Professional Documents
Culture Documents
4 T's of Risk Management
4 T's of Risk Management
Priority significant risks that an organization encounters are those that possess:
High or very high impact when studied about the benchmark test
High or very high probability of happening at or above the benchmark scale
High or very high possibility for cost-effective control methods for improvement
Only priority significant risks, in general, necessitate attention at the highest levels of the business. It
is also noted that control issues also require major consideration. In the normal course, the board will
want these regulatory risks to be appropriately handled, and the board will only receive annual risk
performance reports or a special report in case a particular problem of concern arises.
Source: depositphotos.com
The standard that is set for significance has to be fixed at a level that indicates a significant influence
on the organization. After identifying priority risks, the company must assess the regulatory measures
currently adopted and determine whether additional measures are required. Numerous responses are
available for hazard risks and are collectively referred to as the 4Ts. Risk response options can be
described using different terminologies. The terms risk treatment is defined in general by British
Standard BS 31100 and ISO 31000.
Risk treatment, for example, is defined by the British Standard as the "process of defining, selecting,
and implementing controls." Similarly, ISO 31000 defines risk treatment as "the creation and
implementation of risk mitigation methods." For the risk response phase of the risk management
process, the terminology used in the Orange Book has been applied. The 4Ts can then be used to
identify risk response alternatives.
Tolerate
Treat
Transfer
Terminate
The figure above shows that there is a significant response about each of the 4Ts and the placement
of the risk in the risk matrix. For low-impact / low-likelihood risks, the major response is
tolerated. For low impact / high likelihood risks, the major response is ‘treat’. In the case of
high impact / low likelihood, the major response is transfer, and concerning high impact / high
likelihood risks, the major response is termination.
An organization will be able to place each risk on a risk matrix after assessing it. The risk position on
the risk matrix will then show the risk's most unlikely response. Typically, the impact of the present
control system would have been assessed as an exercise of risk assessment.
Consider a situation where a theatre is required to respond to booking agents who demand payment
at the time of booking rather than after the play and over and above this, the theatre also recently
suffered a significant financial loss due to an actor's inability to come on the night of the performance.
Due to this, the theatre has reviewed the booking and appearance arrangements for actors and
determined that all 4Ts are apt. The theatre may decide that they need to adjust to the new booking
fee arrangements. It could also determine that in the future, to reduce the risk, it will deal with
recognized agents only and will terminate current agreements with an agency that has previously not
proven to be trustworthy. The theatre may also look into purchasing insurance to facilitate the
transfer of the expense of a performance that is canceled because an actor had not shown up for the
event.
Risk Tolerance
British Standard BS 31100 defines risk tolerance as an organization's willingness to suffer risk after
risk treatments to accomplish the objectives. Risks that are now beyond an organization's
comfort zone and risk appetite may have to be tolerated. A company may have to tolerate
risks that are greater than its actual risk capacity on some occasions. This arrangement, however,
may not be workable, and the organization may stand vulnerable at this time.
Hazard risk may not be accepted before the execution of risk control measures. In general, the risk is
tolerable only when all cost-effective risk reduction measures have been implemented, and the
company accepts or tolerates the risk at its current level. Some of the control measures could have
been implemented because the risk's inherent level was considered to be intolerable. The goal of the
control measure is to transfer the risk to the low-likelihood/low-impact quadrant of the risk matrix.
Risks are often accepted only as a part of a deal in which one risk is balanced in contrast to another.
This is a risk neutralization or hedging, but on a commercial level, it could be a critical strategic
decision. An independent electrical firm functional in the northern states of the United States, for
example, may be forced to accept the impact of temperature on turnover from electricity. A response
to such a situation for the firm in the northern state of the United States would be to set up a joint
venture with an electricity company in the southern state. This could moderate the temperature-
related differences in electricity sales. The outcome of such a measure would be that during cold
weather, when demand in the southern states is low, a combined operation will sell more electricity in
the northern states. On the other hand, during summer, the combined operation will sell more
electricity for air-conditioning equipment in the southern states, when demand for electricity in the
northern states tends to be less.
Risk Treatment
When a hazard risk exposure or likelihood is significant but the potential loss is less, the organization
will want to deal with the risk. Risk treatment is therefore carried out with the risk at its inherent
and/or current level, in the hope that once the risk is treated, the new current level or target level
would be acceptable.
Risk Termination
The organization will want to terminate or remove a risk that has both a high likelihood and a high
potential impact. It's possible that the risks of dealing in a given region of the world, or the
environmental problems of continuing to use specific chemicals, are too much for the organization
and/or its stakeholders to bear. The best course of action in these cases is to eliminate the risk by
ceasing the activity, replacing a new process, or outsourcing the risky activity. Even if an organization
If these controls are implemented, the degree of risk decreases to a point where the organization can
tolerate it. Due to the varying nature of risks, it may not be possible to reduce all risks to a level that
is within the organization's risk appetite. To continue engaging in a specific activity, the organization
may perceive that it must accept risks that are greater than its empirical risk appetite.
Risk Transfer
Risk transfer is adopted when the probability of the risk happening is relatively low but the magnitude
is high. Insurance is one of the most sought-after techniques adopted by organizations to transfer the
dire financial losses incurred as a consequence of serious hazard risks and partially from control risks.
Hazard risk covers exposures that result in a loss with no chance of a benefit. When a structure is
destroyed by fire, a company's assets may be physically damaged. Employees or consumers may
sustain physical harm as a result of accidents, injuries, or sickness. This could result in lawsuits and
payment of huge compensations.
Even though the 4Ts of hazard response could be depicted on a risk matrix, the possibilities
are ambiguously stated. The risk matrix shows that the tolerate and terminate options conjoin at the
center of the matrix. It is illogical to believe that a slight increase in risk possibility and possible
impact will entirely alter the organization's risk management strategy.
On the risk matrix, there are three zones, low-likelihood and low-potential-impact occurrences are
essentially the comfort zone. There is always a level of possible impact that is within the acceptable
range. Similarly, there is a level of risk probability that is always assumed to be so low that it will
never occur.
Though so, as the probability of the risk occurring and the possible impact increase, a decision
regarding whether the risk should be tolerated or not has to be taken. risk's likelihood and possible
impact grow, a decision must be made on whether the risk should be tolerated. Within the cautious
zone, judgment is necessary, and steps are normally done to treat and/or transfer the
risks.
A critical line is reached as the prospects of danger and potential effects grow. When a risk crosses
the critical line, the organization will be concerned about accepting it and will refrain from
exposing itself to it. In some cases, the firm will not be able to eliminate these risks, either because
it is crucial for the business or because they are linked to a high-risk–high-reward strategy that the
board has embraced