideration of operational risks.
• During the 1990s, risk financing products emerged that combined insurance with
derivatives.
- At the same time, corporate governance and listing requirements encouraged
directors to place greater emphasis on enterprise risk management (ERM) and
- the first appointment of a chief risk officer (CRO) occurred at that time.
• During the 2000s, financial services firms have been encouraged to develop internal risk
management systems and capital models.
• The financial crisis of 2008 called into question the contribution that risk management can
make to corporate success, especially in financial institutions.
- The application of risk management tools and techniques failed to prevent the global
financial crisis
SPECIALIST AREAS OF RISK MANAGEMENT
• One of the best known and specialist areas of risk management is that of health and safety
at work
• Another specialist area is that of disaster recovery planning and business continuity
planning.
• Other specialist areas of risk management have developed over the past decades,
including:
a. Project Risk Management
- Project risk management is an area where the application of risk management
tools and techniques is particularly well developed.
b. Clinical/Medical Risk Management
- This area of risk management is primarily concerned with patient care, especially
during surgical operations.
- The cost of medical malpractice claims and the inevitable delay in making
insurance payments has resulted in risk management systems being introduced.
- Particular aspects of clinical risk management include greater attention to making
patients aware of the risks that may be associated with the procedure they are
about to undertake
- Considerable emphasis has been placed in clinical risk management on the need
to report, in an accurate and timely manner, details of any incidents that occur in
the operating theatre.
c. Energy Risk Management
- For some organizations in the energy sector, risk management is mainly concerned
with the future price of energy and with exploration risk.
- Therefore, the risk management approach is similar to the activities of the treasury
function, where hedging and other sophisticated financial techniques form the
basis of the risk management effort.
d. Financial Risk Management;
- Banks and other financial institutions will be concerned with the credit risk and
market risk, as well as operational risk.
 - Finance and insurance are highly regulated business sectors, governed by
international standards such as Basel III and Solvency II.
e. It Risk Management
- The increasing importance of information to organizations, in terms of the
management of and security of data, has resulted in the development of specific
standards applicable to IT risk management.
- Amongst the best established of these risk management standards is COBIT, which
is similar in many regards to the COSO standard
SIMPLE REPRESENTATION OF RISK MANAGEMENT
These stages build into valuable risk management activities, each of which makes an
important contribution.
8 Rs of Risk Management
1. Recognition or identification of risks and identification of the nature of the risk and the
circumstances in which it could materialize.
2. Rating or evaluation of risks in terms of magnitude and likelihood to produce the ‘risk
profile’ that is recorded in a risk register.
3. Ranking or analysing the current or residual level of risk against the established risk
criteria or risk appetite.
4. Responding to significant risks, including decisions on the appropriate action regarding
the following options (4 Ts of RM):
● tolerate;
● treat;
● transfer;
● terminate.
5. Resourcing controls to ensure that adequate arrangements are made to introduce and
sustain necessary control activities.
6. Reaction planning and/or event management. For hazard risks, this will include disaster
recovery or business continuity planning.
7. Reporting and monitoring of risk performance, actions and events and communicating
on risk issues, via the risk architecture of the organization.
8. Reviewing the risk management system, including internal audit procedures and
arrangements for the review and updating of the risk architecture, strategy and protocols.
The activities associated with risk management are as follows:
• recognition of risks;
• rating of risks;
• ranking against risk criteria;
• responding to significant risks;
• resourcing controls;
• reaction (and event) planning;
• reporting of risk performance;
• reviewing the risk management system.
Risk management can improve the management of the core processes of an organization by
ensuring that key dependencies are analysed, monitored and reviewed.
The 8R's of the risk management process are a framework that helps organizations effectively
manage risks.
Recognize: Identify and acknowledge potential risks that could impact the organization's
objectives. This involves understanding the internal and external factors that may contribute
to risk.
Research: Gather information and data about the identified risks. This includes analyzing
historical data, conducting risk assessments, and seeking expert opinions to gain a deeper
understanding of the risks.
Rank: Prioritize the identified risks based on their potential impact and likelihood of
occurrence. This step helps allocate resources and focus on the most critical risks.
Respond: Develop and implement risk mitigation strategies to reduce the likelihood or impact
of the identified risks. This may involve implementing controls, creating contingency plans, or
transferring the risk through insurance or contracts.
Review: Regularly monitor and evaluate the effectiveness of the implemented risk mitigation
strategies. This step ensures that the risk management process remains dynamic and
responsive to changing circumstances.
Report: Communicate the identified risks, mitigation strategies, and their status to relevant
stakeholders. This promotes transparency and enables informed decision-making.
Record: Maintain comprehensive documentation of the risk management process, including
risk assessments, mitigation plans, and monitoring activities. This documentation serves as a
reference for future risk management efforts and audits.
Revisit: Continuously review and update the risk management process to adapt to new risks,
changes in the organization's objectives, or external factors. This step ensures that the risk
management process remains relevant and effective over time.

