
THE RISK MANAGEMENT PROCESS.
Department of Auditing and Risk Management, CAMTEL Yaoundé.
Sama Perri-Roswel Nfosi

THE RISK MANAGEMENT PROCESS

I- Introduction

The risk management process is the systematic application of management policies,
procedures and practices to the tasks of communicating, establishing the context of,
assessing, monitoring and reviewing risks. There are many applications of the risk
management process within an organization, customized to achieve objectives and to suit
the external and internal context in which they are applied. It can be applied at strategic,
operational, program or project levels.

II- Principles of the risk management system.

- Creates value
- Integral part of organizational processes
- Part of decision making
- Explicitly addresses uncertainty
- Systematic, structured and timely
- Based on the best available information
- Takes human and cultural factors into account
- Transparent and inclusive
- Dynamic, iterative and responsive to change
- Facilitates continuous improvement and enhancement of the organization

Risk, in general, is the uncertainty inherent in the consequences of actions and events; those
consequences may be positive (an opportunity) or negative (a threat). Risk is measured through a
combination of likelihood and impact, including perceived relevance. "Inherent risk" is the exposure
arising from a specific risk before any action has been taken to manage it, while "residual risk" is
the exposure arising from a specific risk after action has been taken to manage it, assuming that
action has proved effective.

A. Risk Identification.
i. Purpose.
The purpose of risk identification is to create a complete list of risks based on events that
may create, enhance, prevent, worsen, accelerate or delay the achievement of the
objectives.
ii. Objective.
To apply the tools and techniques best suited to the objectives of risk management, using
the available expertise.

Risk identification may require a multidisciplinary approach, since risks may cover a wide range
of causes and consequences. Risk identification methods can include:

- Evidence-based methods, for example checklists and historical data reviews
- Systematic team approaches, in which a team of experts systematically identifies risks by means
of a structured set of prompts or questions (structured or semi-structured interviews,
brainstorming, the Delphi method)
- Inductive reasoning techniques (preliminary hazard analysis)
- Scenario analysis (root-cause analysis, scenario analysis)
- Statistical methods (Monte Carlo analysis, Bayesian analysis)

Factors influencing the selection of techniques are:

- The complexity of the problem and the methods needed to analyze it
- The nature and degree of uncertainty in the risk assessment, which depends on the amount of
information available and on the requirements needed to satisfy the objectives
- The extent of resources needed in terms of time, level of expertise, data needs or cost
- Whether the method can provide a quantitative output.

Risk identification requires analyzing several issues:

- Source/root cause event: any activity having the potential to increase a specific risk,
whether or not such an activity is under the control of the organization;
- Areas of impact: dealing with the categorization/prioritization of consequences;
- Enablers: the organizational features that help a risk event to occur;
- Events: the occurrence of a particular set of circumstances; and
- Their potential consequences: the potential outcome of an event. A wide range of risk
consequences should be considered, including cascade and cumulative effects.

The above issues can create, enhance, prevent, degrade, accelerate or delay the ability of
either the whole organization, or part of it, to achieve its objectives.

B. Risk Analysis
i. Purpose.
To provide input to risk assessment and to decisions concerning the most suitable
treatment, especially in cases involving different types and levels of risk.
ii. Objective.
Analyzing the causes/effects and sources of risks, their positive and negative consequences
and their probability of occurrence, taking into account the efficiency and effectiveness
of existing controls.

Risk analysis involves consideration of risk causes and sources, their positive and negative
consequences and the likelihood of such consequences occurring. It normally includes
estimation of the range of potential consequences that might arise from an event, situation
or circumstance, and their associated probabilities, in order to measure the level of risk.

There are three important principles in assessing risk:

i. Ensuring that there is a clearly structured process, through which both likelihood and
impact are considered;
ii. Recording the risk assessment in such a way as to facilitate monitoring and the identification
of risk priorities;
iii. Distinguishing between "inherent" and "residual" risks. The level of risk will depend
on the adequacy and effectiveness of existing controls.

Methods used in analyzing risks can be:

i. Qualitative: such methods define consequence, probability and level of risk
according to descriptive scales, may combine consequence and probability, and
evaluate the resulting level of risk against qualitative criteria.
ii. Semi-quantitative: such methods use numerical ratings for consequence and
probability, and combine them to produce a level of risk using a formula. Scales may
be linear or logarithmic, or have some other relationship; the formulae can also vary.
iii. Quantitative: this kind of analysis estimates practical values for consequences and
their probabilities, and produces numerical values for impact, likelihood and level of
risk, using data from a variety of sources.

The level of risk is a function of several factors, in particular probability and impact.

- Impact refers to the extent to which a risk event may affect an organization. Impact
assessment criteria may include financial, reputational, regulatory, health, safety,
security, environmental, employee, customer and operational consequences.
- Likelihood represents the possibility, weak or strong, that a given event will actually
occur. Likelihood can be expressed in qualitative, percentage or frequency
terms.

C. Risk Evaluation
i. Purpose.
To contribute to decisions on the selection of the risks that need to be treated and
on their implementation priorities, and to evaluate whether to initiate further analysis
or to treat the risk while maintaining existing controls.
ii. Objective.
Comparison of the level of risk measured by the analysis against the criteria set
when establishing the context, considering both the risk tolerance and the
duties of compliance.

Risk evaluation involves comparing estimated levels of risk to assessment criteria, in order to
identify the most significant risks, or to exclude minor risks from further analysis. The
purpose is to ensure that the use of resources will be focused on the most important risks. Care
should be taken not to screen out low risks which occur frequently and can therefore have
a significant cumulative effect.

Risks are related to objectives, so they can easily be prioritized for risk response in relation to such
objectives. Unacceptable risks are ranked and prioritized in relation to other risks. Therefore,
the decision about whether and how to treat a risk may depend on the costs and benefits
of taking the risk, and the costs and benefits of implementing improved controls.

A common approach to prioritizing risks is to divide them into three bands:

- An upper band, where the level of risk is regarded as intolerable whatever benefit
the activity may bring, and risk treatment is essential whatever its costs;
- A middle band, where costs and benefits are taken into account and opportunities
balanced against potential consequences;
- A lower band, where the level of risk is regarded as negligible, or so small that no
risk treatment measures are needed.
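As an added illustration of the semi-quantitative method (numerical ratings combined by a formula, with inherent and residual levels) and of the three-band prioritization described above, the Python below scores a constructed risk register; it is example code written for this page, not the author's or CAMTEL's own model. It also flags lower-band risks that occur frequently rather than screening them out, following the caveat about their cumulative effect. The 1-5 scales, the likelihood x impact formula, the control-effectiveness factor and the band thresholds are all assumptions.

```python
import math
from dataclasses import dataclass

# Descriptive scales mapped to numerical ratings (assumed 1-5 linear scales).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

UPPER_BAND = 15  # level >= 15: intolerable, treatment essential whatever the cost (assumed)
LOWER_BAND = 4   # level <= 4: negligible, no treatment needed (assumed)
FREQUENT = 4     # likelihood rating from which a lower-band risk is flagged (assumed)

@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    control_effectiveness: float = 0.0  # 0.0 = no controls, 1.0 = fully effective

def inherent_level(risk: Risk) -> int:
    """Level of risk before any treatment: likelihood x impact (assumed formula)."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]

def residual_level(risk: Risk) -> int:
    """Level after existing controls, assuming controls scale the inherent level
    down by their effectiveness; never below 1 (a risk never disappears entirely)."""
    if not 0.0 <= risk.control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be between 0 and 1")
    return max(1, math.ceil(inherent_level(risk) * (1 - risk.control_effectiveness)))

def band(level: int) -> str:
    """Assign a level of risk to one of the three bands described in the text."""
    if level >= UPPER_BAND:
        return "upper"
    if level <= LOWER_BAND:
        return "lower"
    return "middle"

def prioritize(risks: list[Risk]) -> list[dict]:
    """Rank risks by residual level; lower-band risks that occur frequently are
    flagged for review rather than screened out, because of their cumulative effect."""
    rows = []
    for r in risks:
        res = residual_level(r)
        b = band(res)
        flag = b == "lower" and LIKELIHOOD[r.likelihood] >= FREQUENT
        rows.append({"name": r.name, "inherent": inherent_level(r),
                     "residual": res, "band": b, "review_cumulative": flag})
    return sorted(rows, key=lambda row: row["residual"], reverse=True)

# Constructed sample register (illustrative entries, not CAMTEL data).
REGISTER = [
    Risk("Phishing of staff credentials", "almost certain", "major", 0.0),
    Risk("Ransomware on billing servers", "likely", "severe", 0.5),
    Risk("Single vendor for network equipment", "possible", "major", 0.0),
    Risk("Password reuse on internal tools", "likely", "negligible", 0.0),
    Risk("Flooding of the main office", "rare", "major", 0.0),
]

if __name__ == "__main__":
    for row in prioritize(REGISTER): print(row)
```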

D. Risk Treatment.
i. Purpose.
To define measures for treating risk, which are not necessarily mutually exclusive or suited to all
circumstances: a) avoid; b) take or increase; c) remove the source; d) intervene on the
probability; e) change the consequences; f) share; g) maintain.
The purpose of treating risks is to turn uncertainty to the organization's benefit,
by constraining threats and taking advantage of opportunities.
ii. Objective.
Evaluating treatments: deciding whether the residual risk is tolerable, redefining the
treatment if the risk is not tolerable, and evaluating the effectiveness of actions, in order
to provide for the selection of one or more mitigating options.

After assigning priority to risks, risk treatment should be identified both for corporate and
operational risks, as well as linked to business planning processes. Risk treatment should comply
with legal requirements, as well as government and organizational policies. Therefore, decisions
concerning whether risk treatment is required may be based on operational, technical, financial,
legal, social, environmental or other criteria.

It is worth noting that there is no single right response to risk. The response chosen depends on
issues such as the organization's 'risk appetite', the impact and likelihood of the risk, and
the costs and benefits of the mitigation plans.

There are different response action categories which correspond to key general approaches
for risk treatment. These response action categories are:

- Tolerate, in case the level of risk is below the risk appetite;
- Treat, aiming to constrain the risk to an acceptable level by removing the risk
source and/or reducing its likelihood or effects;
- Transfer, reducing the exposure of the organization by passing the risk to another
organization considered more capable of effectively managing such risks;
- Terminate, in case the risk is only treatable, or reducible to acceptable levels, by
terminating the activity, especially at project level;
- Take the opportunity, which is not an alternative to tolerating,
transferring or treating a risk.

Risk treatment options are not necessarily mutually exclusive, or appropriate in all
circumstances. Risk treatment involves selecting one or more options for modifying risks, and
implementing those options. Once implemented, treatments provide or modify controls: any
action taken to address a risk forms part of what is known as "internal control".

E. Monitoring & Review.

i. Purpose.
The purpose of monitoring and review is to check the effectiveness and
efficiency of the controls provided for by the system design and by the process, to
gather information to improve the assessment, to detect changes of context,
parameters and risks, to review the treatment and priorities, and to identify
emerging risks.
ii. Objective.
The objectives of monitoring and review are to analyze events, changes, successes
and failures; to periodically check the framework, the process and its results; and to
evaluate the treatments, for the purpose of their appreciation or the application of
sanctions.

Risk management is dynamic, iterative and responsive to change. As risks and priorities change,
risk treatments should be monitored as a part of the risk management process.

Monitoring processes should encompass all the features of risk management, in order to:

- Ensure that controls are effective and efficient;
- Detect any changes in existing risks, reviewing risk treatments and priorities;
- Identify emerging risks.

Monitoring and review are two different and complementary activities, since monitoring
involves the routine surveillance of actual performance against expected (or required)
performance, while review involves periodic checking of the current situation for changes in
the internal/external context.

Key risk indicators

Key risk indicators (KRIs) are used for monitoring risk treatment actions.

Key risk indicators are metrics used to provide an early warning on increasing risk exposures
in different areas within an organization. In some instances, they may represent key ratios that
are tracked by management throughout the organization as indicators of evolving risks, and
potential opportunities, that alert on the need for actions to be taken.

KRIs are typically derived from specific events or root causes, internally or externally identified,
that can prevent performance goals from being achieved. An effective method for developing
KRIs begins by analyzing a risk-event that has affected the organization in the past (or at
present), and then working backwards to pinpoint intermediate and root cause events that led to
the ultimate loss or lost opportunity. The closer the KRI is to the root cause of a risk-event, the
more likely that the KRI will provide management time to take positive action to respond to such
an event.

The development of KRIs that can provide relevant and timely information, to both the board
and senior management, is a significant component of effective risk oversight. When KRIs for
root cause events and intermediate events are monitored, management is in the best position to
identify early mitigation strategies to begin to reduce or eliminate the impact associated with an
emerging risk event.

KRIs do not manage or treat risk, and can lead to a false sense of safety if poorly designed.
An important feature of any KRI is the quality of the data available to monitor a specific
risk, and attention must be paid to the source of the information, whether internal to the
organization or drawn from an external party.

A well-designed KRI should:

- Be based on established practices or benchmarks;
- Be consistently developed across the organization;
- Provide an unambiguous and intuitive view of the highlighted risk;
- Allow for measurable comparisons across time and business units;
- Provide opportunities to assess the performance of risk owners on a timely basis;
- Consume resources efficiently.

CASE STUDY.
Risk Management for a Small Business.

Risk management applies to many aspects of a business. Businesses are subject to internal risks
(weaknesses) and external risks (threats). Generally, you can control internal risks once you
identify them. However, external risks may be out of your control.

Not all risks come from negative sources. Risks may come from positive sources, or
opportunities. Expansion and growth are opportunities, but they also bring additional risk. The
ultimate goal is to minimize the effects of risks on your business.

I- Risk Identification.

One of the most important investments you can make in your business is creating a business
plan, especially when identifying risks. Creating a business plan will help you assess risk
areas, those areas impacting your ability to continue business and to grow.

We're going to consider the identification of risks internally and externally.

A. Internal Risks.
i. Human Risks
- Illness and death
- Theft and fraud
- Low employee morale
ii. Equipment and Information Technology Risks
iii. Other Internal Risks (cash flow, faulty products)
B. External Risks.
i. Competition and Market Risks
- Market changes
- Employees may leave to go to a competitor
- Rent increases
ii. Business Environment Risks
- Federal, state, county and city laws and ordinances
- Weather and natural disasters
- Structural changes in the community
- Your community may change

II- Risk Analysis.

Most small businesses might not have enough time or money to take action on each
risk that has been identified. Risks are analyzed according to their likelihood of
occurrence. Managers and the team need to analyze and prioritize the
risks using one of two approaches: a qualitative approach or a
quantitative approach.

Performing an analysis of the business's internal strengths and weaknesses and of the
business's opportunities and threats may uncover overlooked risks. To be effective,
a strengths, weaknesses, opportunities, threats (SWOT) analysis should be a very
candid and honest assessment of the business. Remember, some risks can also be
opportunities.

III- Risk Evaluation.

In this stage, all the risks identified are put on the table and evaluated. This is done in
order to later provide a solution and make a decision about what should be done about
them.

IV- Risk Treatment.

It might be a bit challenging for small businesses to take action on each risk that has
been identified. This is due to a natural feature of a start-up company: limited
resources of time, money and other things. But the quantification tools provide a way
of arranging risks in order of priority, basically according to their level of severity.
For the risks identified above, some proposed solutions follow.
i. Equipment.
Equipment that needs to be repaired may interrupt the business, but insurance
or service plans may minimize the costs.
ii. Vendors
Vendors have risks, too, some of the same risks the business might face.
Relying on only one vendor may be risky for the business. We may be able to
avoid problems with our vendors by following these suggestions:
- Have more than one supplier for products.
- Shop for vendors with the best price and service.
- Maintain relationships with multiple vendors by buying from each of them.
iii. Business Continuity
The operations manuals should include a business continuity plan. The plan
should provide steps to take for short- and long-term situations. Create a set of
standard operating procedures for completing tasks. Back up computer
systems and keep copies in a secure offsite location.
iv. Information Technology Systems
Special risks are connected to information technology (IT) systems. Review
the following risk prevention tips for IT systems:
- Safeguard login information
- Protect systems with a firewall
- Institute levels of access
- Generate system reports
- Conduct scheduled and surprise audits
v. Competition
While the competition cannot be controlled, we can at least know what they
are doing: investigate what products they are carrying and how they are
priced, and note how your competitor's staff interacts with your competitor's
customers.
The cost to retain employees may be less than the cost to train new employees.
vi. Accounting and Cash Control
- Cash payments and arriving mail should be logged or verified by two
people.
- Job duties should have differing levels of authority. Some duties may
require recorded supervisor approval.
- Conduct periodic audits of cash to ensure that it balances with all
income records and bank statements.
- Monthly budget projections should include a reserve amount for each
month.

vii. Employee Management
Employees are important to the success of the business. Review these tips
for managing employees:
- Use pre-employment screening.
- Provide job descriptions and lists of duties.
- Provide performance evaluations.
- Be involved.
- Audit payroll.
- Reward safe performance.
viii. Business Work Strategy
How and when you and your employees work impacts your business.
- Set work hours.
- Plan work with a balance.
- Set realistic goals.
- Train support staff or an assistant.
- Develop a support system.
V- Risk Monitoring and Review.

The monitoring and controlling phases are defined in an ambiguous way in the literature.
The first stage is to monitor the status of the risk; the second stage is to ensure that the risk
response plan is suitable. The third stage is to monitor the business environment in
order to detect emerging risks, and the last stage is to ensure the proper execution of
the risk management plan in general.
Risk management planning should be done regularly, and the plan should be reviewed and
updated every couple of months. A good way to monitor and control risk
management in small businesses is to involve all team members together and discuss
all the different kinds of risk which might occur in the business. This process has to be
done regularly.

Conclusion.

With the help of well-defined risk management strategies it is possible to
ensure that all resources – money, time, and people – in the company are put to
the best use. That is why attention should be paid to risk management processes
and formalized steps should be established.
