
IM 218

INFORMATION SYSTEMS STRATEGY

Lecture 6
RISK MANAGEMENT PROCESS

Lecture Content
Definition of Risk
Categories of Risks
Risk Management Cycle
Risk Management process
Possible pitfalls in the Risk Management Process

H.M 3
RISK MANAGEMENT

What is Risk Management?


It is a process to:
Identify all the relevant risks
Assess/rank those risks
Address the risks in order of priority
Monitor risks and report their management
RISK MANAGEMENT-Why do we need it?
Promote good management
May be a legal requirement depending upon industry or sector
Resources available are limited- therefore a focused response to Risk
Management is needed.

CONT..
What is Risk?
A risk is an uncertain event which may occur in the future
A situation involving exposure to danger.
A risk may prevent or delay the achievement of organization's objectives or
goals. Or
Is the chance of something happening that will impact on the objectives.
A risk is not certain; its likelihood can only be estimated.
Note: not all risk is bad; some level of risk must be taken in order to progress/
prevent stagnation.
CATEGORIES OF RISKS
There are multiple ways into which the risks can be categorized.
Financial
Reduction in funding
Failure to safeguard assets
Poor cash flow management
Fraud/ Theft
Poor budgeting
Operational
These risks result from failed or inappropriate policies, procedure or activities
Failure of an IT system
Poor quality of service delivered
Staff skill level
Reputational
The organization engages in activities that could threaten its good name
Through association with other bodies
Staff/member acting in a criminal or unethical way
Poor stakeholder relations
Strategic
Engage in activity at variance with its stated objectives.
Fails to engage in activity that would support its stated objectives.
Governance and Compliance
The organization engages in activities that could threaten its good name
Segregation of duties not defined formally
Ensuring compliance with funders' terms and conditions.
Compliance with applicable legislation
• Taxation Law
• Data protection
• Health and safety law
RISK MANAGEMENT CYCLE

RISK MANAGEMENT PROCESS
The risk management process consists of a series of steps that, when undertaken in
sequence, enable continual improvement in decision making.
The following are the five steps of the risk management process.
Risk identification
Risk Analysis
Evaluate or rank the Risk
Treat the risks
Monitor and Review the Risks
RISK MANAGEMENT
Risk management Cycle- Step1
CONT…
Risk Management Cycle-Step 2
• Risk Identification: what are the threats and uncertainties associated with my
organization’s objectives?
• Involves identifying the risks that the business or organization is exposed to in its
operating environment.
• There are many different types of risk: legal risks, market risks, environmental
risks and many more.
• It is important to identify as many of these risks as possible.

CONT…
The aim of risk identification is to identify possible risks that may affect, either
negatively or positively, the objectives of the business and the activity under
analysis.
Answering the following questions identifies the risk:
CONT…
1. Retrospective risks are those that have previously occurred, such as incidents
or accidents.
Retrospective risk identification is often the most common way to identify risk,
and the easiest. It’s easier to believe something if it has happened before.
It is also easier to quantify its impact and to see the damage it has caused.
CONT…
There are many sources of information about retrospective risk. These include:
• Hazard or incident logs or registers
• Audit reports
• Customer complaints
• Accreditation documents and reports
• Past staff or client surveys
• Newspapers or professional media, such as journals or websites.
CONT…
2-Identifying prospective risks
Prospective risks are often harder to identify.
These are things that have not yet happened, but might happen some time in the
future.
Identification should include all risks, whether or not they are currently being
managed.
The rationale here is to record all significant risks and monitor or review the
effectiveness of their control.
TIPS FOR EFFECTIVE RISK IDENTIFICATION
Involve the right people in risk identification activities
Take a life cycle approach to risk identification and determine how risks change and evolve
throughout this cycle.
CONT..
Analysis of the Risk
Once the risks have been identified, they need to be analyzed.
The scope of each risk must be determined.
It is important to understand the link between the risks and different factors
within the organization.
It is also important to determine how many business functions the risk affects.
This step will assist in determining which risks have a greater consequence or
impact than others.
Elements of Risk Analysis
The elements of risk analysis are as follows:
Identify existing strategies and controls that act to minimize negative risks and
enhance opportunity.
Determine the consequences of a negative
impact or an opportunity (these may be positive or negative).
Determine the likelihood of a negative consequence or an opportunity.
Estimate the level of risk by combining consequence and likelihood.
Consider and identify any uncertainties in the estimates.
CONT…
Risk Management Cycle-Step 3
Evaluate the risk
Risk evaluation involves comparing the level of risk found during the analysis process with
previously established risk criteria, and deciding whether these risks require treatment.
The result of a risk evaluation is a prioritized list of risks that require further action.
A risk that may cause some inconvenience is rated low, and risks that can result in
catastrophic loss are rated highest.
This step is about deciding whether risks are acceptable or need treatment.
The highest-rated risks are enough to require intervention.
The business may be vulnerable to several low level risks, but may not require an intervention.
CONT..
Risk acceptance
A risk may be accepted for the following reasons:
• The cost of treatment far exceeds the benefit, so that acceptance is the only
option (applies particularly to lower ranked risks)
• The level of the risk is so low that specific treatment is not appropriate with
available resources
• The opportunities presented outweigh the threats to such a degree that the risk is
justified.
• The risk is such that there is no treatment available.
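
The analysis, evaluation and acceptance steps above, worked through as an added Python example that is not part of the original lecture. The 1-5 scales, the threshold of 8, the cost factor of 3 and all sample figures are assumptions constructed for illustration; the fourth acceptance reason (opportunities outweighing threats) is not modelled.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed values: the lecture defines no scales, thresholds or cost ratios.
TREAT_THRESHOLD = 8   # level at or above this fails the risk criteria
COST_FACTOR = 3       # "far exceeds" = cost > 3x the expected loss

@dataclass
class Risk:
    name: str
    likelihood: int                  # 1 (rare) .. 5 (almost certain)
    consequence: int                 # 1 (minor) .. 5 (catastrophic)
    expected_loss: float             # estimated loss if left untreated
    treatment_cost: Optional[float]  # None = no treatment available

    @property
    def level(self) -> int:
        # Level of risk = consequence combined with likelihood
        return self.likelihood * self.consequence

def evaluate(risk: Risk) -> tuple:
    """Compare one risk with the criteria; return (decision, reason)."""
    if risk.treatment_cost is None:
        return ("accept", "no treatment available")
    if risk.level < TREAT_THRESHOLD:
        return ("accept", "level too low to justify treatment")
    if risk.treatment_cost > COST_FACTOR * risk.expected_loss:
        return ("accept", "cost of treatment far exceeds benefit")
    return ("treat", "level exceeds risk criteria")

def prioritise(register: list) -> list:
    """Return (name, level, decision, reason) rows, highest level first."""
    ranked = sorted(register, key=lambda r: r.level, reverse=True)
    return [(r.name, r.level) + evaluate(r) for r in ranked]

# Constructed sample register; names reuse the lecture's risk categories.
REGISTER = [
    Risk("Failure of an IT system", 3, 5, 150_000, 20_000),
    Risk("Fraud / theft", 2, 4, 80_000, 5_000),
    Risk("Reduction in funding", 4, 4, 200_000, None),
    Risk("Poor stakeholder relations", 2, 2, 3_000, 1_000),
    Risk("Staff skill level", 3, 3, 10_000, 90_000),
]

if __name__ == "__main__":
    for row in prioritise(REGISTER):
        print("{:<28} level={:<3} {:<7} {}".format(*row))
```

Accepted risks stay in the output with the reason for acceptance, so they remain visible for the monitor and review step.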

CONT..
Risk Management Cycle-Step 4
• Treat the Risk or Take action
• Every risk needs to be eliminated.
• This is done by connecting with the experts of the field to which the risk
belongs.
CONT..
Risk treatment is about considering options for treating risks that were not
considered acceptable or tolerable in the previous step.
Risk treatment involves identifying options for treating or controlling risk, in
order to either reduce or eliminate negative consequences, or to reduce the
likelihood of an adverse occurrence.
Risk treatment should also aim to enhance positive outcomes.
CONT..
Options for risk Treatment
 Identifies the following options that may assist in the minimization of negative
risk or an increase in the impact of positive risk.
• 1- Avoid the risk
• 2- Change the likelihood of the occurrence
• 3- Change the consequences
• 4- Share the risk
• 5- Retain the risk
CONT..
Tips for implementing risk treatment
When implementing the risk treatment plan, ensure that adequate resources are
available, and define a timeframe, responsibilities and a method for monitoring
progress against the plan.
Physically check that the treatment implemented reduces the residual risk level.
In order of priority, undertake remedial measures to reduce the risk.
Risk management Cycle: step 5 Monitor and review/report
Monitor and review is an essential and integral step in the risk management
process.
A business owner must monitor risks and review the effectiveness of the
treatment plan, strategies and management system that have been set up to
effectively manage risk.
RISK REGISTER
What is it?
Components
How to report on it.
CONT…
A risk register is a management tool used to record relevant details relating to risks.
It is a database of information on risks.
RISK MANAGEMENT - REGISTER Example
CONT…
CONT…
TIPS FOR SUCCESS
Involve all levels of staff and management in the process
Check that controls are relevant and effective
Ensure risk owners take responsibility for management of risks under their control
Focus on a risk's cause and not its symptoms
Why Risk Management May Fail
Did not engage all stakeholders
Failure to share information
Risk management not embedded within planning and management system.
Lack of Top Management system.
Limitation of scope.
END OF LECTURE
THANK YOU
