RISK MANAGEMENT PROCESS
Department of Auditing and Risk Management, CAMTEL Yaoundé.
Sama Perri-Roswel Nfosi
THE RISK MANAGEMENT PROCESS
I- Introduction
Risk, in general, is the uncertainty inherent in the consequences of actions and events, whether
positive (an opportunity) or negative (a threat). It is measured through a combination
of likelihood and impact, including perceived relevance. "Inherent risk" is the exposure arising
from a specific risk before any action has been taken to manage it; "residual risk" is the
exposure that remains from that risk after action has been taken to manage it, assuming that
the action has proved effective.
A. Risk Identification.
i. Purpose.
The purpose of risk identification is to create a complete list of risks based on events that
may create, enhance, prevent, worsen, accelerate or delay the achievement of the
objectives.
ii. Objective.
To apply the tools and techniques best suited to the objectives of risk management, using
the available expertise.
Risk identification may require a multidisciplinary approach, since risks may cover a wide range
of causes and consequences. Risk identification methods include:
- Evidence-based methods, for example checklists and reviews of historical data;
- Systematic team approaches, in which a team of experts identifies risks by means of a
structured set of prompts or questions (structured or semi-structured interviews,
brainstorming, the Delphi method);
- Inductive reasoning techniques (preliminary hazard analysis);
- Scenario techniques (root-cause analysis, scenario analysis);
- Statistical methods (Monte Carlo analysis, Bayesian analysis).
Whatever the method, identification should cover:
- Sources/root-cause events: any activity with the potential to give rise to or increase a specific
risk, whether or not that activity is under the control of the organization;
- Areas of impact: the categorization and prioritization of consequences;
- Enablers: the organizational features that help a risk event to occur;
- Events: the occurrence of a particular set of circumstances; and
- Their potential consequences: the potential outcomes of an event. A wide range of
consequences should be considered, including cascade and cumulative effects.
The above can create, enhance, prevent, degrade, accelerate or delay the ability of
either the whole organization, or part of it, to achieve its objectives.
B. Risk Analysis
i. Purpose.
To provide input to risk evaluation and to decisions on the most suitable
treatment, especially in cases involving different types and levels of risk.
ii. Objective.
To analyze the causes, sources and effects of risks, their positive and negative
consequences and the probability of those consequences occurring, taking into
account the efficiency and effectiveness of existing controls.
Risk analysis involves consideration of risk causes and sources, their positive and negative
consequences and the likelihood of such consequences occurring. It normally includes
estimation of the range of potential consequences that might arise from an event, situation
or circumstance, and their associated probabilities, in order to measure the level of risk.
Risk analysis should involve:
i. Ensuring that there is a clearly structured process, through which both likelihood and
impact are considered;
ii. Recording the risk assessment in a way that facilitates monitoring and the identification
of risk priorities;
iii. Distinguishing between "inherent" and "residual" risk. The level of residual risk depends
on the adequacy and effectiveness of existing controls.
Analysis may be carried out at three levels of detail:
i. Qualitative: such methods describe consequence, probability and level of risk using
descriptive scales such as high, medium and low.
ii. Semi-quantitative: such methods use numerical ratings for consequence and
probability, and combine them to produce a level of risk using a formula. Scales may
be linear or logarithmic, or have some other relationship, and the formula can also vary.
iii. Quantitative: this kind of analysis estimates practical values for consequences and
their probabilities, and produces numerical values for impact, likelihood and level of
risk, using data from a variety of sources.
Impact refers to the extent to which a risk event may affect the organization. Impact
assessment criteria may include financial, reputational, regulatory, health, safety,
security, environmental, employee, customer and operational consequences.
Likelihood is the chance that a given event will actually occur. It can be expressed in
qualitative terms, as a percentage, or as a frequency.
C. Risk Evaluation
i. Purpose.
To support decisions on which risks need to be treated and on the priority of their
treatment, and to decide whether to initiate further analysis, treat the risk, or
maintain the existing controls.
ii. Objective.
To compare the level of risk measured in the analysis against the criteria set when
establishing the context, considering both the risk tolerance and the
obligations of compliance.
Risk evaluation involves comparing estimated levels of risk to assessment criteria, in order to
identify the most significant risks, or to exclude minor risks from further analysis. The
purpose is to ensure that resources are focused on the most important risks. Care
should be taken not to screen out low risks which occur frequently and can therefore have
a significant cumulative effect.
Risks are related to objectives, so they can be prioritized for risk response in relation to those
objectives. Unacceptable risks are ranked and prioritized in relation to other risks, and
the decision about whether and how to treat a risk may depend on the costs and benefits
of taking the risk against the costs and benefits of implementing improved controls.
One common approach divides risks into three bands:
- An upper band, where the level of risk is regarded as intolerable whatever benefit
the activity may bring, and risk treatment is essential whatever its cost;
- A middle band, where costs and benefits are taken into account and opportunities are
balanced against potential consequences;
- A lower band, where the level of risk is regarded as negligible, or so small that no
risk treatment measures are needed.
D. Risk Treatment.
i. Purpose.
To define measures for a risk, which are not necessarily mutually exclusive or fitting to all
circumstances: a) avoid the risk; b) take or increase it in order to pursue an opportunity;
c) remove the source; d) change the probability; e) change the consequences; f) share the
risk; g) retain (maintain) it.
The purpose of treating risks is to turn uncertainty to the organization's benefit,
by constraining threats and taking advantage of opportunities.
ii. Objective.
To evaluate the treatment: decide whether the residual risk is tolerable, redefine the
treatment if it is not, assess the effectiveness of the action taken, and select one or
more mitigating options.
After assigning priority to risks, risk treatment should be identified both for corporate and
operational risks, and linked to business planning processes. Risk treatment should comply
with legal requirements, as well as government and organizational policies. Decisions
concerning whether risk treatment is required may therefore be based on operational, technical,
financial, legal, social, environmental or other criteria.
It is worth noting that there is no single right response to a risk. The response chosen depends on
issues such as the organization's "risk appetite", the impact and likelihood of the risk, and the
costs and benefits of the mitigation plans.
The response action categories correspond to the key general approaches to risk treatment
listed under the purpose above (avoid, take or increase, remove the source, change the
probability, change the consequences, share, retain).
Risk treatment options are not necessarily mutually exclusive, or appropriate in all
circumstances. Risk treatment involves selecting one or more options for modifying risks, and
implementing those options. Once implemented, treatments provide or modify controls: any
action taken to address a risk forms part of what is known as "internal control".
evaluate the treatment, for the purpose of their appreciation or sanction
applications.
Risk management is dynamic, iterative and responsive to change. As risks and priorities change,
risk treatments should be monitored as a part of the risk management process.
Monitoring processes should encompass all the features of risk management.
Monitoring and review are two different and complementary activities: monitoring
involves the routine surveillance of actual performance against expected (or required)
performance, while review involves periodic checking of the current situation for changes in
the internal or external context.
Key risk indicators (KRIs) are metrics used to provide an early warning of increasing risk exposures
in different areas within an organization. In some instances they are key ratios, tracked by
management throughout the organization as indicators of evolving risks and potential
opportunities, that signal the need for action.
KRIs are typically derived from specific events or root causes, internally or externally identified,
that can prevent performance goals from being achieved. An effective method for developing
KRIs begins by analyzing a risk-event that has affected the organization in the past (or at
present), and then working backwards to pinpoint intermediate and root cause events that led to
the ultimate loss or lost opportunity. The closer the KRI is to the root cause of a risk-event, the
more likely that the KRI will provide management time to take positive action to respond to such
an event.
The development of KRIs that can provide relevant and timely information, to both the board
and senior management, is a significant component of effective risk oversight. When KRIs for
root cause events and intermediate events are monitored, management is in the best position to
identify early mitigation strategies to begin to reduce or eliminate the impact associated with an
emerging risk event.
KRIs do not manage or treat risk, and can lead to a false sense of safety if poorly designed.
An important feature of any KRI is the quality of the available data used to monitor a specific
risk, and attention must be paid to the source of information, either internal to the organization or
drawn from an external party.
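As an added example (not part of the CAMTEL document), the following Python code rates a single root-cause KRI against warning and critical thresholds, raises an early warning when the indicator has been rising for several periods even though it is still below threshold, and refuses to rate a KRI whose latest data are missing or stale. The indicator (privileged accounts without multi-factor authentication), the thresholds, the dates and the values are constructed assumptions.

```python
"""Rating a key risk indicator (KRI) with thresholds, trend and data-age checks.

Added example, not part of the CAMTEL document: the indicator, thresholds,
dates and values below are constructed assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class KRI:
    name: str
    warning: float           # amber at or above this value
    critical: float          # red at or above this value
    max_age_days: int        # an observation older than this is unusable
    rising_periods: int = 3  # consecutive rises that count as an early warning


# (date measured, value); value is None when the feed produced nothing.
Observation = Tuple[date, Optional[float]]


def latest_usable(obs: List[Observation], today: date,
                  max_age_days: int) -> Optional[Observation]:
    """Most recent observation that has a value and is not stale."""
    usable = [(d, v) for d, v in obs
              if v is not None and 0 <= (today - d).days <= max_age_days]
    return max(usable, key=lambda o: o[0]) if usable else None


def is_rising(values: List[float], periods: int) -> bool:
    """True when the last `periods` steps were all strictly upward."""
    if len(values) < periods + 1:
        return False
    tail = values[-(periods + 1):]
    return all(later > earlier for earlier, later in zip(tail, tail[1:]))


def evaluate(kri: KRI, obs: List[Observation], today: date) -> str:
    """Return 'red', 'amber', 'early warning', 'green' or 'no data'.

    Missing or stale data is reported as 'no data', never as 'green': a quiet
    dashboard fed by a broken data source is exactly the false sense of
    safety a poorly designed KRI creates.
    """
    latest = latest_usable(obs, today, kri.max_age_days)
    if latest is None:
        return "no data"
    value = latest[1]
    if value >= kri.critical:
        return "red"
    if value >= kri.warning:
        return "amber"
    history = [v for _, v in sorted(obs, key=lambda o: o[0]) if v is not None]
    if is_rising(history, kri.rising_periods):
        return "early warning"   # still below threshold, but heading for it
    return "green"


# Constructed sample: a root-cause KRI for a "shared or unprotected admin
# access" risk, sampled weekly. All names and numbers are hypothetical.
MFA_GAP = KRI("Privileged accounts without MFA", warning=5, critical=10, max_age_days=7)
TODAY = date(2024, 3, 29)
OBS_TREND = [(date(2024, 3, 8), 1.0), (date(2024, 3, 15), 2.0),
             (date(2024, 3, 22), 3.0), (date(2024, 3, 29), 4.0)]
OBS_AMBER = [(date(2024, 3, 22), 3.0), (date(2024, 3, 29), 6.0)]
OBS_RED = [(date(2024, 3, 22), 4.0), (date(2024, 3, 29), 12.0)]
OBS_STALE = [(date(2024, 3, 1), 2.0), (date(2024, 3, 8), 2.0),
             (date(2024, 3, 15), None), (date(2024, 3, 22), None)]

if __name__ == "__main__":
    for label, obs in [("trend", OBS_TREND), ("amber", OBS_AMBER),
                       ("red", OBS_RED), ("stale", OBS_STALE)]:
        print(f"{label:>5}: {evaluate(MFA_GAP, obs, TODAY)}")
```

The trend rule is what makes the indicator leading rather than lagging: four weeks of steady growth in unprotected privileged accounts is reported before the warning threshold is crossed, which is the "time to take positive action" the text describes. The data-age rule addresses the point about data quality: an indicator whose source has stopped reporting is shown as unknown, not as safe.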
CASE STUDY.
Risk Management for a Small Business.
Risk management applies to many aspects of a business. Businesses are subject to internal risks
(weaknesses) and external risks (threats). Generally, you can control internal risks once you
identify them. However, external risks may be out of your control.
Not all risks come from negative sources. Risks may come from positive sources, or
opportunities. Expansion and growth are opportunities, but they also bring additional risk. The
ultimate goal is to minimize the effects of risks on your business.
I- Risk Identification.
One of the most important investments you can make in your business is creating a business
plan, especially when identifying risks. Creating a business plan will help you assess risk
areas, those areas impacting your ability to continue business and to grow.
A. Internal Risks.
i. Human Risks
- Illness and death
- Theft and fraud
- Low employee morale
ii. Equipment and Information Technology Risks
iii. Other Internal Risks (cash flow, faulty products)
B. External Risks.
i. Competition and Market Risks
- Market changes
- Employees may leave to go to a competitor
- Rent increase
ii. Business Environment Risks
- Federal, state, county, and city laws and ordinances
- Weather and natural disasters
- Structural changes in the community
- Your community may change
II- Risk Analysis.
Most small businesses do not have enough time or money to act on every
risk that has been identified. Risks are therefore analyzed according to their likelihood of
occurrence and their impact, and the managers and the team prioritize them using either a
qualitative or a quantitative approach.
Performing an analysis of the business's internal strengths and weaknesses and of its
opportunities and threats may uncover overlooked risks. To be effective,
a strengths, weaknesses, opportunities, threats (SWOT) analysis should be a very
candid and honest assessment of the business. Remember, some risks can also be
opportunities.
III- Risk Evaluation.
In this stage, all the risks identified are put on the table and evaluated, in
order to decide what should be done about them and to prepare a solution.
IV- Risk Treatment.
It can be challenging for a small business to act on every risk that has
been identified, because of the natural features of a start-up company: limited
time, money and other resources. The scoring tools of the analysis, however, provide a way
of ranking risks in order of severity, so that treatment can start with the most serious.
For the risks identified above, some proposed solutions follow.
i. Equipment
Equipment that needs to be repaired may interrupt the business, but insurance
or service plans may minimize the costs.
ii. Vendors
Vendors have risks, too, some of them the same risks the business faces.
Relying on only one vendor is risky for the business. Problems with vendors
may be avoided by following these suggestions:
- Have more than one supplier for products.
- Shop for vendors with the best price and service.
- Maintain relationships with multiple vendors by buying from each of them.
iii. Business Continuity
The operations manuals should include a business continuity plan. The plan
should provide steps to take for short- and long-term situations. Create a set of
standard operating procedures for completing tasks. Back up computer
systems and keep copies in a secured offsite location.
iv. Information Technology Systems
Special risks are connected to information technology (IT) systems. Review
the following risk prevention tips for IT systems:
- Safeguard login information
- Protect systems with a firewall
- Institute levels of access, so that each user has only the access their duties require
- Generate system reports
- Conduct scheduled and surprise audits
v. Competition
While the competition cannot be controlled, the business can at least know what
competitors are doing: investigate what products they carry and how they are
priced, and note how a competitor's staff interacts with its customers.
The cost of retaining employees may be less than the cost of training new ones.
vi. Accounting and Cash Control
- Cash payments and arriving mail should be logged or verified by two people.
- Job duties should have differing levels of authority. Some duties may
require recorded supervisor approval.
- Conduct periodic audits of cash to ensure that it balances with all
income records and bank statements.
- Monthly budget projections should include a reserve amount for each month.
vii. Employee Management
Employees are important to the success of the business. These tips can be
reviewed for managing employees:
- Use pre-employment screening.
- Provide job descriptions and lists of duties.
- Provide performance evaluations.
- Be involved.
- Audit payroll.
- Reward safe performance.
viii. Business Work Strategy
How and when you and your employees work impacts your business.
- Set work hours.
- Plan work with a balance.
- Set realistic goals.
- Train support staff or an assistant.
- Develop a support system.
V- Risk Monitoring and Review.
The monitoring and controlling phases are defined ambiguously in the literature.
The first stage is to monitor the status of each risk; the second is to ensure that the risk
response plan is still suitable; the third is to monitor the business environment in
order to detect emerging risks; and the last is to ensure the proper execution of
the risk management plan as a whole.
Risk management should be done regularly, and the risk management plan should be reviewed and
updated every couple of months. A good way to monitor and control risk
management in a small business is to bring all team members together to discuss
the different kinds of risk that might occur in the business. This has to be
done regularly.
Conclusion.