Risk Management | Step by Step
Tahsinur Rahim, CRMA
EVP & Head of Audit & Compliance, Guardian Life Insurance Limited
1st IIAB Annual Conference 2019

The International Professional Practices Framework (IPPF) defines Risk as "The possibility of an event occurring that will have an impact on the achievement of objectives...". Standards Australia and Standards New Zealand (AS/NZS 4360:2008) define risk as "...the chance of something happening that will have an impact on objectives". Similarly, ISO 31000 (Risk Management Standard) defines risk as "...the effect of uncertainty on objectives...".

Three common elements/words are found in all of these definitions. Firstly, "uncertainty" (IPPF uses "possibility" and AS/NZS uses "chance" to express uncertainty); secondly, "impact" (ISO uses "effect" in place of "impact"); and finally, "objective". Taking all these into consideration, we may define Risk as an uncertain event (which may or may not occur) in the future (not already happened) which may (not necessarily) impact our objectives.

An organization runs in an uncertain and ever-changing environment, thus risk has a constant presence in the business world. Ignoring risk does not make it go away. Risk Management is often an afterthought, and managers pay attention to it only when something has gone wrong. The concept of Risk Management has not been widely practiced in Bangladesh. Management tends to focus on short-term elements of business rather than assessing risks that may impact future business. Seldom do companies in Bangladesh include Risk Management as part of their overall business strategy in a disciplined manner.

The risk management process consists of 4 steps, namely:
Step 1: Identify the risks
Step 2: Analyze the risks
Step 3: Evaluate the risks (ranking the risks)
Step 4: Respond to the risks (treat the risks)

Step 1: Identify the risks

The first step of risk management is risk identification. This step reveals what, where, when, why, and how something could happen that may have potential effects on the organization's objectives. It is not an easy task to identify risks, as it requires a wide span of knowledge of the organization's business environment, regulations, competition, technologies etc., including logical prediction of any future change thereof that can generate threats of loss or create obstacles to achieving objectives. An organization may have hundreds of risks; however, it is important to bear in mind that not all risks should fall under the purview of risk management. Please recall the definition of "Risk" at the beginning of this article as potential events that may impact a company's objectives. Obviously, an event considered for risk management should be of a magnitude that can impact an organization's objectives.

How to identify risk:

There is no guaranteed scientific method that can ensure identifying all the risks of an organization. Different organizations use different approaches to identify risks, for example, SWOT analysis, PESTLE, Scenario Analysis, Brainstorming, Surveys/Questionnaires, One-on-one interviews, Stakeholder analysis etc. For an organization intending to start a risk management exercise for the first time, Brainstorming could be one of the easiest and most effective risk identification methods. It is a free, open and creative approach that is conducted by selected members of an organization having vast knowledge of the business and its environment. This technique provides the opportunity for members to build on each other's ideas. In its simplest form, in brainstorming sessions, risks proposed by any member are evaluated by the other members. Upon thorough discussion, potential risks for the organization are identified.

There are many challenges in identifying risks through a brainstorming exercise. Members in a brainstorming session may tend to get trapped into identifying too many risks. The IPPF's definition of "Risk" indicates that risks will have an impact on the achievement of the organization's objectives, and obviously not all risks impact an organization's objectives. Therefore, risks identified for risk management should be very selective and fact oriented. Further, risk management needs to be cost-benefit driven, and the effort expended in identifying, analyzing and responding to all risks will not be cost justified. Apart from this, in a brainstorming session other factors like an undefined context (the scope of risk management), lack of focus, unstructured discussion, presence of dominant participants, non-participation of members due to fear of being wrong or ridiculed etc. may hinder a brainstorming session from achieving its intended objective.

All the risks identified through brainstorming (or whatever method is used) need to be captured in a Risk Register. Let's observe a few examples of risk:

[Table: example risks captured in the risk register. 1. Data security; 2. Stock out risk; 3. Missing delivery schedule causing penalty; 4. Inadequate physical security of petty cash.]

Step 2: Risk analysis

At this stage the Likelihood and Impact of each individual risk are determined.

Likelihood: the frequency with which an event can occur. Several factors need to be considered for determining the likelihood, like previous incident history, vulnerability, existing controls, source of the threat, the motivation behind the threat and many more. The likelihoods can be categorized as High, Medium, or Low. Alternatively they can be ranked on a scale of 1 to 5 or 1 to 10, whereby 1 represents a risk that is extremely unlikely to occur and 5 or 10 represents a risk extremely likely to occur.

Impact (Consequence): Obviously not all threats will have the same impact on an organization's objectives. A risk associated with the most important system/process of an organization should have a higher impact than a risk associated with a relatively less important system/process. For example, the impact of an inventory server being down in a pharmaceutical company could be much higher than the impact arising from the server of the fleet management system going down. Therefore, the impacts of all the risks in the risk register need to be assessed in order to prioritize risks and establish a most-to-least-critical importance ranking. Other factors like time, magnitude, impacted areas, legal consequences, customer experience, brand image, human considerations etc. are considered while assessing the impact of a risk.

In the table below we will try to determine the likelihood and impact of the risks identified in Step 1 using some hypothetical factors (an up arrow indicates a factor that increases the likelihood/impact and a down arrow indicates a factor that decreases the likelihood/impact).

[Table: likelihood and impact of the four risks identified in Step 1 with hypothetical factors. Columns: Risks, Hypothetical factors, Likelihood, Hypothetical factors, Impact. Rows: 1. Data security; 2. Stock out risk; 3. Missing delivery schedule causing penalty; 4. Inadequate physical security of petty cash.]

Step 3: Risk evaluation (ranking the risks)

In this stage, all individual risks are evaluated or ranked considering the risk magnitude, which is usually the combination of likelihood and impact (consequence) assessed in Step 2. A risk with a high likelihood and high impact is ranked high and demands priority attention. Let's review the following with a score of 5 for a "High" rating, 3 for a "Moderate" rating and 1 for a "Low" rating.

[Table: Risk, Likelihood, Impact, Risk magnitude and Rank for the four risks; "Data Security" is ranked 1 and "Inadequate physical security of petty cash" is ranked 3.]

From this exercise, we identify "Data Security" as the top risk (rank 1) for the organization, and it thus demands the highest priority attention/action. In contrast, being ranked 3, the "Inadequate physical security of petty cash" risk demands less priority.

Step 4: Response to the risks (treat the risks)

At this stage risk responses are determined for each risk to bring the risk exposure down to an acceptable level. A Response Owner (also called Action Owner) for each risk is determined at this stage, who remains responsible and accountable for the risk response. A risk response should be specific and time bound. There could be different strategies for risk responses:

Avoid: Eliminating the cause and thus eliminating the threat. In other words, the organization does not perform any activity that may carry the risk. Avoiding a risky investment is an example of risk avoidance.

Mitigate: Many risks cannot be eliminated; rather, their impact and likelihood can be reduced to an acceptable level by taking appropriate risk mitigation actions. For example, an organization may install security firewalls to reduce its unauthorized access risk.

Transfer: Risks could be transferred to some other party, e.g. insurance companies.

Accept: The risk acceptance strategy is followed by an organization when the potential loss from a risk seems not great enough to warrant risk mitigation costs. Usually this strategy is followed for small risks that do not potentially lead to catastrophic or expensive outcomes that require avoiding.

In continuation of the 4 risks identified, analyzed and evaluated earlier, the risk responses could be as below:

Risks | Risk Response | Risk owner | Target date
1. Data security | 1. Firewall to be installed; 2. Fire policy for IT systems to be developed and implemented; 3. Periodic monitoring & reporting | |
2. Stock out risk | 1. Onboarding alternate vendor; 2. Charging penalty on vendor for delayed supply; 3. Maintain adequate level of stock | | 30 June 2019
3. Missing delivery schedule causing penalty | 1. Procure 20 new delivery vans; 2. As an interim solution, rent 10 vans; 3. Outsourcing customer delivery | | 30 April 2019
4. Inadequate physical security of petty cash | 1. Install closed-circuit camera and burglar alarm in petty cash room; 2. Implement daily cash reconciliation procedure; 3. Job rotation | | 30 April 2019

Conclusion

Risk assessment is a continuous process. The steps indicated in this article are not a one-off exercise; rather, they need to be performed at regular intervals in order to keep the risk register updated and relevant. Continuous monitoring and periodic reporting of risk and risk response are keys to a successful risk management process.
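As an added worked example (not from the article), the scoring of Steps 2 to 4 in Python: each risk carries a High/Moderate/Low rating for likelihood and impact scored 5/3/1 as in Step 3, magnitude is their product, equal magnitudes share a rank, and a check flags responses that are not yet owned and time bound as Step 4 requires. The ratings, owners and dates in the sample register are constructed assumptions, not the article's.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Scores used in Step 3 of the article: High = 5, Moderate = 3, Low = 1.
RATING = {"High": 5, "Moderate": 3, "Low": 1}

@dataclass
class Risk:
    name: str
    likelihood: str                      # "High" | "Moderate" | "Low"
    impact: str                          # "High" | "Moderate" | "Low"
    responses: List[str] = field(default_factory=list)
    owner: Optional[str] = None          # Response (Action) Owner
    target_date: Optional[date] = None   # a response must be time bound

    def magnitude(self) -> int:
        # Risk magnitude = likelihood score x impact score (Step 3).
        return RATING[self.likelihood] * RATING[self.impact]

def rank_register(register: List[Risk]) -> Dict[str, int]:
    """Rank by magnitude, highest first. Equal magnitudes share a rank and the
    next distinct magnitude gets the next rank, so four risks can end at rank 3."""
    ordered = sorted(register, key=lambda r: r.magnitude(), reverse=True)
    ranks, rank, previous = {}, 0, None
    for risk in ordered:
        if risk.magnitude() != previous:
            rank += 1
            previous = risk.magnitude()
        ranks[risk.name] = rank
    return ranks

def incomplete_responses(register: List[Risk]) -> List[str]:
    """Step 4 check: each risk needs at least one response, an owner and a target date."""
    return [r.name for r in register
            if not r.responses or r.owner is None or r.target_date is None]

# Constructed sample register; ratings, owners and dates are assumed, not the article's.
SAMPLE_REGISTER = [
    Risk("Data security", "High", "High", ["Firewall to be installed",
         "Periodic monitoring & reporting"], "Head of IT", date(2019, 6, 30)),
    Risk("Stock out risk", "High", "Moderate", ["Onboarding alternate vendor"],
         None, date(2019, 6, 30)),                      # owner not yet assigned
    Risk("Missing delivery schedule causing penalty", "Moderate", "High",
         ["Procure 20 new delivery vans"], "Head of Logistics", date(2019, 4, 30)),
    Risk("Inadequate physical security of petty cash", "Low", "Moderate",
         ["Implement daily cash reconciliation procedure"], "Head of Finance",
         date(2019, 4, 30)),
]
```

Calling `rank_register(SAMPLE_REGISTER)` ranks Data security first and petty cash third because the two middle risks tie at magnitude 15, and `incomplete_responses(SAMPLE_REGISTER)` reports the stock out risk until an owner is named.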