Week 2 - 3
Nowadays, people and organizations rely far less on traditions and superstition than they did
in earlier days, and this may not be because mankind itself has become more rational, but rather
because of our ability to understand risk, which allows us to make more informed and rational
decisions.
The opportunity to manage risk, including the amount and type of risk that organizations
accept to pursue or retain in order to make forward-looking choices, is a key
ingredient that catalyzes the progress of the economic system.
Risk is an inseparable part of any business and affects its operations and activities, leading
businesses to implement proper risk management processes to effectively manage and treat such
risks. Successful organizations are those that have the ability to identify and manage risks
before those risks become destructive actualities that impair the organization’s reputation
and its ability to operate. Maybe one of the best ways to understand unexpected
occurrences and the importance of properly responding to them is through the words of
Arthur Rudolph, one of the scientists who developed the Saturn 5 rocket that launched the
first Apollo mission to the moon:
“You want a valve that doesn't leak and you try everything possible to develop one, but the
real world provides you with a leaky valve. You have to determine how much leaking you can
tolerate.”
The notion of “risk” and its ramifications permeate decision-making in each
individual’s life, in business outcomes and in society itself. Indeed, risk, and how it is
managed, are critical aspects of decision making at all levels.
The word “risk” is used in many different contexts. Further, the word takes many different
interpretations in these varied contexts. In all cases, however, the notion of risk is
inextricably linked to the notion of uncertainty.
If we knew, without a doubt, that something bad was about to occur, we would call it
apprehension or dread. It wouldn’t be risk because it would be predictable. Risk will be
forever, inextricably linked to uncertainty.
As we all know, certainty is elusive. Uncertainty and risk are pervasive. While we typically
associate “risk” with unpleasant or negative events, in reality some risky situations can result in
positive outcomes. Take, for example, venture capital investing or entrepreneurial endeavors.
Uncertainty about which of several possible outcomes will occur circumscribes the meaning of
risk. Uncertainty lies behind the definition of risk.
While we link the concept of risk with the notion of uncertainty, risk isn’t synonymous with
uncertainty. Risk isn’t the same as the underlying prerequisite of uncertainty. Risk has to do
with consequences (both positive and negative); it involves having more than two possible
outcomes (uncertainty). Uncertainty also creates opportunities for gain and the potential for
loss. Nevertheless, if no possibility of a negative outcome arises at all, even remotely, then
we usually do not refer to the situation as having risk (only uncertainty).
DEFINITION OF RISK
Risk
Pure Risk
- risk in which there is only a chance of loss not gain
- result of uncontrollable circumstances
- example: chance that someone’s home will be destroyed by an earthquake
Speculative Risk
- risk in which there is a chance of loss or gain
- result of choices can be controlled
- example: chance that a small business will not succeed
Fundamental Risk
- affects the entire economy or large numbers of persons or groups (hurricane)
Particular Risk
- affects only the individual (car theft)
Business/Enterprise Risk
- encompasses all major risks faced by a business firm which include operational risk,
financial risk, strategy risk and hazard risk
Strategic Risk
- The risk that a company’s strategy becomes less effective and the company struggles
to reach its goals as a result
- Risks that affect or are created by an organization's business strategy and strategic
objective
A classic example is Kodak, which had such a dominant position in the film photography
market that when one of its own engineers invented a digital camera in 1975, it saw the
innovation as a threat to its core business model, and failed to develop it.
But if Kodak had analyzed the strategic risk more carefully, it would have concluded that
someone else would start producing digital cameras eventually, so it was better for Kodak to
cannibalize its own business than for another company to do it. Failure to adapt to a strategic
risk led to bankruptcy for Kodak. It’s now emerged from bankruptcy as a much smaller
company focusing on corporate imaging solutions, but if it had made that shift sooner, it could
have preserved its dominance.
Facing a strategic risk doesn’t have to be disastrous, however. Think of Xerox, which became
synonymous with a single, hugely successful product, the Xerox photocopier. The development
of laser printing was a strategic risk to Xerox’s position, but unlike Kodak, it was able to adapt
to the new technology and change its business model. Laser printing became a multi-billion-
dollar business line for Xerox, and the company survived the strategic risk.
Operational Risk
That’s a “people” failure, but also a “process” failure. It could have been prevented by having
a more secure payment process, for example having a second member of staff authorize
every major payment, or using an electronic system that would flag unusual amounts for
review.
In some cases, operational risk can also stem from events outside the company’s control
such as a power cut or a problem with a website host. Anything that interrupts the company’s
core operations comes under the category of operational risk.
While the events themselves can seem quite small compared with the large strategic risks we
talked about earlier, operational risks can still have a big impact on the company. Not only is
there the cost of fixing the problem, but operational issues can also prevent customer orders
from being delivered or make it impossible to contact the company, resulting in a loss of
revenue and damage to its reputation.
Financial Risk
Market Risk
- Risk that the value of 'on' or 'off' balance sheet positions will be adversely affected by
movements in equity and interest rate markets, currency exchange rates and commodity prices
Liquidity Risk
- Risk that funds will not be available when needed
Most categories of risk have a financial impact, in terms of extra costs or lost revenue. But the
category of financial risk refers specifically to the money flowing in and out of business, and
the possibility of a sudden financial loss.
For example, let’s say that a large proportion of revenue comes from a single large client, and
that client was extended 60 days’ credit.
In this case, there is a significant financial risk. If that customer is unable to pay, or delays
payment for whatever reason, then the business is in big trouble.
Having a lot of debt also increases financial risk, particularly if a lot of it is short-term debt
that’s due in the near future. And if interest rates suddenly go up, and instead of paying 8% on
the loan, you’re now paying 15%? That’s a big extra cost for your business, and so it’s
counted as a financial risk.
- Includes unforeseen events that arise outside of the normal operating environment.
- Poses a level of threat to life, health, property or the environment. Most hazards are
dormant or potential with only a theoretical risk of harm; however, once a hazard becomes
active, it can create an emergency situation.
RISK MANAGEMENT
- a coordinated set of activities and methods that is used to direct an organization and to
control the many risks that can affect its ability to achieve objectives.
By implementing a risk management plan and considering the various potential risks or
events before they occur, an organization can save money and protect its future. This is
because a robust risk management plan will help a company establish procedures to avoid
potential threats, minimize their impact should they occur and cope with the results. This
ability to understand and control risk enables organizations to be more confident in their
business decisions. Furthermore, strong corporate governance principles that focus
specifically on risk management can help a company reach its goals.
▪ Creates a safe and secure work environment for all staff and customers.
▪ Increases the stability of business operations while also decreasing legal liability.
▪ Provides protection from events that are detrimental to both the company and the environment.
▪ Protects all involved people and assets from potential harm.
▪ Helps establish the organization's insurance needs in order to save on unnecessary
premiums.
While risk management can be an extremely beneficial practice for organizations, its
limitations should also be considered. Many risk analysis techniques -- such as creating a
model or simulation -- require gathering large amounts of data. This extensive data collection
can be expensive and is not guaranteed to be reliable.
Furthermore, the use of data in decision making processes may have poor outcomes if simple
indicators are used to reflect the much more complex realities of the situation. Similarly,
adopting a decision throughout the whole project that was intended for one small aspect can
lead to unexpected results.
Another limitation is the lack of analysis expertise and time. Computer software programs have
been developed to simulate events that might have a negative impact on the company. While
cost effective, these complex programs require trained personnel with comprehensive skills
and knowledge in order to accurately understand the generated results. Analyzing historical
data to identify risks also requires highly trained personnel. These individuals may not always
be assigned to the project. Even if they are, there frequently is not enough time to gather all
their findings, thus resulting in conflicts.
The ISO 31000-2018 standard, Risk Management–Guidelines, lists the following eight
principles for any solid risk management program (see 31000-2018, Section 4,
Principles):
Integration
An organization should integrate its risk management efforts into all parts and activities of the
organization.
Creating and following a comprehensive, structured risk management approach leads to the
most consistent, desirable risk management outcomes.
Customized
Dynamic
As the organization changes, including its external and internal context, the organization’s risk
management program and efforts should change, too. Change is inevitable and successful
organizations know how to work with change. A risk management program should help the
organization anticipate, identify, acknowledge, and respond to changes in an appropriate and
timely way.
Risk management is a human activity and it takes place within one or more cultures
(organizational culture, etc.). Risk managers must be aware of the human and cultural factors
within which the risk management effort takes place and know the influence that those
factors will have on the risk management effort.
Purpose: To assist relevant stakeholders in understanding risk, the basis on which decisions
are made and the reasons why particular actions are required
Communication
Seeks to promote awareness and understanding of risk
Consultation
Involves obtaining feedback and information to support decision-making
Communication and consultation with appropriate external and internal stakeholders should
take place within and throughout all steps of the risk management process
Objectives:
❖ To bring different areas of expertise together for each step of the risk management process
❖ To ensure that different views are appropriately considered when defining risk criteria and
when evaluating risks
❖ To provide sufficient information to facilitate risk oversight and decision-making
❖ To build a sense of inclusiveness and ownership among those affected by risk
Internal Context
internal environmental parameters
● internal stakeholders
● approach to governance – organizational structure, policies, objectives,
roles, accountabilities and decision-making process
● capabilities - knowledge, human, technological, capital and systemic
resources
● contractual relationships
The organization should specify the amount and type of risk that it may or may not take relative
to objectives.
While risk criteria should be established at the beginning of the risk assessment process, they
are dynamic and should be continually reviewed and amended, if necessary.
Identifying risks involves considering what, when, why, where and how things can
happen
● What are the sources of risk or threat
● What would be the impact on objectives if the risk was realized
● What parts of the organization might be involved or impacted
● What stakeholders might be involved or impacted
● What controls currently exist to minimize the likelihood and consequences of
each risk
● Where the event could occur
● Where the direct or indirect consequences may be experienced
● When the event is likely to occur and/or the consequences realized
● How the risk event or incident could occur
Sources of Information
● Hazard or incident logs or registers
● Audit reports
● Customer complaints
● Accreditation documents and reports
● Past staff or client surveys
● Newspapers or professional media
Prospective Risks are those that have not yet happened but might happen sometime
in the future
1. SWOT Analysis
2. PESTLE
3. Brainstorming
4. Flowchart Method
5. Scenario Analysis
6. Surveys/Questionnaires
7. One-on-One Interview
8. Stakeholder Analysis
9. Working Groups
10. Corporate Knowledge
11. Process Analysis
12. Other Jurisdictions
Risk Ownership
Once risks are identified, they should be assigned a risk owner who has responsibility
for ensuring that the risk is being managed and monitored
Risk Categories
Risks during this initial phase of the process should also be allocated a risk category
Risk Register is a tool for documenting risks, and actions to manage each risk
● The Risk Register is essential to the successful management of risk
● As risks are identified they are logged on the register and actions are taken to
respond to the risk
Keep in Mind that the Risk Register is a Living Thing
● The information you put in it is changing rapidly
● Risks evolve and change attributes
● A Risk Response Plan may not provide the required efficiency
● Threats and opportunities may disappear, or they may become irrelevant
Risk Register
● ID: 1
● Date Raised: [12/12/2018]
● Risk Description: [There is a risk that ___ if this happens ...]
● Likelihood: [High/Medium/Low]
● Impact: [High/Medium/Low]
● Severity: [High/Medium/Low] (Likelihood X Impact)
● Owner: [Person managing the risk]
● Mitigating Action: [Actions that can be taken to reduce the likelihood of the risk
occurring. May also be acceptance of the risk or transference of the risk]
● Contingent Action: [What will be done if this Risk does occur? Usually actions to
reduce the impact on the project]
● Progress on Actions: [Action taken and date. E.g. Update 13/12/2019 mitigation actions
implemented]
● Status: [Open, Waiting, Closed]
● Risk Analysis
Involves a detailed consideration of uncertainties, risk sources, consequences,
likelihood, events, scenarios, controls and their effectiveness
Impact
● The size of the impact varies in terms of cost and impact on health,
human life or some other critical factor
● Risk Evaluation
The process used to compare the estimated risk against the given risk criteria so
as to determine the significance of the risk
This step is about deciding whether risks are acceptable or need treatment
A risk may be accepted for the following reasons:
❑ The cost of treatment far exceeds the benefit, so that acceptance is the only
option (applies particularly to lower ranked risks)
❑ The level of the risk is so low that specific treatment is not appropriate with
available resources
❑ The opportunities presented outweigh the threats to such a degree that the
risks are justified
❑ The risk is such that there is no treatment available
One of the most efficient ways of evaluating risks is to sort them by scoring and
prioritizing
The risks are evaluated and ranked by determining the risk magnitude, which is the
combination of likelihood and consequence
The result of a risk evaluation is a prioritized list of risks that require further action
❏ Risk Map
Is a graphical depiction of a select number of a company's risks designed
to illustrate the impact or significance of risks on one axis and the likelihood or
frequency on the other
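As an added example (not part of the original notes), the sketch below scores a register shaped like the template above, ranks the risks that still need action by magnitude, and builds the data behind a risk map. The 1-3 numeric scale, the banding of the product back onto High/Medium/Low, the tie-break rule and the sample entries are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed numeric scale; the register template gives only the High/Medium/Low labels.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}

@dataclass
class Risk:
    id: int
    description: str
    likelihood: str
    impact: str
    owner: str
    status: str = "Open"  # Open, Waiting or Closed, as in the template

    @property
    def magnitude(self) -> int:
        # Severity column of the template: Likelihood X Impact
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    @property
    def severity(self) -> str:
        # Assumed banding of the product (1..9) back onto the three labels
        return "High" if self.magnitude >= 6 else "Medium" if self.magnitude >= 3 else "Low"

def prioritize(register):
    """Risks that still need action, highest magnitude first; ties go to higher impact."""
    active = [r for r in register if r.status != "Closed"]
    return sorted(active, key=lambda r: (-r.magnitude, -LEVELS[r.impact], r.id))

def risk_map(register):
    """Risk map data: IDs of non-closed risks keyed by (impact, likelihood)."""
    grid = {(i, l): [] for i in LEVELS for l in LEVELS}
    for r in register:
        if r.status != "Closed":
            grid[(r.impact, r.likelihood)].append(r.id)
    return grid

# Constructed register entries, loosely based on the examples in these notes.
REGISTER = [
    Risk(1, "Major payment released without a second authorization", "Medium", "High", "Finance lead"),
    Risk(2, "Website host outage blocks customer orders", "Medium", "Medium", "IT lead", "Waiting"),
    Risk(3, "Largest client on 60 days credit delays payment", "Low", "High", "Finance lead"),
    Risk(4, "Power cut interrupts core operations", "Low", "Low", "Facilities", "Closed"),
    Risk(5, "Interest rate rise on short-term debt", "High", "Medium", "CFO"),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.id}  {r.severity:<6} ({r.magnitude})  {r.status:<7} {r.owner:<12} {r.description}")
    grid = risk_map(REGISTER)
    for impact in ("High", "Medium", "Low"):  # impact on the vertical axis
        print(f"{impact:<6}", [grid[(impact, l)] for l in ("Low", "Medium", "High")])
```

Closed risks stay in the register as a record but are left out of both the ranking and the map, which matches the idea of the register as a living document.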