Risk Management

Overview of the Fundamental Concepts of Risk

Dr. David Mosoma(PhD OD, PhD DODT, Msc A & F, PGDEED)

Basic principles, concepts,
definitions
A risk is ANYTHING that may affect the achievement of an
organization’s objectives.

It is the UNCERTAINTY that surrounds future events and outcomes.

It is the expression of the likelihood and impact of an event with the

potential to influence the achievement of an organization’s objectives.

2
• uncertainty involves situations with unknown
variables, information, and outcomes.
• Uncertainty cannot be measured or calculated.
Since uncertain events are unique and difficult
to plan for, they come with even greater
downsides for unprepared businesses
The Difference Between Risk and
Uncertainty
Risk
• Risk is defined as the possibility or probability of an
unpleasant or undesirable event.
• In business, risk might suggest the potential loss of
money, time, or information.
• Most importantly, risk can be calculated or measured.
• Entrepreneurs can use market data to calculate
whether a new product may be worth
introducing.
• Accountants can use SFP to measure the
profitability of certain organizations.
• Calculated risk can be beneficial, as risk takers
can also generate significant returns.
The Difference Between Risk and
Uncertainty
Uncertainty
• On the other side, there’s uncertainty. In contrast, uncertainty
involves situations with unknown variables, information, and
outcomes.
• Uncertainty simply means the lack of certainty or sureness of an
event.
• In accounting, uncertainty refers to the inability to forecast
consequences or outcomes because there is a lack of knowledge or
bases on which to make any predictions.
• Uncertainty cannot be measured or calculated. you can only
deal with uncertainty.
This is why we look for certainty as much as we can: the
more certain future events are to take place, the better a
business can prepare.
• Since uncertain events are unique and difficult to plan for,
they come with even greater downsides for unprepared
businesses.
The Difference Between Risk and
Uncertainty
Examples
Uncertainty Continu…
• During the dot-com era, companies invested heavily in
expensive domains before understanding their value.
• When the bubble finally burst, several companies
disintegrated, and thousands of employees laid off.
• The main takeaway from these two concepts: risk can be
measured and predicted, while uncertainty cannot.
Examples of Risk and Uncertainty

Here are a few examples of risk and uncertainty in the

business world:
• Risk is when an online clothing store decides to sell a new
line of clothing, based on customer analysis. Uncertainty is
when that same clothing store introduces a new, unrelated
product without research, such as a new furniture line.
• Risk is when an ad agency opens an office in a new country.
Uncertainty is when the country enters a recession.
Examples of Risk and Uncertainty
• Let’s say a gardener puts two different plants in two pots and
labels them A and B.
• Now, he calls an trainee gardener and tells him the things to
do to plant A, which include putting it under the sun for
several hours a day every day, watering it two times a day,
and weeding it every other day.
• On the other hand, he says not to do any of these things to
the other plant but will give it organic fertilizer to help it
grow.
Examples of Risk and Uncertainty
• He then asks which of the two will probably live and
thrive.
• Of course, given the background and the knowledge
of the things the gardener will do, the trainee can
weigh which of the two plants will most probably
grow.
• This is an example of risk.
Examples of Risk and Uncertainty
• Now, what if the gardener says he will do
nothing to either of the plants and asks the
apprentice which he thinks will most likely
survive?
• The answer would be uncertain because of the
lack of sufficient information and the inability to
predict the outcome.
How to Turn Uncertainty into an
Advantage
• The only thing certain thing about uncertainty is that it can happen
anytime, and when it does, no company is exempt from feeling its
effects. Therefore, the most effective thing to do is to prepare for it
and turn it into an advantage. Here’s how:
(i) Forecasting is essential
• Companies who rely on annual budgets are finding themselves in
shallow waters nowadays because the figures may no longer be
applicable even before a specific financial year is over. This is why
forecasting and updating plans regularly are important.
How to Turn Uncertainty into an
Advantage
(ii) Shift to automation
• Manual collection of data takes up more time than actually analyzing
it, which is why it is often too late when problems are identified.
Business organizations should shift to automation because it cuts the
time needed for data collection and analysis.
(iii) Efficient reporting of finances
• Automation also contributes to achieving financial reports that are
efficient and accurate.
How to Turn Uncertainty into an
Advantage
(iv) Self-service is key
• Stakeholders are an important component of an organization, which is
why providing self-service apps is helpful. For example, users can use
a specific app that lets them open their accounts and evaluate the
data by themselves.
• This not only gives them the freedom to do so anytime it is
convenient for them but it also frees up work for the organization’s IT
team, letting them concentrate on more important processes.
How to Plan for High-Risk Events

