4Ts OF RISK MANAGEMENT

The 4Ts of Hazard Response

Priority significant risks that an organization encounters are those that possess:

High or very high impact when studied about the benchmark test
High or very high probability of happening at or above the benchmark scale
High or very high possibility for cost-effective control methods for improvement

Only priority significant risks, in general, necessitate attention at the highest levels of the business. It
is also noted that control issues also require major consideration. In the normal course, the board will
want these regulatory risks to be appropriately handled, and the board will only receive annual risk
performance reports or a special report in case a particular problem of concern arises.

Source: depositphotos.com

The standard that is set for significance has to be fixed at a level that indicates a significant influence
on the organization. After identifying priority risks, the company must assess the regulatory measures
currently adopted and determine whether additional measures are required. Numerous responses are
available for hazard risks and are collectively referred to as the 4Ts. Risk response options can be
described using different terminologies. The terms risk treatment is defined in general by British
Standard BS 31100 and ISO 31000.

Risk treatment, for example, is defined by the British Standard as the "process of defining, selecting,
and implementing controls." Similarly, ISO 31000 defines risk treatment as "the creation and
implementation of risk mitigation methods." For the risk response phase of the risk management
process, the terminology used in the Orange Book has been applied. The 4Ts can then be used to
identify risk response alternatives.

The 4Ts of hazard risk management are stated as follows:

Tolerate
Treat
Transfer
Terminate

© 2023 Athena Global Education. All Rights Reserved

Fig. Risk Matrix & The 4T's Hazard Management

The figure above shows that there is a significant response about each of the 4Ts and the placement
of the risk in the risk matrix. For low-impact / low-likelihood risks, the major response is
tolerated. For low impact / high likelihood risks, the major response is ‘treat’. In the case of
high impact / low likelihood, the major response is transfer, and concerning high impact / high
likelihood risks, the major response is termination.

An organization will be able to place each risk on a risk matrix after assessing it. The risk position on
the risk matrix will then show the risk's most unlikely response. Typically, the impact of the present
control system would have been assessed as an exercise of risk assessment.

Consider a situation where a theatre is required to respond to booking agents who demand payment
at the time of booking rather than after the play and over and above this, the theatre also recently
suffered a significant financial loss due to an actor's inability to come on the night of the performance.
Due to this, the theatre has reviewed the booking and appearance arrangements for actors and
determined that all 4Ts are apt. The theatre may decide that they need to adjust to the new booking
fee arrangements. It could also determine that in the future, to reduce the risk, it will deal with
recognized agents only and will terminate current agreements with an agency that has previously not
proven to be trustworthy. The theatre may also look into purchasing insurance to facilitate the
transfer of the expense of a performance that is canceled because an actor had not shown up for the
event.

Risk Tolerance

British Standard BS 31100 defines risk tolerance as an organization's willingness to suffer risk after
risk treatments to accomplish the objectives. Risks that are now beyond an organization's
comfort zone and risk appetite may have to be tolerated. A company may have to tolerate
risks that are greater than its actual risk capacity on some occasions. This arrangement, however,
may not be workable, and the organization may stand vulnerable at this time.

© 2023 Athena Global Education. All Rights Reserved

When a hazard risk is deemed acceptable by the organization's risk appetite, it will be tolerated. Risk
tolerance is defined as the method that will be taken in the face of low probability and low-impact
dangers. A company may however decide to tolerate high-risk levels if they are related to potentially
profitable activity or are related to the basic operations of the company.

Hazard risk may not be accepted before the execution of risk control measures. In general, the risk is
tolerable only when all cost-effective risk reduction measures have been implemented, and the
company accepts or tolerates the risk at its current level. Some of the control measures could have
been implemented because the risk's inherent level was considered to be intolerable. The goal of the
control measure is to transfer the risk to the low-likelihood/low-impact quadrant of the risk matrix.

