CAGAYAN VALLEY COLLEGE OF INFORMATION TECHNOLOGY
28 Carreon Street, Centro East, Santiago, Philippines
RISK MANAGEMENT
FINALS - MODULE 1
INTRODUCTION TO RISK MANAGEMENT
DISCUSSION:
Introduction:
Approaches to defining the risk
• The Oxford English Dictionary definition of risk is as follows: ‘a chance or possibility
of danger, loss, injury or other adverse consequences’ and the definition of at risk is
‘exposed to danger’. In this context, risk is used to signify negative consequences.
However, taking a risk can also result in a positive outcome. A third possibility is that
risk is related to uncertainty of outcome.
Table 1.1 Definitions of risk

ISO Guide 73 / ISO 31000: Effect of uncertainty on objectives. Note that an effect may be positive, negative, or a deviation from the expected. Also, risk is often described by an event, a change in circumstances or a consequence.

Institute of Risk Management (IRM): Risk is the combination of the probability of an event and its consequence. Consequences can range from positive to negative.

"Orange Book" from HM Treasury: Uncertainty of outcome, within a range of exposure, arising from a combination of the impact and the probability of potential events.

Institute of Internal Auditors: The uncertainty of an event occurring that could have an impact on the achievement of the objectives. Risk is measured in terms of consequences and likelihood.

Alternative definition by the author: Event with the ability to impact (inhibit, enhance or cause doubt about) the mission, strategy, projects, routine operations, objectives, core processes, key dependencies and/or the delivery of stakeholder expectations.
Risk in an organizational context is usually defined as anything that can impact the
fulfilment of corporate objectives. However, corporate objectives are usually not fully stated
by most organizations. Where the objectives have been established, they tend to be stated as
internal, annual, change objectives. This is particularly true of the personal objectives set for
members of staff in the organization, where objectives usually refer to change or developments,
rather than the continuing or routine operations of the organization.
Impact of Risk on Organization
Risk importance
Following the events in the world financial system during 2008, all organizations are
taking a greater interest in risk and risk management. It is increasingly understood that the
explicit management of risks brings benefits. By taking a proactive approach to risk and risk
management, organizations will be able to achieve the following three areas of improvement:
• Operations will become more efficient, because events that can cause disruption will be
identified in advance and actions taken to reduce the likelihood of those events occurring,
to limit the damage they cause, and to contain the cost of any disruption to normal
production operations.
• Processes will be more effective, because consideration will have been given to
selection of the processes and the risks involved in the alternatives that may be
available. Also, process changes that are delivered by way of projects will be more
effectively and reliably delivered.
• Strategy will be more efficacious, in that the risks associated with different strategic
options will be fully analyzed and better strategic decisions will be reached. Efficacious
means that the strategy that is developed will be fully capable of delivering the required
outcomes.
It is no longer acceptable for organizations to find themselves in a position whereby
unexpected events cause financial loss, disruption to normal operations, damage to reputation
and loss of market presence. Stakeholders now expect that organizations will take full account
of the risks that may cause disruption within operations, late delivery of projects or failure to
deliver strategy.
Types of Risk
Risks can be classified in many ways. Hazard risks can be divided into many types of
risks, including risks to property, risks to people and risks to the continuity of the business.
Although it should not be considered to be a formal risk classification system, this part
considers the value of classifying risks according to the timeframe for the impact of the risk.
Classification of risk
• Medium-term Risk
o have their impact some time after the event occurs or the decision is taken,
and typically this will be about a year later.
o Medium-term risks are often associated with projects or programs of work.
o decisions regarding the project to implement the new software will be
medium-term decisions with medium-term risk attached.
• Short-term Risk
o have their impact immediately after the event occurs
o Accidents at work, traffic accidents, fire and theft are all short-term risks that
have an immediate impact and immediate consequences as soon as the event
has occurred.
o These short-term risks cause immediate disruption to normal efficiency
operations and are probably the easiest types of risks to identify and manage.
• Insurable Risk
o are quite often short-term risks, although the exact timing and magnitude/
impact of the insured events is uncertain
o In other words, insurance is designed to provide protection against risks that
have immediate consequences
o In the case of insurable risks, the nature and consequences of the event may be
understood, but the timing of the event is unpredictable.
Three types of Risk
• Hazard Risk
o Hazard risks are the risks that can only inhibit achievement of the corporate
mission.
o Typically, these are insurable type risks or perils, and will include fire, storm,
flood, injury and so on.
Hazard risk categories and examples of disruption

People: lack of people skills and/or resources; unexpected absence of key personnel; ill-health, accident or injury to people.

Premises: inadequate or insufficient premises; denial of access to premises; damage to or contamination of premises.

Assets: accidental damage to physical assets; breakdown of plant or equipment; theft or loss of physical assets.

Supplier: disruption caused by failure of supplier; delivery of defective goods or components; failure of outsourced services and facilities.

Information and Technology: failure of IT hardware systems; disruption by hacker or computer virus; inefficient operation of computer software.

Communication: inadequate management of information; failure of internal or external communications; transport failure or disruption.
• Control Risk
o are risks that cause doubt about the ability to achieve the mission of the
organization.
o are associated with uncertainty, and examples include the potential for legal
non-compliance and losses caused by fraud.
o They are usually dependent on the successful management of people and
successful implementation of control protocols
o are the most difficult type of risk to describe
Internal financial control protocols are a good example of a response to a control risk. If
the control protocols are removed, there is no way of being certain about what will happen.
• Opportunity Risk
o are the risks that are (usually) deliberately sought by the organization
o These risks arise because the organization is seeking to enhance the
achievement of the mission, although they might inhibit the organization if the
outcome is adverse.
o This is the most important type of risk for the future long-term success of any
organization.
Principles and Aims of Risk Management
Risk management operates on a set of principles, and there have been several attempts
to define these principles. It is suggested that a successful risk management initiative will be:
• Proportionate to the level of risk within the organization;
• Aligned with other business activities;
• Comprehensive, systematic and structured;
• Embedded within business processes;
• Dynamic, iterative and responsive to change.
This provides the acronym PACED and provides a very good set of principles that are
the foundations of a successful approach to risk management within any organization. A
more detailed description of the PACED principles of risk management is set out in Table
5.1. The approach to risk management is based on the idea that risk is something that can be
identified and controlled.
PRINCIPLE DESCRIPTION
Proportionate Risk management activities must be proportionate to the level of
risk faced by the organization.
Aligned Risk management activities need to be aligned with the other
activities in the organization.
Comprehensive In order to be fully effective, the risk management approach must
be comprehensive.
Embedded Risk management activities need to be embedded within the
organization.
Dynamic Risk management activities must be dynamic and responsive to
emerging and changing risks.
APPROACHES TO RISK MANAGEMENT
Risk Management Standard
Risk Management Standards set out a specific set of strategic processes which start
with the overall aspirations and objectives of an organization, and intend to help to identify
risks and promote the mitigation of risks through best practice.
Standards are often designed and created by a number of agencies who are working
together to promote common goals, to help to ensure that organizations carry out high-quality
risk management processes.
What are Risk management standards like?
Risk management standards are a guide to help ensure that risk management is
carried out in a proper way. Standards usually include checkpoints and examples, so that
organizations can see clearly what compliance requires.
What is the purpose of Risk management standards?
Risk management standards have been designed so that those who must carry out risk
management processes have a guide to help them to work. These standards help to provide an
international consensus on how to deal with certain risks, and they offer best practice advice
on how to deal with others. Risk management standards help organizations to implement
strategies which are tried and tested, and proven to work.
What are the different types of Risk management standards?
The ISO 31000 risk management standards framework, as published in 2009, includes:
• ISO 31000:2009 – Risk Management – Principles and Guidelines
• ISO/IEC 31010:2009 – Risk Management – Risk Assessment Techniques
• ISO Guide 73:2009 – Risk Management – Vocabulary
(ISO 31000 was later revised as ISO 31000:2018; the process described below is the 2009 edition that this module follows.)
ISO 31000:2009 – Risk Management – Principles and Guidelines
The ISO 31000 risk management process has two elements that act continually throughout
the process. These are:
• Communication and consultation with internal and external stakeholders, where
practicable, to gain their input to the process and their ownership of the outputs. It is
also important to understand stakeholders’ objectives, so that their involvement can be
planned and their views can be considered in setting risk criteria.
• Monitoring and review, so that appropriate action occurs as new risks emerge and
existing risks change as a result of changes in either the organization’s objectives or
the internal and external environment in which they are pursued. This involves
environmental scanning by risk owners, control assurance, taking on board new
information that becomes available, and learning lessons about risks and controls
from the analysis of successes and failures.
The central spine of the risk management process is concerned with preparing for
and then conducting risk assessment leading, as necessary, to risk treatment. The process
starts through defining what the organization wants to achieve and the external and internal
factors that may influence success in achieving those objectives. This step is called
establishing the context and is an essential precursor to risk identification.
Risk assessment under ISO 31000 comprises the three steps of risk identification,
risk analysis, and risk evaluation.
Risk identification requires the application of a systematic process to understand
what could happen, how, when, and why.
In ISO 31000, risk analysis is concerned with developing an understanding of each
risk, its consequences, and the likelihood of those consequences. Whether the end result is
expressed as a qualitative, semiquantitative, or quantitative manner, gaining this
understanding requires consideration of the effect and reliability of existing controls and any
control gaps. Risk analysis can be undertaken with varying degrees of detail, depending on
the risk, the purpose of the analysis, and the information, data, and resources available.
Analysis can be qualitative, semiquantitative, quantitative, or a combination of these,
depending on the circumstances.
Risk evaluation then involves deciding about the level of risk and the priority for
attention through the application of the criteria developed when the context was established.
Risk treatment is the process by which existing controls are improved or new
controls are developed and implemented. It involves evaluation of and selection from options,
including analysis of costs and benefits and assessment of new risks that might be generated
by each option, and then prioritizing and implementing the selected treatment through a
planned process. If this process is followed, the systematic way in which the risks have been
assessed means that risk treatment can proceed with confidence.
How do Risk management standards impact on managing organizational risk?
Risk Management standards impact on the ways which risk management processes
are created and implemented. They offer guidance on setting the context of the strategies, as
well as providing ideas about what should and should not be implemented as part of the risk
management strategy. Many standards provide advice on how to best to quantify and classify
risk.
What terms are used in Risk management standards?
Standard – a rule or principle which is used as the basis for judgment of the risk
management process, a series of checkpoints which an organization should strive to achieve.
Risk – a potential consequence of an action. In recent developments in risk management, a
risk can now be considered to be a negative or a positive consequence. A risk may or may not
occur.
Management – the strategies which are implemented in an attempt to combat potential risk.
ENTERPRISE RISK MANAGEMENT
What Is Enterprise Risk Management (ERM)?
Enterprise risk management (ERM) is a plan-based business strategy that aims to
identify, assess, and prepare for any dangers, hazards, and other potentials for disaster—both
physical and figurative—that may interfere with an organization's operations and objectives.
The discipline not only calls for corporations to identify all the risks they face and to decide
which risks to manage actively, but it also involves making that plan of action available to all
stakeholders, shareholders and potential investors, as part of their annual reports. Industries
as varied as aviation, construction, public health, international development, energy, finance,
and insurance all utilize ERM.
Companies have been managing risk for years. Historically, they've done this by
buying insurance: property insurance for literal, detrimental losses due to fires, thefts, and
natural disasters; and liability insurance and malpractice insurance to deal with lawsuits and
claims of damage, loss, or injury. But another key element in ERM is a business risk—that is,
obstacles associated with technology (particularly technological failures), company supply
chains, and expansion—and the costs and financing of the same.
Advantages of ERM
In creating ERM initiatives, companies should focus not only on the downside of risk
but on the upside as well. The traditional approach was to concentrate on negatives—the
losses from currency or interest rate trades in financial markets, for instance, or financial
losses that might be caused by a disruption in a supply chain or a cyber-attack that impairs a
company's information technology.
In thinking about the upside, companies now are supposed to consider competitive
opportunities and strategic advantages that might arise out of the deft management of risk.
Some of these "better decisions" involve items like where to locate a plant or office abroad
based on a risk analysis that would examine the political environment in a country.
The "upside" also includes focusing on preventive measures that help a company
avoid potential disasters down the road. For example, some of these actions may include
determining when and how physical assets need to be maintained and replaced.
This way, the company can avoid unexpected and costly plant and equipment failure
that might result in shutdowns, explosions or other events that put a company's employees,
communities and public profile at risk. Understanding that their most important and valuable
asset is their image, some companies work proactively when dealing with man-made or
natural disasters.
Example of Enterprise Risk Management
One of the most frequently cited examples of reputation risk management in corporate
history involves Johnson & Johnson. The pharmaceutical giant found its reputation and its
stock price severely bruised in 1982 over revelations that someone had tampered with and
poisoned bottles of its pain reliever Tylenol, resulting in several deaths.
The company reacted quickly, removing and replacing its products at retail outlets,
cooperating fully with law enforcement authorities, and keeping the media (and, hence, the
public) informed throughout. Its decisive actions and honest open communication during the
crisis helped in the recovery of share value within a few months.
In the period from 2006 to 2008, the push was for companies to prove they were "going
green", hoping that aggressive environmental risk management would position their products,
plants, supply chain, and other operations positively with current and future customers.
Building these capabilities in an organization typically involves the following activities:
• Identify and assess the current risks facing your organization - at an enterprise-wide
level and at business unit or activity levels - using qualitative and quantitative
measurement techniques
• Assist you to understand the different stages of evolution and sophistication of ERM
and to determine what attributes you want your risk management program to have
• Assess the current state of risk management throughout your organization and make
recommendations for improvement
• Design an ERM program - including the desired risk culture, risk appetite and
tolerances, risk management process, structure, methodologies and systems - and
implementation plan -that will achieve the program you envision
• Implement ERM pilots and assist with a full organization wide implementation
• Help establish Risk Management functions and/or Committee
• Design and conduct tailored risk management training and awareness sessions for
directors, management and staff
• Automate the risk assessment process
APPROACHES TO RISK MANAGEMENT
Risk assessment considerations
Importance of risk assessment
Risk assessment involves the recognition of risks and the rating of them
to determine the significant risks facing the organization, project or strategy.
Because the risk management input into strategy focuses on improved decision
making, risk assessment is the main risk management input into strategy
formulation. Risks may be attached to corporate objectives, stakeholder
expectations, core processes and key dependencies. Whichever of these features
is selected as the starting point, risk assessment can be undertaken. The purpose
of risk assessment is to identify the significant risks that could impact the
selected feature.
Although risk assessment is vitally important, it is only useful if the
conclusions of the assessment are used to inform decisions and/or to identify the
appropriate risk responses for the type of risk under consideration. It should be
considered as the starting point of the risk management process and it is
certainly not an end in itself.
An important feature of undertaking a risk assessment is to decide
whether the identified risk is going to be evaluated at the inherent level or at the
current (or residual) level. Assessment of inherent risk is undertaken without
taking account of the controls that are currently in place.
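The ISO 31000 steps described above (identification, analysis, evaluation against the criteria set when establishing the context, then prioritized treatment) and the distinction between the inherent and the current (residual) level of a risk can be shown in a small risk register. The following is an added example written for this module, not code from the module or from ISO 31000: the 1 to 5 likelihood and consequence scales, the risk appetite threshold, the "steps removed" model of control effectiveness and the four sample risks are all constructed assumptions, chosen to illustrate the semi-quantitative form of analysis the module mentions.

```python
"""Semi-quantitative risk register: inherent vs residual scoring, evaluation, prioritization.

Added illustration; the scales, appetite and sample risks below are constructed assumptions.
"""
from dataclasses import dataclass, field

# Constructed ordinal scales (assumption: the module prescribes no particular scale).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Risk criterion fixed when establishing the context: a residual score above this
# value must be treated (hypothetical appetite on the 1-25 likelihood x consequence scale).
RISK_APPETITE = 8


@dataclass
class Control:
    """An existing control, credited as removing ordinal steps from one factor."""
    name: str
    reduces: str   # "likelihood" or "consequence"
    steps: int     # number of scale steps the control removes (assumption of the model)


@dataclass
class Risk:
    name: str
    category: str          # hazard category, as in the module's disruption table
    likelihood: str
    consequence: str
    controls: list = field(default_factory=list)

    def inherent(self) -> tuple:
        """Likelihood and consequence ignoring every control (the inherent level)."""
        return LIKELIHOOD[self.likelihood], CONSEQUENCE[self.consequence]

    def residual(self) -> tuple:
        """Likelihood and consequence after crediting existing controls, floored at 1."""
        like, cons = self.inherent()
        for c in self.controls:
            if c.reduces == "likelihood":
                like = max(1, like - c.steps)
            elif c.reduces == "consequence":
                cons = max(1, cons - c.steps)
            else:
                raise ValueError(f"unknown factor {c.reduces!r}")
        return like, cons

    def inherent_score(self) -> int:
        like, cons = self.inherent()
        return like * cons

    def residual_score(self) -> int:
        like, cons = self.residual()
        return like * cons


def evaluate(risk: Risk, appetite: int = RISK_APPETITE) -> str:
    """Risk evaluation: compare the residual score with the criteria from the context."""
    score = risk.residual_score()
    if score > appetite:
        return "treat"          # outside appetite: improve or add controls
    if score * 2 > appetite:
        return "monitor"        # within appetite but close enough to keep under review
    return "accept"


def prioritise(register: list) -> list:
    """Rank the register for treatment: residual score first, inherent score as tie-break."""
    ranked = sorted(register,
                    key=lambda r: (r.residual_score(), r.inherent_score()),
                    reverse=True)
    return [(r.name, r.inherent_score(), r.residual_score(), evaluate(r)) for r in ranked]


# Constructed sample register (not data from the module).
REGISTER = [
    Risk("Ransomware on file server", "Information and Technology", "likely", "major",
         [Control("Patching and endpoint detection", "likelihood", 1),
          Control("Offline backups", "consequence", 2)]),
    Risk("Fire in server room", "Premises", "unlikely", "severe",
         [Control("Gas suppression system", "consequence", 1)]),
    Risk("Sole administrator resigns", "People", "possible", "moderate"),
    Risk("Defective components from supplier", "Supplier", "possible", "minor",
         [Control("Incoming inspection", "consequence", 1)]),
]

if __name__ == "__main__":
    print(f"{'Risk':38} {'Inh':>4} {'Res':>4}  Decision")
    for name, inh, res, decision in prioritise(REGISTER):
        print(f"{name:38} {inh:>4} {res:>4}  {decision}")
```

The ransomware risk has the highest inherent score (16) but, once the existing controls are credited, a residual score of 6; the uncontrolled loss of the sole administrator, inherent 9, becomes the first item for treatment. This is the practical reason the module insists on deciding up front whether a register is scored at the inherent or the current level: the two orderings differ, and a register that mixes them cannot be prioritized.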
Approaches to risk assessment
There are several approaches that can be taken when planning how to
undertake risk assessment. One of the key decisions will be who to involve in
the risk assessment exercise. Sometimes risk assessments are undertaken by the
board of directors as a top-down exercise. Risk assessments can also be
undertaken by involving individual members of staff and local departmental
management. This bottom-up approach is also valuable.
Risk assessment techniques
There is a wide range of risk assessment techniques available. Detailed information on
the full range of techniques that can be used was published, first as a Final Draft
International Standard (FDIS) and then as ISO/IEC 31010:2009, the risk assessment
techniques standard listed earlier in this module.
Table 1.1 Techniques of risk assessment

Questionnaires and checklists: use of structured questionnaires and checklists to collect information that will assist with the recognition of the significant risks.

Workshops and brainstorming: collection and sharing of ideas at workshops to discuss the events that could impact the objectives, core processes or key dependencies.

Inspections and audits: physical inspections of premises and activities, and audits of compliance with established systems and procedures.

Flowcharts and dependency analysis

HAZOP and FMEA approaches

SWOT and PESTLE analysis
--END--