“Without good risk management practices, government cannot manage its
resources effectively. Risk management means more than preparing for the worst: it
also means taking advantage of opportunities to improve services or lower costs.”
1. What is risk management?
A proactive attempt to recognize and manage internal events and
external threats that affect the likelihood of a project’s success.
- The process involved with identifying, analyzing, and responding to risk. It
includes maximizing the results of positive risks and minimizing the
consequences of negative events.
- Risk management is a process with three phases: (a) risk identification
and assessment, (b) risk response strategies, or what to do about the
risks, and (c) management to reduce the frequency and severity of the
risks through an operational plan.
2. Areas/types of risk management
3. What is risk assessment?
Risk assessment is a systematic process for identifying and evaluating events (i.e.,
possible risks and opportunities) that could affect the achievement of objectives,
positively or negatively. Such events can be identified in the external environment
(e.g., economic trends, regulatory landscape, and competition) and within an
organization’s internal environment (e.g., people, process, and infrastructure).
When these events intersect with an organization’s objectives—or can be predicted
to do so—they become risks. Risk is therefore defined as “the possibility that an
event will occur and adversely affect the achievement of objectives.”
Risk assessment can therefore be conducted at various levels of the organization.
The objectives and events under consideration determine the scope of the risk
assessment to be undertaken. Examples of frequently performed risk assessments include:
• Strategic risk assessment. Evaluation of risks relating to the organization’s
mission and strategic objectives, typically performed by senior management teams
in strategic planning meetings, with varying degrees of formality.
• Operational risk assessment. Evaluation of the risk of loss (including risks to
financial performance and condition) resulting from inadequate or failed internal
processes, people, and systems, or from external events. In certain industries,
regulators have imposed the requirement that companies regularly identify and
quantify their exposure to such risks. While responsibility for managing the risk lies
with the business, an independent function often acts in an advisory capacity to help assess these risks.
• Compliance risk assessment. Evaluation of risk factors relative to the organization’s compliance obligations, considering laws and regulations, policies and procedures, ethics and business conduct standards, and contracts, as well as strategic voluntary standards and best practices to which the organization has committed. This type of assessment is typically performed by the compliance function with input from business areas.
• Internal audit risk assessment. Evaluation of risks related to the value drivers of the organization, covering strategic, financial, operational, and compliance objectives. The assessment considers the impact of risks to shareholder value as a basis to define the audit plan and monitor key risks. This top-down approach enables the coverage of internal audit activities to be driven by issues that directly impact shareholder and customer value, with clear and explicit linkage to strategic drivers for the organization.
• Financial statement risk assessment. Evaluation of risks related to a material misstatement of the organization’s financial statements through input from various parties such as the controller, internal audit, and operations. This evaluation, typically performed by the finance function, considers the characteristics of the financial reporting elements (e.g., materiality and susceptibility of the underlying accounts, transactions, or related support to material misstatement) and the effectiveness of the key controls (e.g., likelihood that a control might fail to operate as intended, and the resultant impact).
• Fraud risk assessment. Evaluation of potential instances of fraud that could impact the organization’s ethics and compliance standards, business practice requirements, financial reporting integrity, and other objectives. This is typically performed as part of Sarbanes-Oxley compliance or during a broader organizationwide risk assessment, and involves subject matter experts from key business functions where fraud could occur (e.g., procurement, accounting, and sales) as well as forensic specialists.
• Market risk assessment. Evaluation of market movements that could affect the organization’s performance or risk exposure, considering interest rate risk, currency risk, option risk, and commodity risk. This is typically performed by market risk specialists.
• Credit risk assessment. Evaluation of the potential that a borrower or counterparty will fail to meet its obligations in accordance with agreed terms. This considers credit risk inherent to the entire portfolio as well as the risk in individual credits or transactions, and is typically performed by credit risk specialists.
• Customer risk assessment. Evaluation of the risk profile of customers that could potentially impact the organization’s reputation and financial position. This assessment weighs the customer’s intent, creditworthiness, affiliations, and other relevant factors. This is typically performed by account managers.
• Supply chain risk assessment. Evaluation of the risks associated with identifying the inputs and logistics needed to support the creation of products and services, including selection and management of suppliers (e.g., up-front due diligence to qualify the supplier, and ongoing quality assurance reviews to assess any changes that could impact the achievement of the organization’s business objectives).
• Product risk assessment. Evaluation of the risk factors associated with an organization’s product, from design and development through manufacturing, distribution, use, and disposal. This assessment aims to understand not only the revenue or cost impact, but also the impact on the brand, interrelationships with other products, dependency on third parties, and other key considerations. This type of assessment is typically performed by product management groups.
• Security risk assessment. Evaluation of potential breaches in an organization’s physical assets and information protection and security. This considers infrastructure, applications, operations, and people, and is typically performed by an organization’s information security function.
• Information technology risk assessment. Evaluation of potential for technology system failures and the organization’s return on information technology investments. This assessment would consider such factors as processing capacity, access control, data protection, and cyber crime. This is typically performed by an organization’s information technology risk and governance specialists.
• Project risk assessment. Evaluation of the risk factors associated with the delivery or implementation of a project, considering stakeholders, dependencies, timelines, cost, and other relevant factors. This is typically performed by project management teams.

The examples described above are illustrative only. Every organization should consider what types of risk assessments are relevant to its objectives. The scope of risk assessment that management chooses to perform depends upon priorities and objectives. It may be broad but high level: e.g., an enterprise-level risk assessment or a top-down view that considers the broad strategic, operational, reporting, and compliance objectives. Such a view captures a high-level view of related risks and can be used, as necessary, to drill down further into a specific area of concern. It may be narrow and specific to a particular risk, as in some of the examples above. Assessments may also be broad and deep, as with an enterprise-wide risk assessment or an integrated top-down and bottom-up view, using a common set of criteria and a central repository for the assessment data.

4. How to conduct quantitative risk assessment?
Essential steps for performing a risk assessment
Performing a risk assessment requires defining and consistently applying an approach that is tailored to the organization. Any risk assessment exercise should begin with the establishment of a scope and plan, considering objectives, responsibilities, timing, and input and output requirements. Responsibilities in the risk assessment process are assigned to those parties that can provide meaningful perspective on relevant risks (e.g., not only line management but also cross functional representation). Sources of input are determined based on available information (e.g., prior assessments, loss data, KRIs, lessons learned). Output requirements are established based on the specific requirements of sponsors and other stakeholders (e.g., the board, senior management, regulators, stockholders, or business partners). Once the scoping and planning are agreed, the execution of the risk assessment process should include the following essential steps:

1. Identify relevant business objectives. It is important to begin by understanding the relevant business objectives in scope for the risk assessment: the strategic, operational, compliance, and reporting objectives of the organization and its subsets (e.g., business units, geographies) and associated risks. Objectives are defined at various levels of the organization (e.g., location, division, enterprise-wide), and it is important to understand how they are developed. Objectives are typically laid out in annual reports, presentations to analysts, business unit strategic plans, functional unit charters, project/investment plans, and management documents. Typically, the organization’s critical success factors are identified, an analysis of strengths, weaknesses, opportunities, and threats (SWOT) is performed, or a strategy map is developed depicting the cause-and-effect relationships underpinning the organization’s creation of shareholder value. Such underlying analysis helps illuminate not only the objectives but also key considerations from the perspective of stakeholders, such as customers and regulators, and ensures the resulting risk assessment and management plan is relevant to the critical objectives of the organization. These will provide a basis for subsequently identifying potential risks that could affect the achievement of objectives. The scope of the risk assessment may focus on objectives that are related to strategy, operations, compliance, and/or reporting. Based on the organization’s objectives, it is important to understand how these fit in with the strategy and how much risk the organization is willing to assume in pursuit of these objectives. Different strategies create exposure to different risks, and different levels of risk appetite guide different levels of resource allocation to respond to those risks. The focus on business objectives helps ensure relevance and facilitates the integration of risk assessments across the organization. For example, as previously discussed, an internal audit risk assessment that is most effective and maximizes value aligns internal audit activities to key organizational objectives.

2. Identify events that could affect the achievement of objectives. Once the scope has been agreed and the relevant objectives identified, the designated owners of the risk assessment should develop a preliminary inventory of events that could impact the achievement of the organization’s objectives. “Events” refers to prior and potential incidents occurring within or outside the organization that can have an effect, either positive or negative, upon the achievement of the organization’s stated objectives or the implementation of its strategy and objectives. Various taxonomies or libraries of common event types can help initiate the identification process. A review of the external environment helps identify outside events that may have impacted the organization’s shareholder value in the past or may impact it in the future. Drivers to consider include economic, political, social, technological, and natural environmental events, which can be identified through external sources such as media articles, analyst and rating agency reports, and insurance broker assessments. To illustrate the value of such external research, consider the external disclosure snapshot in Figure 3, which illustrates the percentage of average quarterly operating income by business unit and region in relation to volatility of earnings as a percentage of operating income. From this information, a “risk/reward” measure can be derived to understand how levels of volatility affect operating income. This measure helps the organization pinpoint relative risk in earnings potential and target dependencies within lines of business.

3. Determine risk tolerance. Risk tolerance is the acceptable level of variation relative to the achievement of a specific objective, and should be weighed using the same unit of measure applied to the related objective. Risk tolerance considers the relative importance of objectives and aligns with risk appetite. Risk appetite must be clearly defined and reflected in risk tolerances and risk limits to help ensure that organizational objectives can be achieved. Risk tolerances should be defined for each key risk type. For example, as an airline considers its objective of superior on-time service, it should include various marketing, customer service, and operational factors to determine its risk tolerance. The airline’s pre-existing target of 85% on-time flight arrival may have generally been achieved over the years and be in line with messages in its marketing program, yet it may find that the industry average for on-time arrival has been around 80% and that there is minimal effect on customer flight bookings when on-time arrival statistics temporarily decrease to this level. The airline may also find that the cost to achieve more than 87% on-time arrival is prohibitive and cannot be passed through in ticket prices. With the added pressure to keep costs down and based on this information, management may therefore maintain the objective of 85% average on-time arrival, with a tolerance of between 82% and 86%. Looking at the tolerances for multiple objectives such as customer retention and cost containment, management is better able to allocate resources to ensure reasonable likelihood of achieving outcomes across multiple objectives.

4. Assess inherent likelihood and impact of risks. Events identified as potentially impeding the achievement of objectives are deemed to be risks and should be evaluated based on the likelihood of occurrence and the significance of their impact on the objectives. It is important to first evaluate such risks on an inherent basis—that is, without consideration of existing risk responses and control activities. For example, an organization with headquarters on the banks of a river may seek to assess its exposure to the risk of flooding. On an inherent basis, it would consider the likelihood and impact of a flood by considering external data (such as the historical and projected frequency of floods) and internal data (such as the estimated damage to its physical assets if a flood were to occur). An impact and probability rating should then be assigned using defined risk rating scales. These individual risk ratings should then be brought together in the form of an inherent risk map (see Figure 5), which enables an analysis of risks not only on an individual level (e.g., high, medium, low) but also in relation to one another (e.g., a concentration of certain risks that potentially creates a greater overall risk exposure—for example, reputational damage—than the sum of the individual risk exposures, and the extent of positive or negative correlations between certain risks). Additionally, as risk assessments are refreshed over time, a risk map can allow analysis over time (e.g., upward or downward trend of risks).

In Figure 5, a number of risk categories are identified and linked to several types of objectives through the alphanumerical coding of the risks (e.g., regulatory—coded C7—is the seventh risk category related to the organization’s compliance objectives). The risks within each category may be individually rated and summarized to provide an aggregate rating for the risk category, or the risk category may be rated as a whole. The resulting score is then plotted on the risk map. Likelihood is labeled across the x-axis, from low to high in percentages. Impact is labeled over the y-axis, from low to high in dollar values. Item C7, relating to regulatory risk, shows increasing risk exposure, a likelihood of occurrence greater than 50%, and an impact, if this risk event occurred, of between $50 and $100 million. These ratings can be used to produce a risk map noting increasing, stable, or decreasing movement in risk exposure since the prior assessment. An inherent risk map provides a portfolio view of risk that prompts analysis and action. It helps determine which risk areas are most significant and should be the focus of a more detailed assessment or implementation of a specific risk response. It also enables analysis of interdependencies and relative prioritization of risks, and determination of risk responses. In short, the risk map can provide focus for management’s risk agenda.

5. Assess residual likelihood and impact of risks. Residual risk assessment considers both the risks as previously identified and the related risk response mechanisms and control activities in place to determine the impact and probability of their occurrence. In other words, it evaluates the adequacy and effectiveness of the internal checks and balances in place, providing reasonable assurance that the likelihood and impact of an adverse event is brought down to an acceptable level. Continuing with the individual risk example given in step 4, to rate the risk of flood damage on a residual basis, the likelihood and impact ratings should be assigned considering the risk response measures in place to protect critical systems and data against flooding (e.g., creation of an off-site IT and data storage center and an insurance policy to cover any residual damage). While these measures may not reduce the likelihood of a flood, they would help reduce the impact to the business if one were to occur. This residual risk assessment can help management determine whether risks are adequately controlled, over controlled, or under controlled in relation to the defined risk tolerance. Management can then determine any actions necessary to revise its risk responses or address design or effectiveness of controls.

6. Evaluate the portfolio of risks and determine risk responses. The organization can now bring its individual residual risk ratings together into a portfolio view to identify interdependencies and interconnections between risks, as well as the effect of risk responses on multiple risks. Based on the defined risk tolerance and inherent risk assessment, management can determine how to address the identified risks, considering their expected impact and likelihood of occurrence. All organizations need to take on a certain level of risk when conducting business in order to generate returns for their stakeholders. Appetite for risk and tolerance for deviation from objectives must form the basis for determining how to address risks. Accordingly, the organization should have defined risk tolerance levels to be used in relation to risk ratings to determine response strategies. Risk tolerance can vary from one risk type to another, depending on the importance to the organization’s key mission, values, and objectives. Typical risk response strategies are to accept, reduce, share, or avoid, as further described below. Figure 6 illustrates typical risk response strategies in relation to risk ratings. While the thresholds vary by risk category, risks that present low impact and low likelihood are typically accepted as part of the cost of doing business. No specific action is deemed necessary to further address these risks. Those risks that fall in between may require measures to reduce the impact and/or likelihood of these risks through strengthening or automation of controls. The organization may share the impact of these risks through the use of hedging instruments, outsourcing, or purchasing of insurance. Risks that present high impact and high likelihood are typically to be avoided, and risk mitigation actions should be undertaken to halt and exit activities that create such risk. Responses are often incremental and build on each other. For each risk category, responses to different “high” risks may vary, as depicted in Figure 6, and a portfolio view of risk exposures should be considered to adequately determine risk responses. Continuing with the example above, increasing an insurance policy may be a means to share the financial impact of damage in the case of a flood. Developing backup plans, acquiring new off-site facilities, and training the necessary resources may be a means to reduce identified risk. Risk responses are expected to bring the level of risk exposure down to defined risk tolerance levels. Control activities should be put in place and evaluated to ensure that these responses to risks are operating as intended. Risk responses may be “quick wins” that yield immediate results and/or longer-term process improvement initiatives to help achieve organizational objectives. Risk responses therefore often need to be prioritized based on cost/benefit and relative importance to the organization’s objectives and availability of resources. Action plans should be assigned to parties with the capability and authority to effect change, with specified milestones and timelines that are documented and tracked for completion. Successful implementation should translate into reduced risk exposures on the organization’s risk map.

Bringing it all together.

IMPORTANT QUANTITATIVE RISK ASSESSMENT (QRA) PREPARATION GUIDANCE
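Steps 4 to 6 above describe rating each risk on an inherent and a residual basis, plotting the ratings on a risk map, and choosing a response against a defined tolerance. The script below is an added example, not code from the document or from any of the sources it draws on; it implements that flow for a small risk register. The 1..5 rating scales, the response zones, the control multipliers, the tolerance bands and the two register entries (a regulatory item modelled on the C7 description and the riverside-flood example) are all constructed assumptions, chosen so the example runs offline; an organization would substitute its own scales and tolerances.

```python
"""Risk-map scoring with inherent and residual ratings (steps 4 to 6 above).

Added example, not from the original document. The rating scales, response
zones, control effects and register entries are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed 1..5 rating scales. Likelihood is a probability over the assessment
# horizon, impact a loss in USD (the text labels the map axes the same way:
# percentages on the x-axis, dollar values on the y-axis).
LIKELIHOOD_BANDS = [0.10, 0.25, 0.50, 0.75]
IMPACT_BANDS_USD = [1e6, 10e6, 50e6, 100e6]


def rate(value: float, bands: List[float]) -> int:
    """Map a raw value to a 1..5 rating: 1 if value <= bands[0], 5 if above bands[-1]."""
    return 1 + sum(1 for upper in bands if value > upper)


@dataclass
class Control:
    """A risk response already in place; the factors multiply probability and loss."""
    name: str
    likelihood_factor: float = 1.0
    impact_factor: float = 1.0


@dataclass
class Risk:
    code: str                       # alphanumeric code tying the risk to an objective type
    description: str
    probability: float              # inherent likelihood, before any controls
    impact_usd: float               # inherent loss if the event occurs
    tolerance: Tuple[int, int]      # acceptable residual score band (floor, ceiling)
    prior_score: Optional[int] = None
    transferable: bool = False      # impact can be shared (insurance, hedging)
    controls: List[Control] = field(default_factory=list)

    def inherent(self) -> Tuple[int, int]:
        return rate(self.probability, LIKELIHOOD_BANDS), rate(self.impact_usd, IMPACT_BANDS_USD)

    def residual(self) -> Tuple[int, int]:
        p, loss = self.probability, self.impact_usd
        for c in self.controls:
            p *= c.likelihood_factor
            loss *= c.impact_factor
        return rate(p, LIKELIHOOD_BANDS), rate(loss, IMPACT_BANDS_USD)


def response(likelihood: int, impact: int, transferable: bool) -> str:
    """Constructed response zones in the spirit of Figure 6: low/low is accepted,
    high/high is avoided, everything in between is reduced (or shared if transferable)."""
    if likelihood <= 2 and impact <= 2:
        return "accept"
    if likelihood >= 4 and impact >= 4:
        return "avoid"
    return "share" if transferable else "reduce"


def trend(score: int, prior: Optional[int]) -> str:
    """Movement since the prior assessment, as the text's increasing/stable/decreasing marker."""
    if prior is None:
        return "new"
    return "increasing" if score > prior else "decreasing" if score < prior else "stable"


def control_status(score: int, tolerance: Tuple[int, int]) -> str:
    floor, ceiling = tolerance
    if score > ceiling:
        return "under controlled"
    if score < floor:
        return "over controlled"
    return "adequately controlled"


def assess(risk: Risk) -> dict:
    il, ii = risk.inherent()
    rl, ri = risk.residual()
    return {
        "code": risk.code,
        "inherent": (il, ii),
        "inherent_score": il * ii,
        "trend": trend(il * ii, risk.prior_score),
        "inherent_response": response(il, ii, risk.transferable),
        "residual": (rl, ri),
        "residual_score": rl * ri,
        "residual_response": response(rl, ri, risk.transferable),
        "status": control_status(rl * ri, risk.tolerance),
    }


def portfolio(risks: List[Risk]) -> List[dict]:
    """Portfolio view (step 6): every risk, ordered from highest residual exposure down."""
    return sorted((assess(r) for r in risks), key=lambda a: a["residual_score"], reverse=True)


# Constructed register entries. C7 mirrors the Figure 5 description (likelihood above
# 50%, impact $50-100M, increasing); O3 is the riverside-flood example with the two
# responses the text names (off-site data center, insurance).
C7 = Risk("C7", "regulatory non-compliance", 0.60, 75e6, tolerance=(6, 12), prior_score=12,
          controls=[Control("compliance monitoring program", likelihood_factor=0.7)])
O3 = Risk("O3", "flood damage at headquarters", 0.05, 60e6, tolerance=(1, 4), transferable=True,
          controls=[Control("off-site IT and data center", impact_factor=0.5),
                    Control("flood insurance", impact_factor=0.3)])

if __name__ == "__main__":
    for entry in portfolio([O3, C7]):
        print(entry)
```

Run as a script it prints the two register entries with C7 first, since its residual score (12) exceeds the flood's (2). The flood shows the pattern the text describes: the controls leave the likelihood rating unchanged at 1 while the impact rating drops from 4 to 2, and the residual position moves the response from "share" to "accept" while staying inside its tolerance band.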

Identify Objective of Risk Assessment
Before work begins on a QRA, it is essential to understand how the results will be used. The end use will influence the format of the results, the scope of work, the methodologies to be used, and the format of the report. Some examples of particular requirements are:
• Regulatory requirement where many aspects of the QRA may be clearly defined. For example, in the European community, most regulators provide strong guidelines on report format and methodologies.
• Permitting where the legal process will set particular requirements and the possibility of legal discovery may be an important consideration. The report is likely to be submitted to the permitting authority and those responsible for preparation of the report may be asked to make depositions and appear at any hearing to give evidence in person. The level of detail provided in the assessment will be decided by the requirements of the legal process.
• Evaluation of alternatives on its own requires a much less detailed assessment than is needed for a fully quantified assessment. Only differences between alternatives need to be explored, an approach which is likely to be limited to comparative risks. For example, two different manufacturing routes may be under consideration, where much of the equipment is identical, with the only difference being the reactor itself. Consequently, the study can be limited to the reactor.
• Risk prioritization is used to rank potential hazards or system deficiencies for possible mitigation. In many instances in which only a limited number of hazards are involved, prioritization requires only the identification of potential hazards, and a qualitative assessment is sufficient. A risk ranking matrix is a common approach, but this will not provide the overall level of risk.
• Cost/benefit analysis is most commonly used to select risk mitigation measures for potential implementation. This requires an assessment of the reduction in risk if a particular measure is implemented. Most measures reduce either the likelihood of occurrence or the severity of the hazard. The assessment typically only addresses the relevant mitigation, recognizing that to quantify the absolute risk reduction would require a baseline risk assessment.
• Business interruption is caused not only by hazardous events, but also by mechanical and operational break-downs that pose no safety or environmental hazard. This requires a more comprehensive study of initiating events than a “standard” QRA. However, the output may be limited to the duration of any outage and the lost production associated with this outage. It is also important to recognize that the impact on the company may be reduced if your manufacturing capacity is not fully committed, if you have adequate inventory to cover the outage, or if alternative supply is available.
• Corporate policy may require all operations meeting particular criteria to be subject to QRA. This requirement is most often driven by a need to understand the risks facing the company and to manage the full set of risks to a tolerable level. The detail required in the assessment will vary according to the severity of the potential hazards and the size and importance of particular operations.
Quite often the need for QRA is driven by results from less rigorous risk studies, such as risk prioritization or process hazard analyses. In some cases a QRA may be justified when a recommendation from a more qualitative study will be expensive to implement and a more precise level of risk needs to be developed.

Specify Output Requirements
The format of the results must meet the requirements of the objective of the assessment. Examples of different requirements are:
• Absolute or comparative risk. Absolute risk estimates are generally needed where there is concern over the tolerability of the risk, if the systems to be compared are very different, or when the risks from different studies are to be added. Comparative risk estimates are used to choose between different options when there is no question about the tolerability of the risk. The only requirement is to order the different risks correctly.

• Qualitative or quantitative risk. Developing fully quantified risk assessments can be very expensive and time consuming. In many instances a qualitative study will provide sufficient data on which to base a decision. Qualitative (semi-quantitative) assessments rely on the experience and judgment of the assessment team, who will draw on their experience in conducting rigorous quantified assessments. Qualitative assessments are generally used for internal purposes. The results of qualitative assessments may determine the need for more rigorous QRA of certain operations.
• Results format. Risk may be presented in many different formats. The most common for fixed facilities are: (a) risk contours, which show individual risk on a geographic plot, and (b) F/N curves, which plot the number of fatalities or injuries against frequency of occurrence. There are many different possible formats. Selection of the results format or formats is driven by the objective of the study and the target audience. Factors that influence the selection include:
♦ Focus on individual or societal risk
♦ Interest in maximum versus average risk
♦ Focus on level of hazard or probability of injury
♦ Proximity and nature of surrounding population
♦ Fixed facility or transportation activity
♦ Regulatory requirements
The output requirements have a significant impact on the level of effort and cost required to complete the QRA. It is important to carefully select results formats that meet your needs.

Determine Scope of Assessment
The scope of the assessment must meet the objectives of the QRA. The following are examples of what might be included in the scope:
• On-site risk only is used where the hazards are known to be primarily limited to the immediate vicinity of the equipment or there is a “buffer” zone surrounding the facility.
• Off-site risk only is used when the focus of the study is impact on the surrounding community. For example, the US EPA is responsible for off-site hazards and its regulations focus on off-site risk.
• All or selected units at a particular facility may be covered by the QRA. Particularly where the focus is off-site risk, many units, such as utility units, pose no off-site threat and these may be excluded from the study. However, it may be necessary to consider risks at all units to make sure the study includes these initiating events, because an accident at one unit may impact an adjacent unit causing an off-site hazard. Individual units may also be considered if a screening of the units has indicated that some pose higher risks than others and should be considered sooner.
• Hazards from third parties operating facilities close to yours may cause damage at your facilities. In many industrial areas, land use planning has resulted in many different companies building facilities in close proximity to one another. An example of this is Rijnmond in the Netherlands. In some instances the regulators have coordinated QRA work so that this issue can be adequately addressed. Although it is unlikely that a QRA can be conducted of third-party facilities, there is usually sufficient general information available to make a qualitative estimate of potential hazards. Third parties are also a significant factor in pipeline transportation risk.
• New or updated assessments generally require quite different levels of effort. Most commonly, an updated assessment is required when existing equipment or operations have been modified or new equipment has been added. In these cases the objective is to estimate the incremental impact of these changes. It may include new knowledge of hazard modeling or the likelihood of a failure which will allow a more accurate estimation of risk. An updated assessment may be limited to a confirmation that nothing has changed in the design and operation.
Clearly the scope of the assessment has a direct impact on level of effort and cost, thus it is important to accurately scope the study so that there is no wasted effort.

Identify Existing Reports/Data
Existing data or reports can significantly reduce the level of effort required to conduct the work. Some reports will provide data for input to a new QRA; others will be the starting point for updating existing work. Existing reports/data may include:
♦ Process Hazards Analyses reports (HAZOP reports, FMEA studies, event/fault tree studies, hazardous consequence calculations, etc.)
♦ QRA reports
♦ Company failure rate data and accident data bases
♦ Hazard data (Material Safety Data Sheets, historical accident data, etc.)
♦ Demographic data
♦ Meteorological data

Identify Special Reporting Needs
The most obvious special reporting needs are regulatory requirements where the report format and content may be specified. Internationally the report may be required in the local language. In many instances the QRA has multiple audiences with different needs: QRA specialists, local management, corporate management, regulators, community interest groups, and lawyers all have different interests and levels of expertise. It is common to require two or more different report formats to meet different needs.

Select Approaches
Once all the requirements outlined above have been defined and existing data reviewed, the specific approaches to be used for the QRA can be selected. Some of the choices available are described below:
Risk Determination
Generally, risk determination is now done using risk assessment software. The number and detail of simplifying assumptions affects the level of effort.

Conducting the QRA
In conducting QRA work one must divide the work into four primary tasks and a reporting activity. These are illustrated in Figure 2. The primary tasks are:
♦ Hazard Identification
♦ Frequency Analysis
♦ Hazards Analysis
♦ Risk Determination
Each of the primary tasks is sub-divided into several sub-tasks. These tasks also provide logical breakpoints in the work where it is important for the client to review and accept the findings/results before moving to the next step. In this way we minimize the need for rework. For each of these tasks both the company specialists and client staff with whom we will work may vary.
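The "Results format" discussion under Specify Output Requirements names the F/N curve as one of the two common presentations for a fixed facility, and the Risk Determination note says the numbers are now produced by software. The script below is an added example, not part of the original guidance or of any vendor's tool: it takes the outputs of the Frequency Analysis and Hazards Analysis tasks (a frequency per year and a consequence N for each outcome) and builds the F/N curve from them, where F(N) is the cumulative frequency of events causing N or more fatalities. The outcome table and the tolerability line F_max(N) = anchor * N^-slope are constructed assumptions; real criteria and frequencies come from the regulator and the site's own analyses.

```python
"""F/N (societal risk) curve and a tolerability check from an outcome table.

Added example, not from the original guidance. The outcome table and the
criterion line are constructed; the F/N definition is the one the text uses.
"""
from typing import List, Tuple

# Constructed outcome table: (scenario, frequency per year, fatalities N).
# In a QRA the frequencies come from frequency analysis (event/fault trees)
# and N from the hazards (consequence) analysis.
SCENARIOS: List[Tuple[str, float, int]] = [
    ("small release, early isolation", 1.0e-3, 0),
    ("small release, ignition",        2.0e-4, 1),
    ("large release, day shift",       5.0e-5, 3),
    ("large release, night shift",     2.0e-5, 12),
    ("vessel rupture",                 1.0e-6, 40),
]


def fn_curve(scenarios: List[Tuple[str, float, int]]) -> List[Tuple[int, float]]:
    """(N, F(N)) for every distinct N >= 1 in the table, N ascending.

    F(N) sums the frequencies of all outcomes with N or more fatalities, so the
    curve is monotonically non-increasing; outcomes with N == 0 contribute nothing.
    """
    levels = sorted({n for _, _, n in scenarios if n >= 1})
    return [(n, sum(f for _, f, k in scenarios if k >= n)) for n in levels]


def potential_loss_of_life(scenarios: List[Tuple[str, float, int]]) -> float:
    """Expected fatalities per year from the same table (sum of frequency * N)."""
    return sum(f * n for _, f, n in scenarios)


def exceedances(curve: List[Tuple[int, float]], anchor: float, slope: float) -> List[int]:
    """N values where F(N) lies above the constructed criterion line
    F_max(N) = anchor * N**-slope (slope 1 is risk-neutral, slope > 1 risk-averse)."""
    return [n for n, f in curve if f > anchor * n ** -slope]


def render(curve: List[Tuple[int, float]]) -> List[str]:
    """Text rows standing in for the log-log plot, one per N, for a report appendix."""
    return [f"N >= {n:>3d}: F = {f:.2e} per year" for n, f in curve]


if __name__ == "__main__":
    curve = fn_curve(SCENARIOS)
    print("\n".join(render(curve)))
    print(f"PLL: {potential_loss_of_life(SCENARIOS):.2e} fatalities per year")
    print("above criterion at N =", exceedances(curve, anchor=1e-4, slope=1.0))
```

With the constructed table the curve has four steps (N = 1, 3, 12, 40) and the constructed line anchored at 1e-4 per year is exceeded at N = 1, 3 and 12 but not at 40; relaxing the anchor to 1e-3 per year clears every point. That is the comparison the "Absolute or comparative risk" item refers to: the curve alone only orders scenarios, and it takes a criterion line to say whether the societal risk is tolerable.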