RISK MANAGEMENT

• Risk management is the process of measuring or assessing risk and developing strategies to manage it.
• Risk management is a systematic approach to identifying, analyzing and controlling areas or events with a potential for causing unwanted change.
• Risk management is the act or practice of controlling risk. It includes risk planning, assessing risk areas, developing risk handling options, monitoring risks to determine how risks have changed and documenting the overall risk management program.
• As defined by the International Organization for Standardization (ISO 31000), risk management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor and control the probability and/or impact of unfortunate events and to maximize the realization of opportunities.
• It is through risk management that risks to any specific program are assessed and systematically managed to reduce risk to an acceptable level. Risks can come from uncertainty in financial markets, project failures, legal liabilities, credit risks, accidents, natural causes and disasters, as well as deliberate attack from an adversary or events of uncertain or unpredictable root cause.

BASIC PRINCIPLES OF RISK MANAGEMENT

The International Organization for Standardization (ISO) identifies the basic principles of risk management. Risk management should:

1. create value - resources spent to mitigate risk should be less than the consequence of inaction, i.e., the benefits should exceed the costs
2. address uncertainty and assumptions
3. be an integral part of the organizational processes and decision-making
4. be dynamic, iterative, transparent, tailorable, and responsive to change
5. create capability of continual improvement and enhancement considering the best available information and human factors
6. be systematic, structured and continually or periodically reassessed

PROCESS OF RISK MANAGEMENT

According to the standard ISO 31000 "Risk management - Principles and Guidelines on Implementation," the process of risk management consists of several steps as follows:

1. Establishing the Context. This will involve:
   a. Identification of risk in a selected domain of interest.
   b. Planning the remainder of the process.
   c. Mapping out the following:
      i. the social scope of risk management
      ii. the identity and objectives of stakeholders
      iii. the basis upon which risks will be evaluated, constraints.
   d. Defining a framework for the activity and an agenda for identification.
   e. Developing an analysis of risks involved in the process.
   f. Mitigation or solution of risks using available technological, human and organizational resources.
2. Identification of potential risks. Risk identification can start with the analysis of the source of the problem or with the analysis of the problem itself. Common risk identification methods are:
   a. Objective-based risk
   b. Scenario-based risk
   c. Taxonomy-based risk
   d. Common-risk checking
   e. Risk charting
3. Risk assessment. Once risks have been identified, their potential severity of impact and the probability of occurrence must be assessed. The assessment process is critical to making the best educated decisions in prioritizing the implementation of the risk management plan.

Risks Associated With Investments

Although a single risk premium must compensate the investor for all the uncertainty associated with the investment, numerous factors may contribute to investment uncertainty. The factors usually considered with respect to investments are:

• business risk - Business risk refers to the uncertainty about the rate of return caused by the nature of the business.
• financial risk - The firm's capital structure or sources of financing determine financial risk.
• liquidity risk - Liquidity risk is associated with the uncertainty created by the inability to sell the investment quickly for cash.
• default risk - Default risk is related to the probability that some or all of the initial investment will not be returned.
• interest rate risk - Because money has time value, fluctuations in interest rates will cause the value of an investment to fluctuate also.
• management risk - Decisions made by a firm's management and board of directors materially affect the risk faced by investors. Areas affected by these decisions range from product innovation and production methods (business risk) and financing (financial risk) to acquisitions.
• purchasing power risk - Purchasing power risk is perhaps more difficult to recognize than the other types of risk. It is easy to observe the decline in the price of a stock or bond, but it is often more difficult to recognize that the purchasing power of the return you have earned on an investment has declined (risen) as a result of inflation (deflation).

Risks Associated With Manufacturing, Trading, and Service Concerns

a. Market Risk
   • Product Risk
   • Competitor Risk
b. Operations Risk
   • Process Stoppage
   • Health and Safety
   • After Sales Service Failure
   • Environmental
   • Technological Obsolescence
   • Integrity
c. Financial Risk
   • Interest Rates Volatility
   • Foreign Currency
   • Liquidity
   • Derivative
   • Viability

POTENTIAL RISK TREATMENTS

ISO 31000 also suggests that once risks have been identified and assessed, techniques to manage the risks should be applied. These techniques can fall into one or more of these four categories:

o Avoidance
o Reduction
o Sharing
o Retention

Risk Avoidance

This includes not performing an activity that could carry risk. An example would be not buying a property or business in order not to take on the legal liability that comes with it. Avoiding risks, however, also means losing out on the potential gain that accepting (retaining) the risk may have allowed.
Not entering a business to avoid the risk of loss also avoids the possibility of earning profits.