• Identify risk – Spot the risk early through research and historical analyses.
• Assess the probability – Evaluate all the factors involved, including the
likelihood of positive and negative outcomes
• Make a cost-benefit analysis of alternatives – Measure the pros and cons
of each decision you could take.
• Choose a response
• Evaluate results – How did the chosen action impact the business?
• Ongoing monitoring – Risk events should be constantly checked for
changing circumstances. In some cases, risk aversion may be the best
option.
How to Plan for High-Risk Events
• While uncertainty cannot be measured, the same
approach may be taken in addressing related tasks
and challenges.
• While a recession cannot be predicted, a business can
take steps to protect the future of its employees and
customers.
What are goals and objectives?”

• Goals are general guidelines that explain what you want to achieve in
your community. They are usually long-term and represent global
visions such as “protect public health and safety.”
• Objectives define strategies or implementation steps to attain the
identified goals(SMART). Unlike goals, objectives are specific,
measurable, and have a defined completion date. They are more
specific and outline the “who, what, when, where, and how” of
reaching the goals.
Basic principles, concepts,
definitions Cont…

• A risk is an uncertain event which may occur in the future

• A risk may prevent or delay the achievement of an organization’s or units

objectives or goals

• A risk is not certain – Its likelihood can only be estimated

• Note: Not all risk is bad, some level of risk must be taken in order to progress /
prevent stagnation.
 Why do we need Risk Management?
The only alternative to risk management is crisis
management --- and crisis management is much more
expensive, time consuming and embarrassing

(JAMES LAM, Enterprise Risk Management, Wiley Finance ©

2003)

20
Why do we need Risk Management?
• Crisis management is the application of strategies designed
to help an organization deal with a sudden and significant
negative event.
• A crisis can occur as a result of an unpredictable event or an
unforeseeable consequence of some event that had been
considered as a potential risk.
• In either case, crises almost always require that decisions be
made quickly to limit damage to the organization.
Why do we need Risk Management?
Crisis management goals
• Crisis management seeks to minimize the damage a crisis
causes. However, this does not mean crisis management is
the same thing as crisis response.
• Instead, crisis management is a comprehensive process that
is put into practice before a crisis even happens.
• Crisis management practices are engaged before, during and
after a crisis.
Why do we need Risk Management?
Recovery crisis management vs. risk management
• Before a crisis begins, pre-crisis planning aims to identify risks and then find
ways to mitigate or lessen those risks.
• It is important to note, however, that crisis management and risk
management are two different things.
• Risk management means looking for ways to minimize risks. Crisis
management involves figuring out the best way to respond when an
incident does occur.
• As such, risk management is an important part of crisis management, but
crisis management covers incident response, whereas risk management
usually does not.
Why do we need Risk Management?

Without good risk management practices, government cannot manage

its resources effectively. Risk management means more than preparing
for the worst; it also means taking advantage of opportunities to
improve services or lower costs.

Sheila Fraser, Auditor General of Canada

What are your thoughts on risk management?
What are your thoughts on risk management?

Risk management is an essential tool

for ensuring your business operates in
a safe and secure manner.
i. But how can you ensure your business is as safe as possible?
ii. How can you identify risks before they become costly problems?
iii. And how can you mitigate those risks so they don't grow into big
problems?
• In short, risk management is all about
anticipating and controlling the risks associated
with your business operations.
• Risk management begins at the very beginning of
your business, with thoughtful planning.
• It continues throughout the life of your business
by monitoring key performance indicators and
adjusting your strategy as necessary to minimize
or eliminate potential threats.
• And it ends when you close out your business for
good.
• Risk management may not seem like an obvious
topic for entrepreneurs, but it's essential
regardless of whether you're running a tiny one-
person side project or a large multinational
corporation. The only way to ensure your
business stays afloat is to anticipate and control
the risks that come with it.
What are some of the biggest risks that
businesses face?
 What are some of the biggest risks that businesses face?

