See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/314009129

Business Planning and Risk Management

Chapter · September 2003

Stanisław Strzelczak
Warsaw University of Technology

All content following this page was uploaded by Stanisław Strzelczak on 25 February 2017.


3 Business Planning and Risk Management

Stanisław Strzelczak
Warsaw University of Technology, Institute of Industrial Management
(Warsaw, Poland)

1. Introduction

This paper looks at a new model, business risk management, within the context of business
planning. The basic idea of this model is to integrate and coordinate the management of risks across
and along the business planning process. The most farsighted corporations, e.g. DuPont and
Microsoft, have started to develop a risk culture and to implement risk management methodologies in order
to gain another dimension of competitive advantage (a selection of interesting case studies is presented in
[Bart02]). In the current business environment, a business that cannot effectively manage
its key risks will, over time, simply disappear. The following sections briefly introduce the basic concepts and a
rough framework of risk management as an integral component of business planning. The guide-like style of
this text calls for further studies and readings; the numerous references make that easy.
Tom Peters, in his famous bestseller suggestively entitled “Thriving on Chaos” [Pete88],
focused on the enormous growth of generic uncertainty in business activities. He provocatively suggested that
predictability in the context of business management is simply a thing of the past. Unfortunately, many cases
from recent years can be cited as convincing proof of Peters’ propositions.
Many businesses have faced an assortment of risks that was almost unimaginable several years ago. To name just
the most common areas of this phenomenon:
 Prices; trends on financial and commodity markets; changing tastes
 Fluidity of global financial markets
 Cross-border mergers, acquisitions, divestitures, de-integration, joint ventures, strategic alliances
 New competitors
 Technology revolution
 The increasing complexity, interconnectedness and global dimension of business activities
 Business and bank failures
 Crippling financial debts of many economies
 Dramatic political changes and political volatility
 Falling tariff barriers
 Trade tensions between industrialized and newly industrialized countries; wars between regional trading
blocs (e.g. NAFTA versus the EU)
 Shift of many industries to developing countries
 “Green” factors
There are many good reasons to suggest that the rapid growth of generic uncertainty in business
management is driven by the globalization phenomenon [Stone01].
The discussed change of the business environment raises a question about the qualities demanded
of business management. Not surprisingly, new management concepts were developed in the
1990s to meet these new challenges:

 Flexibility [Genu95, Gewi96, Hame98, Volb98]
 Agility [Evans02, Oles98]
 EWRM (Enterprise-Wide-Risk-Management) and BRM (Business Risk Management) [Bart02,
Hayn00, Shime02, Shimp01]
 Adaptability [Fulm00]
 Business intelligence [Sydä02] and learning organization [Garr94, Seng92]
 Fractal organization [Warn93]
 Holonic organizations [McHu95]
Many managers are heralding flexibility as the new hallmark of organizational excellence.
Organizational flexibility deals with the dynamic relationship between the necessity of change and targeted
planning and control. Flexible organizations adapt smoothly and efficiently to the changing environment
and market needs. The characteristics of such firms seem to include flatter hierarchies, decentralized
decision-making, reduced organizational barriers, a strong commitment to collaboration,
empowerment of employees, value-stream-focused organizational forms, self-organizing units,
acceptance of ambiguity, flexible resources, a capacity for renewal, smooth business processes and short
lead-times. Flexibility is strategically important for many organizations and industries, as strategic
planning is generally insufficient and too slow for firms that operate in turbulent markets and
environments. In such organizations an unbalanced bias towards rigid planning and control will quickly lead
to a lack of innovation and responsiveness. Flexibility also refers to relations between firms. This
perspective places greater emphasis on inter-organizational processes and seeks to address the
apparent trend towards vertical disintegration, value-stream integration, networking and outsourcing.
Such a view of flexibility is concerned with the extent to which individual organizations are
restructuring, divesting and de-merging so as to return to a limited core set of activities, managed in a less
hierarchical and bureaucratic fashion than in the past.
Agile individuals know how to avoid blows and bruises. Agile organizations are fast-moving,
nimble, adaptable and robust. Agility is something beyond flexibility: it is the capability of rapid adaptation
in response to unexpected and unpredicted changes and events, market opportunities and customer
requirements. Agility entails a continual readiness to change, sometimes to change radically. Agile means
dynamic, context-specific, aggressively change-embracing and growth-oriented. Agility is not about
improving efficiency, cutting costs or battening down the business hatches to ride out fearsome
competitive “storms”. It is about succeeding in emerging competitive arenas and winning profits, market
share and customers in the very centre of the competitive storms that many companies now fear. Therefore,
successful agile competitors not only understand their current markets, product lines,
competencies and customers’ requirements well; they also exploit the potential of future customers and
markets. This understanding leads to a strategic need to acquire new competencies, develop new product
lines and open up new markets. An agile approach requires the ability to change and reconfigure the internal
and external parts of the enterprise (strategies, organization, technologies, people, partners, suppliers,
distributors and even customers) in response to change, unpredictable events and uncertainty in the
business environment. There are four major dimensions of agility-based competition:
 Enriching the value delivery to the customers
 Cooperating to enhance competitiveness
 Mastering change and uncertainty
 Leveraging human resources and information
An agile firm is capable not only of surviving but also of operating profitably in a hyper-competitive
environment characterized by continually and unpredictably changing market opportunities. The primary
drivers and generic features of agility are:
 Integration, virtual structures, dynamic multi-venturing capabilities
 Value-streams, not hierarchy domination
 Focus on core competencies
 Human-centred and networked organization, based on natural groups
 Multi-skilled, flexible and empowered employees
 Skills and knowledge valued as an important asset

 Vision-based management and organizational culture friendly to experimentation, learning and
innovation; proactive, not reactive attitudes
 Continuous improvement and total quality philosophy
 Change and risk management
 Concurrency in all business processes and activities, short lead-times
 Customer responsiveness and environmental concern
 Accessible and easy-to-use information
 Open system architectures
 Technology awareness and leadership
The modern concepts of business risk management (or, interchangeably, enterprise risk
management) reflect the shift towards a new paradigm of risk management. Traditionally, risk
management was viewed as a set of isolated and specialized activities, focusing mostly on insurable and
financial risks, e.g. insurance of assets, factoring of receivables, forfaiting, the use of on-balance-sheet
securities, etc. Past risk management was like a collection of fragmented and ad hoc activities,
dominated by effect-oriented rather than cause- and prevention-oriented thinking. The present approach shifts towards
keeping all managers and employees sensitized to and engaged in risk management. In other words,
everyone in the organization should view risk management as a part of her or his job. Risk management
thus tends to become one of the many organizational processes.
The present focus of business risk management is the organization’s ability to achieve its
business goals, successfully execute the assumed strategies, and protect and enhance shareholder
value. It is built upon a preventive philosophy, like etiological therapy in medicine. In the USA, the
Committee of Sponsoring Organizations of the Treadway Commission (the National Commission on Fraudulent
Financial Reporting, which issued its report in October 1987) published in 1992 the Internal Control – Integrated
Framework report, later simply called COSO. It includes a set of
evaluation tools and discusses the requirements for good practice in risk-oriented internal control. The
tools refer to specific areas that need to be addressed, e.g. risk assessment and the adequacy of routines to
identify risks arising from external sources.
The COSO framework proposed a simple set of clear guidelines on how to think about risk in
the organization from the perspective of business goals, the risks to achieving those goals, and then the
controls needed to mitigate the risks. This novel document departed from the traditional model of
accounting-focused internal control by proposing a broad scheme of five interrelated components: control
environment, risk assessment, control activities, information and communication, and monitoring. According to COSO,
control is the responsibility of the board, management and other staff within the organization. One of the key
advantages of COSO is the identification of risk assessment as the vital component of risk management.
Figure 1 illustrates the risk management sequence of the COSO model, expanded to show the three-step
approach to assessing risk. The COSO guidelines were followed by other risk management
recommendations and standards: the Canadian CoCo (1995), the German KonTraG (Gesetz zur Kontrolle und
Transparenz im Unternehmensbereich, 1998), the joint Australian and New Zealand standard AS/NZS 4360
(1999) and the UK Combined Code (Turnbull Report, 1999).

Establish organisation’s objectives → Risk assessment → Determine controls required
Risk assessment: risk identification → risk measurement → risk prioritization

Fig.1. Risk management sequence in COSO model.

The concept of EWRM was proposed by DeLoach [DeLo00]. It is “... a structured and
disciplined approach (that) aligns strategy, processes, people, technology, and knowledge with the
purpose of evaluating and managing the uncertainties the enterprise faces as it creates value. ...It is a truly
holistic, integrated, forward-looking and process-oriented approach (to) managing all key business risks and
opportunities – not just financial ones – with the intent of maximizing shareholder value for the enterprise
as a whole.” EWRM strives to consolidate different exposures, not just across the event-driven risks but
also between risk and uncertainty, i.e. between financial and business risks. EWRM applies a selective
approach to risk management: it seeks to differentiate those risks in which the firm has some perceived
comparative informational advantage from those in which the company perceives itself as no better
informed than other market participants. Another distinctive characteristic of EWRM is the attempt to
standardize the risk assessment patterns within the enterprise and to apply proactive measures (skills, routines,
communications, etc.), not only reactive ones (e.g. swaps, insurance, trade and financial limits), to
keep track of company performance within limits that are acceptable to the security holders. Finally,
EWRM stresses the need to align risk management with company systems, processes and human
resources. Although EWRM is not a totally novel approach, it is unquestionably relevant for companies
meeting the challenges of a turbulent business environment. The EWRM concept has a relevant analogy in
physiology: it is like an immune system for the organization.
Adaptability is a term often used to express the same thing as flexibility. However, unlike the
flexibility concept, the adaptability concept applies a proactive approach. It emphasizes a singular and
permanent adjustment to a new, changed environment, whereas flexibility focuses on successive but
temporary approximations to the new state of affairs. Adaptability refers to continuous organizational
renewal. Crisis-driven business renewal efforts may be dramatic and reflect a lack of adaptability or
inertia; they may result in fundamental and far-reaching strategic and operational change.
The adaptability approach highlights that the redirection of business strategy is evolutionary.
The two related concepts of business intelligence and organizational learning explore the idea of
human intellect and intelligence. One of the key features of the human mind is the ability to acquire
experience, learn, self-develop and anticipate the unknown. The word intelligence reflects an ability to
understand a changing environment and adapt accordingly, and to do so across a
very large scope of possible circumstances. We relate the degree of intelligence one has directly to both
the depth and the expanse of understanding, as well as to the appropriateness of adaptation. In this light, if we
speak of an intelligent enterprise, we might distinguish it as one which understands (knowledge) the
situation it is faced with, learns continuously from it as it changes (learning), and adapts (response ability)
appropriately (decisions) so as to achieve its purpose (goals) markedly better. Organizational
learning is usually seen as the development of the cross-functional knowledge, skills and abilities that will be
required in the future. Intelligent and learning organizations systematically learn from mistakes,
experience, experimentation, etc., and then diffuse the new knowledge throughout the organization. It
may also refer to the upgrading of practices with regard to the performance of specific tasks in a more
immediate sense. An important aspect of this is the impact of organizational routines. In many
corporations organizational routines become ingrained and condition the ability of individuals and whole
organizations to perceive the need for, and to implement, new ways of performing business processes and
activities.
The concept of the fractal company was developed by H.-J. Warnecke, who intended his idea to be
a relevant response to the Japanese and American management philosophies, adapted to the needs of the
European environment. Its key concern is the development of adaptive enterprises on the premise that
companies are living organisms with a huge employee potential that needs to be unlocked. A fractal
organization is defined as a collection of fractals. A fractal is an autonomously acting corporate entity
(e.g. department, branch) whose goals and performance can be precisely described. The concept was
adopted from the geometrical theory of fractals, i.e. generic entities which under magnification reveal
the same regular structure. It involves a repeating pattern of goals (self-similarity) as one moves down from the top
company level through departments to the individual. Despite the techno-speak, the approach is based on well-
known practices and techniques: deployment of company goals to develop local performance measures,
team working, empowerment, process-oriented organization design, self-organization and self-
optimization, self-similarity and re-configurability. The key features of fractal organizational units are:

 Self-similarity: Every organizational unit, from employee to the entire business, can be regarded as a
fractal. Fractals can be part of a superior fractal or contain fractal sub-systems. Every fractal can be
described with the same set of attributes, i.e. ‘elements and properties’, ‘relationships’, ‘goals’ and
‘accomplishments’.
 Self-organization: The fractals possess some level of freedom for decision-making and acting. They
are empowered to handle the resources in order to achieve the goals agreed upon. To comply with the
demand for adaptability and speed the organizational units must be able to adapt themselves quickly
to their environment and the process flow. In a fractal organization the continuously changing,
common performance goals are best accomplished through a co-operative structure of relationships.
 Self-optimization: Constantly changing requirements highlight how absurd it is to stick to fixed
structures. Accordingly, employee teams are empowered to improve operations at their own initiative
and on their own authority with regard to the defined goals and objectives. This can be achieved by
adjusting the structures of the fractals or the relationships.
Increasing the autonomy of the internal activities of organizational units heightens the
complexity of their creative task; this is the focus of the fractal organization concept. It was implemented in
some German corporations, e.g. Volkswagen.
The term holon was proposed by the Hungarian philosopher Arthur Koestler to describe a basic
unit of organization in biological and social systems. Koestler pointed out that in living organisms and in
social organizations entirely self-supporting, non-interacting entities do not exist. Every identifiable unit
of biological or social structure, such as a single cell in an animal or a family in a society, comprises more
basic units (nucleus and mitochondria, parents and siblings), while at the same time forming a part of a
larger unit of organization (e.g. a liver or a community). Holon is a combination of two words: the Greek
word holos, meaning whole, and the suffix -on, meaning part. A holon, as Koestler devised the term, is an
identifiable part of a system that has a unique identity, yet is made up of subordinate parts and in turn is
part of a larger whole. Holons are autonomous but purposefully cooperating units within a structure.
Holons can be people or projects, or capacities designed to behave as holons, or even whole companies.
Holons can also receive instructions from and, to a certain extent, be controlled by higher-level holons.
The holonic structure, called a holarchy in contrast to the traditional hierarchy, is not based on physical links or
subordination but on the actions or tasks that need to be undertaken. Subordination to higher-level
holons ensures the effective operation of the larger whole. Application of the self-similarity concept means
that some features of top-level holons are replicated in all component holons. The stability of holons and
holarchies stems from holons being self-reliant units which have a degree of independence and handle
circumstances and problems at their particular level of existence without asking higher-level holons for
assistance. This self-reliance ensures that holons are stable and able to survive disturbances. The
strength of holonic organization is that it enables the construction of very complex systems that are
nonetheless efficient in the use of resources, highly resilient to disturbances (both internal and external),
and adaptable to changes in the environment in which they exist. All these characteristics can be observed
in biological and social systems. The first field implementations of holarchy principles were undertaken
by leading Japanese corporations: Toshiba and Hitachi.
It is worth noting that most of the concepts discussed above were preceded by TQM
(Total Quality Management), the Japanese philosophy of business self-development [Zink98]. Some
management techniques and practices typical of the TQM approach fit the needs of business
risk management well. What is more, all these concepts address risk issues, directly or indirectly, as they
focus on higher responsiveness to environmental change. In other words, flexible, agile, adaptive,
intelligent, learning, fractal or holonic organizations are more capable of avoiding or mitigating risk.
It is probably an axiom that well-managed businesses, today and in the future, have successful risk
management. Professional risk avoidance and mitigation seems to be one of the most important
imperatives of business planning. Efficient risk management may contribute to the competitive edge.
Conversely, spectacular business failures around the globe are examples that demonstrate the
limits of the current accounting-centred approach to risk control and auditing. In any case, it is
worth answering the question of why business risk should be managed, if only to provide convincing arguments
to those managers who consider business risk management to be one more fashion or buzzword. So let
us name the ten major pros:

1. There is a narrow gap between foolishness and acceptable risk. Reasonable risk must be built upon a
good understanding of the potential losses and the probability of the risk occurring. Is risk a question of
lacking luck, or rather of lacking professional skills?
2. Very often business is like roulette: only one winner grabs the whole pool.
3. Business life is sometimes like a game among villains. There are many powers and enemies working
against business plans; some may wish for, enjoy or simply gain from a firm’s troubles or fall.
4. Risk management may be the subject of due diligence. Management might be expected to
prove that projects or plans were carried out competently and with relevant
diligence; in front of shareholders, authorities or even a court, managers might be
expected to justify that all reasonable measures against risks were applied and that the effects of
risks were not caused by their indolence. There is cogent evidence that many
corporate failures and bankruptcies could have been easily mitigated or avoided by systematic and
disciplined risk management practices. What is more, risk issues have become a standard component of
organizational audits, both internal and external.
5. Sometimes business management requires unlikely decisions when the unexpected occurs. But
crisis management is not an alternative to risk management.
6. It is not always possible to forecast and program convenient reactions to every risk. But a mark of a
good manager is the ability to adapt plans to meet the risks.
7. Few business plans and projects run smoothly and strictly according to the initial
assumptions and schedules [Fig.2]. There is no such thing as a business plan or operational program free
of risks and uncertainties; part of the business challenge arises from the risk hidden behind it.
8. Can business managers be right when blaming fate or unforeseen circumstances outside their
control? Not at all, but they often do so in the media.
9. Risk management may become an issue for a company applying for a bank loan, owing to the
new regulatory documents of the Bank for International Settlements (BIS) in Basel (Switzerland). The
new capital adequacy framework (Basel II) introduced by the BIS requires banks to rely not
only on on-balance-sheet securities against risk. The simple consequence is growth in banks’
expectations that borrowers present a relevant risk management system and undergo an external risk rating
when applying for a loan. Probably many companies, mostly SMEs (small and medium-sized enterprises),
will not be able to afford to meet the requirements driven by the Basel II regulations.
10. Risk management is a central component of corporate governance, which aims to protect
stakeholders’ interests in the organization. Although corporate governance focuses on the
responsibilities of the board, it addresses risk issues such as:
 Clear delineation of responsibility for accepting and managing any risk
 Policies and standards on managing risk
 A model or definition of the types and levels of risk considered unacceptable
 Effective and smooth communication and transparency about risks
 Suitable education to raise the level of risk awareness among the staff
 Appropriate monitoring, recording and reviewing of risk management results.

[Fig.2 is a pie chart with three sectors labelled SUCCESSFUL, UNSUCCESSFUL and BREAK DOWN, with shares of 31%, 53% and 16%; the mapping of labels to shares is not recoverable from the extracted figure.]

Fig.2. Overall business project outcomes [Bish98].

The rules of corporate governance (e.g. the UK Combined Code) for listed companies are defined in
regulatory frameworks set by securities exchange commissions (SEC). Non-compliance with such
guidance may result in a disclosure in the annual report that could attract the attention of the press,
shareholders and institutional investors.

2. Basic concepts

Risk management is not old. Its principles are rooted in the relatively young science of probability and
in the twentieth-century logical constructs of decision-making under uncertainty. Traditional risk
management refers to insurance against unlikely events (the actuarial approach) or to commodity
markets, exchange rates, credit risk, receivables, safety issues and, more recently, the uncertainty of
financial markets. From the business planning perspective, risk is a concept that managers use to express
their concerns about the probable effects of an uncertain environment, systems, processes and people’s
behaviour. Because the future cannot be predicted with certainty, managers and auditors have to consider a
range of possible events and circumstances that could take place. Each of them could have different
effects: material (e.g. damage, delay), financial (e.g. loss) or intangible (loss of reputation), sometimes
with significant consequences for the company and its objectives. The negative effects are usually
called risks and, conversely, the positive effects are often called opportunities. In other words, business
risk is a concept used to express uncertainty about events and circumstances and/or their implications that
could have an effect on the objectives of the organization. This definition incorporates the managerial and
strategic elements of risk and opportunity in achieving company goals.
One of the major hurdles in thinking about risk is caused by a missing distinction between risk
and uncertainty. Less than one hundred years ago the concept of uncertainty, as distinct from measurable risk,
was introduced into economics (Frank Knight, 1921); it can be seen as the exception to Francis Galton’s
regression to the mean. The discovery of discontinuities in the economy made
it perilous to base decisions on trends and the extrapolation of past data. The exploration of uncertainty
moved the discussion and research from the mathematicians to the economists. At the bottom of the
uncertainty problem in economics is the forward-looking vision of the economic process. Economists
were very careful to separate probabilities that can be measured (such as in games of chance) from
probabilities that exist but cannot be measured (such as future economic events). The latter are usually
called uncertainties. Hence it is common in the financial sector to consider risk as a measurable
(predictable) concept, in terms of the expected value of price or rate movements in assets and liabilities,
assessed by probabilities. This is the typical actuarial approach: the application of the term risk is restricted to those
situations where it is possible to assign a probability measure. Unfortunately, in most business situations at
the company level there is no reasonable way to assess probabilities. The heart of risk management is
to respond to those possibilities that cannot be predicted and that are the ultimate sources of uncertainty.
Following the discussion in the previous section, it is worth noting a common misconception
about risk management: that there is some way to see the future. There is no crystal ball, "magic matrix"
or special model that predicts the future. The future is unknowable in any detail. There are useful models
and methods supporting short-term forecasts. These include statistical tools to forecast corporate cash
flow and new money requirements, such as the Box-Jenkins time-series models used by many corporate treasuries. There are
also a number of industry-specific methodologies that help managers measure the current business impact
of risk, such as [Crou01, Cuth01]: different variations of the Value-at-Risk (VaR) model, used by financial
institutions to measure complex derivative portfolio positions (IVaR, DVaR, dynamic VaR, etc.);
credit-risk-oriented methodologies such as CreditMetrics, CreditRisk+ and KMV; and the RAROC (Risk-Adjusted
Return On Capital), RORAC (Return On Risk-Adjusted Capital) and RARORAC (Risk-Adjusted Return On Risk-
Adjusted Capital) methodologies, which aim to develop risk-adjusted performance measures.
There are also many misunderstandings about risk caused by a lack of discipline when
discussing the different issues of risk management. A closer analysis of risk as a term shows that
several related terms may be applied interchangeably when explaining risk [Fig.3]. It is very common to
mix up reasons, factors, trigger events, outcomes and effects. These misconceptions are to a large degree
caused by the different perspectives of risk perception. There are many possible parties involved in risk as a
phenomenon, the risk stakeholders:

[Fig.3 is a diagram with RISK at the centre, surrounded by the related terms: reason, factor, trigger events, exposure, probability, uncertainty, outcomes and effects.]

Fig.3. Risk morphological contexture.

 Company and its owners (shareholders)
 Board
 Management (including risk managers)
 Employee
 Bank
 Insurer
 Securities house
 Rating agencies and bodies
 Client (product owner) or client’s owner
 Distributor
 Suppliers, subcontractors and other third-parties or infrastructure providers
 Competitors
 Political authorities (e.g., government agencies, EU bodies)
 State and international bodies (e.g. courts, WTO)
 Supervisory bodies (e.g. Security Exchange Commissions)
 Public opinion, media
 Nation, society
 Sponsors
Each risk stakeholder has its own and often very specific perception of risk. Risk sometimes triggers
complicated and unforeseen interactions between them.
Another hurdle in understanding risk is the plethora of definitions and meanings of the term. Risk is
one of those terms seen a dozen times in the media or in private discussions with a dozen different meanings
and interpretations. For instance, the following interpretations of risk are very common:
 Risk in management and strategy is described as a continuum (risk and opportunity) with pay-offs
(negative or positive) and probabilities (likelihood and consequences).
 Risk in financial accounting is a quantifiable cost of holding assets.
 Market risk deals with variations of prices (e.g. commodities, financial instruments).
 Risk in the insurance and risk management industry focuses on probability distributions of material
loss, i.e. it is the subject of risk control engineering.
 Risk in the security and audit professions tends to be protective and negative, focusing on the effects
of material asset loss.

 Risk in the environmental safety and occupational health industries focuses on hazards and perils and on
defined probabilities of chemical and physical properties and events, with reference to materials,
processes, facilities and people.
 Risk in quality management looks at the possibility that some measure of a product or process goes
outside specified limits, usually called quality standards.
Consequently, we can find a wide variety of definitions of specific risks. Unfortunately, some terms are
defined very differently depending on the industry-specific understanding or simply the perspective. E.g.
business risk as defined by the financial sector is the risk that the cash flow of an issuer will be impaired
because of adverse economic conditions, making it difficult for the issuer to meet its operating expenses.
This is a really different approach from that assumed in the definition given at the beginning of this
section.
        Stock markets define business risk as the risk of an entity failing to achieve the expectations of
owners with respect to the financial performance of the entity. An increased business risk will very often
result in an increased inherent risk, as an increase in business risk means that there is an increased risk
that losses may be concealed by using incorrect or inappropriate accounting practices. Some of the factors
auditors consider when evaluating business risk include the sensitivity of the business of the entity to
unexpected changes in the economy, the degree of dependence on major suppliers and customers, and the
nature of the entity's industry and product.
        A twin term to business risk is operational risk [Hoff02]. Operational risk is concerned with
adverse deviation of a company's performance due to how it is operated, as opposed to how the company
is financed. It is a measure of the link between business activities and the variation in business results.
One of the final objectives of this approach is to reduce variability in company performance, hence the
risk adjustment for valuation. It goes together with such modern techniques as the Balanced Scorecard and
Value Based Management [Fig.4].
        Nevertheless, the most common definition of operational risk was developed by the financial
sector. According to ISDA, BBA and ARMA (International Swaps and Derivatives Association, British
Bankers' Association and Risk Management Association), operational risk is the risk of loss resulting
from inadequate or failed internal processes, people, and systems or from external events. But another
definition of operational risk that is common among financial professionals is: "risk associated with the
unique circumstances of a particular company, as they might affect the price of that company's
securities". The Forbes Financial Glossary treats operational risk as a term interchangeable with business risk:
"The inherent or fundamental risk of a firm, without regard to financial risk. The risk that is created by
operating leverage". The colloquial understanding of operational risk associates it with the potential for
systems or management failure or disruption, faulty controls, errors, fraud and misdeeds, human errors
etc. A very special form of operational risk is the human factor risk. It relates to the losses that may result
from human errors, e.g. entering wrong data into a document.

Fig.4. Relationship between profit and value creation and business valuation. [Diagram; elements: Performance, Business management, Risk adjustments, Company value, Business risk management, Value management, Valuation.]

        Among other types of risk exposures, important from the business planning perspective there are:
- Actuarial risk: the risk from changes to assumptions used to value contingent liabilities based on probabilities.
- Availability risk: the risk that new funds will not be made available.
- Completion risk: the risk that a project will not be brought into operation successfully.
- Country risk [Risk01]: risk related to political, financial and economic uncertainty in a particular country affecting the value of payments, loans or investments.
- Credit risk: the risk that an issuer of debt securities or a borrower may default on his obligations, or that the payment may not be made on a negotiable instrument.
- Cross-border risk: refers to the volatility of payments or returns on investments caused by events associated with particular country-to-country transactions.
- Default (counter-party) risk: the risk that the other party (e.g. debtor, option writer, counter-party) to an agreement will default.
- Delivery risk: the risk that a supplier will not provide delivery as contracted.
- Economic risk (in project financing): the risk that the project's output will not be saleable at a price that will cover the project's operating and maintenance costs and its debt service requirements.
- Event risk: the risk that a rare, discontinuous, and very large change in the borrower's or issuer's situation will reduce his ability to make interest and principal payments (e.g. accident, regulatory change, takeover, corporate restructuring).
- Fiduciary risk: the risk of loss from actions taken on behalf of clients.
- Foreign exchange risk: risk from changes in the rate at which two currencies are exchangeable.
- Fraud risk: the misappropriation of funds and other dishonest deception.
- Industry risk: the risk associated with a firm within a particular industry or industrial classification.
- Inherent risk: in broad terms the risk of a material misstatement in the un-audited information (e.g. financial statement).
- Inflation risk: also called purchasing-power risk, the risk that changes in the real return the investor will realize after adjusting for inflation will be negative.
- Insolvency risk (bankruptcy risk): the risk that a firm is unable to satisfy its debts.
- Interest rate risk: the risk that a security's value changes due to a change in interest rates. For example, a bond's price drops as interest rates rise.
- Inventory risk: the possibility that inventory will become obsolete or unrealizable at the book price.
- Legal risk: risk arising from legal challenge or from changes in the law.
- Liquidity risk: relates to the ability to raise the necessary cash to cover expenses or to roll over debt.
- Market (price) risk: the risk that the value of goods or securities (or a portfolio) will decline or increase in the future.
- Model risk: risks arising from an inappropriate pricing or hedging model.
- Natural risk (Act of God): fires, floods, earthquakes and so forth.
- Operations risks: risks arising from undertaking transactions, engaging in business, or otherwise occurring in activities.
- Physical risk: the risk of loss through damage to the firm's properties or loss of physical property or assets owned by the firm or for which the firm is responsible.
- Political risk: possibility of the expropriation of assets, changes in tax policy, restrictions on the exchange of foreign currency, or other changes in the business climate of a country.
- Pricing risk: the risk of a too low or too high contractual price. Often affected by the delay between pricing and payments.
- Product risk: a type of mortgage-pipeline risk that occurs when a lender has an unusual loan in production or inventory but does not have a sale commitment at a prearranged price.
- Rate risk: in banking, the risk that profits may decline or losses occur because a rise in interest rates forces up the cost of funding fixed-rate loans or other fixed-rate assets.
- Regulatory risk: risk arising from changes in regulations.
- Relationship risk: intangible loss to a firm generated through the relationship with a client, distributor, subcontractor or third party.
- Reputation risk [Lank03]: the risk of a damaged company image, resulting in diminished or even lost goodwill and credibility (e.g. the case of Arthur Andersen). Cognate to the reputation risk.
- Settlement risk: the risk that one party will deliver and the counter-party will not be able to pay, and vice versa.
- Social risk: changes in social mores, attitudes or perceptions.
- Systemic risk: resulting from the possibility that an entire financial market or system could fail catastrophically.
- Technology risk: the risk of loss by failure, breakdown, or other disruption in a business process. It includes loss from piracy or theft of data and information, and loss from technology that fails to meet intended business needs.
- Transaction risk: risk from buying and selling in a foreign currency.
- Translation risk: risk from converting assets and liabilities in a foreign currency back to the base currency.
- Transfer risk: the risk of imposition of controls on remittances of interest, dividends, fees, and/or capital to foreign contractors, investors or lenders.
- Transport risk: the risk of damage or loss of goods when shipped.
A shareable framework of business risk can provide a common ground for managers, auditors and other
stakeholders to establish effective and efficient risk management for their purposes. Such a framework
might also be useful as a template or tool to stimulate the imagination about how the organization
achieves its goals in an uncertain environment. With a common language, imagination and a thorough
knowledge of the business process, the organization is more likely to achieve its business goals and to
satisfy the expectations of all risk stakeholders.

3. What is Business Risk Management about?

Risk management is a misleading phrase. Risk is not directly manageable, since risk is only a conceptual
property used to express the effects of an uncertain environment. The difference in perspective is
important. It is the organization that is managed in anticipation of the uncertainty related to risk. The
challenge to the organization is managing the organization to continue fulfilling its purpose in the face of
a turbulent business environment. Managers modify business plans and operations to respond to current
and future states of the uncertain environment. That means that managers must permanently change the
way they manage and take responsibility for results. Once risk managers toiled away in the middle ranks
of companies cataloguing business properties and buying insurance. Not any more. Modern risk
management includes the traditional role of financing risk through insurance within a broader role of
advising on general business risk. Typically, risk management has been related to financial loss or fraud.
It has also been associated with doing something wrong. As a result, there has been a preoccupation with
administrative processes and controls, rather than outcomes and performance. The various reforms of
regulations during the past decade have attempted to tilt the balance more towards the latter, by
highlighting the lack of performance in many areas, as well as "good" or "bad" outcomes. Risk
management's real value in predicting the future is the ability to think laterally about business decisions.
Risk managers help pry the blinders off the managers that suffer from too narrow a perspective.
        Risk management is the next wave of solutions to the challenges of governing modern business.
Risk is among the latest and most common management buzzwords. Some companies are elevating risk
managers to the ranks of board members or senior management to give risk management visibility and
influence. Like so many other business decisions in an uncertain environment, some of these changes
have been successful, others have had unintended consequences. Avoiding or mitigating most of these
unlikely consequences is possible with the right understanding of the new role of risk management.

        Managers put assets at risk to achieve objectives. This relationship is a fundamental planning
problem for managers. Prudent management takes risks with assets - otherwise no objective can be
gained. Managers must plan, organize, direct, and control the optimum mix of assets to achieve their
objectives given the risks that are present. It is not enough to assemble the right staff to do the job.
Managers must also consider how risks will affect the assets. The assets at risk include:
- Financial assets, such as cash and investments.
- Physical assets, such as land, buildings, and equipment.
- Human assets, including knowledge and skills.
- Intangible assets, such as reputation and information.
A decade ago, risk management focused on the hard assets of the business - the financial and physical
assets that appear on the balance sheet. The new risk management addresses both hard and soft assets.
The risks to soft assets such as human resources and intangibles are often more important to the company
than the risks to the hard assets (e.g. the case of Arthur Andersen). As modern business becomes more
knowledge-based, intangibles like information and the humans that create and use it become more
important than the computer or building that houses them. Reputation and trust, two of the most fragile
assets of any business, outweigh all that exists on the balance sheet. Behavioral risks in the workplace
threaten to drive up costs and drive down productivity.
        Risks today are different from what they once were, and the new risk management is different
from traditional risk management. Traditional risk management focused on loss prevention and recovery.
The new risk management focuses on the positive side of business decisions. The modern risk manager
seeks to understand the contingent liabilities and the possible rewards of strategic decisions and to share
these insights with the senior management team. Risk and opportunity are values on a continuum of
variation, and the optimum decision ensures that risk is commensurate with the expected reward. The
traditional middle management risk manager buying insurance is clearly not up to that task in most of
today's companies.
        Traditional risk management was a reactive function. The risk managers were responding to
changes in the asset base and to changes in the insurance market. The new risk manager works with
others in the organization to seek out situations where they can apply advice and insight and add value to
business decisions and processes. Managing risk means ensuring sensitivity to detect risk, ensuring
flexibility to respond to risk, and ensuring the capability of resources to avoid or mitigate risk. Managing risk
must therefore come from within and act to change the organization and its response to changes in the
environment. Rather than trying to guess what risks will affect the organization, the organization builds in
certain characteristics to improve its ability to respond to change. The key characteristics that improve the
organization's abilities to respond to risk are:
- The organization applies the principles of a learning organization, that is, it actively seeks to monitor change in the environment and learn from it.
- The organization is process-centered instead of ego-centered. The focus is on value-added delivery, instead of serving the egos of management or employees.
In other words, modern business risk management tends to be proactive, not reactive, as it was in
the past. It is changing from static command-and-control strategies towards more flexible responses to
business risks.
        The corporate culture or management style has a bearing on risk management. Those companies
that reinforce individual accountability are likely to get it wrong. Individual accountability can be
distorted. It is one of the paradoxes of business reality that by designating a risk manager everyone
assumes that this one person is accountable for managing risk. Everyone else can go about her/his normal
day-to-day job believing that the risk manager is at his post and all is well with the world. The next step is
that the risk manager takes this misplaced accountability as a signal to build up staff to take on the risks
of the business. The results are usually less than spectacular.
        The framework of business risk management includes: concepts, recommendations, regulations
and methodologies, systems, routines, methods and techniques, and contingencies that may reduce or
eliminate the effects of risks. To cover the full range of exposures, integrated business risk
management is necessary. This implies the need to apply a variety of risk-oriented measures. The most
common are:
- Avoid (prevent): redesign the processes and/or reengineer resources to avoid particular risks with the aim of reducing overall risk.
- Diversify: spread the risk among different assets or processes to reduce the overall risk of loss or impairment (e.g. parallel transactions in foreign trade, operations load balancing).
- Control: design activities and routines to prevent, detect or contain adverse events or to promote positive outcomes.
- Contingencies: providing back-up resources (and applying them quickly to bring business operations back online) or similar reserves.
- Share (compensate): distribute a portion of the risk by a contract with another party, such as an insurer or securities provider (e.g. derivatives: forwards, futures, options).
- Transfer: distribute the risk through a contract with a third party (factoring, forfeiting, outsourcing).
- Accept: no reaction - allow minor risks to exist to avoid spending more effort on managing the risks than the potential harm.
The most common contingencies protecting against various risks are:
- Balance sheet (capital) reserves
- Budget (cost) reserves
- Price margin
- Cash-flow reserves
- Reserve materials
- Reserve capacities (active or passive)
- Lead-time offset
All risk management techniques may be found in all domains; however, there are some primary risk
policies. Many ownership-related risks are insurable, and the primary risk policy is to transfer risk or to
establish risk sharing through insurance. Process risks are primarily managed through an active system of
internal controls, including management supervision. Behavioral risks are the most varied and difficult
to handle. The primary risk management techniques to treat behavioral risks are: avoidance (redesign the
workplace to reduce the level of risk, e.g. by implementation of the well-known Poka-Yoke method
developed in Japanese corporations [Imai97]) and risk transfer (factoring, workers' compensation).
        The integrated business risk management process is built around ten generic concurrent
activities [Fig.5]. The key developing (ex-ante) activities are: identification, analysis and prevention. The
key reacting (ex-post) activities are: escalation (bottom-to-top communication of detected threats),
aggregation (consolidation) and servicing (treatment).

Fig.5. Primary elements of business risk management process. [Diagram; elements: Identification, Analysis, Prevention, Escalation, Aggregation, Servicing, Monitoring, Reporting, Control and audit, Planning.]

        The first attempt to develop a consistent framework for business risk management was made jointly
by the governments of Australia and New Zealand. It resulted in the AS/NZS 4360 risk management
standard, set in 1995. Later the governments of both countries adopted AS/NZS 4360 as the basis for
public policies and procedures. The standard defines five major steps of the risk management process:
1. Establish the context (strategic, organizational, managerial).
2. Identify the risks.
3. Analyze the risks.
4. Assess and prioritize the risks.
5. Treat (manage) the risks.
Furthermore, a six-step scheme of the risk management implementation process was defined:
1. Support of senior management.
2. Develop the organizational policy.
3. Communicate the policy.
4. Manage risks at the organizational level.
5. Manage risks at the program, project and team level.
6. Monitor and review.
This AS/NZS 4360 standard is the first of its kind in the world. Further support for the
implementation of structured and disciplined business risk management may be provided by the use of
general or industry-specific methodologies. They establish a consistent, structured and disciplined
framework offering ready-to-implement or customizable aids like:
- Checklists of risks, useful for risk identification
- Systematic and structured methods for risk assessment
- Control recommendations, reference organizational routines
- Records, databases, consistent reporting and documentation
- Benchmarking checklists
        Risk management is not just one more management function. Effective risk management
programs demand a culture of collective accountability for producing results. The risk manager, if one
exists, acts as a catalyst and a resource for extending the thinking processes of the management team.
The successful risk manager is above all a facilitator, often with a very small staff (banks and
financial institutions tend to have larger staffs, others may get along fine with one person). The
expectation is that the risk manager will operate closely with other managers in ad hoc teams to
improve the organization's business processes. Risk managers must plan, organize, direct, and
control so as to reflect both risk and opportunity. The key internal parties of risk management are:
- Board and top management, line managers, project managers
- Risk managers (in big corporations even risk officers)
- Financial manager, chief accountant, treasurer
- Lawyer
- Analysts
- Process engineers
- Operational staff
The risk manager is the owner of the risk problem; the typical collection of his responsibilities includes:
- Coordination and/or performance of risk analysis
- Development of risk management systems and infrastructure
- Programming of risk treatment, contingencies planning
- Implementation of risk-escalation procedures
- Supervision of the risk monitoring process and risk records (milestones!)
- Control and supervision of risk management activities
- Supervision of risk-related schedules, budgets, resources etc.
        Although Parkinson's law should never be forgotten by any manager, business risk
management means, to some extent, an unavoidable bureaucracy. The specific risk management
documentation is one of the basic components of its infrastructure. In unlikely circumstances it may
provide proof of due diligence. The variety of risk documentation includes:
- Working documents:
  o Lists and maps of risks
  o Scenarios, CEDAC diagrams
  o Financial assessments
- Risk records, escalation reports and memos
- Control and audit reports
- Documentation of safety budget, funds and contingencies
- Insurance and securities documents
- Risk-related organizational routines, responsibility statements etc.
- Schedules
The process of reporting risk usually focuses on: major risks and their escalation, the distribution of
exposures or risk measures (significant changes in the level of risks), control and auditing, costs and
consumption of risk budgets.
        Lessons from those corporations that are leaders in the world of risk indicate the following ten
principles as the benchmarks of corporate business risk management:
- There is a strong company-wide commitment to risk management, particularly at the board level
- Risk management is formalized and documented to a reasonable extent, including the maintenance of non-financial risks; preventive and corrective activities as well as facilitating resources are programmed
- Risk management is integrated with (incorporated into) business management; risk considerations are an essential part of decision-making; risk monitoring uses as its input the results of business process and environment monitoring
- Risk management, particularly risk identification, is an integrated, continuous and dynamic process; established solutions are subject to permanent re-evaluation
- Smooth escalation routines exist for the major risks
- Financial risks are measured with relevant, sophisticated but practical tools, like: VAR, stress testing, EAR (Earnings-At-Risk) [Bart02]
- Risk audits are incorporated into the company audits
- Performance measurement is risk-adjusted
- Risk-related standards are established to ensure relevant risk ranks (e.g. scales of importance and frequency)
- A variety of appropriate risk treatment methods is applied
Otherwise, a company might become like a baby surfing in a hyper-competitive, nasty and turbulent
environment. The EWRM methodology distinguishes four grades of business risk management, as
opposed to the traditional baseline of informal treatment of risk. They are:
- Personnel are appointed with operational risk-specific responsibilities. The ownership of risk is clearly defined.
- Monitoring stage: the notion of explicit and formal risk tolerances for operational risk begins to emerge, albeit on a largely qualitative basis.
- A firm finally develops a quantitative system of some kind for the formal measurement of operational risks.
- A firm matures into an integration stage where business risks become a fully integrated part of a comprehensive EWRM process.

4. Business risk analysis

The primary subject of risk analysis is to examine the kinds of risks the firm considers acceptable, the
likelihood of their materializing, and the ability to reduce their impact if they do occur. The first difficulty
in the implementation of business risk management is the plethora of risks. As companies develop risk
management systems, they find they need a common language throughout the group to describe similar
risks, and common categories to classify them, so that the cumulative exposure in any given area can be
properly assessed. Furthermore, different sources of information on existing or possible exposures may
apply different names to the same risks or may direct their attention to different points of the risk contexture
[Fig.3]. There are internal and external sources of knowledge on risks. Among the latter the most
common are:
- Risk consultancy providers
- Rating agencies
- Publications
- Professional organizations
- Regulators
- Government agencies
- Intelligence services providers
In determining the firm's risk profile, the major source of information on risk is very often managers and
other staff. A robust internal process for identifying risks is the foundation of effective business risk
management.
        Many significant risks are easily identified within an organization from a "bird's eye" view at the
top management level, others from more detailed operational knowledge further down the organization.
When identifying risks, firms should avoid selecting potential candidates from a generic list - the risks
should be specific to the market sectors in which the business operates and to the company's
circumstances at a given time. It is usually very helpful to consider the possible obstacles standing in the
way of the company achieving its business objectives. It is worth looking at how change, whether within
the corporation or in the external business environment, is affecting the company's risk profile, as this can
introduce new or increased risks. It is also important to consider problems or near misses that the firm or
its competitors have experienced recently, but managers should also address the types of risk that have
yet to crystallize. Further consideration should be given to those business probity issues, including
ones related to fraud, where the company might be especially vulnerable. With the development of global
markets and worldwide brands, as well as the increased prominence of international pressure groups,
many corporations now find reputation risk a focal point of concern. In this context, environmental risks
are substantial and growing for many sectors of business. These can lead to large direct costs, in terms of
remedial expenditure and fines, and can severely damage corporate reputation.
        The recent experience of the leaders of business risk management suggests some simple but
practical management techniques for a firm's self-identification of risks:
- Open and structured questionnaires
- Checklists
- Brainstorming sessions
- Staff self-assessment
Risk identification may also be supported by some risk modeling tools (see next sub-section).
        Risk identification by polling is usually a very efficient path. Questionnaires may be more or
less structured, but too rigid structuring may reduce the attention and creativity of polled participants.
Structured open questionnaires make it easier to name the unknown risks. Structured questionnaires
usually apply a conceptual framework of the universe of possible risks. The typical structure of a self-
questionnaire is built around the following distinctions:
- Business processes, functions and units
- Reasons and factors
- Effects
An example framework for a business risk self-questionnaire is exhibited in Fig.6. Its idea may be easily
adopted and developed according to specific requirements. The final stage of risk identification by
polling must resolve the inconsistency of risk naming by different persons, thus providing a common
language for the next steps of risk management implementation.
Risk analysis is a decision-making tool that involves considering the consequences of alternative
company behaviors. Because businesses must function in an ever-changing environment, awareness of
evolving risks is crucial to survival. Risk assessment is the consideration of the probable material and
financial effects of unlikely and uncertain events. Therefore, risk assessment as a component of risk
management is part of modern business planning tools. The link between risk and business management
is the assessment of risk and its consequences on achieving established business planning objectives. The
origins of risk assessment are in management strategic planning. Strategic planning tries to take into
account the long-term view of operations. The longer the view, the more uncertainty that has to be
considered.

Fig.6. Example framework for business risk identification. [Tree diagram: BUSINESS RISK splits into Internal and External. Internal: Personnel (fraud, error, incompetent behavior, morale, unavailable), Systems (IS, routines, poor organisational behavior, methods), Resources (breakdowns, damage, bottlenecks, unavailable). External: act of God, contracts, legal, country, cross-border, transport, settlement, foreign exchange, completion, default, delivery, fraud, inflation, market, transaction, pricing.]

        The two major pillars of risk analysis are: measurement and modeling. The subject of risk
modeling is to investigate, research and explain the possible interactions between business events,
actions, exposures and risk reasons, outcomes, and effects. Thus, risk modeling provides support for
risk prioritization, as well as enabling the relevant ranking of risks and the estimation of appropriate
risk treatment. General management techniques or specific tools, depending on the risk type, may
accomplish business risk modeling. The general tools meeting the requirements of risk modeling are:
- Scenario analysis [Heij96]
- CEDAC (Cause-and-Effect diagrams) [Nagas90] and other causal modeling tools [King01]
- Synectics [Proc99]
- Delphi method [Armst01]
- Morphological analysis [Proc99]
- Decision trees [Proc99]
- Simulation
- Delta methods [King01]
- Extreme value theory [King01]
- Bayesian Belief Networks [Alex01]
The specific tools of risk modeling and assessment, like VAR, RAROC, EAR, the worst-case
scenario analysis [Boud95] address mostly financial risks. However, it comes out of the scope of this
publication to discuss in details all methods applicable to the risk modeling purposes.
The simple, but practical tool that enables a systematic and disciplined analysis of risk
morphology is CEDAC. CEDAC diagrams were originally proposed by Kaoru Ishikawa to provide an
efficient research tool for quality assurance problems. They may be easy adapted to the needs of risk
modeling [Fig.7] as alternative to scenario analysis (indeed CEDAC diagrams may be applied to
represent scenarios). There are different types of CEDAC diagrams: variation analysis diagrams, process
classification diagrams and cause enumeration diagrams. CEDAC diagrams may consist the risk
management documentation.
Another tool that systematizes risk modeling in an easy way is the Delphi method. It was
originally developed as a forecasting method, to support long-term forecasting and those planning
situations where quantitative approaches are not possible or relevant. It is an anonymous questionnaire
assessment done by a team of several experts. Opinions are reconciled by off-line questionnaire reviews run
by a moderator, who distributes information through the following questionnaires. The first questionnaire
includes the basic question (about probability, effect etc.) and asks for a competence self-evaluation. The
following questionnaires usually include:
- Medians and inter-quartile intervals of the answers to questions in the recent questionnaire
- The expert's own recent answer (optionally)
- "Pros and contras" of her/his previous answer, if it was outside the inter-quartile interval
- The most frequent "for and against" answers in the recent questionnaire
The Delphi method aims to reduce the inter-quartile intervals. Usually, after four iterations, a
substantial reduction of the inter-quartile intervals is achieved and continuing the polling does
not provide any advantage. The Delphi method is probably the best tool for estimating risk likelihood
and effects for most identified non-financial risks, using the existing in-company expertise. By the
way, it is worth underlining that risk assessment, in contrast to the actuarial approach, is
dominated by expert methods.
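The moderator's bookkeeping between Delphi rounds, as an added example that is not code from the chapter: it computes the median and inter-quartile interval of the experts' answers, lists the experts whose answer fell outside the interval (and who are therefore asked for "pros and contras"), and stops polling once the interval has shrunk enough or four rounds have been run. The expert answers and the 50 % reduction threshold are constructed for the example.

```python
"""Delphi round bookkeeping for a moderator (constructed example, not code from
the chapter): median and inter-quartile interval of the experts' answers, the
list of experts asked to justify an answer outside that interval, and a stopping
rule based on the reduction of the interval between rounds."""
from statistics import median


def quartiles(values):
    """Return (q1, median, q3) of a sample using the median-of-halves rule.
    The middle element is excluded from both halves when the count is odd."""
    s = sorted(values)
    mid = len(s) // 2
    lower = s[:mid]
    upper = s[mid + 1:] if len(s) % 2 else s[mid:]
    return median(lower), median(s), median(upper)


def summarize_round(answers):
    """answers: dict expert -> numeric estimate (here: probability in %).
    Returns what the moderator feeds back with the next questionnaire:
    the median, the inter-quartile interval, its width, and the experts
    whose answer fell outside it (they are asked for 'pros and contras')."""
    q1, med, q3 = quartiles(answers.values())
    outside = sorted(name for name, v in answers.items() if v < q1 or v > q3)
    return {"median": med, "iqr": (q1, q3), "width": q3 - q1, "outside": outside}


def should_stop(rounds, min_reduction=0.5, max_rounds=4):
    """Stop polling once the inter-quartile width has shrunk by min_reduction
    relative to the first round, or after max_rounds questionnaires (the
    chapter reports that about four iterations usually suffice). The 50 %
    threshold is an assumption made for this example."""
    if len(rounds) >= max_rounds:
        return True
    first = summarize_round(rounds[0])["width"]
    last = summarize_round(rounds[-1])["width"]
    return first > 0 and (first - last) / first >= min_reduction


# Constructed answers of seven experts to "probability (%) that the key supplier
# defaults within 12 months", over three questionnaire rounds.
ROUNDS = [
    {"E1": 10, "E2": 35, "E3": 20, "E4": 60, "E5": 25, "E6": 15, "E7": 40},
    {"E1": 18, "E2": 30, "E3": 22, "E4": 45, "E5": 25, "E6": 20, "E7": 35},
    {"E1": 22, "E2": 28, "E3": 24, "E4": 35, "E5": 25, "E6": 22, "E7": 30},
]


def run_delphi(rounds=ROUNDS):
    """Return the per-round feedback and the round number at which polling stops
    (None if the stopping rule was never met)."""
    feedback = [summarize_round(r) for r in rounds]
    stop_at = next((i + 1 for i in range(1, len(rounds)) if should_stop(rounds[:i + 1])), None)
    return feedback, stop_at


if __name__ == "__main__":
    fb, stop = run_delphi()
    for i, f in enumerate(fb, 1):
        print(f"round {i}: median={f['median']} IQR={f['iqr']} outside={f['outside']}")
    print("stop after round", stop)
```

With the constructed answers the inter-quartile width falls from 25 to 15 to 8 percentage points, so the rule stops polling after the third round; the experts flagged in round one (E1 and E4) are the ones whose justifications are circulated in round two.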
There are two fundamental aspects of risk measurement: probability (likelihood) and effects.
If the direct measures (probability and currency) cannot be applied, an alternative option is the use
of grading scales, e.g. [Fig.8, 9].

Fig.7. Example CEDAC diagram of interdependencies between risk causes and effects (cause branches:
Materials, Technology, Manpower, Equipment, Measurement; effect: Failure).

Grade | Category          | Description                                         | Likelihood
A     | Very probably     | This risk should occur                              | > 50 %
B     | Probably          | Occurrence of this risk is quite probable           | 20 – 50 %
C     | Possible          | This risk may occur                                 | 10 – 20 %
D     | Hardly possible   | Small chance of occurrence                          | 1 – 10 %
E     | Almost impossible | This risk may occur under exceptional circumstances | < 1 %

Fig.8. Example scale for risk likelihood grading.

Level | Category    | Description                                                              | Loss [EUR]
1     | Marginal    | No effect on health, public relations, no legal problems. Minor loss.    | < 100 000
2     | Unimportant | No effect on health, public relations, no legal problems. Marginal loss. | 100 000 – 1 000 000
3     | Fair        | Limited effect on public relations, some legal problems. Fair loss.      | 1 000 000 – 10 000 000
4     | Substantial | Substantial damage to company image, major impact on health.             | 10 000 000 – 50 000 000
5     | Devastating | Ruined company image. Substantial impact on health or life.              | > 50 000 000

Fig.9. Example scale for severity grading.

The business planning process deals with time-distributed quantities. Hence, a question arises
how to adjust the series of numbers common in business planning (e.g. earnings, cash-flows etc.) for
risk. Of course, it is possible to apply sophisticated methods, like EAR, VAR, worst-case scenario
analysis etc. An alternative, but much easier, approach is the three-levels method. It is an
analogy to the PERT scheduling tool common in project management. For each considered dynamic value
three time-series are built:
- One for the most positive circumstances (optimistic, lowest risk exposure)
- One for the most negative circumstances (pessimistic, highest risk exposure)
- A third one for the most expected circumstances (most likely risk exposure)
These three series provide a rough estimation of the possible paths of business processes, and thus give
a basis for reasonable business planning decisions. Of course there is an open question of who should
estimate these three series, and how. The expert methods suggested above, e.g. the Delphi method or
decision trees, provide relevant inputs to the three-levels method. Its advantage lies in the simplicity
and speed with which the analysis can be completed. The information sources are usually readily
available. It also makes it possible to avoid the assessment of many individual risks, by an aggregate
assessment of their effects.
Assuming availability of past data on business risk related costs, it is possible to calculate the cost of
business risk (COBR). The components of a COBR statement include:
- Business loss costs
  - By business line
  - By risk class
- Plus: Business risk management administrative costs
  - Business risk management department
  - Other departments and expenses (e.g. internal audit)
- Plus: Insurance and risk finance costs
  - Annual self-insurance reserve contributions
  - Insurance / reinsurance premiums
- Minus: Insurance and risk finance recoveries
  - Investment income on self-insurance reserves
  - Incremental residual self-insurance reserves
This approach requires extensive data input to assure reliable assessments of future values. Its
advantage is very simple mathematics. However, the hidden assumption that trend projections are relevant
for projecting aggregated values may be unjustified for firms facing turbulent environments.
A recent contribution to business risk assessment practices adapts a popular method favored by
many securities houses and accounting firms. It is a long-lasting tradition among these industries to
maintain risk databases. Financial services providers used to compile risk databases to support risk
profiling. Recently this has become part of their new offer, usually called the Enterprise Risk
Management product line. Reports can be extracted from the database to look for common risks or to
examine all of the risks faced. The insurance industry method attempts to capture data for individual
physical or financial assets or asset groups. This produces a catalogue of assets and their general risk
events and the associated financial risk exposure (the potential loss if the asset is lost or impaired).
More progressive risk managers also include the potential lost revenue for the particular asset or group.
For example, a manufacturing plant could be valued at its replacement cost, or it could be valued at its
replacement cost plus the lost profits from lost production. There are a number of software packages
available that aid in summarizing the detailed data and in displaying the total financial exposure by
risk category, asset type or in total. One variation advocated by the banking industry lately is to
compile a loss-event database that details all losses. From this database, advocates claim, risks can be
easily identified and then managed. Loss-event databases focus on past events, and they generally focus
only on financial loss. These two characteristics make loss-event databases a poor choice for a risk
assessment process that must include more than just financial and physical assets and more than just
financial loss. All database-based approaches are data-intensive and very time-consuming, which is a
serious consideration when hiring consultants to perform the initial assessment. The databases are also
very time-consuming to maintain, and they are quickly outdated in any changing environment. A further
weakness is that the mass of data is too overwhelming for corporate governance decisions. However, the
detail is also a strong point for giving guidance to smaller companies to help them manage risk.
Companies need to consider all the types of risks they face, whether strategic, operational,
financial, or related to compliance issues. In assessing their relative importance, several recent studies
showed that financial managers thought the principal risks were generally strategic and operational.
Examples included the failure to manage major projects successfully, especially technological ones; the
failure to be sufficiently innovative; problems arising from lost reputation or damaged brand; and
difficulties with a lack of employee motivation. Companies should also bear in mind the costs and
benefits of particular risk controls.
Once identified, risks should be prioritized. Priority can be assigned by examining the impact of
any particular risk on company goals. The priority of a risk is the probability of an event or situation
occurring weighed against its estimated impact on company objectives, before taking account of the
application of control strategies. The potential impact of risk should be assessed not merely in direct
financial terms, but more broadly, by reference to the potential effects on corporate targets. It is
possible to use risk-adjusting methods for this purpose, like EAR, VAR, worst-case scenario analysis etc.
A more common, but less sophisticated and less laborious, way is the implementation of risk acceptability
scales [Fig.10]. Typically, such scales are used with reference to adequate types of risk treatment.
The segmentation of risks can often, especially for groups of similar risks, be realized by
such simple ordering tools as Pareto analysis or scatter diagrams. Nevertheless, most companies
use a few-by-few matrix (risk map) to divide risks [Fig.11]. The two dimensions of the matrix reflect
loss frequency and loss severity (LF/LS segmentation). Risk prioritization of this kind will be to
some extent subjective, and the degree of uncertainty that surrounds the estimation of the impact of
different kinds of risk is unlikely to be uniform. These factors will affect any decisions about how to
respond to particular risks. Some of the obvious advantages of the approach are its simplicity and
speed of analysis, and the lack of need to exploit empirical data or records: it does not require any
particular database. The risk mapping process fits well together with a qualitative risk assessment
process that entails questionnaire-based polling, Delphi risk assessments and scenario-based
approaches. It can also be linked with control self-assessment.
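Risk grading and risk-map prioritization with the chapter's example scales, as an added example that is not code from the chapter: probabilities are graded with Fig.8, losses with Fig.9, the pair is scored with the Fig.11 matrix, the register is sorted by score, and a second assessment is checked for the "risks moving down and to the right on the risk map" symptom listed at the end of this section. The risk register is constructed; the assignment of shared boundary values (e.g. exactly 20 %) to the higher grade and the mapping of score bands onto the Fig.10 acceptability categories are assumptions, since the chapter states neither.

```python
"""Risk grading and prioritization with the chapter's example scales
(constructed example, not the chapter's own code). Assumptions: a value on a
shared scale boundary goes to the higher grade; the score-to-acceptability
bands are invented for the example, the chapter does not define them."""


def likelihood_grade(prob_pct):
    """Fig.8: A > 50 %, B 20-50 %, C 10-20 %, D 1-10 %, E < 1 %."""
    if prob_pct > 50:
        return "A"
    if prob_pct >= 20:
        return "B"
    if prob_pct >= 10:
        return "C"
    if prob_pct >= 1:
        return "D"
    return "E"


def severity_level(loss_eur):
    """Fig.9: 1 < 100k, 2 100k-1M, 3 1M-10M, 4 10M-50M, 5 > 50M (EUR)."""
    if loss_eur > 50_000_000:
        return 5
    if loss_eur >= 10_000_000:
        return 4
    if loss_eur >= 1_000_000:
        return 3
    if loss_eur >= 100_000:
        return 2
    return 1


# Fig.11: rows = likelihood grade, columns = severity level 5..1.
RISK_MAP = {
    "A": {5: 10, 4: 8, 3: 6, 2: 4, 1: 3},
    "B": {5: 9, 4: 7, 3: 5, 2: 3, 1: 2},
    "C": {5: 7, 4: 5, 3: 4, 2: 3, 1: 2},
    "D": {5: 6, 4: 4, 3: 3, 2: 2, 1: 1},
    "E": {5: 4, 4: 3, 3: 2, 2: 1, 1: 1},
}

# Assumed score bands for the Fig.10 categories (highest threshold first).
ACCEPTABILITY = [(8, "Unacceptable"), (5, "Unlikely"), (3, "Acceptable"), (0, "Minor")]


def score(prob_pct, loss_eur):
    """Return (grade, level, risk-map score) for one risk."""
    grade, level = likelihood_grade(prob_pct), severity_level(loss_eur)
    return grade, level, RISK_MAP[grade][level]


def acceptability(map_score):
    return next(label for threshold, label in ACCEPTABILITY if map_score >= threshold)


def prioritize(register):
    """register: dict name -> (probability %, loss EUR). Sorted by score, highest first."""
    rows = []
    for name, (p, loss) in register.items():
        grade, level, s = score(p, loss)
        rows.append({"risk": name, "grade": grade, "level": level,
                     "score": s, "acceptability": acceptability(s)})
    return sorted(rows, key=lambda r: (-r["score"], r["risk"]))


def improved(before, after):
    """True when a risk moved down (A toward E) and/or right (5 toward 1) on the
    map without worsening on either axis; both arguments are (prob %, loss EUR)."""
    gb, lb, _ = score(*before)
    ga, la, _ = score(*after)
    return ga >= gb and la <= lb and (ga > gb or la < lb)


# Constructed risk register (probability of occurrence in %, loss estimate in EUR).
REGISTER = {
    "Key supplier insolvency": (30, 5_000_000),
    "Plant fire": (0.5, 80_000_000),
    "ERP migration overrun": (60, 2_000_000),
    "Warehouse pilferage": (80, 50_000),
}

if __name__ == "__main__":
    for row in prioritize(REGISTER):
        print(f"{row['score']:>2} {row['grade']}{row['level']} {row['acceptability']:<13} {row['risk']}")
```

Sorting by the matrix score puts the ERP overrun (A3, score 6) ahead of the plant fire (E5, score 4) even though the fire has the larger loss, which is exactly the subjectivity the text warns about: the ordering depends on how the panel graded a sub-1 % likelihood.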
A little more sophisticated, but similar, risk ordering can be offered by TOWS matrix analysis
[Whee02]. An even more advanced, expert-knowledge-based risk ranking can be obtained by the
analytic hierarchy process (AHP) [Saat80]. This is a mathematical process involving matrices that
produces a ranking through pair-wise comparison of competing alternatives, voted on by a team of
experts applying different criteria.
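An AHP ranking of risks from expert pair-wise comparisons, as an added example that is not code from the chapter or from [Saat80]: each expert's judgments become a reciprocal comparison matrix, the experts' matrices are aggregated by element-wise geometric mean, the priority vector is taken as the principal eigenvector by power iteration, and Saaty's consistency ratio flags a panel whose judgments contradict each other. The risk names and judgments are constructed; the random-index values are Saaty's published figures as recalled here.

```python
"""Analytic hierarchy process ranking of risks from expert pair-wise comparisons
(constructed example, not the chapter's or Saaty's code): reciprocal matrix
from each expert's judgments, group aggregation by geometric mean, priority
vector by power iteration, and the consistency ratio check."""
import math

# Saaty's random consistency index by matrix size (quoted from memory; used only
# to scale the consistency index into the consistency ratio CR = CI / RI).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}


def reciprocal_matrix(n, judgments):
    """judgments: {(i, j): a_ij} for i < j on the 1-9 scale; a_ji is set to 1/a_ij."""
    m = [[1.0] * n for _ in range(n)]
    for (i, j), a in judgments.items():
        if not (0 <= i < j < n) or a <= 0:
            raise ValueError(f"bad judgment ({i}, {j}) = {a}")
        m[i][j] = float(a)
        m[j][i] = 1.0 / a
    return m


def aggregate(matrices):
    """Element-wise geometric mean of several experts' matrices; keeps reciprocity."""
    n, k = len(matrices[0]), len(matrices)
    return [[math.prod(m[i][j] for m in matrices) ** (1.0 / k) for j in range(n)]
            for i in range(n)]


def ahp_priorities(matrix, iterations=200):
    """Principal eigenvector (normalized to sum 1), lambda_max, CI and CR."""
    n = len(matrix)
    w = [1.0 / n] * n
    for _ in range(iterations):  # power iteration converges for positive matrices
        v = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(v)
        w = [x / total for x in v]
    aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
    lam = sum(aw[i] / w[i] for i in range(n)) / n
    ci = (lam - n) / (n - 1) if n > 1 else 0.0
    cr = ci / RANDOM_INDEX[n] if RANDOM_INDEX.get(n, 0.0) > 0 else 0.0
    return {"weights": w, "lambda_max": lam, "ci": ci, "cr": cr, "consistent": cr < 0.10}


RISKS = ["Key supplier insolvency", "ERP migration overrun", "Plant fire"]
# Constructed judgments of two experts answering "how much more important is
# risk i than risk j for next year's plan?" (1 = equal ... 9 = extreme).
EXPERT_1 = {(0, 1): 3, (0, 2): 5, (1, 2): 2}
EXPERT_2 = {(0, 1): 2, (0, 2): 4, (1, 2): 3}
# A deliberately circular set (0 beats 1, 1 beats 2, 2 beats 0) to show the CR check.
INCONSISTENT = {(0, 1): 5, (0, 2): 1 / 5, (1, 2): 5}


def rank_risks(risks=RISKS, experts=(EXPERT_1, EXPERT_2)):
    """Aggregate the experts' matrices and return (ranking, diagnostics)."""
    group = aggregate([reciprocal_matrix(len(risks), e) for e in experts])
    result = ahp_priorities(group)
    ranking = sorted(zip(risks, result["weights"]), key=lambda t: -t[1])
    return ranking, result


if __name__ == "__main__":
    ranking, result = rank_risks()
    for name, weight in ranking:
        print(f"{weight:.3f}  {name}")
    print(f"lambda_max={result['lambda_max']:.3f} CR={result['cr']:.3f} consistent={result['consistent']}")
```

A CR above 0.10 means the panel's comparisons are too contradictory to yield a meaningful ranking and the questionnaire should go back to the experts, which is the AHP counterpart of the Delphi method's iteration until the answers settle.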
Once risks have been prioritized, management needs to decide in each case its preferred
treatment policy for avoiding or mitigating these risks. It also needs to verify whether it is possible to
design an early warning system, in other words escalation routines. Such systems can identify problems
before disaster strikes, when corrective action is still possible. Finally, when a risk control strategy is
agreed, the residual risk remaining in the business can be assessed. Efficient risk prioritizing is an
enabler for efficient risk management. The positive symptoms of efficient business risk management are:

RISK ACCEPTABILITY | RELEVANT APPROACH
Unacceptable       | Avoid, transfer
Unlikely           | Share, transfer, contingencies
Acceptable         | Control, diversify
Minor              | Accept – ignore

Fig.10. Example scale for risk acceptability grading.

Likelihood | Severity category: 5 | 4   | 3   | 2   | 1
A          | (10)                 | (8) | (6) | (4) | (3)
B          | (9)                  | (7) | (5) | (3) | (2)
C          | (7)                  | (5) | (4) | (3) | (2)
D          | (6)                  | (4) | (3) | (2) | (1)
E          | (4)                  | (3) | (2) | (1) | (1)

Fig.11. Example table for risks mapping.

- Closed risks
- Risks moving down and to the right on the risk maps
- Low expenses on risk management
- Low losses
5. Risk-adjusted Business Plans

A key concept of business planning with reference to risk management is that risk and opportunity are
part of a continuum of variations and possibilities. This is not new: people have long associated risk
and reward with each other. However, looking at risk from a business management perspective
demonstrates why this is so. Risk is the potential for negative results (less than expected), and
opportunity is the potential for positive results (greater than expected). Both are variations from
system plans. The results of negative risk are usually not welcome. The results of positive opportunity
can also be undesirable. The estimation of the probable variance of the possible paths of business
processes is one of the focal points of business planning activities. However, the nature of risk and
opportunity changes over time. In the short term, risk is largely due to system variations: errors,
omissions, delays and fraud prevent us from achieving our goals. These threats loom large to the
organization. Opportunity in the short run is small. There is not enough time to exploit fully the
opportunities that may exist. The cumulative effect is a strong negative potential outcome.
An organization creates value throughout its growth cycle, but in different ways. If the
organization manages risk properly, the growth pattern can continue indefinitely. However, many
organizations tend to invest heavily in their value creation model, to enforce growth through command-
and-control hierarchies, and to ignore subtle changes in the environment until they are no longer subtle
and it is too late to prevent decline. The value-creating model absorbs even more resources as the
organization tries to manage the environment instead of responding to it; by then the organization is in
decline. E.g., attempts to revitalize an old product create more value for some customers, but the decline
has usually already set in. An overall framework for risk-inclusive business planning is shown in Fig.12.
The three major ways to incorporate risk considerations into the business planning processes
presented in Fig.12 are, in top-to-bottom sequence:
1. Risk-type or category driven risk adjustment of separate planning items, e.g. subtasks. Example
model: Risk-Adjusted Performance Measurement (RAPM) [Hoff02]. This approach is relevant to
project-type business plans, balanced scorecards, functional projections (e.g. funds and costs
projections) etc.
2. Risk-adjusted economic pricing of capital, earnings, value and other financial measures. Example
model: RAROC. This approach fits income and loss statements, capital statements etc.
3. Extreme and expected value risk-adjusted planning. Example model: the Delta methodology
[King01]. This approach is relevant for planning dynamic values (time-series), e.g. cash-flows, profit
and income statements etc. It has its roots in extreme value theory (EVT) [Mars01].
The business risk management framework presented in the previous sections may be mapped onto
the typical business-planning scheme [Table.1]. All common elements of business plans have
been assigned risk assessment and value-at-risk adjustment models or methods. Whenever relevant,
the most appropriate models and methods have been suggested.

Fig.12. Risk-inclusive business planning framework (figure elements, top to bottom: Identify risk,
Assess risk, Assess cost, Assess recovery, Assign resources; Estimate item at risk, Add risk
surcharge, Subtract hedge value, Adjust planned item / statement; Estimate variation).

Table.1. Risk management contributions to the business-planning outline.

Business planning element  | Risk assessment method / model | Risk-adjustment method / model
Sales projection           | Delphi, Three-levels, EVT      | Delphi, Three-levels, EVT
Pricing                    | CEDAC, Delphi                  | Delphi, Three-levels
Marketing costs            | Delphi, Three-levels, EVT      | Delphi, Three-levels, EVT
Staffing plan              | Delphi, Three-levels, EVT      | Delphi, Three-levels, EVT
Investments                | COBR                           | COBR
Cash injections            | Delphi, Three-levels, EVT      | Delphi, Three-levels, EVT
Cash disbursements         | COBR, EVT                      | COBR, EVT
Contingency costs          | Delphi, Three-levels           | Delphi, Three-levels
Insurance                  | EVT                            | EVT
Securities                 | EVT                            | EVT
Cash-flows                 | Delphi, Three-levels, EVT      | Delphi, Three-levels, EVT
External funds             | Delphi, Three-levels, EVT      | Delphi, Three-levels, EVT
Working capital            | VAR                            | RAROC
Closing costs              | Delphi, Three-levels           | Delphi, Three-levels
Balance sheets             | VAR                            | RAROC
Profit and loss statements | EAR                            | EAR
Other performance measures | RAPM, EVT                      | REPM, EVT

6. References

[Alex01] Alexander C. (ed.), Mastering Risk. Vol. 2: Applications, Financial Times – Prentice
Hall 2001.
[Armst01] Armstrong M., A Handbook of Management Techniques, Kogan Page 2001.
[Bart02] Barton T.L., Shenkir W.G., Walker P.L., Making Enterprise Risk Management Pay Off.
How Leading Companies Implement Risk Management, Financial Times – Prentice
Hall 2002.
[Berns98] Bernstein P.L., Against the Gods. The Remarkable Story of Risk, John Wiley & Sons
1998.
[Bish98] Bishop H., Casterton P., First Consulting Group, London 1998.
[Boud95] Boudoukh J., Richardson M., Whitelaw R., Expect the worst, Risk 8(1995)/9.
[Crou01] Crouhy M., Galai D., Mark R., Risk Management, McGraw-Hill 2001.
[Cuth01] Cuthbertson K., Nitzsche D., Financial Engineering. Derivatives and Risk
Management, John Wiley & Sons 2001.
[DeLo00] DeLoach J.W., Enterprise-Wide Risk Management, Financial Times – Prentice Hall
2000.
[Evans02] Evans N.D., Business Agility. Strategies for Gaining Competitive Advantage Through
Mobile Business Solutions, Financial Times – Prentice Hall 2002.
[Fulm00] Fulmer W.E., Shaping an Adaptive Organisation, AMACOM 2000.
[Garr94] Garratt R., The Learning Organization, Harper Collins Publishers 1994.
[Genu95] Genus A., Flexible Strategic Management, Chapman & Hall 1995.
[Gewi96] Gewirtz D., The Flexible Enterprise, John Wiley & Sons 1996.
[Hame98] Hamel G., Prahalad C.K., Thomas H., O'Neal D. (eds.), Strategic Flexibility. Managing
in a Turbulent Environment, John Wiley & Sons 1998.
[Hayn00] Haynes-Daniell M., World of Risk. Next Generation Strategy for a Volatile Era, John
Wiley & Sons 2000.
[Heij96] van der Heijden K., Scenarios. The Art of Strategic Conversation, John Wiley & Sons
1996.
[Hoff02] Hoffman D.G., Managing Operational Risk, John Wiley & Sons 2002.
[Imai97] Imai M., Gemba Kaizen, McGraw-Hill 1997.
[King01] King J.L., Operational Risk Measurement and Modelling, John Wiley & Sons 2001.
[Lank03] Larkin J., Strategic Reputation Risk Management, Palgrave 2003.
[Mars01] Marshall Ch., Measuring and Managing Operational Risks in Financial Institutions.
Tools, Techniques and Other Resources, John Wiley & Sons 2001.
[McHu95] McHugh P., Merli G., Wheeler W., Beyond Business Process Reengineering. Towards
the Holonic Enterprise, John Wiley & Sons 1995.
[Nagas90] Nagashima S., 100 Management Charts, Asian Productivity Organisation 1990.
[Oles98] Oleson J.D., Pathways to Agility. Mass Customization in Action, John Wiley & Sons
1998.
[Pete88] Peters T., Thriving on Chaos, Pan Books 1988.
[Proc99] Proctor T., Creative Problem Solving for Managers, Routledge 1999.
[Risk01] Risk 2001. A Country by Country Guide, Kogan Page 2001.
[Saat80] Saaty T.L., The Analytic Hierarchy Process, McGraw-Hill 1980.
[Seng92] Senge P.M., The Fifth Discipline. The Art & Practice of The Learning Organization,
Century Business 1992.
[Shime02] Shimell P., The Universe of Risk. How Top Business Leaders Control Risk and
Achieve Success, Financial Times – Prentice Hall 2002.
[Shimp01] Shimpi P., Integrating Corporate Risk Management, TEXERE 2001.
[Stone01] Stonehouse G. et al., Global and Transnational Business. Strategy and Management,
John Wiley & Sons 2001.
[Sydä02] Sydänmaanlakka P., An Intelligent Organisation. Integrating Performance,
Competence and Knowledge Management, Capstone 2002.
[Volb98] Volberda H.W., Building the Flexible Firm. How to Remain Competitive, Oxford
University Press 1998.
[Warn93] Warnecke H.-J., The Fractal Company, Springer-Verlag 1993.
[Whee02] Wheelen T.L., Hunger J.D., Strategic Management and Business Policy, Prentice Hall
2002.
[Zink98] Zink K.J., Total Quality Management as a Holistic Management Concept: The
European Model for Business Excellence, Springer-Verlag 1998.

7. Recommended web-sites

- http://www.aeat.co.uk/rail/bus_risk/flyers/index.pdf
- http://www.aeat.co.uk/rail/bus_risk/flyers/turnbull.pdf
- http://www.aon.com/
- http://www.beri.com/
- http://www.bis.org/publ/
- http://www.business.com/directory/management/management_consulting/risk_management/reference/
- http://www.captive.com/
- http://www.fei.org/rf/download/Assessment.pdf
- http://www.mc2consulting.com/riskpage.htm
- http://www.lse.ac.uk/Depts/carr/Publications_folder_web_files/Risk_Management_and_Business_Regulation.pdf
- http://www.riskworld.com/
- http://www.rmisweb.com/01birev/01main.htm (overview of risk management information systems)
- http://www.rmis.com/
- http://www.rmlibrary.com/
- http://www.state.gov/documents/organization/3219.pdf
- http://www.state.gov/documents/organization/4356.pdf
- http://www.wachovia.com/pfa/glossary.asp