Risk Reduction

Risk reduction or optimization involves reducing the severity of the loss or the likelihood of the loss occurring. Optimizing risks means finding a balance between the negative risk and the benefit of the operation or activity, and between risk reduction and effort applied. Outsourcing could be an example of risk reduction if the outsourcer can demonstrate higher capability of managing or reducing risks.

Risk Sharing

Risk sharing means sharing with another party the burden of loss or the benefit of gain from a risk, and the measures to reduce a risk.

Risk Retention

Risk retention involves accepting the loss or benefit of gain from a risk when it occurs. Self-insurance falls in this category. All risks that are not avoided are transferred or retained by default. Also, any amount of potential loss over the amount insured is retained risk. This is acceptable if the chance of a very large loss is small or if the cost to insure for greater coverage involves a substantial amount that could hinder the goals of the organization.

STEPS IN THE RISK MANAGEMENT PROCESS

To enhance management's competence in their oversight role on risk management, the following steps may be followed:

1. Set up a separate risk management committee chaired by a board member.
   o Creation of a risk management committee at board level will demonstrate the firm's commitment to adopt an integrated company-wide risk management system.
2. Ensure that a formal comprehensive risk management system is in place. This fully documented formal system will provide a clear vision of the board's desire for effective company-wide risk management as well as awareness of the risks, internal and external, that the company faces.
3. Assess whether the formal system possesses the necessary elements.
   o The key elements that the company-wide risk management system should possess are:
      i. goals and objectives
      ii. risk language identification
      iii. organization structure and
      iv. the risk management process documentation
   o The risk organizational structure should include formal charters, levels of authorization, reporting lines and job descriptions.
   o The risk management process shall include the following steps:
      a. Assessment of risks: identification; determination of their source
      b. Development of action plans: reduce, avoid, retain, transfer or exploit
      c. Implementation of action plans
      d. Monitoring and reporting of risk management performance
      e. Continuous improvement of risk management capabilities
4. Evaluate the effectiveness of the various steps in the assessment of the comprehensive risks faced by the business firm.
   o The risk assessment step, which includes risk identification and determination of their sources and measurement, represents the foundation for the rest of the procedures. This step is performed by responsible managers, i.e., finance officers, production managers, marketing managers and human resource managers.
   o This process culminates in the presentation of the risk profile or risk map to the board of directors.
5. Assess if management has developed and implemented the suitable risk management strategies and evaluate their effectiveness.
   o The risk profile highlights all the significant possible risks identified, prioritized and measured by the risk management system.
   o Strategies are developed to manage and resolve these identified risks. These will include the process, people, management feedback methodologies and systems.
   o Strategies may include avoidance, reduction, transfer, exploitation and retention of risks.
6. Evaluate if management has designed and implemented risk management capabilities.
   o Directors must continue to monitor and assess if management has been implementing designed risk management capabilities.
   o Risk management capabilities include processes, people, reports, methodologies and technologies needed.
     These components should be complete and aligned for the risk management structure to function effectively.
7. Assess management's efforts to monitor overall company risk management performance and to improve continuously the firm's capabilities.
   o Risk management performance must be monitored on a continuing basis, and the organization must be ready to innovate its approaches to be in line with the changing times.
   o Monitoring is done by all concerned parties such as senior managers, process owners and risk owners.
   o An independent reviewer can also be appointed to validate results.
8. See to it that best practices as well as mistakes are shared by all.
   o This involves regular communication of results and feedback to all concerned.
   o There should be an open communication channel to ensure that all risk management participants, particularly senior management, are informed of risk incidents or the threat of a risk incident. This will go a long way towards attaining the company's risk management vision.
9. Assess regularly the level of sophistication of the firm's risk management system.
10. Hire experts when needed.