Risks are often accepted only as a part of a deal in which one risk is balanced in contrast to another.
This is a risk neutralization or hedging, but on a commercial level, it could be a critical strategic
decision. An independent electrical firm functional in the northern states of the United States, for
example, may be forced to accept the impact of temperature on turnover from electricity. A response
to such a situation for the firm in the northern state of the United States would be to set up a joint
venture with an electricity company in the southern state. This could moderate the temperature-
related differences in electricity sales. The outcome of such a measure would be that during cold
weather, when demand in the southern states is low, a combined operation will sell more electricity in
the northern states. On the other hand, during summer, the combined operation will sell more
electricity for air-conditioning equipment in the southern states, when demand for electricity in the
northern states tends to be less.

Risk Treatment

When a hazard risk exposure or likelihood is significant but the potential loss is less, the organization
will want to deal with the risk. Risk treatment is therefore carried out with the risk at its inherent
and/or current level, in the hope that once the risk is treated, the new current level or target level
would be acceptable.

Risk Termination

The organization will want to terminate or remove a risk that has both a high likelihood and a high
potential impact. It's possible that the risks of dealing in a given region of the world, or the
environmental problems of continuing to use specific chemicals, are too much for the organization
and/or its stakeholders to bear. The best course of action in these cases is to eliminate the risk by
ceasing the activity, replacing a new process, or outsourcing the risky activity. Even if an organization

© 2023 Athena Global Education. All Rights Reserved

attempts to reduce risk, the activity that produces it may be vital to the organization's continued
operation. In such circumstances, the organization may not be able to eradicate or eliminate the risk,
necessitating the implementation of additional controls. This is a particular problem in the case of
government services. Certain hazards may have a high likelihood and impact, but the organization
may not be control or eradicate those actions that are the root cause of such risks. This could be due
to a statutory requirement imposed on a government organization. Because the public service
imperative may make it difficult to stop the activity, the organization will need to implement control
measures to the extent possible. Therefore, it is most probable that control measures that are
adopted would be a blend of risk treatment and transfer.

If these controls are implemented, the degree of risk decreases to a point where the organization can
tolerate it. Due to the varying nature of risks, it may not be possible to reduce all risks to a level that
is within the organization's risk appetite. To continue engaging in a specific activity, the organization
may perceive that it must accept risks that are greater than its empirical risk appetite.

Risk Transfer

Risk transfer is adopted when the probability of the risk happening is relatively low but the magnitude
is high. Insurance is one of the most sought-after techniques adopted by organizations to transfer the
dire financial losses incurred as a consequence of serious hazard risks and partially from control risks.

(Source-Fundamentals of Risk Management Understanding, evaluating and implementing effective

risk management Paul Hopkin)

Hazard Risk Zones

Hazard risk covers exposures that result in a loss with no chance of a benefit. When a structure is
destroyed by fire, a company's assets may be physically damaged. Employees or consumers may
sustain physical harm as a result of accidents, injuries, or sickness. This could result in lawsuits and
payment of huge compensations.

© 2023 Athena Global Education. All Rights Reserved

The impairment caused by a hazard can be greater than the immediate damage it produces. An
explosion at a refinery needs immediate repair and redevelopment. The time it takes to repair the
refinery results in direct sales losses and could result in future commercial and financial losses.

Even though the 4Ts of hazard response could be depicted on a risk matrix, the possibilities
are ambiguously stated. The risk matrix shows that the tolerate and terminate options conjoin at the
center of the matrix. It is illogical to believe that a slight increase in risk possibility and possible
impact will entirely alter the organization's risk management strategy.

On the risk matrix, there are three zones, low-likelihood and low-potential-impact occurrences are
essentially the comfort zone. There is always a level of possible impact that is within the acceptable
range. Similarly, there is a level of risk probability that is always assumed to be so low that it will
never occur.

Though so, as the probability of the risk occurring and the possible impact increase, a decision
regarding whether the risk should be tolerated or not has to be taken. risk's likelihood and possible
impact grow, a decision must be made on whether the risk should be tolerated. Within the cautious
zone, judgment is necessary, and steps are normally done to treat and/or transfer the
risks.

A critical line is reached as the prospects of danger and potential effects grow. When a risk crosses
the critical line, the organization will be concerned about accepting it and will refrain from
exposing itself to it. In some cases, the firm will not be able to eliminate these risks, either because
it is crucial for the business or because they are linked to a high-risk–high-reward strategy that the
board has embraced

© 2023 Athena Global Education. All Rights Reserved