
Dospueblos, Dej Y.

Risk Management
What Is Risk Identification?
Imagine yourself as a project manager working on a new website for
your company. Even though the project is quite small, it's necessary for
you to carry out a thorough risk management analysis to ensure that the
website is delivered by an agreed deadline and at an agreed cost. Risk
management will ensure that the core functionalities of the website will
be delivered and that the design standards will not be compromised.

Traditional approach
• Observe those past events that caused losses, and then find out
measures to prevent their occurrence.

Modern approach
• Identify the possibility of losses, or the reasons for the occurrence of
losses, before the losses actually occur.

Modern approach (methods)
• Brainstorming - When objectives are stated clearly and understood by
the participants, a brainstorming session drawing on the creativity of
the participants can be used to generate a list of risks.
• Flowchart Method - Used to graphically and sequentially depict the
activities of an operation or process to identify exposures, perils and
hazards.
• SWOT Analysis - A technique often used in the formulation of strategy.
The strengths and weaknesses are internal to the company and include
the company's culture, structure, and financial and human resources.
The major strengths of the company combine to form the core
competencies that provide the basis for the company to achieve a
competitive advantage.
• Risk analysis questionnaire
The risk management process on a project consists of four steps:
• Risk identification
• Risk assessment
• Risk response development, and
• Risk response control

Risk identification is the process of listing potential project risks and
their characteristics. The results of risk identification are normally
documented in a risk register, which includes a list of identified risks
along with their sources, potential risk responses, and risk categories.
This information is used for risk analysis, which in turn will support
creating risk responses. Identified risks can also be represented in a
risk breakdown structure, a hierarchical structure used to categorize
potential project risks by source. Though the major work on risk
identification is usually done at the beginning of a project, it's important
to remember that risk identification is an iterative process; new risks
can be identified throughout the project life cycle as the result of
internal or external changes to a project.
Risk identification provides the foundation for risk management.

The various methods of risk identification are:

• Preparing a checklist of risks, or of the various losses which may arise
due to risks.
• On-site inspection and risk assessment.
• Financial statement analysis.
• Flowchart preparation and identification of risky activities.
• Interaction with employees for their views about the risk exposure of
the business, based on their knowledge and experience.
• Statistical records of the occurrence of losses related to various
categories of risks.

Risk Exposure
Risk is everywhere and is part of all activities. We have all had to deal
with risk in our own lives. In general terms, risk is the possibility of loss.
Sometimes, we discuss risk in terms of exposure. Risk exposure is a
measure of possible future loss (or losses) which may result from an
activity or occurrence. In business, risk exposure is often used to rank
the probability of different types of losses and to determine which
losses are acceptable or unacceptable. These losses may include legal
liability, property loss or damage, unexpected employee turnover, or
changes in consumer demand, to name a few.

Identification of Risk Exposures

1. Physical Asset Exposures
• Tangible assets such as warehouses and intangible assets such as
political support are exposed to risk
• Damage to the assets
• The firm cannot use the assets for some time
• Money loss

2. Financial Asset Exposures
• Creditors have their financial assets such as bonds exposed to
risk (e.g., interest rate risk and exchange risk)
• The issue of shares or bonds will transfer part of the financial
risk from the user to a 3rd party (investor), but the issuer has certain
obligations (e.g., repay the loans)

3. Liability Exposure
• Existence of a legal system/contracts
• A firm has to act in accordance with the terms of the contracts it has
entered; otherwise it will suffer a loss
• Different from asset exposures
• Liability exposure is only a pure risk

4. Human Asset Exposure
• Human resources are an asset
• The injury or death of an employee will affect the management of
HR and also the internal operation of a firm

Risk Identification Tools

Types of Risk Identification Tools

SWOT Analysis
• Commonly used as a planning tool for analyzing a business, its
resources and its environment by looking at internal strengths
and weaknesses, and opportunities and threats in the external
environment.

Process Flowcharts
• Focusing on project processes such as the schedule network
diagram, communications, information flows, decision making,
Intranet usage, documentation, e-mail, manufacturing, coding,
testing, etc., will inevitably disclose potential project threats.

Analogous Project Comparisons
• Previous similar projects that have experienced certain problems
can be invaluable to the new project. Project managers of these
previous projects can become a fountain of information regarding
similar risks to be faced by those on the new project.

Ishikawa Diagrams
• The Ishikawa diagram (also called a fishbone diagram or a
cause-and-effect diagram) is a diagram that shows the causes of a
certain event. A common use of the Ishikawa diagram is in identifying
potential factors that might produce unfavorable events or
conditions.

Brainstorming
• The convenient practice of brainstorming can also aid in the
identification of project risks. Any possible condition or event that
might prevent reaching project goals should be presented without
evaluation. It is the combination of ideas that often generates new
ideas and views.

Assumption Analysis
• Identifying the different assumptions of the project and
determining their validity further helps in identifying risks for the
project.

Expert Judgement
• Individuals who have experience with similar projects in the not
too distant past may contribute their judgment through interviews or
risk facilitation workshops.

Risk Checklists
• With project schedules becoming increasingly shorter, project
managers must find ways to identify project risks rapidly. One
means of accomplishing this is by developing a checklist of project
aspects that might present risks. This checklist should be very
generic and can be carried from project to project.

Affinity Diagram
• A business tool used to organize ideas and data. The tool is
commonly used within project management and allows large
numbers of ideas to be sorted into groups for review and analysis.

Risk Breakdown Structure
• A hierarchically organized depiction of identified project risks
arranged by risk category and subcategory that identifies the
various areas and causes of potential risks.

Work Breakdown Structure (WBS)
• A decomposition of project elements; it can also enable project risk
teams to focus on specific smaller areas within the project.

Best Practices and Lessons Learned

Operational Risk. Understand the operational nature of the capabilities
you are supporting and the risk to the end users, their missions, and
their operations of the capabilities. Understanding of the operational
need/mission (see the Concept Development topic of the Systems
Engineering Guide) will help you appreciate the gravity of risks and the
impact they could have on the end users. This is a critical part of risk
analysis: realizing the real-world impact that can occur if a risk arises
during operational use. Typically, operational users are willing to accept
some level of risk if they are able to accomplish their mission (e.g.,
mission assurance), but you need to help users understand the risks
they are accepting and to assess the options, balances, and alternatives
available.

Technical maturity. Work with and leverage industry and academia to
understand the technologies being considered for an effort and the
likely transition of the technology over time. One approach is to work
with vendors under a non-disclosure agreement to understand the
capabilities and where they are going, so that the risk can be assessed.

Non-Developmental Items (NDI). NDI includes commercial-off-the-shelf
and government-off-the-shelf items. To manage risk, consider the
viability of the NDI provider. Does the provider have market share?
Does the provider have appropriate longevity compared to its
competitors? How does the provider address capability problems and
release fixes, etc.? What is the user base for the particular NDI? Can the
provider demonstrate the NDI, preferably in a setting similar to that of
your customer? Can the government use the NDI to create a prototype?
All of these factors will help assess the risk of the viability of the NDI
and the provider. Seek answers to these questions from other MITRE
staff that have worked the area or have used the NDI being assessed.

Acquisition drivers. Emphasize critical capability enablers, particularly
those that have limited alternatives. Evaluate and determine the
primary drivers to an acquisition and emphasize their associated risk in
formulating risk mitigation recommendations. If a particular aspect of a
capability is not critical to its success, its risk should be assessed, but it
need not be the primary focus of risk management. For example, if there
is risk to a proposed user interface, but the marketplace has numerous
alternatives, the success of the proposed approach is probably less
critical to overall success of the capability. On the other hand, an
information security feature is likely to be critical. If only one
alternative approach satisfies the need, emphasis should be placed on it.
Determine the primary success drivers by evaluating needs and designs,
and determining the alternatives that exist. Is a unique solution on the
critical path to success? Make sure critical path analyses include the
entire system engineering cycle and not just development (i.e., system
development, per se, may be a "piece of cake," but fielding in an active
operational situation may be a major risk).

Use capability evolution to manage risk. If particular requirements are
driving implementation of capabilities that are high risk due to unique
development, edge-of-the-envelope performance needs, etc., the
requirements should be discussed with the users for their criticality. It
may be that the need could be postponed, and the development
community should assess when it might be satisfied in the future. Help
users and developers gauge how much risk (and schedule and cost
impact) a particular capability should assume against the requirements
to receive less risky capabilities sooner. In developing your
recommendations, consider technical feasibility and knowledge of
related implementation successes and failures to assess the risk of
implementing now instead of the future. In deferring capabilities, take
care not to fall into the trap of postponing ultimate failure by trading
near-term easy successes for a future of multiple high-risk requirements
that may be essential to overall success.

Key Performance Parameters (KPPs). Work closely with the users to
establish KPPs. Overall risk of program cancelation can be centered on
failure to meet KPPs. Work with the users to ensure the parameters are
responsive to mission needs and technically feasible. The parameters
should not be so lenient that they can easily be met, but not meet the
mission need; nor should they be so stringent that they cannot be met
without an extensive effort or pushing technology—either of which can
put a program at risk. Seek results of past operations, experiments,
performance assessments, and industry implementations to help
determine performance feasibility.

External and internal dependencies. Having an enterprise
perspective can help acquirers, program managers, developers,
integrators, and users appreciate risk from dependencies of a
development effort. With the emergence of service-oriented
approaches, a program will become more dependent on the availability
and operation of services provided by others that they intend to use in
their program's development efforts. Work with the developers of
services to ensure quality services are being created, and thought has
been put into the maintenance and evolution of those services. Work
with the development program staff to assess the services that are
available, their quality, and the risk that a program has in using and
relying upon the service. Likewise, there is a risk associated with
creating the service and not using services from another enterprise
effort. Help determine the risks and potential benefits of creating a
service internal to the development with possibly a transition to the
enterprise service at some future time.

Integration and Interoperability (I&I). I&I will almost always be a
major risk factor. They are forms of dependencies in which the value of
integrating or interoperating has been judged to override their inherent
risks. Techniques such as enterprise federation architecting,
composable capabilities on demand, and design patterns can help the
government plan and execute a route to navigate I&I risks. Refer to the
Enterprise Engineering section of the Systems Engineering Guide for
articles on techniques for addressing I&I associated risks.

Information security. Information security is a risk in nearly every
development. Some of this is due to the uniqueness of government
needs and requirements in this area. Some of this is because of the
inherent difficulties in countering cyber attacks. Creating defensive
capabilities to cover the spectrum of attacks is challenging and risky.
Help the government develop resiliency approaches (e.g., contingency
plans, backup/recovery, etc.). Enabling information sharing across
systems in coalition operations with international partners presents
technical challenges and policy issues that translate into development
risk. The information security issues associated with supply chain
management are so broad and complex that even maintaining
rudimentary awareness of the threats is a tremendous challenge.

Skill level. The skill or experience level of the developers, integrators,
government, and other stakeholders can lead to risks. Be on the lookout
for insufficient skills and reach across the corporation to fill any gaps. In
doing so, help educate government team members at the same time you
are bringing corporate skills and experience to bear.

Cost risks. Programs will typically create a government's cost estimate
that considers risk. As you develop and refine the program's technical
and other risks, the associated cost estimates should evolve, as well.
Cost estimation is not a one-time activity.

Historical information as a guide to risk identification. Historical
information from similar government programs can provide valuable
insight into future risks. Seek out information about operational
challenges and risks in various operation lessons learned, after action
reports, exercise summaries, and experimentation results. Customers
often have repositories of these to access. Government leaders normally
will communicate their strategic needs and challenges. Understand and
factor these into your assessment of the most important capabilities
needed by your customer and as a basis for risk assessments.

Historical data to help assess risk is frequently available from the past
performance assessments and lessons learned of acquisition programs
and contractors. In many cases, MITRE staff will assist the government
in preparing performance information for a particular acquisition. The
AF has a Past Performance Evaluation Guide (PPEG) that identifies the
type of information to capture that can be used for future government
source selections [3]. This repository of information can help provide
background information of previous challenges and where they might
arise again—both for the particular type of development activity as well
as with the particular contractors.

There are numerous technical assessments for vendor products that can
be accessed to determine the risk and viability of various products. One
MITRE repository of evaluations of tools is the Analysis Toolshed that
contains guidance on and experience with analytical tools. Using
resources like these and seeking others who have tried products and
techniques in prototypes and experiments can help assess the risks for a
particular effort.

How to write a risk: a best practice. A best-practice protocol for
writing a risk statement is the Condition-If-Then construct. This
protocol applies to risk management processes designed for almost any
environment. It is a recognition that a risk, by its nature, is probabilistic
and one that, if it occurs, has unwanted consequences.
What is the Condition-If-Then construct? The Condition reflects what is
known today. It is the root cause of the identified risk event. Thus, the
Condition is an event that has occurred, is presently occurring, or will
occur with certainty. Risk events are future events that may occur
because of the Condition present. Below is an illustration of this
protocol.

The If is the risk event associated with the Condition present. It is
critically important to recognize the If and the Condition as a dual.
When examined jointly, there may be ways to directly intervene or
remedy the risk event's underlying root (Condition) such that the
consequences from this event, if it occurs, no longer threaten the
project. The If is the probabilistic portion of the risk statement.

Encourage teams to identify risks. The culture in some government
projects and programs discourages the identification of risks. This may
arise because the risk management activities of tracking, monitoring,
and mitigating the risks are seen as burdensome and unhelpful. In this
situation, it can be useful to talk to the teams about the benefits of
identifying risks and the inability to manage it all in your heads (e.g.,
determine priority, who needs to be involved, mitigation actions). Assist
the government teams in executing a process that balances
management investment with value to the outcomes of the project. In
general, a good balance is being achieved when the project scope,
schedule, and cost targets are being met or successfully mitigated by
action plans, and the project team believes risk management activities
provide value to the project. Cross-team representation is a must; risks
should not be identified by an individual, or strictly by the systems
engineering team (review sources of risk above).

Consider organizational and environmental factors. Organizational,
cultural, political, and other environmental factors, such as stakeholder
support or organizational priorities, can pose as much or more risk to a
project than technical factors alone. These risks should be identified and
actively mitigated throughout the life of the project. Mitigation activities
could include monitoring legislative mandates or emergency changes
that might affect the program or project mission, organizational changes
that could affect user requirements or capability usefulness, or changes
in political support that could affect funding. In each case, consider the
risk to the program and identify action options for discussion with
stakeholders. For additional information, see the Risk Mitigation
Planning, Implementation, and Progress Monitoring article.

Include stakeholders in risk identification. Projects and programs
usually have multiple stakeholders that bring various dimensions of risk
to the outcomes. They include operators, who might be overwhelmed
with new systems; users, who might not be properly trained or have
fears for their jobs; supervisors who might not support a new capability
because it appears to diminish their authority; and policy makers, who
are concerned with legislative approval and cost. In addition, it is
important to include all stakeholders, such as certification and
accreditation authorities who, if inadvertently overlooked, can pose
major risks later in the program. Stakeholders may be keenly aware of
various environmental factors, such as pending legislation or political
program support that can pose risks to a project that are unknown to
the government or MITRE project team. Include stakeholders in the risk
identification process to help surface these risks.

Write clear risk statements. Using the Condition-If-Then format helps
communicate and evaluate a risk statement and develop a mitigation
strategy. The root cause is the underlying Condition that has introduced
the risk (e.g., a design approach might be the cause), the If reflects the
probability (e.g., probability assessment that the If portion of the risk
statement were to occur), and the Then communicates the impact to the
program (e.g., increased resources to support testing, additional
schedule, and concern to meet performance). The mitigation strategy is
almost always better when based on a clearly articulated risk statement.

Expect risk statement modifications as the risk assessment and
mitigation strategy is developed. It is common to have risk statements
refined once the team evaluates the impact. When assessing and
documenting the potential risk impact (cost, schedule, technical, or
timeframe), the understanding and statement of the risk might change.
For example, when assessing a risk impact of software schedule slip, the
risk statement might be refined to include the need-by date, and/or
further clarification of impact (e.g., if the xyz software is not delivered
by March 2015, then there will not be sufficient time to test the
interface exchanges prior to Limited User Test).
Do not include the mitigation statement in the risk statement. Be
careful not to fall into the trap of having the mitigation statement
introduced into the risk statement. A risk is an uncertainty with
potential negative impact. Some jump quickly to the conclusion of
mitigation of the risk and, instead of identifying the risk that should be
mitigated (with mitigation options identified), they identify the risk as a
sub-optimal design approach. For example, a risk statement might be: If
the contractor does not use XYZ for test, then the test will fail. The
concern is really test sufficiency. If the contractor does not conduct the
test with measurable results for analysis, then the program may not
pass limited user test. Use of XYZ may be a mitigation option to reduce
the test sufficiency risk.

Do not jump to a mitigation strategy before assessing the risk
probability and impact. A risk may be refined or changed given further
analysis, which might affect what the most efficient/desired mitigation
may be. Engineers often jump to the solution; it is best to move to the
next step discussed in the Risk Impact Assessment and Prioritization
article to decompose and understand the problem first. Ultimately this
will lead to a strategy that is closely aligned with the concern.
Risk Evaluation

The process of identifying and measuring risk. It is a fundamental
business practice that can be applied to investments, strategies,
projects and operations.

Basic steps of a risk evaluation process:

1. Identification - helps to improve acceptance of an initiative, as
everyone is given an opportunity to express all the things that can go
wrong.

2. Probability and Impact - estimating the probability and impact of
each identified risk through a rough estimate such as high, medium,
or low.

3. Moment of risk - listing out the specific conditions that cause the
risk to be more likely to occur.

4. Treatment - when a risk is mitigated or shared, the probability and
impact typically need to be reevaluated.

5. Secondary risk

6. Residual risk - calculating the probability and impact of the
remaining risk after treatment.

7. Monitoring and Review - regularly identifying new risks that become
clear as a program or project progresses.
Importance of Risk Exposures

Risk Exposure
The measure of potential future loss resulting from a specific activity or
event.

Two categories of risks:

1. Pure risks are unexpected risks that cannot be controlled, such as
unexpected death and natural disasters.

2. Speculative risks are voluntary risks that have an uncertain outcome,
such as business investments or new product introductions.

To calculate risk exposure, analysts use this equation: (probability of
the risk occurring) × (total loss if the risk occurs) = risk exposure.

Risk measurement: Evaluation of the likelihood and extent (magnitude)
of a risk. It provides fundamental support to the decision-making process
within the company.

In financial mathematics, a risk measure is used to determine the
amount of an asset or set of assets to be kept in reserve. The purpose of
this reserve is to make the risks taken by financial institutions, such as
banks and insurance companies

Goals of Risk Measurement

- Uncovering known risks (risks that can be identified and understood)
- Making different "known" risks easy to understand and compare
- Trying to understand and compare the unknown risks

Value-at-risk (VAR) is a statistical measure of the riskiness of financial
entities or portfolios of assets.

7 steps of Risk Evaluation

Identification
All stakeholders are asked to identify risks. This helps to improve
acceptance of an initiative, as everyone is given an opportunity to express
all the things that can go wrong. Sophisticated entities may also identify
risks by looking in databases of issues that occurred with similar
programs, strategies or projects.

Probability & Impact
Estimating the probability and impact of each identified risk. This can be
done as a rough estimate such as high, medium, or low. In reality, most
risks don't have a single cost but a probability distribution of possible
costs. For example, a traffic accident isn't a single cost but a range of
costs, each with an associated probability estimate. Sophisticated
entities such as insurance companies will model risks with probability
distributions. Projects may estimate risks with an impact matrix.

Moment Of Risk
Listing out the specific conditions that cause the risk to be more likely to
occur. For example, a given type of risk at a construction site may be
associated with a particular activity or construction stage.

Treatment
Risk treatment options include acceptance, mitigation, transfer, sharing
and avoidance. When a risk is mitigated, the probability and impact
typically need to be re-evaluated.

Secondary Risk
Evaluation of risks caused by treatments. For example, avoiding or
mitigating a risk can result in new risks.

Residual Risk
Calculating the probability and impact of the remaining risk after
treatment. For example, the risk that remains after including secondary
risk.
What is Risk Evaluation?
Risk evaluation is the process to determine the significance of each risk.
There are two ways to evaluate risks:

Qualitative Risk Analysis. Qualitative analysis such as rating
probability and impact should always be performed. This allows you to
quickly prioritize and rank your risks.

Quantitative Risk Analysis. Quantitative analysis is not always
performed. This analysis requires more time but provides more data to
aid in making decisions.

Why Evaluate/Prioritize Project Risks?

You cannot respond to all risks, nor should you. Prioritization is a
way to deal with competing demands. This aids in determining where
you will spend your limited time and effort.
We evaluate in order:
• To have the greatest impact. Eighty percent of the impact will
come from twenty percent of the risks. What are the vital few
things that we should do that will have the greatest impact on
minimizing threats and maximizing opportunities?

• To respond wisely and appropriately. The goal of evaluating
risks is to discriminate between one risk and another. This aids us
in determining the amount of effort to invest in developing
response plans.

• To assign resources suitably. Assign your most skilled,
knowledgeable resources to the projects with the greatest risk.

How Do I Perform Qualitative Risk Analysis?

Let's look at two qualitative risk evaluation methods: 1. the KISS Method,
and 2. the Probability/Impact Method.
Be sure to specify your risk analysis technique(s) in your Risk
Management Plan; as you assess your risks, capture and maintain your
Risk Ratings in your Risk Register.
Check with your organization to determine whether there is a definition
of risk scales. If not, define the criteria for your scale.

Two Methods for Qualitative Risk Analysis
1. KISS Method
I use the KISS (Keep It Super Simple) Method on smaller projects and
with teams that lack maturity in assessing risks. This one-dimensional
technique involves rating risks as:
• Very Low
• Low
• Medium
• High
• Very High

2. Probability/Impact Method
I normally use this technique with larger, more complex projects and
with teams that have experience with risk assessments.

This two-dimensional technique is used to rate probability and impact.
Probability is the likelihood that a risk will occur. The impact is the
consequence or effect of the risk, normally associated with impact to
schedule, cost, scope, and quality. Rate probability and impact using a
scale such as 1 to 10.

Program Management
The Probability/Impact Method also helps in programs. I total the risk
scores within each project to calculate the Project Risk Score and
compare the scores between projects. This helps me understand which
projects have the greatest risk exposure and where I need the most
skilled people.
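The Probability/Impact scoring and Project Risk Score described above, together with the risk exposure equation (probability × loss) from the Risk Exposure section and the Condition-If-Then statement format, worked through as an added Python example. This code is not part of the original notes; the register entries, the projects named in them and every number are constructed.

```python
"""Added example: a small risk register scored with the Probability/Impact
Method (1-10 ratings, score = probability x impact), totalled per project,
with risk exposure = likelihood x loss and Condition-If-Then statements.
All risks, projects and figures below are constructed for illustration."""
from dataclasses import dataclass


def rating_ok(probability: int, impact: int) -> bool:
    """Both ratings must sit on the 1-to-10 scale the method prescribes."""
    return 1 <= probability <= 10 and 1 <= impact <= 10


@dataclass(frozen=True)
class Risk:
    project: str
    condition: str      # root cause known today (the Condition)
    if_event: str       # the probabilistic event (the If)
    then_impact: str    # consequence to the project (the Then)
    probability: int    # 1-10 rating for the Probability/Impact Method
    impact: int         # 1-10 rating for the Probability/Impact Method
    likelihood: float   # 0..1 estimate used for the exposure equation
    loss: float         # estimated total loss if the event occurs

    def __post_init__(self) -> None:
        if not rating_ok(self.probability, self.impact):
            raise ValueError("probability and impact must be rated 1..10")
        if not 0.0 <= self.likelihood <= 1.0 or self.loss < 0:
            raise ValueError("likelihood must be in [0, 1] and loss >= 0")

    def statement(self) -> str:
        """Render the risk in the Condition-If-Then form."""
        return (f"Condition: {self.condition}. If {self.if_event}, "
                f"then {self.then_impact}.")

    def score(self) -> int:
        """Probability/Impact score (two-dimensional qualitative rating)."""
        return self.probability * self.impact

    def exposure(self) -> float:
        """Risk exposure = (probability of occurring) x (total loss)."""
        return self.likelihood * self.loss


def project_risk_scores(register):
    """Total the scores within each project to get its Project Risk Score."""
    totals = {}
    for risk in register:
        totals[risk.project] = totals.get(risk.project, 0) + risk.score()
    return totals


def vital_few(register, share=0.8):
    """Smallest set of top-scored risks that carries `share` of the total
    score: the 'vital few' behind the 80/20 rule quoted in the notes."""
    ranked = sorted(register, key=lambda r: r.score(), reverse=True)
    total = sum(r.score() for r in ranked)
    chosen, running = [], 0
    for risk in ranked:
        if running >= share * total:
            break
        chosen.append(risk)
        running += risk.score()
    return chosen


def rank_by_exposure(register):
    """Order risks by expected loss, highest first."""
    return sorted(register, key=lambda r: r.exposure(), reverse=True)


# Constructed register: two hypothetical projects, four hypothetical risks.
REGISTER = [
    Risk("website", "the checkout page depends on a payment library two "
         "major versions behind the supported release",
         "a defect already fixed upstream is triggered in production",
         "card-data handling fails review and the launch slips",
         7, 9, 0.35, 120_000.0),
    Risk("website", "only one developer knows the deployment scripts",
         "that developer is unavailable near the release date",
         "the release cannot be deployed on schedule", 3, 4, 0.2, 15_000.0),
    Risk("website", "the design team has not signed off on the style guide",
         "late design changes are requested", "rework delays delivery",
         4, 2, 0.5, 8_000.0),
    Risk("intranet", "the identity service is provided by another programme",
         "that service misses its own delivery date",
         "login testing cannot start", 5, 7, 0.3, 40_000.0),
]

if __name__ == "__main__":
    for risk in REGISTER:
        print(f"[{risk.project}] score={risk.score():>2} "
              f"exposure={risk.exposure():>9.2f}  {risk.statement()}")
    print("Project Risk Scores:", project_risk_scores(REGISTER))
    print("Vital few:", [r.if_event for r in vital_few(REGISTER)])
```

Running the block prints each risk with its score and exposure, the Project Risk Scores (website 83, intranet 35), and the two risks that together carry over 80% of the total score.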
Risk control
Risk control is the set of methods by which firms evaluate potential
losses and take action to reduce or eliminate such threats. It is a
technique that utilizes findings from risk assessments, which involve
identifying potential risk factors in a company's operations, such as
technical and non-technical aspects of the business, financial policies
and other issues that may affect the wellbeing of the firm.

How Risk Control Works


Modern businesses face a diverse collection of obstacles, competitors,
and potential dangers. Risk control is a plan-based business strategy
that aims to identify, assess, and prepare for any dangers, hazards, and
other potentials for disaster—both physical and figurative—that may
interfere with an organization's operations and objectives. The core
concepts of risk control include:

• Avoidance is the best method of loss control. For example, after
discovering that a chemical used in manufacturing a company’s
goods is dangerous for the workers, a factory owner finds a safe
substitute chemical to protect the workers’ health.

• Loss prevention accepts a risk but attempts to minimize the loss
rather than eliminate it. For example, inventory stored in a
warehouse is susceptible to theft. Since there is no way to avoid it,
a loss prevention program is put in place. The program includes
patrolling security guards, video cameras and secured storage
facilities. Insurance, by contrast, does not prevent the loss at all; it
transfers the financial consequences of the loss to a third party by
contract, which is risk transfer rather than loss prevention.

• Loss reduction accepts the risk and seeks to limit losses when a
threat occurs. For example, a company storing flammable material
in a warehouse installs state-of-the-art water sprinklers for
minimizing damage in case of fire.

• Separation involves dispersing key assets so that catastrophic
events at one location affect the business only at that location. If
all assets were in the same place, the business would face more
serious issues. For example, a company utilizes a geographically
diverse workforce so that production may continue when issues
arise at one warehouse.

• Duplication involves creating a backup plan, often by using
technology. For example, because information system server
failure would stop a company’s operations, a backup server is
readily available in case the primary server fails.

• Diversification allocates business resources for creating multiple
lines of business offering a variety of products or services in
different industries. A significant revenue loss from one line will
not result in irreparable harm to the company’s bottom line. For
example, in addition to serving food, a restaurant has grocery
stores carry its line of salad dressings, marinades, and sauces.

No one risk control technique will be a silver bullet that keeps a company
free from potential harm. In practice, these techniques are used in
tandem with one another to varying degrees, and they change as the
corporation grows, as the economy changes, and as the competitive
landscape shifts.

Example of Risk Control

As part of Sumitomo Electric’s risk management efforts, the company
developed business continuity plans (BCPs) in fiscal 2008 as a means of
ensuring that core business activities could continue in the event of a
disaster. The BCPs played a role in responding to issues caused by the
Great East Japan earthquake that occurred in March 2011. Because the
quake caused massive damage on an unprecedented scale, far
surpassing the damage assumed in the BCPs, some areas of the plans did
not reach their goals.

Based on lessons learned from the company’s response to the
earthquake, executives continue promoting practical drills and training
programs, confirming the effectiveness of the plans and improving them
as needed. In addition, Sumitomo continues setting up a system for
coping with risks such as outbreaks of infectious diseases, including the
pandemic influenza virus.
Common examples of Risk Management

Business risk comes in a variety of tangible and intangible forms over the
course of the business life cycle. Some risks occur during the ordinary
course of corporate operations, while others are due to extraordinary
circumstances that are not easily identified. Regardless of a
company's business model, industry or level of earnings, business risks
must be identified as a strategic aspect of business planning.

Once risks are identified, companies take the appropriate steps to manage
them to protect their business assets. The most common types of risk
management techniques include avoidance, mitigation, transfer, and
acceptance.

Avoidance of Risk
The easiest way for a business to manage its identified risk is to avoid it
altogether. In its most common form, avoidance takes place when a
business refuses to engage in activities known or perceived to carry a risk
of any kind. For instance, a business could forgo purchasing a building for
a new retail location, as the risk of the venue not generating
enough revenue to cover the cost of the building is high.

Similarly, a hospital or small medical practice may avoid performing certain
procedures known to carry a high degree of risk to the well-being of
patients. Although avoiding risk is a simple method to manage potential
threats to a business, the strategy also often results in lost revenue
potential.

Risk Mitigation
Businesses can also choose to manage risk through mitigation or
reduction. Mitigating business risk is meant to lessen any negative
consequence or impact of specific, known risks, and is most often used
when those risks are unavoidable. For example, an automaker mitigates
the risk of recalling a certain model by performing research and detailed
analysis of the potential costs of such a recall. If the capital required to pay
buyers for losses incurred through a faulty vehicle is less than the total
cost of the recall, the automaker may choose to not issue a recall.

Similarly, software companies mitigate the risk of a new program not
functioning correctly by releasing the product in stages. The risk of capital
waste can be reduced through this type of strategy, but a degree of risk
remains.
Transfer of Risk
In some instances, businesses choose to transfer risk away from the
organization. Risk transfer typically takes place by paying a premium to an
insurance company in exchange for protection against substantial financial
loss. For example, property insurance can be used to protect a company
from the costs incurred when a building or other facility is damaged.
Similarly, professionals in the financial services industry can
purchase errors and omissions insurance to protect them from lawsuits
brought by customers or clients claiming they received poor or erroneous
advice.

Risk Acceptance
Risk management can also be implemented through the acceptance of
risk. Companies retain a certain level of risk brought on by specific projects
or expansion if the anticipated profit generated from the activity is far
greater than its potential risk. For example, pharmaceutical
companies often utilize risk retention or acceptance when developing
a new drug. The cost of research and development does not outweigh the
potential for revenue generated from the sale of the new drug, so the risk
is deemed acceptable.

5 ways to manage risk

Let’s face it, however confident you are that your project will be a success,
there is always a chance that something might go wrong. The things that
might go wrong are called project risks, and a wise project manager
identifies them early at the beginning of the project so that he or she can do
something about them. Of course, risk management is an ongoing activity,
so you should carry on identifying and recording new risks as they come up.

Creating a list of risks is a good starting point, but it isn’t enough in
itself. You also need an action plan per risk in order to be able to
manage them effectively.
There are 5 main ways to manage risk: acceptance, avoidance,
transference, mitigation or exploitation. Here’s a detailed look at each of
them.

1. Accept The Risk

Accepting the risk means that while you have identified it and logged it
in your risk management software, you take no action. You simply
accept that it might happen and decide to deal with it if it does.
This is a good strategy to use for very small risks – risks that won’t have
much of an impact on your project if they happen and could be easily
dealt with if or when they arise. It could take a lot of time to put
together an alternative risk management strategy or take action to deal
with the risk, so it’s often a better use of your resources to do nothing
for small risks.

2. Avoid The Risk

You can also change your plans completely to avoid the risk. This is a
good strategy for when a risk has a potentially large impact
on your project. For example, if January is when your company Finance
team is busy doing the corporate accounts, putting them all through a
training course in January to learn a new process isn’t going to be a
great idea. There’s a risk that the accounts wouldn’t get done. It’s more
likely, though, that there’s a big risk to their ability to use the new
process, since they will all be too busy in January to attend the training
or to take it in even if they do go along to the workshops. Instead, it
would be better to avoid January for training completely. Change the
project plan and schedule the training for February when the bulk of the
accounting work is over.

3. Transfer The Risk

Transference is a risk management strategy that isn’t used very often
and tends to be more common in projects where there are several
parties. Essentially, you transfer the impact and management of the risk
to someone else. For example, if you have a third party contracted to
write your software code, you could transfer the risk that there will be
errors in the code over to them. They will then be responsible for
managing this risk, perhaps through additional training.
Normally transference arrangements are written up into project
contracts. Insurance is another good example. If you are transporting
equipment as part of your project and the van is in an accident, the
insurance company will be liable for providing new equipment to
replace any that was damaged. The project team acknowledges that the
accident might happen, but they won’t be responsible for dealing with
sourcing replacement kit, moving it to the right location or paying for it
as that is now the responsibility of the insurance company.
4. Mitigate The Risk
Mitigating against a risk is probably the most commonly used risk
management technique. It’s also the easiest to understand
and the easiest to implement. What mitigation means is that you limit
the impact of a risk, so that if it does occur, the problem it creates is
smaller and easier to fix.
For example, if you are launching a new washing machine and the Sales
team then have to demonstrate it to customers, there is a risk that the
Sales team don’t understand the product and can’t give good
demonstrations. As a result, they will make fewer sales and there will be
less revenue for the company.
A mitigation strategy for this situation would be to provide good
training to the Sales team. There could still be a chance that some team
members don’t understand the product, or they miss the training
session, or they just aren’t experts in washing machines and never will
be, but the impact of the risk will be far reduced as the majority of the
team will be able to demonstrate the new machine effectively.
You can mitigate against the impact, like in this example, and you can
also mitigate against the likelihood of it happening. Sometimes the
actions will be broadly the same; sometimes you’ll have to have some
tasks to reduce the chance that the risk happens and some separate
tasks to make the impact of the risk smaller if it happens.

5. Exploit The Risk

Acceptance, avoidance, transference and mitigation are great to use
when the risk has a negative impact on the project. But what if the risk
has a positive impact? For example, the risk that the new washing
machines are so popular that we don’t have enough Sales staff to do the
demonstrations? That’s a positive risk – something that would have a
benefit to the project and the company if it happened. In those cases, we
want to maximize the chance that the risk happens, not stop it from
happening or transfer the benefit to someone else!
Exploitation is the risk management strategy to use in these situations.
Look for ways to make the risk happen or for ways to increase the
impact if it does. We could train a few junior Sales admin people to also
give washing machine demonstrations and do lots of extra marketing, so
that the chance that there is lots of interest in the new machine is
increased, and there are people to do the demos if needed.
These are the 5 risk management strategies that you can use to manage
risk on your project. You’ll probably find yourself using a combination
of techniques, choosing the strategies that best suit the risks on your
project and the skills of your team. However you decide to approach
risk, make sure that you log the action plan in your risk log and keep it
up to date with the latest progress towards managing your risks.
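The Probability/Impact scoring described earlier (risk score = probability x impact, totalled per project to compare exposure between projects) and the five response strategies above can be combined in one small risk register. The following is an added example written for this page, not code from the original notes; the 1-5 scales, the field names, the rule that "exploit" is only valid for positive risks, and the sample register entries are all assumptions chosen for illustration.

```python
"""Risk register with probability/impact scoring and per-project roll-up.

Added example, not from the original notes. Scales, field names and the
sample register below are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed 1-5 ordinal scales for probability and impact; score = P x I (max 25).
SCALE = range(1, 6)
# The five response strategies from the text. "exploit" applies only to
# positive risks (opportunities); "avoid/transfer/mitigate" only to threats.
THREAT_STRATEGIES = {"accept", "avoid", "transfer", "mitigate"}
OPPORTUNITY_STRATEGIES = {"accept", "exploit"}


@dataclass
class Risk:
    rid: str
    project: str
    description: str
    probability: int
    impact: int
    positive: bool = False          # True for an opportunity
    strategy: str = "accept"
    actions: list = field(default_factory=list)   # the per-risk action plan

    def __post_init__(self):
        # Validate the entry when it is logged, so the register stays consistent.
        if self.probability not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.rid}: probability and impact must be 1-5")
        allowed = OPPORTUNITY_STRATEGIES if self.positive else THREAT_STRATEGIES
        if self.strategy not in allowed:
            raise ValueError(f"{self.rid}: {self.strategy!r} is not valid for this risk type")
        if self.strategy != "accept" and not self.actions:
            raise ValueError(f"{self.rid}: every non-accepted risk needs an action plan")

    @property
    def score(self) -> int:
        return self.probability * self.impact


def project_risk_scores(register):
    """Project Risk Score = sum of the risk scores logged against each project."""
    totals = defaultdict(int)
    for r in register:
        totals[r.project] += r.score
    return dict(totals)


def rank_projects(register):
    """Projects ordered from highest to lowest total risk exposure."""
    totals = project_risk_scores(register)
    return sorted(totals, key=lambda p: (-totals[p], p))


def top_risks(register, n=3):
    """The n highest-scoring individual risks (ties broken by id)."""
    return sorted(register, key=lambda r: (-r.score, r.rid))[:n]


# Constructed sample register (four risks on two projects), not real project data.
REGISTER = [
    Risk("R1", "Website", "Finance team unavailable for January training", 4, 4,
         strategy="avoid", actions=["Reschedule training to February"]),
    Risk("R2", "Website", "Contractor code contains defects", 3, 3,
         strategy="transfer", actions=["Defect liability clause in contract"]),
    Risk("R3", "Launch", "Sales team cannot demo the new machine", 2, 5,
         strategy="mitigate", actions=["Product training for sales staff"]),
    Risk("R4", "Launch", "Demand exceeds demo capacity", 2, 3, positive=True,
         strategy="exploit", actions=["Train junior admin staff to give demos"]),
]

if __name__ == "__main__":
    scores = project_risk_scores(REGISTER)
    for project in rank_projects(REGISTER):
        print(f"{project}: project risk score {scores[project]}")
    for r in top_risks(REGISTER, 2):
        print(f"  {r.rid} ({r.score}): {r.description} -> {r.strategy}")
```

With the constructed entries the Website project scores 25 (16 + 9) and Launch scores 16 (10 + 6), so Website is where the most skilled people are needed; the validation in `__post_init__` refuses an entry that logs a threat as "exploit" or a non-accepted risk with no action plan, which is the check the text asks for when it says to log the action plan in the risk log.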

Risk Control Tools

The best project managers identify, evaluate, and respond to risks.
Additionally, they regularly perform the control activities to keep the
project healthy.

Monitor Risks is the process of monitoring the implementation of
agreed-upon risk response plans, tracking identified risks, identifying
and analyzing new risks, and evaluating risk process effectiveness
throughout the project. It involves the following activities:

▪ Identifying new risks
▪ Evaluating current risks
▪ Evaluating the risk management processes
▪ Closing risks

1. Hazard Recognition – if you don’t know what the hazards or
obstacles are, then you can’t avoid them. It’s better to be proactive
rather than reactive to situations.

2. Anticipating and expecting change – things change all the time.
Things can change either into a positive one or a negative one. If things
are changing, there is room for growth/improvement.

3. Knowing your own limitations – it is wise to know one’s own
capability, specifically its strengths and weaknesses. Expectations will
be accurate enough if these are known, limiting the possibility of
disappointments and negative feelings. This is a very important tool to
be kept in mind because this will guide the team on how to avoid and
handle risks properly.

The main types of Business risks

Businesses face all kinds of risks, some of which can cause serious loss
of profits or even bankruptcy. But while all large companies have
extensive "risk management" departments, smaller businesses tend not
to look at the issue in such a systematic way.
So in this four-part series of tutorials, you’ll learn the basics of risk
management and how you can apply them in your business.
In this first tutorial, we’ll look at the main types of risk your business
may face. You’ll get a rundown of strategic risk, compliance risk,
operational risk, financial risk, and reputational risk, so that you
understand what they mean, and how they could affect your business.
Then we’ll get into the specifics of identifying and dealing with these
risks in later tutorials in the series.

1. Strategic Risk
Everyone knows that a successful business needs a comprehensive,
well-thought-out business plan. But it’s also a fact of life that things
change, and your best-laid plans can sometimes come to look very
outdated, very quickly.

This is strategic risk. It’s the risk that your company’s strategy becomes
less effective and your company struggles to reach its goals as a result. It
could be due to technological changes, a powerful new competitor
entering the market, shifts in customer demand, spikes in the costs of
raw materials, or any number of other large-scale changes.

History is littered with examples of companies that faced strategic risk.
Some managed to adapt successfully; others didn’t.
A classic example is Kodak, which had such a dominant position in the
film photography market that when one of its own engineers invented a
digital camera in 1975, it saw the innovation as a threat to its core
business model, and failed to develop it.

It’s easy to say with hindsight, of course, but if Kodak had analyzed the
strategic risk more carefully, it would have concluded that someone else
would start producing digital cameras eventually, so it was better for
Kodak to cannibalize its own business than for another company to do
it.

Failure to adapt to a strategic risk led to bankruptcy for Kodak. It’s now
emerged from bankruptcy as a much smaller company focusing on
corporate imaging solutions, but if it had made that shift sooner, it could
have preserved its dominance.

Facing a strategic risk doesn’t have to be disastrous, however. Think of
Xerox, which became synonymous with a single, hugely successful
product, the Xerox photocopier. The development of laser printing was
a strategic risk to Xerox’s position, but unlike Kodak, it was able to
adapt to the new technology and change its business model. Laser
printing became a multi-billion-dollar business line for Xerox, and the
company survived the strategic risk.

2. Compliance Risk
Are you complying with all the necessary laws and regulations that
apply to your business?

Of course you are (I hope!). But laws change all the time, and there’s
always a risk that you’ll face additional regulations in the future. And as
your own business expands, you might find yourself needing to comply
with new rules that didn’t apply to you before.

For example, let’s say you run an organic farm in California, and sell
your products in grocery stores across the U.S. Things are going so well
that you decide to expand to Europe and begin selling there.

That’s great, but you’re also incurring significant compliance risk.
European countries have their own food safety rules, labeling rules, and
a whole lot more. And if you set up a European subsidiary to handle it
all, you’ll need to comply with local accounting and tax rules. Meeting all
those extra regulatory requirements could end up being a significant
cost for your business.
Even if your business doesn’t expand geographically, you can still incur
new compliance risk just by expanding your product line. Let’s say your
California farm starts producing wine in addition to food. Selling alcohol
opens you up to a whole raft of new, potentially costly regulations.

And finally, even if your business remains unchanged, you could get hit
with new rules at any time. Perhaps a new data protection rule requires
you to beef up your website’s security, for example. Or employee safety
regulations mean you need to invest in new, safer equipment in your
factory. Or perhaps you’ve unwittingly been breaking a rule, and have to
pay a fine. All of these things involve costs, and present a compliance
risk to your business.

In extreme cases, a compliance risk can also affect your business’s
future, becoming a strategic risk too. Think of tobacco companies facing
new advertising restrictions, for example, or the late-1990s online
music-sharing services that were sued for copyright infringement and
were unable to stay in business. We’re breaking these risks into
different categories, but they often overlap.

3. Operational Risk
So far, we’ve been looking at risks stemming from external events. But
your own company is also a source of risk.
Operational risk refers to an unexpected failure in your company’s day-
to-day operations. It could be a technical failure, like a server outage, or
it could be caused by your people or processes.

In some cases, operational risk has more than one cause. For example,
consider the risk that one of your employees writes the wrong amount
on a check, paying out $100,000 instead of $10,000 from your account.
That’s a “people” failure, but also a “process” failure. It could have been
prevented by having a more secure payment process, for example
having a second member of staff authorize every major payment, or
using an electronic system that would flag unusual amounts for review.
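The two controls named in the example above (a second member of staff authorizing every major payment, and an electronic check that flags unusual amounts) are a dual-control rule plus a statistical outlier check. The following is an added example written for this page, not code from the original notes; the threshold, the "3 standard deviations" rule, the minimum history length, the user ids and the payment history are all assumptions chosen for illustration.

```python
"""Dual control and unusual-amount flagging for outgoing payments.

Added example, not from the original notes. Thresholds, the sigma rule,
the user ids and the sample payment history are assumptions.
"""
from statistics import mean, pstdev

DUAL_CONTROL_THRESHOLD = 10_000   # assumed: payments >= this need two approvers
SIGMA_LIMIT = 3.0                 # assumed: flag amounts > 3 std devs above history
MIN_HISTORY = 5                   # assumed: need this many past payments for statistics


def needs_dual_control(amount):
    return amount >= DUAL_CONTROL_THRESHOLD


def is_unusual(amount, history):
    """True when the amount is far outside the payee's payment history.

    A payee with too little history is treated conservatively: anything more
    than ten times the largest previous payment (or any payment at all to a
    brand-new payee) is flagged for review.
    """
    if len(history) < MIN_HISTORY:
        return amount > 10 * max(history, default=0)
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        return amount != mu
    return (amount - mu) / sigma > SIGMA_LIMIT


def authorize_payment(payment, approvals, history):
    """Decide whether a payment may be released.

    payment   = {"payee": str, "amount": number, "initiator": user id}
    approvals = list of user ids who approved the payment
    history   = {payee: [previous amounts]}
    Returns (approved: bool, reasons: list of str). Every failed check is
    reported, so the reviewer sees all of them at once.
    """
    reasons = []
    amount = payment["amount"]
    # Separation of duties: the person who entered the payment cannot approve it.
    if payment["initiator"] in approvals:
        reasons.append("initiator cannot approve own payment")
    distinct = set(approvals) - {payment["initiator"]}
    required = 2 if needs_dual_control(amount) else 1
    if len(distinct) < required:
        reasons.append(f"needs {required} approver(s), has {len(distinct)}")
    # Outlier check: a 100,000 check to a payee that normally receives 10,000 is held.
    if is_unusual(amount, history.get(payment["payee"], [])):
        reasons.append("amount unusual for payee; hold for review")
    return (not reasons, reasons)


# Constructed history: six previous payments to one supplier, all near 10,000.
HISTORY = {"ACME Supplies": [9_800, 10_200, 9_950, 10_100, 10_050, 9_900]}

if __name__ == "__main__":
    typo = {"payee": "ACME Supplies", "amount": 100_000, "initiator": "alice"}
    print(authorize_payment(typo, ["bob", "carol"], HISTORY))
```

In the constructed history the mean is 10,000 with a standard deviation of about 132, so the mistyped 100,000 payment is hundreds of standard deviations out and is held even though two people approved it; a correct 10,000 payment passes with two approvers and is refused with one, and a payment the initiator approved is refused regardless of amount.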

In some cases, operational risk can also stem from events outside your
control, such as a natural disaster, or a power cut, or a problem with
your website host. Anything that interrupts your company’s core
operations comes under the category of operational risk.
While the events themselves can seem quite small compared with the
large strategic risks we talked about earlier, operational risks can still
have a big impact on your company. Not only is there the cost of fixing
the problem, but operational issues can also prevent customer orders
from being delivered or make it impossible to contact you, resulting in a
loss of revenue and damage to your reputation.

4. Financial Risk
Most categories of risk have a financial impact, in terms of extra costs or
lost revenue. But the category of financial risk refers specifically to the
money flowing in and out of your business, and the possibility of a
sudden financial loss.

For example, let’s say that a large proportion of your revenue comes
from a single large client, and you extend 60 days credit to that client
(for more on extending credit and dealing with cash flow, see our
earlier cash flow tutorial).

In that case, you have a significant financial risk. If that customer is
unable to pay, or delays payment for whatever reason, then your
business is in big trouble.

Having a lot of debt also increases your financial risk, particularly if a lot
of it is short-term debt that’s due in the near future. And what if interest
rates suddenly go up, and instead of paying 8% on the loan, you’re now
paying 15%? That’s a big extra cost for your business, and so it’s
counted as a financial risk.

Financial risk is increased when you do business internationally. Let’s
go back to that example of the California farm selling its products in
Europe. When it makes sales in France or Germany, its revenue comes
in euros, and its UK sales come in pounds. The exchange rates are
always fluctuating, meaning that the amount the company receives in
dollars will change. The company could make more sales next month,
for example, but receive less money in dollars. That’s a big financial risk
to take into account.

5. Reputational Risk
There are many different kinds of business, but they all have one thing
in common: no matter which industry you’re in, your reputation is
everything.

If your reputation is damaged, you’ll see an immediate loss of revenue,
as customers become wary of doing business with you. But there are
other effects, too. Your employees may get demoralized and even decide
to leave. You may find it hard to hire good replacements, as potential
candidates have heard about your bad reputation and don’t want to join
your firm. Suppliers may start to offer you less favorable terms.

Advertisers, sponsors or other partners may decide that they no longer
want to be associated with you.

Reputational risk can take the form of a major lawsuit, an embarrassing
product recall, negative publicity about you or your staff, or high-profile
criticism of your products or services. And these days, it doesn’t even
take a major event to cause reputational damage; it could be a slow
death by a thousand negative tweets and online product reviews.

Next Steps
So now you know about the main risks your business could face. We’ve
covered five types of business risk, and given examples of how they can
affect your business.

This is the foundation of a risk management strategy for your business,
but of course there’s much more work to be done. The next step is to
look more deeply at each type of risk, and identify specific things that
could go wrong, and the impact they could have.

It’s not much use, for example, to say, “Our business is subject to
operational risk.” You need to get very granular, and go through every
aspect of your operations to come up with specific things that could go
wrong. Then you can come up with a strategy for dealing with those
risks.

We’ll cover all of that in the rest of the tutorials, so stay tuned for the
rest of the series on how to manage risk in your business. Next up is a
tutorial on measuring and evaluating different risks.
6 fundamental techniques of risk control

Avoidance
Avoidance is the best means of loss control. This is because, as the name
implies, you’re avoiding the risk completely. If your efforts at avoiding
the loss have been successful, then there is a 0% probability that you’ll
suffer a loss (from that particular risk factor, anyway). This is why
avoidance is generally the first of the risk control techniques that’s
considered. It’s a means of completely eliminating a threat.

Loss Prevention
Loss prevention is a technique that limits, rather than eliminates, loss.
Instead of avoiding a risk completely, this technique accepts a risk but
attempts to minimize the loss as a result of it. For example, storing
inventory in a warehouse means that it is susceptible to theft. However,
since there really is no way to avoid it, a loss prevention program is put
in place to minimize the loss. This program can include patrolling
security guards, video cameras, and secured storage facilities.

Loss Reduction
Loss reduction is a technique that not only accepts risk, but accepts the
fact that loss might occur as a result of the risk. This technique will seek
to minimize the loss in the event of some type of threat. For example, a
company might need to store flammable material in a warehouse.
Company management realizes that this is a necessary risk and decides
to install state-of-the-art water sprinklers in the warehouse. If a fire
occurs, the amount of loss will be minimized.

Separation
Separation is a risk control technique that involves dispersing key
assets. This ensures that if something catastrophic occurs at one
location, the impact to the business is limited to the assets only at that
location. On the other hand, if all assets were at that location, then the
business would face a much more serious challenge. An example of this
is when a company utilizes a geographically diversified workforce.
Duplication
Duplication is a risk control technique that essentially involves the
creation of a backup plan. This is often necessary with technology. A
failure with an information systems server shouldn’t bring the whole
business to a halt. Instead, a backup or fail-over server should be readily
available for access in the event that the primary server fails. Another
example of duplication as a risk control technique is when a company
makes use of a disaster recovery service.

Diversification
Diversification is a risk control technique that allocates business
resources to create multiple lines of business that offer a variety of
products and/or services in different industries. With diversification, a
significant revenue loss from one line of business will not cause
irreparable harm to the company’s bottom line.
Risk control is a key component in any sound company strategy. It’s
necessary to ensure long-term organization sustainability and
profitability
Application of Risk Management

Application of risk management

▪ Portfolio Risk Management
is the art and science of making decisions about investment mix and
policy, matching investments to objectives, asset allocation for
individuals and institutions, balancing risk against performance.

▪ Subprime Crisis and Risk

Subprime Crisis – A situation starting in 2008 affecting the mortgage
industry due to borrowers being approved for loans they could not
afford. The financial crisis in the mortgage industry also affected the
global credit market resulting in higher interest rates and reduced
availability of credit.

▪ Case Studies Applications

Case studies show examples of how to assess risks affecting the
realization of different strategic and tactical goals of a company.
Application of Risk Management is the process of identifying potential
threats and implementing improvement efforts to alleviate or prevent
possible negative events affecting your business – or your job.
Risk Management Standards

Risk management standards

▪ Definition of Risk Management Standard
Risk Management Standards set out a specific set of strategic processes
which start with the overall aspirations and objectives of an
organisation, and intend to help to identify risks and promote the
mitigation of risks through best practice. Standards are often designed
and created by a number of agencies who are working together to
promote common goals, to help to ensure that organisations carry out
high-quality risk management processes.

What are Risk management standards like?

Risk management standards are like a guide to help ensure that risk
management is carried out in a proper way. Standards usually include
checkpoints and examples, to make it really easy for organisations to
comply.

What is the purpose of Risk management standards?

Risk management standards have been designed so that those who
must carry out risk management processes have a guide to help them to
work. These standards help to provide an international consensus on
how to deal with certain risks, and they offer best practice advice on
how to deal with others. Risk management standards help organisations
to implement strategies which are tried and tested, and proven to work.

What are the different types of Risk management standards?

The ISO 31000 risk management standards framework includes:
• ISO 31000:2009 – Risk management – Principles and guidelines
(since replaced by ISO 31000:2018 – Risk management – Guidelines)
• ISO/IEC 31010:2009 – Risk management – Risk assessment techniques
• ISO Guide 73:2009 – Risk management – Vocabulary

These ISO standards are designed to help guide organisations with a
number of different strands of risk management.

As well as the popular ISO standards, FERMA has also produced its own
risk management standard, which offers guidance for the whole
processes, from identifying risks, right through to transferring some of
that risk to another party.
What’s involved with accessing Risk management standards?
Risk management standards are produced by a number of different
organisations worldwide. In order to access their risk management
standards, you will have to visit the websites of these associations, or
get in contact with them some other way. For example, the FERMA risk
management standards are available on the FERMA website, and have
been translated into a number of different languages, for ease of access.

Complying with some standards can earn an organisation an
accreditation.

Where do Risk management standards fit into the risk
management process?
Risk management standards are usually introduced at the beginning of
the risk management process, as they offer guidance on how to best
complete the process. They may also be considered when looking at
existing risk management processes, as they can be used to assess
whether the strategies are sufficient.

How do Risk management standards impact on managing
organisational risk?
Risk Management standards impact on the ways which risk
management processes are created and implemented. They offer
guidance on setting the context of the strategies, as well as providing
ideas about what should and should not be implemented as part of the
risk management strategy. Many standards provide advice on how to
best to quantify and classify risk.

What terms are used in Risk management standards?

Standard – a rule or principle which is used as the basis for judgment of
the risk management process, a series of checkpoints which an
organisation should strive to achieve.
Risk – a potential consequence of an action. In recent developments in
risk management, a risk can now be considered to be a negative or a
positive consequence. A risk may or may not occur.

▪ Purpose of Risk Management Standard

• Guide to help them to work
• Provide an international consensus
• Implement strategies which are tried and tested, and proven to
work.

▪ Different Types/Kind
• The ISO 31000 risk management standards framework includes:
ISO 31000:2018 – Risk management – Guidelines
ISO/IEC 31010:2009 – Risk management – Risk assessment techniques
ISO Guide 73:2009 – Risk management – Vocabulary

ISO 31000
• Help organizations increase the likelihood of achieving objectives
• Improve the identification of opportunities and threats
• Effectively allocate and use resources for risk treatment
• Internationally recognized benchmark
• Provide principles for effective management and corporate
governance

ISO/IEC 31010:2009
• Risk Management – Risk Assessment Technique
Risk identification
Qualitative Analysis
Quantitative Analysis
Decision Making Tree
Risk Resolution

Risk identification
Risk identification is the process that leads to risk assessment.
Using many techniques like the
SWOT Analysis
PESTLE Analysis
Delphi technique
Interviewing
Brainstorming etc.
Qualitative Analysis
A qualitative assessment rates each risk on ordinal scales (for example
Low/Medium/High for probability and for impact) and relies on expert
judgement and less tangible factors rather than on measured data.

Quantitative Analysis
Quantitative risk assessment assigns numbers to risks (probabilities,
monetary impacts, expected losses) based on historical data and the
various risk reports generated.

Decision Making Tree


Used to quantify the probability and impact of a risk in numerical terms

Risk Resolution
The process by which significant risks are avoided, transferred or
controlled, and, where experience allows, anticipated before they occur.

ISO Guide 73:2009

Risk Management – Vocabulary
Provides the definitions of generic terms related to risk management.
It aims to encourage a mutual and consistent understanding of risk
management terminology in processes and frameworks dealing with
the management of risk.

Where do Risk management standards fit into the risk management process?
They can be used to assess whether the strategies are sufficient.

How do Risk management standards impact on managing organizational risk?
 They offer guidance on setting the context of the strategies
 Provide ideas about what should and should not be implemented
 Provide advice on how best to quantify and classify risk.

Summary:
The standards are designed to help and guide the organisation across a
number of different strands of risk management, from identifying risk to
transferring some of the risk to another party, and promote the mitigation
of risk through best practice.

BASIC CONCEPTS of RISK MANAGEMENT


A. Definition of Risk
Risk is defined here using the universal term the class has already agreed
upon: risk refers to the factors, or the causes and effects of factors, that
change the certainty of achieving an objective.

B. Evolution of Risk
The traditional model of risk management consisted of risk assessment and
analysis, evaluation, and treatment and response. This classical method of
assessing risk is deeply rooted in past experience and history. As time
passed, the method began showing signs of being outdated, especially given the
state of today's markets; the financial collapse of 2008 was a major example
of the failure of standard risk assessment methods. As companies evolve, so do
the risks involved. A primary driving element behind the evolution of
companies is technology. The rapid pace of technological development has given
companies a huge volume of opportunities, but each opportunity tends to bring
its own unique risks. A major technological trend that companies are currently
adopting is the transition to the cloud, which brought an entirely new way of
handling data. With growing emphasis on technology-driven risk, and with
recent examples of major risk assessment failures in mind, measures were
gradually taken not only at the company level, such as the trend of hiring
Chief Risk Officers and building risk management departments, as well as Chief
Information Security Officers for cybersecurity, but also at the federal
level, which brought directives for increased supervision and regulation.

C. Risk Management Process

As mentioned above, the traditional risk management process can be divided
into three steps:
1.) Risk assessment & analysis
This is the stage in which an organization's exposure to uncertain
events and their respective impacts are analyzed.

2.) Risk evaluation
After risks are analyzed, this stage compares the estimated risks against
the risk criteria that the organization has already established.

3.) Risk treatment & response
The last step in the process refers to the implementation of policies and
procedures that will help minimize those risks.

D. Crisis Management
It is defined as the process by which an organization deals with a
sudden emergency situation. Compared with risk management, which is
preventive by nature, crisis management involves reacting to negative
events while and after they occur.
Crises may be self-inflicted, such as workplace crime or accidents, or
caused by external forces in the form of natural disasters, terrorism,
etc. In response, an organization usually activates a business continuity
plan during and in the aftermath of a crisis. Such a plan is prepared in
advance by conducting a risk analysis and running simulations.

E. Role of Risk Management


The role of a Risk Manager is to communicate risk policies and processes
for an organisation. They provide hands-on development of risk models
involving market, credit and operational risk, assure controls are operating
effectively, and provide research and analytical support. Risk Managers
must have excellent quantitative and analytical skills, along with the ability
to apply those skills across a variety of business processes.

Risk Management duties and responsibilities of the job

The duties under a Risk Management job description include the following:
 Designing and implementing an overall risk management process for
the organisation, (which includes an analysis of the financial impact
on the company when risks occur)
 Performing a risk assessment: Analysing current risks and
identifying potential risks that are affecting the company
 Performing a risk evaluation: Evaluating the company’s previous
handling of risks, and comparing potential risks with criteria set out
by the company such as costs and legal requirements
 Establishing the level of risk the company is willing to take
 Preparing risk management and insurance budgets
 Risk reporting tailored to the relevant audience. (Educating the
board of directors about the most significant risks to the business;
ensuring business heads understand the risks that might affect their
departments; ensuring individuals understand their own accountability
for individual risks)
 Explaining the external risk posed by corporate governance to
stakeholders
 Creating business continuity plans to limit risks
 Implementing health and safety measures, and purchasing insurance
 Conducting policy and compliance audits, which will include liaising
with internal and external auditors
 Maintaining records of insurance policies and claims
 Reviewing any new major contracts or internal business proposals
 Building risk awareness amongst staff by providing support and
training within the company

Risk Management job qualifications and requirements

A degree in the following subjects is not vital but can be included in a job
description:

 Risk Management
 Management or Business Studies
 Finance or Economics
 Science
 Statistics
 Engineering
 Law

Postgraduate degrees are not mandatory, but may also be beneficial.

If a candidate does not have a degree, a career in risk management is
certainly still possible, but would mean working up the career path, likely
starting at an administrative level.

When compiling a Risk Management job description, it’s important to also
display the following skills:

 Analytical skills and an eye for detail
 Commercial awareness
 Numerical skills
 Planning and organisational skills
 Ability to understand broader business issues
 Communication and presentation skills