Risk Management | Step by Step
Tahsinur Rahim, CRMA
EVP & Head of Audit & Compliance
Guardian Life Insurance Limited
The International Professional Practices Framework (IPPF) defines Risk as "The possibility of an event occurring that will have an impact on the achievement of objectives...". Standards Australia and Standards New Zealand (AS/NZS 4360:2008) define risk as "...the chance of something happening that will have an impact on objectives". Similarly, ISO 31000 (Risk Management Standard) defines risk as "...the effect of uncertainty on objectives...".
Three common elements/words are found in all of these definitions. Firstly, "uncertainty" (IPPF uses "possibility" and AS/NZS uses "chance" to express uncertainty); secondly, "impact" (ISO uses "effect" in place of "impact"); and finally, "objective". Taking all these into consideration, we may define Risk as an uncertain event (which may or may not occur) in the future (not already happened) which may (not obviously) impact our objectives.
An organization runs in an uncertain and ever-changing environment, thus risk has a constant presence in the business world. Ignoring risk does not make it go away. Risk Management is often an afterthought, and managers pay attention to it only when something has gone wrong.
The concept of Risk Management has not been widely practiced in Bangladesh. Management tends to focus on short-term elements of business rather than assessing risks that may impact future business. Seldom do companies in Bangladesh include Risk Management as part of their overall business strategy in a disciplined
The risk management process consists of 4 steps, namely:
Step 1 : Identify the risks
Step 2 : Analyze the risks
Step 3 : Evaluate the risks (ranking the risks)
Step 4 : Response to the risks (treat the risks)
1st IIAB ANNUAL CONFERENCE 2019
Step 1: Identify the risks
The first step of risk management is risk identification. This step reveals what, where, when, why, and how something could happen that may have potential effects on an organization's objectives. It is not an easy task to identify risks, as it requires a wide span of knowledge of the organization's business environment, regulations, competition, technologies etc., including logical prediction of any future change thereof that can generate threats of loss or create obstacles to achieving objectives.
An organization may have hundreds of risks; however, it is important to bear in mind that not all risks should fall under the purview of risk management. Please recall the definition of "Risk" at the beginning of this article: potential events that may impact a company's objectives. Obviously, the event considered for risk management should be of a magnitude that can impact an organization's objectives.
How to identify risk:
There is no guaranteed scientific method that can ensure identifying all the risks of an organization. Different organizations use different approaches to identify risks, for example, SWOT analysis, PESTLE, Scenario Analysis, Brainstorming, Surveys/Questionnaires, One-on-one interviews, Stakeholder analysis etc. For an organization intending to start a risk management exercise for the first time, Brainstorming could be one of the easiest and most effective risk identification methods. It is a free, open and creative approach that is conducted by selected members of an organization having vast knowledge of the business and its environment. This technique provides the opportunity for members to build on each other's ideas. In its simplest form, in brainstorming sessions, risks proposed by any member are evaluated by other members. Upon thorough discussion, potential risks for the organization are identified.
Challenges in identifying risks:
There are many challenges in identifying risks through a brainstorming exercise. Members in a brainstorming session may tend to get trapped into identifying too many risks. IPPF's definition of "Risk" indicates that risks will have an impact on the achievement of an organization's objectives, and obviously not all risks impact an organization's objectives. Therefore, risks identified for risk management should be very selective and fact oriented. Further, risk management needs to be cost-benefit driven, and the effort expended in identifying, analyzing and responding to all risks will not be cost justified.
Apart from this, in a brainstorming session, other factors like undefined context (the scope of risk management), lack of focus, unstructured discussion, presence of dominant participants, non-participation of members due to fear of being wrong or ridiculed etc. may hinder a brainstorming session from achieving its intended objective.
All the risks identified through brainstorming (or whatever method is used) need to be captured in a Risk Register.
Let's observe a few examples of risk, which are carried through the remaining steps of this article:
1. Data security
2. Stock out risk
3. Missing delivery schedule causing penalty
4. Inadequate physical security of petty cash
Step 2: Risk analysis
At this stage the Likelihood and Impact of each individual risk are determined.
Likelihood:
Likelihood is the probability that a risk event can occur. Several factors need to be considered for determining the likelihood, like previous incident history, vulnerability, existing controls, source of the threat, the motivation behind the threat and many more. The likelihoods can be categorized as High, Medium, or Low. Alternatively they can be ranked on a scale of 1-5 or 1-10, whereby 1 represents a risk that is extremely unlikely to occur and 5 or 10 represents a risk extremely likely to occur.
Impact (Consequence):
Obviously not all threats will have the same impact on an organization's objectives. A risk associated with the most important system/process of an organization should have a higher impact than a risk associated with a relatively less important system/process. For example, the impact of an inventory server being down in a pharmaceutical company could be much higher than the impact arising from the server of the fleet management system going down. Therefore, the impacts of all the risks in the risk register need to be assessed in order to prioritize risks and establish a most-to-least-critical importance ranking.
Other factors like time, magnitude, impacted areas, legal consequences, customer experience, brand image, human consideration etc. are considered while assessing the impact of a risk.
In the table below we will try to determine the likelihood and impact of the risks identified in Step 1 using some hypothetical factors [↑ indicates the factors that increase the likelihood/impact and ↓ indicates the factors that decrease the likelihood/impact].
[Table: likelihood and impact of the four risks above, each with a column of hypothetical factors marked ↑ or ↓; the table body is not legible in the scanned source.]
Step 3: Risk evaluation (ranking the risks)
In this stage, all individual risks are evaluated or ranked considering the risk magnitude, which is usually the combination of likelihood and impact (consequence) assessed in Step 2. A risk with a high likelihood and high impact is ranked high and demands priority attention. Let's review the following with a score of 5 for a "High" rating, 3 for a "Moderate" rating and 1 for a "Low" rating.
[Table: likelihood score, impact score and resulting rank for the four risks (Data security; Stock out risk; Missing delivery schedule causing penalty; Inadequate physical security of petty cash); the cell values are not legible in the scanned source.]
From this exercise, we identify "Data Security" as the top risk (rank 1) for the organization, and thus it demands the highest priority attention/action. In contrast, being ranked 3, the "Inadequate physical security of petty cash" risk demands less priority.
Step 4: Response to the Risk (treat the risks)
At this stage risk responses are determined for each risk to bring the risk exposure down to an acceptable level. A Response Owner (also called Action Owner) for each risk is determined at this stage, who remains responsible and accountable for the risk response. Risk responses should be specific and time bound. There could be different strategies for risk responses:
Avoid: Eliminating the cause and thus eliminating the threat. In other words, the organization does not perform any activity that may carry the risk. Avoiding a risky investment is an example of risk avoidance.
Mitigate: Many risks cannot be eliminated; rather, their impact and likelihood can be reduced to an acceptable level by taking appropriate risk mitigation actions. For example, an organization may install security firewalls to reduce its unauthorized access risk.
Transfer: Risks could be transferred to some other party, e.g. insurance companies.
Accept: The risk acceptance strategy is followed by an organization when the potential loss from a risk seems not great enough to warrant risk mitigation costs. Usually this strategy is followed for small risks that do not potentially lead to catastrophic or expensive outcomes that require avoiding.
In continuation of the 4 risks identified, analyzed and evaluated earlier, risk responses could be as below:
# | Risks | Risk Response | Risk owner | Target date
1 | Data security | 1. Firewall to be installed; 2. Security policy for IT systems to be developed and implemented; 3. Periodic monitoring & reporting | [not legible] | [not legible]
2 | Stock out risk | 1. Onboarding alternate vendor; 2. Charging penalty on vendor for delayed supply; 3. Maintain adequate level of stock for avoiding stock out | [not legible] | [not legible] 2019
3 | Missing delivery schedule causing penalty | 1. Procure 20 new delivery vans; 2. As an interim solution, rent 10 vans; 3. Outsourcing customer delivery | [not legible] | 30 April 2019
4 | Inadequate physical security of petty cash | 1. Install closed circuit camera and burglar alarm in petty cash room; 2. Implement daily cash reconciliation procedure; 3. Job rotation | Head of [not legible] | 30 April 2019
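As an added worked example (not code from the article), the following Python script models the risk register the article builds across Steps 2 to 4: it scores each risk as likelihood x impact on the article's 5/3/1 scale, ranks the register most-to-least critical, and checks that every risk not simply accepted has a specific, owned, time-bound response. The four risk names are the article's; their ratings, strategies, owner names and target dates are constructed for illustration, because the article's own tables are not legible in the scanned source.

```python
"""Minimal risk register: score, rank and check responses (Steps 2-4).

Added example, not the article's code. All ratings, owners and dates
in SAMPLE_REGISTER are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date

# Scoring scale used in Step 3: High = 5, Moderate = 3, Low = 1.
RATING = {"High": 5, "Moderate": 3, "Low": 1}


@dataclass
class Response:
    action: str   # specific action (Step 4: "specific and time bound")
    owner: str    # Response Owner / Action Owner
    target: date  # target completion date


@dataclass
class Risk:
    name: str
    likelihood: str                # "High" | "Moderate" | "Low"
    impact: str                    # "High" | "Moderate" | "Low"
    strategy: str = "Mitigate"     # Avoid | Mitigate | Transfer | Accept
    responses: list = field(default_factory=list)

    def score(self) -> int:
        """Risk magnitude = likelihood x impact (Step 3)."""
        return RATING[self.likelihood] * RATING[self.impact]


def rank_register(register):
    """Step 3: order risks most-to-least critical; returns (rank, risk) pairs.
    Ties are broken by name so the ranking is deterministic."""
    ordered = sorted(register, key=lambda r: (-r.score(), r.name))
    return [(pos + 1, risk) for pos, risk in enumerate(ordered)]


def check_responses(register, as_of):
    """Step 4 hygiene check: every risk that is not simply accepted must
    have at least one response, each with a named owner and a target date
    that has not already passed. Returns a list of readable findings."""
    findings = []
    for risk in register:
        if risk.strategy == "Accept":
            continue  # accepted risks carry no response by definition
        if not risk.responses:
            findings.append(f"{risk.name}: no response defined")
        for resp in risk.responses:
            if not resp.owner.strip():
                findings.append(f"{risk.name}: '{resp.action}' has no owner")
            if resp.target < as_of:
                findings.append(
                    f"{risk.name}: '{resp.action}' target {resp.target} is overdue")
    return findings


# Constructed sample register using the four risks the article follows.
# Ratings, strategies, owner titles and dates are illustrative only.
SAMPLE_REGISTER = [
    Risk("Data security", "High", "High", responses=[
        Response("Firewall to be installed", "Head of IT", date(2019, 6, 30)),
        Response("Periodic monitoring & reporting", "Head of IT", date(2019, 6, 30)),
    ]),
    Risk("Stock out risk", "Low", "Low", strategy="Accept"),
    Risk("Missing delivery schedule causing penalty", "High", "Moderate", responses=[
        Response("Rent 10 vans as an interim solution", "", date(2019, 4, 30)),
    ]),
    Risk("Inadequate physical security of petty cash", "Moderate", "Low", responses=[
        Response("Implement daily cash reconciliation procedure",
                 "Head of Finance", date(2019, 4, 30)),
    ]),
]


if __name__ == "__main__":
    for pos, risk in rank_register(SAMPLE_REGISTER):
        print(f"{pos}. {risk.name} (score {risk.score()})")
    for finding in check_responses(SAMPLE_REGISTER, as_of=date(2019, 5, 15)):
        print("finding:", finding)
```

Run as a script, it prints the ranked register followed by the findings for a review date of 15 May 2019: the missing delivery response has no owner, and the two April targets are overdue. Re-running the check at each review interval is what the article's conclusion asks for, and the findings list is the artefact a reviewer would carry into the next periodic report.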
Conclusion
Risk assessment is a continuous process. The steps indicated in this article are not a one-off exercise; rather, they need to be performed at regular intervals in order to keep the risk register updated and relevant.
Continuous monitoring and periodic reporting of risk and risk response are keys to a successful risk management process.