
EGERTON UNIVERSITY

COLLEGE OF OPEN AND DISTANCE LEARNING


E-CAMPUS

AGBM 404: RISK MANAGEMENT

Topic 1 Handout

Copyright
Copyright© Egerton University
Published 2020
All rights reserved. No part of this publication may be reproduced, stored in a retrieval
system or transmitted in any form or by any means, electronic, mechanical,
photocopying, recording, or otherwise, without the prior written permission of the
copyright owner.

"Transforming Lives through Quality Education"


Egerton University is ISO 9001:2008 Certified
Topic Content

1.1 Definition of risk management


Risk management is the identification, assessment, and prioritization of risks
followed by coordinated and economical application of resources to minimize,
monitor, and control the probability and/or impact of unfortunate events.
Several tools are available to assist in the management of risk in technical areas.
These tools can help the organization/project manager to understand the danger
signals that may indicate that the organizational goal is off track, and prioritize
corrective actions as necessary.
According to the Project Management Institute Body of Knowledge (PMBOK),
there are three definitions of risk management:
• Risk management is the formal process by which risk factors are systematically
identified, assessed, and provided for
• Risk management is a formal, systematic method of managing that
concentrates on identifying and controlling areas or events that have a potential
for causing unwanted change
• Risk management, in the project context, is the art and science of identifying,
analyzing, and responding to risk factors throughout the life of a project and in
the best interest of its objectives.
Risk management is a means of dealing with uncertainty through identifying
sources of uncertainty and the risks associated with them, and then managing
those risks such that negative outcomes are minimized (or avoided altogether),
and positive outcomes are capitalized upon. Risks can come from uncertainty in
financial markets, project failures, legal liabilities, credit risk, accidents, natural
causes and disasters, as well as deliberate attacks from an adversary.
It is essential for effective management control that all significant risks and
uncertainties in an organization are systematically identified, quantified,
analyzed, owned, acted upon and monitored by the management team to
maximize the likelihood of successful achievement of objectives within budget
and schedule targets.

1.2. What is a risk?

What does risk mean to you? Is it anything or event that could stand in the way
of an organization achieving its objectives? Risk is a word that has more than
one meaning. It is a term that can mean different things depending on the
circumstances and the context in which it is used. Here are some of the
meanings it can assume.

1.3. Uncertainty

The primary meaning of risk as applied in risk management and insurance is
that of the uncertainty of an outcome in a given situation. The key word
here is “uncertainty”. It is the doubt whether a given event will take place or not.
The greater the doubt or uncertainty, the greater is the risk. When are you
uncertain? When are you in doubt? And so when are you at risk? In this context,
you can only be at risk if you face an event which may or may not occur, if there
are at least two or more possible outcomes from the event, and you cannot
determine in advance which one of the two or more possible outcomes you will
actually experience.

There is no risk, no uncertainty or doubt in a situation where there is only one
possible outcome, or where we can tell in advance which outcome shall be
experienced, because in such cases there will be no uncertainty or doubt about
the expected outcome, which is already known.

Uncertainty or risk is only relevant if one of the expected possible outcomes is
a loss. A risk is not significant if it cannot cause us a loss of any kind. Risk
therefore has two main things to it, uncertainty of occurrence of an event and a
possible loss of some kind from the event. Risk management and insurance is
therefore more concerned with those risks capable of causing losses.

So what is a loss? A loss is the unintentional or involuntary parting with
something of value. A loss may be either financial or non-financial and could
involve both tangible and intangible assets.

Some situations of uncertainty that could give rise to risk and loss include:

(a) The negligence of participants in a certain activity or the negligence of
others.
(b) Events that may be foreseeable or not foreseeable for now.
(c) Hazards or conditions arising out of ownership or operating in premises.
(d) Performing certain activities or participating in certain activities.
(e) Failure to perform certain activities such as proper maintenance,
inspection, supervision, controls, etc.
(f) Failure to provide warnings on existing dangerous conditions.
(g) Poor administrative structures.
(h) Environmental factors such as political instability, socio-cultural practices,
natural calamities, etc.

Sources of risks

1. Company factors: risks that arise from factors actually or potentially under
your control (e.g. poor design, ineffective management systems, and poor
performance by contractors).

2. Industry factors: these are risks that arise from factors in the wider policy
and institutional environments and controllable by decision makers elsewhere
(e.g. poor policy environment, lack of political will, institutional weaknesses).

3. General economic condition: these are risks that are uncontrollable and which
influence the general level of organization activities, e.g. natural disasters,
political instability, world markets.

Classification of risk

(1) Systematic risk

It arises from economic uncertainties which are beyond individual control. Thus
these risks cannot be reduced through diversification, e.g. government changes
to interest rate policies.

(2) Unsystematic risk

It arises from the unique uncertainties of individual securities. These uncertainties
are diversifiable if large numbers of securities are combined to form a well
diversified portfolio.

Components of risk

Risk has three primary components [4]:

1. An event (an unwanted change)

2. A probability of occurrence of that event

3. Impact of that event (amount at stake)

Conceptually, risk for each event can be defined as a function of uncertainty and
damage; that is:

Risk = f (event, uncertainty, damage)

Chance of loss or the probability of occurrence of a loss

The term risk can also mean something else. It can also be defined as the chance
or probability of occurrence of a loss. This is the long run relative frequency of
a loss. The probability or chance of occurrence of a loss varies between 0 and
1. The 0 position says there is no chance of a loss occurring. At the other end
1, the chance of loss is 100 percent because the loss is certain to occur.

The chance or probability of loss may be conveniently expressed as a fraction,
and it indicates the probable number of losses out of a given number of
exposures and expresses it as a percentage. Expressed as a fraction, the
numerator represents the probable number of losses, and the denominator
represents the number of times that the event could possibly occur.

In this context, situations with a high probability of loss are said to be riskier
than those with a low probability of loss. The risk is greater if the probability of
loss is higher.

Normally when we say that something is very risky, we are in essence saying
that the probability that it will cause a loss is very high. Qualitatively, risk is
proportional to both the expected losses which may be caused by an event and
to the probability of this event. Greater loss and greater event likelihood result
in a greater overall risk.

Take note that if risk means uncertainty according to our first definition then
risk does not exist where the chance of loss is either 0 or 1. This is because
there is no doubt or uncertainty about the expected outcome in the two
positions. The outcomes in the two positions are already definite and certain.

1.4. The subject matter insured in a contract of insurance.

The term risk can also refer to the object covered or insured in a contract of
insurance. It could be a house, a car, a life, etc. For every contract of insurance
there must be something being insured against loss. This becomes the subject
matter of the contract and can be referred to by the insurers as the risk.

A peril

Risk can also mean a peril. This is the immediate cause of a loss such as a fire
or earthquake. Each loss that occurs must have a cause. These causes, such as
accident, illness, theft, fire, etc., are known as perils or risks. So we talk of
the risk of fire, or theft, etc. In insurance policies it is common to find a section
dealing with “insured risks” or “insured perils” and then listing the risks or perils.
These would simply be some possible causes of loss which the insurer is
accepting to cover. Note that the insurer is only liable to compensate for a loss
if the loss is caused by a peril or risk covered in the policy.

The dispersion of actual from expected results.

This is the statistical definition of risk as measured by the standard deviation,
which is the most widely accepted measure of risk. It is a figure that more or
less measures the degree or the level of in a given situation. It is a measure of
risk that is objective.

In conclusion we have seen that the term risk can mean five different things
depending on the circumstances and the context in which it is applied. You
should now be able to explain the five different meanings.

Risk attitudes
(1) Risk averse – these are investors who prefer less risk to more risk.
(2) Risk neutral – these are investors who attach the same utility to increasing
or decreasing wealth. They are indifferent to less or more risk for a given wealth.
(3) Risk seeking – these are investors who attach more utility to the potential
of additional wealth than to the possible loss from the decrease in wealth, i.e.
to earn a given wealth they are prepared to assume higher risk.

1.5. Risk Management Process


• Risk Identification
• Risk Quantification
• Risk Response
• Risk Control
Risk Identification
The process of risk identification generally involves the use of qualitative risk
analysis techniques.
• Observation – close examination of a current system may help identify risks
that may also be inherent in an organization;
• Reference to previous documentation/existing databases - past experiences
may be recorded on company files, reports, third-party company analytical
reports, etc;

• Interviews - bringing people with the greatest direct experience of similar
situations or projects into face-to-face sessions to determine the nature and
extent of the risks.

Other common techniques include cause-and-effect diagrams, decision trees,
critical path analysis, scatter diagrams/radar charts and risk identification
workshops. Workshops have proven to be very effective because they gather
the necessary fields of expertise together, involve relevant stakeholders
throughout the process, and speed up the process of risk identification and
reaching agreement by consensus.
Risk Quantification
Once risks have been identified a simple mathematical approach can be used to
quantify them. This involves assigning each risk two values on an appropriate
scale. One value relates to the likelihood of the risk's manifestation and the
second value relates to its impact on the organization. The first is a measure of
how likely the thing is to go wrong; the second is the effect it will have on the
project. By multiplication of the two values you get a weighting for each risk.
This information can be tabulated to produce what is often called a risk
register. A risk register can cover more ground than the above implies - it can
discuss at length the nature of the risk, the impact and the things that can be
done to prevent or reduce the impact of the risk.
The most common form of qualitative risk rating is as follows:
High risk - Likely to cause significant disruption to schedule, cost and
performance, or quality even with additional support.
Moderate risk - Has the potential to cause some disruption even with additional
support. However, potential problems may be overcome.
Low risk - Has little potential to cause disruption to schedule, cost and
performance, or quality. Normal effort by the project team and contractors will
probably overcome most difficulties.
Risk Mitigation/Response
A mitigation strategy comprises plans and means devised in order to reduce the impact
of the risk, prevent its occurrence, avoid it altogether, or to determine whether
or not contingencies need to be put in place to compensate for the risk should
it occur. During project execution, risk mitigation is aimed at the implementation
of the previously identified mitigation strategy. Risk control also includes the
estimation and calculation of the risk exposure, in financial terms, caused by
the impact of the risk on the project, with due consideration of the moderating
effect of the mitigation strategy.
Once a risk assessment has been undertaken, or when it is being reviewed, it is
important to develop actions that will be put in place on how to best respond to
risks that have been identified. Responses can be developed in four ways:
1. Transfer the risk or some aspect of risk to the party best placed to manage it.
This might be conventional insurance, or by supporting a third party to take the
risk in another way.
2. Tolerate the risk, because the ability to do anything about some risks may be
limited or nothing can be done at a reasonable cost to mitigate it. This course of
action is common for large external risks, but they must continue to be tracked.
Tolerance levels determining how much risk can be taken need to be set out and
should inform the decisions made.
3. Treat the risk by taking corrective actions to reduce the probability or impact of
the risk. By far the greater number of risks will belong to this category. The
purpose of treatment is not necessarily to obviate the risk, but more to contain
it at an acceptable level.
4. Terminate the risk by doing things differently thus removing the risk where it
is feasible to
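
The likelihood-times-impact weighting, the risk register and the four responses described above, worked through as an added example that is not part of the original handout. The 1-5 scale, the score bands behind the High/Moderate/Low ratings, the tolerance level of 8, the field names and the sample risks with their scores are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

SCALE_MIN, SCALE_MAX = 1, 5    # assumed scale for likelihood and impact
BANDS = [(15, "High"), (6, "Moderate"), (1, "Low")]   # assumed score bands
TOLERANCE = 8                  # assumed highest weighting the organization accepts
RESPONSES = ("transfer", "tolerate", "treat", "terminate")


@dataclass
class Risk:
    name: str
    likelihood: int            # how likely the risk is to manifest
    impact: int                # effect on the organization if it does
    response: str              # one of RESPONSES
    new_likelihood: Optional[int] = None   # estimate once the response is in place
    new_impact: Optional[int] = None


def weighting(likelihood, impact):
    """Multiply the two values, rejecting anything off the agreed scale."""
    for value in (likelihood, impact):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{value} is outside the {SCALE_MIN}-{SCALE_MAX} scale")
    return likelihood * impact


def rating(score):
    """Map a weighting to a qualitative rating; 0 means the risk was terminated."""
    if score == 0:
        return "Removed"
    return next(label for floor, label in BANDS if score >= floor)


def build_register(risks):
    """Return one row per risk, heaviest residual weighting first."""
    rows = []
    for r in risks:
        if r.response not in RESPONSES:
            raise ValueError(f"unknown response {r.response!r} for {r.name!r}")
        inherent = weighting(r.likelihood, r.impact)
        if r.response == "terminate":
            residual = 0          # the activity stops, so the exposure disappears
        elif r.response == "tolerate":
            residual = inherent   # nothing is done, so the weighting is unchanged
        else:                     # treat or transfer: use the post-response estimates
            residual = weighting(r.new_likelihood or r.likelihood,
                                 r.new_impact or r.impact)
        rows.append({
            "name": r.name,
            "response": r.response,
            "inherent": inherent,
            "inherent_rating": rating(inherent),
            "residual": residual,
            "residual_rating": rating(residual),
            # Tolerated risks are still tracked; anything above the tolerance
            # level needs a further decision whatever response was chosen.
            "exceeds_tolerance": residual > TOLERANCE,
        })
    rows.sort(key=lambda row: (-row["residual"], -row["inherent"], row["name"]))
    return rows


# Constructed sample risks; the scores are illustrative, not from the handout.
SAMPLE_RISKS = [
    Risk("Computer viruses", 4, 4, "treat", new_likelihood=2),   # antivirus software
    Risk("Poor performance by contractors", 3, 3, "treat",
         new_likelihood=2, new_impact=2),
    Risk("Fire at premises", 2, 5, "transfer", new_impact=2),    # insurance
    Risk("Political instability", 3, 4, "tolerate"),
    Risk("Hazardous side activity", 2, 4, "terminate"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        flag = "  <-- above tolerance" if row["exceeds_tolerance"] else ""
        print(f'{row["name"]:<34}{row["response"]:<10}'
              f'{row["inherent"]:>3} {row["inherent_rating"]:<9}'
              f'{row["residual"]:>3} {row["residual_rating"]}{flag}')
```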

Risk control
It involves:
(a) Creating a risk management plan
The risk management plan should propose applicable and effective security
controls for managing the risks. For example, an observed high risk of computer
viruses could be controlled by acquiring and implementing antivirus software. A
good risk management plan should contain a schedule for control
implementation and responsible persons for those actions.
(b) Implementation of the plan
Implementation of the risk management plan implies following all of the planned
methods for controlling the effect of the risks: purchase insurance policies for
the risks that have been decided to be transferred to an insurer, avoid all risks
that can be avoided without sacrificing the entity's goals, reduce others, and
retain the rest.
(c) Review and evaluation of the plan
Initial risk management plans will never be perfect. Practice, experience, and
actual loss results will necessitate changes in the plan and contribute
information to allow possible different decisions to be made in dealing with the
risks being faced.
Risk analysis results and management plans should be updated periodically.
There are two primary reasons for this:
(i) To evaluate whether the previously selected security controls are still
applicable and effective,
(ii) To evaluate the possible risk level changes in the business environment. For
example, information risks are a good example of a rapidly changing business
environment.

1.6. Risk Management Planning


Risk management planning is the process of deciding how to approach, plan and
execute the risk management activities for a project. The risk management
approach may include decisions about the organization, staffing of the risk
management activity, selection of the appropriate methodology, the sources of
data to identify risk, and the time frame for the analysis. It is important to plan
for the remaining processes of risk management so the level, type, and visibility
of risk management are commensurate with both the risk and importance of the
project to the organization.
A risk management plan involves risk identification, risk analysis, response
planning, and monitoring and control. Risk management planning is
documented in a risk management plan which indicates the following:
Methodology – defines the approaches, tools and data sources that may be used
to perform risk management on the project.
Roles and responsibilities – defines the lead, support, and risk management
team membership for each type of action in the risk management plan, assigns
people to those roles, and clarifies their responsibilities.
Budgeting – assigns resources and estimates costs needed for risk management
for inclusion in the project cost baseline.
Timing – defines when and how often the risk management process will be
performed throughout the project life cycle, and establishes risk management
activities to be included in the project schedule.
Scoring and interpretation – methods appropriate for the type and timing of the
risk assessment and quantification being performed. Methods and scoring must
be defined in advance to ensure consistency.
Risk categories – Provides a structure that ensures a comprehensive process of
systematically identifying risk to a consistent level of detail and contributes to
the effectiveness and quality of risk identification.
A definition of probability and impact – the quality and credibility of the
qualitative risk analysis process requires that different levels of the risks’
probabilities and impacts be defined.
Probability and impact matrix – Risks are prioritized according to their potential
implications for meeting the project’s objectives.
Revised stakeholders’ tolerances – stakeholders’ tolerances may be revised as
they apply to the specific project.
Reporting formats – describes the content and format of the risk register as well
as any other risk reports required. Defines how the outcomes of the risk
management processes will be documented, analyzed, and communicated.
Tracking – documents how all facets of risk activities will be recorded for the
benefit of the current project, future needs, and lessons learned. Documents
whether and how risk management processes will be audited.
Why risk management is critical
• Management’s job
• Reduce earnings volatility
• Maximize shareholder’s value
• Promote job and financial security

1.7. THE IMPACT OF RISK

In the previous sections, we looked at the different meanings that the terms risk
and hazards can assume. We now need to examine the effect of risks and
hazards on enterprises.

Businesses always face the uncertainty of losses that may never occur. Each
day, risks and hazards threaten business enterprises affecting them both
positively and negatively in some ways. Risks can also create opportunities
for a business enterprise. But now we examine the negative impacts of risks on
a business enterprise. The following are some of the negative consequences of
risk on a business.

(1) Cost to business

(i) Causing losses. Risks cause actual losses. The actual losses may be serious and
crippling to a business or cause great financial hardship. The losses caused by
risk may be direct losses resulting from the occurrence of the risk or indirect losses
such as loss of profits, loss of life, and disability.

(ii) Interrupting business operations

(iii) Reducing profits

(iv.) Limiting ability to compete and slowing growth.

(v) Uncertainty. Most businesses face threats of losses that may never occur.
This causes uncertainties in regard to the possibility of a loss.

(vi.) Fear and worry. Even if no loss ever occurs as anticipated, at least two
factors add to the cost of uncertainty. These are fear and worry. The time spent
thinking about real or imagined chances of loss is expensive considering the
many other things that could be done if there were no fear of loss. The cost of
loss of peace of mind is great indeed.

Fear and worry may stop a business from engaging in certain profitable activities
and otherwise alter how it conducts its operations.

(vii) Less than optimal use of resources. Investments are frequently influenced
by the risks to which they are exposed. Some activities or investments are
completely avoided because the exposure to loss is very high.

The amount of money “put away for a rainy day” is not readily available for
investment and cannot be invested in a much more productive capacity.

Investments may be diverted to more liquid or safer types of assets than are
really necessary. This results in reduced earnings which is an additional cost of
risk.

(viii) Short-term planning. Risk causes the tendency to concentrate planning in
the near future, rather than on the significant benefits of long-range planning.

1.8. Benefits of risk management

There is certainly a strong case for implementing risk management due to the
benefits that are obtained from it. These include:

1. Achievement of organizational objectives.

The organization is better able to focus on business priorities. It also enables
managers to focus their resources on the primary objectives. Resources are not
re-directed to deal with problems. Taking action to prevent and reduce losses,
rather than cleaning up after the losses have occurred is in fact an effective risk
strategy that results in increased confidence of shareholders and managers.

2. Risk management leads to a cultural change that supports open discussion
about risks and potentially damaging information. The new culture tolerates
mistakes but does not tolerate hiding errors. Also, the culture emphasizes
learning from the mistakes which leads to improved financial and operational
management by ensuring that risks are adequately considered in the
decision-making process.

3. Improved operational management will result in more effective and efficient
service delivery. By anticipating problems, managers may have more
opportunity to react and take action. The organization will be able to deliver on
its service promise by strengthening its planning process and helping
management identify opportunities.

4. Proper risk management enables a business to handle better its exposures to
accidental losses in the most economical and effective way.

5. It also enables a business to handle better its ordinary business risks. Freed
from concern about the accidental losses, a business can pursue more
aggressively and effectively its regular activities.

6. If a business has successfully managed its pure risks, the peace of mind this
brings about allows the managers to undertake new attractive speculative risks
that they would otherwise seek to avoid. This peace of mind, made possible
by sound management of pure risks, may by itself be a valuable non-economic
asset because it improves the physical and mental health of the owners,
managers and the employees who would be affected by losses to the firm.

7. The quality of its decisions is improved by considering how these decisions
would affect the firm’s exposure to accidental losses. By alerting the managers
to the risk aspects of ventures, risk management improves the quality of the
decisions regarding such ventures.

8. Proper risk management may make the difference between survival and
failure. Some losses such as the destruction of a company’s factory may so
cripple the company that without proper advance preparation for such an event,
the firm may be forced to close down.

9. Proper risk management can contribute directly to business profits through
preventing or reducing accidental losses as a result of taking certain low cost
measures to handle minor losses, through transferring potentially serious losses
to others at the lowest possible fee, through electing to take a chance on small
losses unless the transfer fee is a bargain, and through preparing the firm to
meet most economically those losses that it has decided to retain.

10. Proper risk management can reduce the fluctuation in profits and cash flows.
Wild fluctuations in cash flows can cause a big challenge in carrying out business
activities. Stable profits make it easy for a firm to raise capital, as investors
prefer a company with a stable earnings record to one whose earnings are
unstable.

11. Through advance preparations, risk management can in many cases make
it possible to continue operations following a loss, thus enabling a firm to retain
its customers and suppliers who might otherwise turn to competitors.

12. Professional risk managers and insurers contribute significantly by stabilizing
businesses through the indemnities they provide, the accidents they either
prevent or reduce in severity, the long-term projects which they invest in, and
the security they provide by reducing uncertainty.

Topic Summary
In this topic, you have learned that Risk management involves identification,
assessment, and prioritization of risks followed by coordinated and economical
application of resources to minimize, monitor, and control the probability and/or
impact of unfortunate events.
In summary, you learned that:

• Risks could arise from company factors (factors actually or potentially
under one's control), industry factors (factors in the wider policy and
institutional environments and controllable by decision makers
elsewhere), and general economic condition (these are risks that are
uncontrollable which influence the general level of organization activities).
Classification of risk

• Risk has three primary components: an event (an unwanted change), a
probability of occurrence of that event, and the impact of that event (amount
at stake).

• The term risk can also refer to the object covered or insured in a contract
of insurance. It could be a house, a car, a life, etc. For every contract of
insurance there must be something being insured against loss. This
becomes the subject matter of the contract and can be referred to by the
insurers as the risk.

• Risk can also mean a peril. This is the immediate cause of a loss such as
a fire or earthquake. Each loss that occurs must have a cause. Such
causes include accident, illness, theft, fire, etc.

• The most widely accepted measure of risk is standard deviation. It is a
figure that more or less measures the degree or the level of in a given
situation. It is a measure of risk that is objective.

• There are three types of risk attitudes: risk averse (these are investors
who prefer less risk to more risk), risk neutral (these are investors who
attach the same utility to increasing or decreasing wealth), and risk
seeking (these are investors who attach more utility to the potential of
additional wealth than to the possible loss from the decrease in wealth).

• The Risk Management Process involves Risk Identification, Risk
Quantification, Risk Response and Risk Control.

• Risk management planning is the process of deciding how to approach,
plan and execute the risk management activities for a project. The risk
management approach may include decisions about the organization,
staffing of the risk management activity, selection of the appropriate
methodology, the sources of data to identify risk, and the time frame for
the analysis.

Further Reading

Mandatory Reading
1. Arthur C. W., Smith M. L. and Young (1998). Risk Management and Insurance,
Irwin/McGraw-Hill.
2. Mark R. Greene: Risk and Insurance. South Western Publishing Co.,
Cincinnati, Ohio, 1988.
3. E. Vaughan and T. Vaughan: Essentials of Insurance. satitya Bhawa publisher
Ltd., Agra, India, 1997.

Optional Reading

a) Institute of Risk Management, A Risk Management Standard (2002),
www.theirm.org.
b) International Standard ISO 31000 (2009) Risk management – Principles and
guidelines, www.iso.org.