•Risks are one of the biggest concerns for any business owner.
In fact, many small businesses fail because of major risks and
mistakes that they make along the way.

• These risks can include any number of things, such as fraud

or a lack of customers.
• Other common risks include financial
problems or poor product quality.
• No matter what kind of business you're
running, you should always be aware of
potential risks and take steps to reduce them
as much as possible.
The biggest risks that businesses face are:

 Not having enough capital to start up and grow.

 Not being able to get enough funding to fund expansion or take on

new employees.
 Not being able to find a good location for their business.

 Not being able to find qualified employees.

The biggest risks that businesses face are:

 Not knowing how to market their business.

 Not knowing how to deal with regulatory compliances.

 Not understanding the laws of the area where they want to operate.

 Not knowing how to manage a business effectively when it grows

large enough and becomes too complex for one person to handle
Why do you think risk management is important
for businesses?
 Why do you think risk management is important for businesses
?

Risk management is important to any business because it helps to identify

he potential risks and take steps to minimize those risks.
Businesses that are well-versed in risk management can be more
uccessful than those that aren’t because they know how to prepare for
otential problems and how to prevent them from happening.
Being able to identify risk early on can help businesses avoid major issues
• There are several different types of risk that a business can face,
including financial risk and operational risk.
• Financial risk refers to the possibility of losses due to unexpected
events, such as an economic downturn or a decline in customer
spending.
• Operational risk refers to the possibility of loss due to poor decision-
making or other factors within the organization.
Risk management helps businesses address all of these types
of risk and reduce their chances of experiencing any issues.
• By taking steps such as identifying potential risks early
on and implementing proper procedures, businesses
can increase their chances of success and profitability.
Explain the meaning of risk breakdown structu
re?
Explain the meaning of risk breakdown structure?

 This is one of the most important risk analyst interview questions. Risk breakdown
structure is a term used in risk management to describe the relationship between
risks facing an organization and the resources available to address them.
 It is also sometimes referred to as risk budgeting. Risk breakdown structure is a tool
used by organizations to help them prioritize their risks, allocate resources, and
evaluate and control risk exposure.
• One of the key roles of risk breakdown structure is
to define the relative importance of each risk. This
means that it should be possible to rank all of the
risks facing an organization from most important to
least important. This helps the organization make
informed decisions about which risks should be
given priority.
• Risk breakdown structure can also be used
to determine which resources are needed in
order to address each risk. For example, it
may be necessary to hire more people or
purchase additional equipment in order to
reduce the risk of system failure.
• Finally, risk breakdown structure can be used to
evaluate how well an organization is managing
its risks. This can help organizations identify
areas where they need to improve, so that they
can create a safer working environment for
employees.
Have you ever had a risk management plan fail
?
Have you ever had a risk management plan fail?

 We all face risks, but it is important to understand the risk management process
and be aware of your organization's current strengths and weaknesses.
A risk management plan is a structured, comprehensive approach to managing
risk across an organization's key mission, business processes, and resources.
 It should include a clear understanding of the organization's goals and objectives,
strategic plans, financial position and risk tolerance level.
• It should also include a comprehensive set of measurements that can
be used to assess the effectiveness of the plan. Risk management plans
are most effective when they are regularly reviewed by all
stakeholders. This can be done through formal or informal meetings,
or through regular check-ins throughout the year.
Organizations should also make sure that their policies are clear and
well-defined so that everyone is on the same page as it relates to risk
management. The risk management interview questions and answers
assess your abilities and capabilities for the job you are applying for.
Are there any types of risks that you don't
worry about?
Are there any types of risks that you don't worry about?

 There are a number of risks that you might not think about when it comes
to investing in real estate. First, there’s the risk of losing money. Investing
in real estate can be a long-term venture and can take several years before
you start seeing your Return on Investment. If you don’t have the
patience to wait that long, you might want to consider an alternative
investment option.
• There are also other risks associated with investing in real estate, such
as changing property values and rising interest rates. These changes
can affect your overall return on investment, so it’s important to keep
an eye on them. Finally, there is the risk of fraud and scams.
• Many people have reported being scammed out of their hard-earned
money by fraudulent real estate agents and websites. It’s important to
do your research before committing any money to a real estate
investment opportunity.
As a risk manager, how can you ensure monitor
ing and control of risks?
As a risk manager, how can you ensure monitoring and control
of risks?

