
FIMA 40053 – RISK MANAGEMENT

Week 2 – 3 Introduction and Overview of Risk Management

Nowadays, people and organizations rely far less on traditions and superstition than they did
in earlier days. This may not be because mankind has itself become more rational, but rather
because of our ability to understand risk, which allows us to make more informed and rational
decisions.

The opportunity to manage risk, including the amount and type of risk that organizations
accept to pursue or retain in order to make forward-looking choices, is a key ingredient
that catalyzes the progress of the economic system.

Risk is an inseparable part of any business. It affects operations and activities, leading
businesses to implement proper risk management processes to manage and treat such risks
effectively. Successful organizations are those that have the ability to identify and manage
risks before those risks become destructive actualities that impair the organization’s
reputation and its ability to operate. Perhaps one of the best ways to understand unexpected
occurrences and the importance of properly responding to them is through the words of
Arthur Rudolph, one of the scientists who developed the Saturn 5 rocket that launched the
first Apollo mission to the moon:

“You want a valve that doesn't leak and you try everything possible to develop one, but the
real world provides you with a leaky valve. You have to determine how much leaking you can
tolerate”

THE NOTION OF RISK

The notion of “risk” and its ramifications permeate decision-making processes in each
individual’s life and business outcomes and of society itself. Indeed, risk, and how it is
managed, are critical aspects of decision making at all levels.

The word “risk” is used in many different contexts. Further, the word takes many different
interpretations in these varied contexts. In all cases, however, the notion of risk is
inextricably linked to the notion of uncertainty.

Uncertainty is having two potential outcomes for an event or situation.

- Uncertainty causes the emotional or physical anxiety or excitement felt in uncertain,
volatile situations
(ex. gambling and participation in extreme sports)
- Uncertainty causes us to take precautions
(ex. uncertainty causes mortgage issuers to demand property purchase insurance.
The person or corporation occupying the mortgage-funded property must purchase
insurance on real estate if we intend to lend them money)

If we knew, without a doubt, that something bad was about to occur, we would call it
apprehension or dread. It wouldn’t be risk because it would be predictable. Risk will be
forever, inextricably linked to uncertainty.
As we all know, certainty is elusive. Uncertainty and risk are pervasive. While we typically
associate “risk” with unpleasant or negative events, in reality some risky situations can result in
positive outcomes. Take, for example, venture capital investing or entrepreneurial endeavors.
Uncertainty about which of several possible outcomes will occur circumscribes the meaning of
risk. Uncertainty lies behind the definition of risk.

While we link the concept of risk with the notion of uncertainty, risk isn’t synonymous with
uncertainty. Risk isn’t the same as the underlying prerequisite of uncertainty. Risk has to do
with consequences (both positive and negative); it involves having more than two possible
outcomes (uncertainty). Uncertainty also creates opportunities for gain and the potential for
loss. Nevertheless, if no possibility of a negative outcome arises at all, even remotely, then
we usually do not refer to the situation as having risk (only uncertainty).

DEFINITION OF RISK

Risk

- the “effect of uncertainty on objectives” and an effect is a positive or negative deviation
from what is expected (ISO 31000)

All of us operate in an uncertain world. Whenever we try to achieve an objective, there’s
always the chance that things will not go according to plan. Every step has an element of risk
that needs to be managed and every outcome is uncertain. Whenever we try to achieve an
objective, we don't always get the results we expect. Sometimes we get positive results,
sometimes we get negative results, and occasionally we get both.

Components that Characterize the Magnitude of Risk

1. Likelihood – the probability of an event occurring
2. Impact – outcome of an event

BASIC CATEGORIES OF RISK

Pure and Speculative Risk

Pure Risk
- risk in which there is only a chance of loss not gain
- result of uncontrollable circumstances
- example: chance that someone’s home will be destroyed by an earthquake

Speculative Risk
- risk in which there is a chance of loss or gain
- result of choices; can be controlled
- example: chance that a small business will not succeed

Fundamental and Particular Risk

Fundamental Risk
- affects the entire economy or large numbers of persons or groups (hurricane)
Particular Risk
- affects only the individual (car theft)

Business/Enterprise Risk
- encompasses all major risks faced by a business firm which include operational risk,
financial risk, strategy risk and hazard risk

Strategic Risk

- The risk that a company’s strategy becomes less effective and the company struggles
to reach its goals as a result
- Risks that affect or are created by an organization's business strategy and strategic
objective

Everyone knows that a successful business needs a comprehensive, well-thought-out
business plan. But it’s also a fact of life that things change, and the best-laid plans can
sometimes come to look very outdated, very quickly. It could be due to technological
changes, a powerful new competitor entering the market, shifts in customer demand, spikes in
the costs of raw materials, or any number of other large-scale changes. History is littered with
examples of companies that faced strategic risk. Some managed to adapt successfully; others
didn’t.

A classic example is Kodak, which had such a dominant position in the film photography
market that when one of its own engineers invented a digital camera in 1975, it saw the
innovation as a threat to its core business model, and failed to develop it.
But if Kodak had analyzed the strategic risk more carefully, it would have concluded that
someone else would start producing digital cameras eventually, so it was better for Kodak to
cannibalize its own business than for another company to do it. Failure to adapt to a strategic
risk led to bankruptcy for Kodak. It’s now emerged from bankruptcy as a much smaller
company focusing on corporate imaging solutions, but if it had made that shift sooner, it could
have preserved its dominance.

Facing a strategic risk doesn’t have to be disastrous, however. Think of Xerox, which became
synonymous with a single, hugely successful product, the Xerox photocopier. The development
of laser printing was a strategic risk to Xerox’s position, but unlike Kodak, it was able to adapt
to the new technology and change its business model. Laser printing became a multi-billion-
dollar business line for Xerox, and the company survived the strategic risk.

Common Strategic Risks

Operational Risk

- The prospect of loss resulting from inadequate or failed procedures, systems or
policies.

In some cases, operational risk has more than one cause. For example, consider the risk that
one of the employees writes the wrong amount on a check, paying out P100,000 instead of
P10,000 from the company’s account.

That’s a “people” failure, but also a “process” failure. It could have been prevented by having
a more secure payment process, for example having a second member of staff authorize
every major payment, or using an electronic system that would flag unusual amounts for
review.

In some cases, operational risk can also stem from events outside the company’s control
such as a power cut or a problem with a website host. Anything that interrupts the company’s
core operations comes under the category of operational risk.

While the events themselves can seem quite small compared with the large strategic risks we
talked about earlier, operational risks can still have a big impact on the company. Not only is
there the cost of fixing the problem, but operational issues can also prevent customer orders
from being delivered or make it impossible to contact the company, resulting in a loss of
revenue and damage to its reputation.

Financial Risk

- It generally relates to the odds of losing money
- The unexpected variability or volatility of returns
- The probability of loss, inherent in financing methods which impair the ability to provide
adequate returns
- The existence of uncertainty regarding a company’s ability to meet its financial
obligations, such as interest payments, dividends, and repayment obligations.

Types of Financial Risk

Market Risk
- Risk that the value of 'on' or 'off' balance sheet positions will be adversely affected by
movements in equity and interest rate markets, currency exchange rates and commodity prices

Liquidity Risk
- Risk that funds will not be available when needed

Credit Risk
- Risk that a borrower or counterparty will fail to meet its obligations in accordance with
agreed terms

Most categories of risk have a financial impact, in terms of extra costs or lost revenue. But the
category of financial risk refers specifically to the money flowing in and out of business, and
the possibility of a sudden financial loss.

For example, let’s say that a large proportion of revenue comes from a single large client, and
that client was extended 60 days’ credit.

In this case, there is a significant financial risk. If that customer is unable to pay, or delays
payment for whatever reason, then the business is in big trouble.
Having a lot of debt also increases financial risk, particularly if a lot of it is short-term debt
that’s due in the near future. And if interest rates suddenly go up, and instead of paying 8% on
the loan, you’re now paying 15%? That’s a big extra cost for your business, and so it’s
counted as a financial risk.

Natural and Man-made Risks (Hazard Risks)

- Include unforeseen events that arise outside of the normal operating environment.
- Pose a level of threat to life, health, property or the environment. Most hazards are
dormant or potential, with only a theoretical risk of harm; however, once a hazard becomes
active, it can create an emergency situation.

RISK MANAGEMENT

- a coordinated set of activities and methods that is used to direct an organization and to
control the many risks that can affect its ability to achieve objectives.

Effective risk management means attempting to control, as much as possible, future
outcomes by acting proactively rather than reactively. Therefore, effective risk management
offers the potential to reduce both the possibility of a risk occurring and its potential impact.

IMPORTANCE OF RISK MANAGEMENT

By implementing a risk management plan and considering the various potential risks or
events before they occur, an organization can save money and protect its future. This is
because a robust risk management plan will help a company establish procedures to avoid
potential threats, minimize their impact should they occur and cope with the results. This
ability to understand and control risk enables organizations to be more confident in their
business decisions. Furthermore, strong corporate governance principles that focus
specifically on risk management can help a company reach its goals.

Other important benefits of risk management include:

▪ Creates a safe and secure work environment for all staff and customers.
▪ Increases the stability of business operations while also decreasing legal liability.
▪ Provides protection from events that are detrimental to both the company and the environment.
▪ Protects all involved people and assets from potential harm.
▪ Helps establish the organization's insurance needs in order to save on unnecessary
premiums.

LIMITATIONS OF RISK MANAGEMENT

While risk management can be an extremely beneficial practice for organizations, its
limitations should also be considered. Many risk analysis techniques -- such as creating a
model or simulation -- require gathering large amounts of data. This extensive data collection
can be expensive and is not guaranteed to be reliable.

Furthermore, the use of data in decision making processes may have poor outcomes if simple
indicators are used to reflect the much more complex realities of the situation. Similarly,
adopting a decision throughout the whole project that was intended for one small aspect can
lead to unexpected results.

Another limitation is the lack of analysis expertise and time. Computer software programs have
been developed to simulate events that might have a negative impact on the company. While
cost effective, these complex programs require trained personnel with comprehensive skills
and knowledge in order to accurately understand the generated results. Analyzing historical
data to identify risks also requires highly trained personnel. These individuals may not always
be assigned to the project. Even if they are, there frequently is not enough time to gather all
their findings, thus resulting in conflicts.

Other limitations include:

▪ A false sense of stability
Value-at-risk measures focus on the past instead of the future. Therefore, the longer
things go smoothly, the better the situation looks. Unfortunately, this makes a downturn
more likely.

▪ The illusion of control
Risk models can give organizations the false belief that they can quantify and regulate
every potential risk. This may cause an organization to neglect the possibility of novel
or unexpected risks. Furthermore, there is no historical data for new products, so
there's no experience to base models on.

▪ Failure to see the big picture
It's difficult to see and understand the complete picture of cumulative risk.

▪ Risk management is immature
An organization's risk management policies are underdeveloped and lack the history to
make accurate evaluations.

RISK MANAGEMENT PRINCIPLES BASED ON ISO 31000

The ISO 31000-2018 standard, Risk Management–Guidelines, lists the following eight
principles for any solid risk management program (see 31000-2018, Section 4,
Principles):

Integration

An organization should integrate its risk management efforts into all parts and activities of the
organization.

Structured and Comprehensive

Creating and following a comprehensive, structured risk management approach leads to the
most consistent, desirable risk management outcomes.

Customized

An organization’s risk management approach should be customized to its own needs,
including the organization’s objectives and the external and internal context in which the
organization operates.

Inclusive

To be most effective, risk management should involve all stakeholders in appropriate and
timely ways. This allows the different knowledge sets, views, and perceptions of all
stakeholders to be considered and implemented into risk management efforts.

Dynamic

As the organization changes, including its external and internal context, the organization’s risk
management program and efforts should change, too. Change is inevitable and successful
organizations know how to work with change. A risk management program should help the
organization anticipate, identify, acknowledge, and respond to changes in an appropriate and
timely way.

Uses Best Available Information

Effective risk management is done by considering information from the past and present as
well as anticipating the future. Therefore, (1) the information from the past and present must
be as reliable as possible, and (2) risk managers must consider the limitations and
uncertainties with that past and present information. All relevant stakeholders should receive
necessary information in a timely and clear manner.

Considers Human and Culture Factors

Risk management is a human activity and it takes place within one or more cultures
(organizational culture, etc.). Risk managers must be aware of the human and culture factors
surrounding the risk management effort and know the influence that those factors will have
on it.

Practices Continual Improvement

Through experience and learning, risk managers must strive to continually improve an
organization’s risk management efforts.

FIMA 40053

Week 4 – 6 Risk Management Process

Systematic application of management policies, procedures and practices to the activities of
communicating and consulting, establishing the context and identifying, analyzing, evaluating,
treating, monitoring and reviewing risk

Communication and Consultation

Stakeholders
- person or organization that can affect, be affected by, or perceive
themselves to be affected by a decision or activity

Purpose: To assist relevant stakeholders in understanding risk, the basis on which decisions
are made and the reasons why particular actions are required

Communication
Seeks to promote awareness and understanding of risk

Consultation
Involves obtaining feedback and information to support decision-making

Communication and consultation with appropriate external and internal stakeholders should
take place within and throughout all steps of the risk management process

Objectives:
❖ To bring different areas of expertise together for each step of the risk management process
❖ To ensure that different views are appropriately considered when defining risk criteria and
when evaluating risks
❖ To provide sufficient information to facilitate risk oversight and decision-making
❖ To build a sense of inclusiveness and ownership among those affected by risk

Establishing the Scope, Context and Criteria

● Defining the Scope

The organization should define the scope of its risk management activities.

When planning the approach, considerations include:

● objectives and decisions that need to be made
● outcomes expected from the steps to be taken in the process
● time, location, specific inclusions and exclusions
● appropriate risk assessment tools and techniques
● resources required, responsibilities and records to be kept
● relationships with other projects, processes and activities

● External and Internal Context

The external and internal context is the environment in which the organization seeks to
define and achieve its objectives.

External Context
- external environmental parameters
● external stakeholders
● local, national and international environment
● stakeholder values, perceptions and relationships
● social, cultural, political, legal, regulatory, technological, economic,
natural and competitive environment

Internal Context
- internal environmental parameters
● internal stakeholders
● approach to governance – organizational structure, policies, objectives,
roles, accountabilities and decision-making process
● capabilities – knowledge, human, technological, capital and systemic
resources
● contractual relationships

● Defining Risk Criteria

Risk Criteria are terms of reference and are used to evaluate the significance or
importance of an organization's risks. They are used to determine whether a specified
level of risk is acceptable or tolerable.

Risk criteria should
✔ Reflect organization’s values, policies and objectives
✔ Be based on external and internal context
✔ Consider the view of stakeholders
✔ Be derived from standards, laws, policies and other requirements
✔ Be aligned with the risk management framework
✔ Be customized to the specific purpose and scope of the activity under
consideration

The organization should specify the amount and type of risk that it may or may not take relative
to objectives.
While risk criteria should be established at the beginning of the risk assessment process, they
are dynamic and should be continually reviewed and amended, if necessary.

To set risk criteria, the following should be considered:

● Nature and type of uncertainties
● Consistency in the use of measurements
● How consequences and likelihood will be defined and measured
● How the level of risk is to be determined
● The organization’s capacity
● Time-related factors
● How combinations and sequences of multiple risks will be taken into account

Sample Risk Criteria Likelihood

Sample Risk Criteria Impact


● Risk Identification

Risk cannot be managed unless it is first identified.

Aim
- identify possible risks that may affect, either negatively or positively, the
objectives of the business and the activity under analysis

Identifying risks involves considering what, when, why, where and how things can
happen:
● What are the sources of risk or threat
● What would be the impact on objectives if the risk was realized
● What parts of the organization might be involved or impacted
● What stakeholders might be involved or impacted
● What controls currently exist to minimize the likelihood and consequences of
each risk
● Where the event could occur
● Where the direct or indirect consequences may be experienced
● When the event is likely to occur and/or the consequences realized
● How the risk event or incident could occur

Risk Identification: Two Main Ways to Identify Risk

● Identify Retrospective Risks
● Identify Prospective Risks

Retrospective Risks are those that have previously occurred

● The most common way to identify risk
● Easiest way to identify risk
❑ Easier to believe something if it has happened before
❑ Easier to quantify its impact and to see the damage it has caused

Sources of Information
● Hazard or incident logs or registers
● Audit reports
● Customer complaints
● Accreditation documents and reports
● Past staff or client surveys
● Newspapers or professional media

Prospective Risks are those that have not yet happened but might happen sometime
in the future

Methods for identifying prospective risks include:
❑ Brainstorming with staff or external stakeholders
❑ Researching the economic, political, legislative and operating
environment
❑ Conducting interviews with relevant people and/or organizations
❑ Undertaking surveys of staff or clients to identify anticipated issues or
problems
❑ Flowcharting a process
❑ Reviewing system design or preparing system analysis techniques.

8 Ways to Identify Risk in the Organization

1. Break down the big picture
2. Be pessimistic
3. Consult an expert
4. Use models or software
5. Conduct internal research
6. Conduct external research
7. Seek employee feedback
8. Analyze customer complaints

Approaches/Strategies in Identifying Risks

1. SWOT Analysis
2. PESTLE
3. Brainstorming
4. Flowchart Method
5. Scenario Analysis
6. Surveys/Questionnaires
7. One-on-One Interview
8. Stakeholder Analysis
9. Working Groups
10. Corporate Knowledge
11. Process Analysis
12. Other Jurisdictions

Risk Ownership
Once risks are identified, they should be assigned a risk owner who has responsibility
for ensuring that the risk is being managed and monitored

Risk Categories
Risks during this initial phase of the process should also be allocated a risk category

Risk Register is a tool for documenting risks, and actions to manage each risk
● The Risk Register is essential to the successful management of risk
● As risks are identified they are logged on the register and actions are taken to
respond to the risk
Keep in Mind that the Risk Register is a Living Thing
● The information you put in it is changing rapidly
● Risks evolve and change attributes
● A Risk Response Plan may not provide the required efficiency
● Threats and opportunities may disappear, or they may become irrelevant

Risk Register

ID: 1
DATE RAISED: [12/12/2018]
RISK DESCRIPTION: [There is a risk that ___ if this happens ...]
LIKELIHOOD: [High/Medium/Low]
IMPACT: [High/Medium/Low]
SEVERITY: [High/Medium/Low] (Likelihood x Impact)
OWNER: [Person managing the risk]
MITIGATING ACTION: [Actions that can be taken to reduce the likelihood of the risk occurring.
May also be acceptance of the risk or transference of the risk]
CONTINGENT ACTION: [What will be done if this Risk does occur? Usually actions to reduce the
impact on the project]
PROGRESS ON ACTIONS: [Action taken and date. E.g. Update 13/12/2019 mitigation actions
implemented]
STATUS: [Open, Waiting, Closed]

● Risk Analysis

Involves a detailed consideration of uncertainties, risk sources, consequences,
likelihood, events, scenarios, controls and their effectiveness

The risk analysis should answer the following questions:

● What is the likelihood of these risks occurring?
● What will be the consequences of these risks to the organization?

❏ Risk Value = Probability of Event x Cost of Event


Example
You've identified a risk that your rent may increase substantially. You think that
there's an 80 percent chance of this happening within the next year, because your
landlord has recently increased rents for other businesses. If this happens, it will cost
your business an extra P500,000 over the next year.
So, the risk value of the rent increase is:
= 0.80 x P500,000
= P400,000

❏ Risk Impact/Probability Chart

▪ Helps in identifying which risks to focus on
▪ Based on the principle that a risk has two primary dimensions: probability and
impact
▪ Allows you to rate potential risks

Probability
● A risk is an event that "may" occur
● The probability of it occurring can range anywhere from just above 0
percent to just below 100 percent
● It can't be exactly 100 percent, because then it would be a certainty, not
a risk.
● It can't be exactly 0 percent, or it wouldn't be a risk.

Impact
● The size of the impact varies in terms of cost and impact on health,
human life or some other critical factor

Risk Impact Probability Chart

The corners of the chart have these characteristics:

● Low Impact / Low Probability
○ Risks in the bottom left corner are low level, and you can often ignore
them.
● Low Impact / High Probability
○ Risks in the top left corner are of moderate importance – if these things
happen, you can cope with them and move on. However, you should try
to reduce the likelihood that they'll occur.
● High Impact / Low Probability
○ Risks in the bottom right corner are of high importance if they do occur,
but they’re very unlikely to happen. For these, however, you should do
what you can to reduce the impact they'll have if they do occur, and you
should have contingency plans in place just in case they do.
● High Impact/High Probability
○ Risks towards the top right corner are of critical importance. These are
your top priorities, and are risks that you must pay close attention to.

● Risk Evaluation

The process used to compare the estimated risk against the given risk criteria so
as to determine the significance of the risk.

This step is about deciding whether risks are acceptable or need treatment.

A risk may be accepted for the following reasons:
❑ The cost of treatment far exceeds the benefit, so that acceptance is the only
option (applies particularly to lower ranked risks)
❑ The level of the risk is so low that specific treatment is not appropriate with
available resources
❑ The opportunities presented outweigh the threats to such a degree that the
risks are justified
❑ The risk is such that there is no treatment available

One of the most efficient ways of evaluating risks is to sort them by scoring and
prioritizing

The risks are evaluated and ranked by determining the risk magnitude, which is the
combination of likelihood and consequence

The result of a risk evaluation is a prioritized list of risks that require further action

These risk rankings are also added to the Risk Register
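
The scoring steps from Risk Analysis and Risk Evaluation above, worked through as an added example that is not part of the original notes: each register entry gets a risk value, a corner of the impact/probability chart, and a rank. The two cut-offs, the field names, and every entry except the rent increase are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed cut-offs: the notes only say "low" and "high", so these thresholds
# stand in for risk criteria an organization would define for itself.
HIGH_PROBABILITY = 0.5   # 50 percent or more counts as high probability
HIGH_IMPACT = 250_000    # a cost of P250,000 or more counts as high impact

# Guidance for each corner of the chart, keyed by (impact, probability)
# and paraphrased from the notes.
CHART_ADVICE = {
    ("low", "low"): "low level; can often be ignored",
    ("low", "high"): "moderate; try to reduce the likelihood",
    ("high", "low"): "high importance; reduce the impact, keep a contingency plan",
    ("high", "high"): "critical; top priority",
}


@dataclass
class Risk:
    risk_id: int
    description: str
    probability: float  # strictly between 0 and 1
    cost: float         # cost of the event, in pesos
    owner: str

    def __post_init__(self):
        # Exactly 0 or exactly 100 percent is not a risk, as the notes state.
        if not 0.0 < self.probability < 1.0:
            raise ValueError(f"risk {self.risk_id}: probability must be above 0 and below 1")
        if self.cost < 0:
            raise ValueError(f"risk {self.risk_id}: cost cannot be negative")

    @property
    def risk_value(self):
        # Risk Value = Probability of Event x Cost of Event
        return round(self.probability * self.cost, 2)

    @property
    def corner(self):
        impact = "high" if self.cost >= HIGH_IMPACT else "low"
        probability = "high" if self.probability >= HIGH_PROBABILITY else "low"
        return impact, probability


def prioritize(register):
    """Rank risks by risk value, highest first, and attach the chart guidance."""
    ranked = sorted(register, key=lambda r: r.risk_value, reverse=True)
    return [
        {
            "rank": rank,
            "id": risk.risk_id,
            "description": risk.description,
            "owner": risk.owner,
            "risk_value": risk.risk_value,
            "corner": risk.corner,
            "advice": CHART_ADVICE[risk.corner],
        }
        for rank, risk in enumerate(ranked, start=1)
    ]


# Constructed register. Entry 1 uses the rent figures from the notes; the other
# probabilities, costs and all owners are made up for illustration.
SAMPLE_REGISTER = [
    Risk(1, "Rent increases substantially", 0.80, 500_000, "Finance manager"),
    Risk(2, "Check written for the wrong amount", 0.05, 90_000, "Accounts payable"),
    Risk(3, "Power cut interrupts operations", 0.60, 20_000, "Operations"),
    Risk(4, "Largest client is unable to pay", 0.10, 2_000_000, "Credit control"),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_REGISTER):
        impact, probability = row["corner"]
        print(f'{row["rank"]}. #{row["id"]} {row["description"]}: '
              f'P{row["risk_value"]:,.0f} '
              f'({impact} impact / {probability} probability) -> {row["advice"]}')
```

Ranking by risk value alone places the rare but severe client default below the rent increase, which is why each row keeps its chart corner beside the rank.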

❏ Risk Map

Is a graphical depiction of a select number of a company's risks designed
to illustrate the impact or significance of risks on one axis and the likelihood or
frequency on the other

Risk mapping is used to assist in identifying, prioritizing, and quantifying
(at a macro level) risks to an organization

Sample of Risk Map