ENTERPRISE RISK MANAGEMENT

Enterprise Risk Management (‘ERM’) is a strategic business discipline that supports the
achievement of an organization’s objectives by addressing the full spectrum of its risks and
managing the combined impact of those risks as an interrelated risk portfolio (US Risk
Management Association, the Risk and Insurance Managers Society (RIMS).
- When an organization considers all of the risks that it faces and how these risks could
impact its strategy, projects and operations, then the organization is embarking on an
enterprise risk management approach.

LEVELS OF RISK MANAGEMENT SOPHISTICATION

1. Inform
At first, an organization may be unaware of the legal and contractual obligations that it
faces. In that case, it will be necessary to inform the organization of its obligations in
relation to the risk.
2. Reform
As the level of sophistication develops, the organization will become aware of the need
to comply with obligations and the more general need for improved risk management.
Once it is aware of obligations, there will be a need for the organization to reform in
response to the hazard risks
5. Deform
3. Conform
A danger that organizations will become obsessed with risk management to the point that
As the organization responds to the risk, it will seek to conform to the appropriate risk
important decisions are not taken. At this point, it may be said that too much attention and
control standards.
concern about risk and risk management will cause the organization to deform its
operations.
4. Perform
• unaware of obligations – INFORM;
After this stage, the organization may realize that there are benefits to be obtained from
• awareness of non-compliance – REFORM;
the risk. The organization will then have the ability to perform and view the risk as an
• actions to ensure compliance – CONFORM;
opportunity risk
• achieve business opportunities – PERFORM;
• inactivity caused by obsession – DEFORM.

As the level of sophistication increases and risk management professionals become aware of
the alternative approaches to risk management, they should value the contribution that can
be made by other approaches.
The development in risk management approach can be summarized as follows:
● Compliance management must not be undertaken in a fragmented manner, even if
excellent standards of compliance are achieved.

● Hazard management specialists may find that there has been a trend towards a desire to
retain more insurable risks (and buy less insurance) as a result of a more holistic approach
to risk management.

● Control management specialists must not squeeze entrepreneurial spirit and effort out of
the organization.

● Strategic planners must recognize that risk management tools and techniques can
contribute to better strategic decisions and the successful exploitation of business
opportunities.

An alternative approach to increasing levels of risk management sophistication or risk

management maturity is the fragmented, organized, influential, leading (FOIL) approach.
PRINCIPLES OF RISK MANAGEMENT
The main principle of risk management is that it delivers value to the organization.
In other words, risk management activities are designed to achieve the best possible outcome
and reduce volatility or uncertainty of outcomes.
What RM should do or deliver: MADE2
● mandatory obligations placed on the organization;
● assurance regarding the management of significant risks;
● decisions that pay full regard to risk considerations;
● effective and efficient core processes.
If organizations are to get maximum benefit out of their risk management activities, the above
principles should be implemented when the risk management initiative is planned and the risk
management framework is developed.

A successful risk management initiative (and framework) will be: PACED
● Proportionate to the level of risk within the organization;
● Aligned with other business activities;
● Comprehensive, systematic and structured;
● Embedded within business procedures and protocols;
● Dynamic, iterative and responsive to change.
PACED provides a very good set of principles that are the foundations of a successful approach
to risk management within any organization.
- The approach to risk management is based on the idea that risk is something that can be
identified and controlled.
- These principles describe what risk management should be in practice.
Core processes represent the activities of the organization and can be strategic, tactical,
operational or compliance (STOC) in nature.
The objectives for risk management (MADE2) confirms that outputs from risk management
will lead to:
• less disruption to normal efficient operations,
• a reduction of uncertainty in relation to tactics and
• improved decisions in relation to evaluation and selection of alternative strategies.
In other words, a key part of risk management is improved organizational decision making.
 When deciding the importance of risk management in the organization, the design of the risk
management initiative and the risk management framework must reflect the reasons why risk
management is being undertaken in the organization (MADE2).

RISK MANAGEMENT ACTIVITIES

Risk management is a process that can be divided into several stages.

ISO Guide 73 and British Standard BS 31100 describe the risk management process as the
systematic application of management policies, procedures and practices to the tasks of
communicating, consulting, establishing the context, identifying, analysing, evaluating,
treating, monitoring and reviewing risk.