•Risk management, in its simplest form, is the act of

identifying and controlling risks. It is the process of
monitoring and controlling risks to ensure that they do
not cause any problems for the organization that would
result in loss of money, assets, or reputation.
•There are a number of ways that you can go about risk management.
 You can look at your current processes to see if there are any gaps and try to fill those
gaps.
 You can also take steps to reduce the likelihood of a problem occurring in the first
place.
 Finally, you can set up systems and processes to help you monitor and control risks as
they occur.

•By taking these steps, you can greatly improve your ability to identify and control risks.
Risk importance

Following the events in the world financial system during 2008, all
organizations are taking a greater interest in risk and risk management.

It is increasingly understood that the clear management of risks brings

benefits.
Risk importance Cont…

(i) Operations will become more efficient

Operations will become more efficient because events that can cause
disruption will be identified in advance and actions taken to reduce the
likelihood of these events occurring, reducing the damage caused by
these events and containing the cost of the events that can cause
disruption to normal efficient production operations.
Risk importance Cont…

(ii) Processes will be more effective

Processes will be more effective, because consideration will have been given to
selection of the processes and the risks involved in the alternatives that may
be available.

Also, process changes that are delivered by way of projects will be more
effectively and reliably delivered.
Risk importance Cont…

(iii) Strategy will be more efficacious (effective)

Strategy will be more efficacious in that the risks associated with

different strategic options will be fully analyzed and better strategic
decisions will be reached.

Efficacious refers to the fact that the strategy that will be developed will
be fully capable of delivering the required outcomes.
Risk importance Cont…

It is no longer acceptable for organizations to find themselves in a

position whereby unexpected events cause financial loss, disruption to
normal operations, damage to reputation and loss of market presence.
Stakeholders now expect that organizations will take full account of the
risks that may cause interruption within operations, late delivery of
projects or failure to deliver strategy.
Why do we need Risk Management?
Cont…

(i) Promotes good management

(ii) May be a legal requirement depending upon industry or sector

(iii) Resources available are limited therefore a focused response to Risk

Management is needed
 Why bother with RM?

(i) Increase risk awareness – What could affect the achievement of

objectives? What could change? What could go wrong? What could go
right?

(ii) Increase understanding of risk – sensitivities. What makes my risks

increase/decrease/disappear?

(iii) Promote a “healthy” risk culture – It’s safe to talk about risk. Open
and transparent.
60
 Why bother with RM?
Cont….
• Is proactive…. not reactive – Prepare for risks before they happen.
Identify risks and develop appropriate risk mitigating strategies.

• Improve outcomes – achievement of objectives (corporate,

clinical, etc)

• Really comes to down to simple good management

• Enables accountability, transparency and responsibility

• And may be even mean survival 61

Risk Equation
Risk = Vulnerability x Threat x Impact
*Probability

• Vulnerability = An error or a weakness in the design,

implementation, or operation of a system.
• Threat = An adversary that is motivated to exploit a system
vulnerability and is capable of doing so
• Impact = the likelihood that a vulnerability will be exploited or
that a threat may become harmful.
• *Probability = likelihood already factored into impact.
Types of risks

(i) Risk may have positive or negative outcomes or may simply result in
uncertainty.

• Therefore, risks may be considered to be related to an opportunity or

a loss or the presence of uncertainty for an organization.

• Every risk has its own characteristics that require particular

management or analysis.
3 Types of risks

Risks are divided into three categories:

(i) Hazard (or pure) risks;

(ii) Control (or uncertainty) risks;

(iii) Opportunity (or speculative) risks.

(i) 3 Types of Pure Risks (What
is Pure Risk)
Pure risks are types of risk where no profit or gain is possible and only
full loss, partial loss or break-even situation are probable outcomes.
There are three types of pure risk.
(a) Personal,
(b) property and
(c) liability
3 Types of Pure Risks (What is
Pure Risk)
(a) Personal risk
These are the risks that directly affect the individual’s capability to earn
income. Personal risks can be classified into the following types:
(i) Premature Death: Death of the bread earner with unfulfilled or un
provided financial obligations.
3 Types of Pure Risks (What is
Pure Risk)
(ii) Old Age: It refers to the risk of not having sufficient income at the
age of retirement or the age becoming so that mere is a possibility
that the individual may not be able to earn the livelihood.
(iii) Sickness or Disability: The risk of poor health or disability of a
person to earn the means of survival. E.g. the possibility of damage to
limbs of a driver due to an accident.
(iv) Unemployment: The risk of unemployment due to socio-economic
factors resulting in financial insecurity.
3 Types of Pure Risks (What is
Pure Risk)
(b) Property risk
• These are the risks to the persons in possession of the property being
damaged or lost.
• The immovable like land and building being damaged due to flood,
earthquake or fire, the movables like appliances and personal assets
being destroyed due to the fire or stolen.
3 Types of Pure Risks (What is
Pure Risk)
• The losses may be direct or indirect/consequential.
• A direct loss implies the visible financial loss to the property due to
mis-happenings.
• Whereas, the indirect ones are the losses arising from the occurrence
of an incident resulting in direct/physical damages or loss.
• The loss to crops due to flood is a direct loss, the destruction of the
growing power is a consequential one.
3 Types of Pure Risks (What is
Pure Risk)
(c) Liability risks
• These are the risks arising out of the intentional or unintentional
injury to the persons or damages to their properties through
negligence or carelessness.
3 Types of Pure Risks (What is
Pure Risk)
• Liability risks generally arise from the law. E.g. liability of the employer
under the workmen’s compensation law or other labor laws in India.
In addition to the above categories, risks may also arise due to the
failure of others.
• For example,
• The financial loss arising from the non-performance or standard
performance in a contract – in engineering/ construction contracts.
Hazard (or pure) risks;

• There are certain risk events that can only result in negative outcomes.
These risks are hazard risks or pure risks, and these may be thought of as
operational or insurable risks.

• In general, organizations will have a tolerance of hazard risks and these

need to be managed within the levels of tolerance of the organization.

• A good example of a hazard risk faced by many organizations is that of

theft.
Hazard (or pure) risks;Cont…

• Hazard risks are the most common risks associated with

organizational risk management, including occupational health and
safety programs.

• There are certain risks that give rise to uncertainty about the outcome
of a situation.
 (ii) Control (or uncertainty) risks

• These can be described as control risks and are frequently associated

with project management.

• In general, organizations will have a dislike to control risks.

Uncertainties can be associated with the benefits that the project
produces, as well as uncertainty about the delivery of the project on
time, within budget and to specification.
Control (or uncertainty) risks

• The management of control risks will often be undertaken in order to

ensure that the outcome from the business activities falls within the
desired range.

• Control risks are associated with unknown and unexpected events. They
are sometimes referred to as uncertainty risks and they can be
extremely difficult to quantify. Control risks are often associated with
project management.
control (or uncertainty) risks Cont…

• In these circumstances, it is known that the events will occur, but the
precise consequences of those events are difficult to predict and
control.

• Therefore, the approach is based on minimizing the potential

consequences of these events.
3. opportunity (or speculative) risks

• At the same time, organizations deliberately take risks, especially

marketplace or commercial risks, in order to achieve a positive return.
These can be considered as opportunity or speculative risks, and an
organization will have a specific appetite for investment in such risks.
opportunity (or speculative) risks
Cont…
• There are two main aspects associated with opportunity risks.

There are risks/dangers associated with taking an opportunity, but

there are also risks associated with not taking the opportunity.

• Opportunity risks may not be visible or physically apparent, and they

are often financial in nature.
(iii) opportunity (or speculative)
risks
• Although opportunity risks are taken with the intention of having a
positive outcome, this is not guaranteed.