The risk management process is described as:

• identifying,
• analysing,
• evaluating,
Risk is unavoidable and every organization needs to take action to manage it in a way that it
• treating,
can justify to a level that is acceptable.
• monitoring and
The appropriate range of responses will depend on the nature, size and complexity of the • reviewing risk.
organization and the risks it faces.
4Ts of Hazard Risk Management
IMPORTANCE OF RISK MANAGEMENT ● tolerate;
● treat;
Risk management has taken on an increasingly high profile in recent times, because of the
● transfer;
global financial crisis and the number of high-profile corporate failures across the world that
● terminate.
preceded it.

Also, risk management has become more important because of increasing stakeholder
expectations and the ever-increasing ease of communication.

Assurance to stakeholders: EFFECTIVE AND EFFICIENT CORE PROCESSES

a. The directors of any organization need to be confident that risks have been identified and
As risk management has developed, emphasis has been placed on project management and
that appropriate steps have been taken to manage risk to an appropriate level.
the delivery of programmes to provide enhancements to core business processes.
b. Greater emphasis on accurate reporting of information by organizations, including risk
- Processes must be effective in that they deliver the results that are required, as well as
information.
being efficient.
• The Sarbanes–Oxley Act of 2002 (SOX) in the United States has accuracy of financial
- Risk management delivers improved information so that strategic decisions can be made
reporting as its main requirement. It brings the issue of the accurate reporting of
with greater confidence.
results to a higher priority, whilst also requiring full and accurate disclosure of all
- The strategy that is decided by an organization must be capable of delivering the results
information about the organization
that are required.
 o There are many examples of organizations that selected an incorrect strategy or failed
to successfully implement the selected strategy.
o Many of these organizations suffered corporate failure
- Strategic decisions are often most difficult when changes in technology or in customer
expectations emerge
- Strategy should be designed to take advantage of opportunities.
- Incorrect strategy has resulted in more corporate failures than ineffective or inefficient
operations and tactics.
o Organizations that have effective and efficient tactics, operations and compliance, but
an incorrect overall strategy will fail.
o This will be the case, however good the risk management activities are at operational
and project level.
IMPLEMENTING RISK MANAGEMENT
The integrative approach to risk management accepts that the organization must tolerate
certain hazard risks and must have an appropriate appetite for investment in opportunity risks.
Risk management tools and techniques should be used to achieve the following:
● Compliance management provides risk governance
● Hazard management makes outcomes less negative
- Within the context of hazard management, insurance represents the mechanism for
restricting the financial cost of losses when a risk materializes.
- Risk control and loss management techniques will reduce the expected losses and
should ensure that the overall cost is contained.
- The combination of insurance and risk control/loss management will reduce the actual
cost of hazard losses and this will inevitably (and correctly) cause the hazard tolerance
of the organization to decline.
- More of the risk capacity of the organization will then be available for opportunity
investment
● Control management reduces the range of possible outcomes from any event
- Control management is based on the established techniques of internal financial control
- The main intention is to reduce losses associated with inadequate control management
at the same time as reducing the range of possible outcomes.
o This is the contribution that internal control should make to the overall approach
to risk management within an organization.
● Opportunity management makes outcomes more positive
- Opportunity management seeks to make positive outcomes more likely and more
substantial.
- As part of the opportunity management approach, the organization should also look at
possibilities for increasing the revenue from the product or service.
- In not-for-profit organizations, opportunity management should facilitate the delivery
of better value for money
ACHIEVING BENEFITS
The most important point to make is that the support of senior management and (ideally) the
sponsorship of a board member are essential.
Also, an implementation plan to address the concerns of employees and other stakeholders is
needed.
In order to achieve the maximum benefit from risk management input in operations,
organizations need instead, however, to focus on loss control.
• Loss control is a combination of loss prevention, damage limitation and cost containment.
o Projects should be completed on time, to budget and to specification, performance or
quality
o Inevitably, there will be a considerable amount of uncertainty associated with all
projects.
o The contribution of risk management is to minimize these uncertainties.
The contribution of risk management to successful strategy is, therefore, focused on the
decision-making activities.
The overall benefits of risk management can be summarized in a number of ways:
• By undertaking a risk management initiative, less disruption to operations, successful
delivery of projects and better strategic decisions are the expectations.
• Also underpinning risk management initiatives (MADE2) will be the desire for adequate risk
assurance.
Using the structure of the FIRM risk scorecard, an organization will be able to demonstrate the
benefits that it has obtained from a risk management initiative.