• Opportunity risks for small businesses include moving a business to a

new location, acquiring new property, expanding a business and
diversifying into new products.
Risk Appetite & Risk Tolerance
• Risk Appetite Is the total exposed amount that an organization wishes
to undertake on the basis of risk -return trade-offs for one or more
desired and expected outcomes
• Risk Tolerance Is the amount of uncertainty an organization is
prepared to accept in total or more narrowly within a certain business
unit, a particular risk category or for a specific initiative
REASONS FOR HAVING RISK APPETITE STATEMENT

• Resolving tensions in the business plan

• Communicating the board’s vision in practical terms
• Articulating acceptable risks
• Quantifying risks
• Aligning incentives
• Branding the firm
• Strengthening controls
• External party dealings
• More accurate budgeting
THREE STEPS IN DEVELOPING
RISK APPETITE

(i) Develop risk appetite

(ii) Communicate risk appetite
(iii) Monitor and update risk appetite
EXAMPLES OF RISK APPETITE STATEMENTS

(i) The organization has a higher risk appetite related to strategic

objectives and is willing to accept higher losses in the pursuit of
higher returns
(ii) The organization has a low risk appetite related to risky ventures
and therefore is willing to invest in new business but with low
appetite for potential losses
(iii) A manufacturer of engineered wood products has adopted a higher
risk appetite relating to product defects in accepting the cost savings
from lower -quality raw materials
EXAMPLES OF RISK TOLERANCE STATEMENTS

(i) While we expect a return of 18% on this investment, we are not

willing to take more than a 25% chance that the investment leads to a
loss of more than 50% of our existing capital
(ii) We will not accept more than a 5% risk that a new line of business
will reduce our operating earnings by more than 5% over the next ten
years
RISK ENVIRONMENT
(i) Risk Culture
Consists of the norms and traditions of behavior of individuals and of
groups within an organization that determine the way in which they
identify, understand, discuss and act on the risk the organization
confronts and takes
(ii) Risk Attitude
Is the organization or individuals’ view/perspective of the perceived
qualitative and quantitative value that may be gained in comparison to
the related potential loss or losses
MEASURING RISKS
Risk Target
Is a desired level of risk that the organization believes is optimal to
meet its objective
• Risk Capacity
Is the amount of risk an organization can actually bear
COMMUNICATE RISK APPETITE
• Risk appetite and tolerance statements are meaningless if they are not
part of the daily management decisions
• Specific enough to be monitored by management and others
responsible for risk management
• Impact scales can be determined per project, aggregated per
operational or business unit
• Key Risk Indicators can warn of impact to project or operational activity
• Use Value Maps to show both threats and opportunities to the
organization
the distinction between hazard,
control and opportunity risks
Example of Computer viruses

• Virus infection is an operational or hazard risk and there will be no

benefit to an organization suffering a virus attack on its software
programs.

• When an organization installs or upgrades a software package, control

risks will be associated with the upgrade project.
the distinction between hazard,
control and opportunity risks
• Example of Computer viruses CONT….

The selection of new software is also an opportunity risk, where the intention is
to achieve better results by installing the new software, but it is possible that
the new software will fail to deliver all of the functionality that was intended
and the opportunity benefits will not be delivered.

In fact, the failure of the functionality of the new software system may
substantially undermine the operations of the organization
Inherent/ Obsolute / Gross level
of risk
• It is important to understand the uncontrolled level of all risks that have
been identified.

• This is the level of the risk before any actions have been taken to change
the likelihood or magnitude of the risk.

• Although there are advantages in identifying the inherent level of risk,

there are practical difficulties in identifying this with certain types of risks.
Inherent/ Obsolute / gross level
of risk
Crossing the road

• Crossing a busy road would be inherently dangerous if there were no

controls in place and many more accidents would occur.

• When a risk is inherently dangerous, greater attention is paid to the

control measures in place, because the perception of risk is much
higher.
Crossing the road CONT….

Pedestrians do not cross the road without looking and drivers are
always aware that pedestrians may step into the road.

Often, other traffic calming control measures are necessary to reduce

the speed of the motorists or increase the risk awareness of both
motorists and pedestrians.
Question
• Not all risk is bad, some level of risk must be taken in order to
progress / prevent stagnation.
• Discuss
Example
By taking a proactive approach to risk and risk management,
organizations will be able to achieve the following three areas of
improvement:
It has been observed that By taking a proactive approach to risk and
risk management, organizations will be able to achieve the objectives
and goals. discuss
(i) Operations will become more efficient
(ii) Processes will be more effective
(iii) Strategy will be more efficacious