This module reviews the concepts and definitions of risk and risk management. It will also describe
the general and alternative risk management standards and explain enterprise risk management (ERM).
According to Andrew Jaquith, “The purpose of risk management is to improve the future, not to
explain the past.” Richard S. Fuld, Jr. adds, “The key to risk management is never putting yourself in a position where you
cannot live to fight another day.”
4. Analyze risk management situations and give insights on whether they were properly managed or not
LEARNING CONTENTS (A. Concepts and definitions of risk and risk management.)
1. Definitions of risk
According to Curracubby Team (2020), “we all manage risk in our daily lives. When we cross the
street, order food (let’s say a fried oreo), or call an old friend, we are analyzing the pros and cons of each
action, along with associated risks. Will I make it across the street in time? Will the fried food catch up to me?
Is my old friend going to be the same as they were in the past?”
According to Information Security Risk Management, "Risk is the combination of the risk of exposure
and the impact = combination of likelihood of the threat being able to expose an element(s) of the system and
impact".
Another definition by Managing Successful Programmes is that “Risk is an uncertain event or set of
events which, should it occur, will have an effect on the achievement of objectives; a risk is measured by a
combination of the probability of a perceived threat or opportunity occurring and the magnitude of its impact on
objectives.”
In economics, risk implies future uncertainty about deviation from expected earnings or expected
outcome. Risk measures the uncertainty that an investor is willing to take to realize a gain from an investment.
The important thing to remember is that risks are part of daily life, but they can be managed,
and sometimes avoided altogether, through preemptive action.
Risk impact is an estimate of the potential losses associated with an identified risk. Estimating both the
probability and the impact of each identified risk is a standard step in risk analysis. Impact on an
organization can range from low through moderate to significant.
The chart above (a probability-impact matrix) can be used to decide how to act in a given situation. The two factors that govern the action
required are the probability of occurrence and the impact of the risk. For example, where the
impact is minor and the probability of occurrence is low, it is usually best to accept the risk without any intervention.
Where the likelihood is high and the impact is significant, extensive management is required. This
is how a priority can be established for dealing with each risk.
HIGH or SIGNIFICANT level risks require escalation and thorough risk analysis. Extra risk control
mechanisms need to be put in place, and risk treatment measures clearly identified, budgeted, and
implemented; frequent monitoring; and necessary precautions to ensure staff and personnel safety and
security are not compromised and opportunities are not missed.
Both SUBSTANTIAL and MODERATE level risks require risk analysis scaled to the scope and nature of the
risks with risk treatment and monitoring measures in place and budgeted. SUBSTANTIAL risks require more
detailed risk analysis and risk management plans.
LOW level risks do not require further analysis or treatment beyond being recorded in the risk register and
reviewed periodically, since their likelihood or impact can change over time.
Risk can be of two types: positive or negative. The former is also known as an opportunity, and the latter is
called a threat.
Negative Risk
A negative risk is a situation that would adversely affect one or more of your project objectives.
Because such risks harm project objectives, you must treat them. Your strategy will either
avert the negative risk or reduce its likelihood or its impact.
For example, let us say that there is a possibility that a piece of equipment may break due to overuse; this will
hurt your project.
Positive Risk
Positive risk is a condition or situation that will positively impact any of your project objectives.
Since these risks are favorable, you will encourage them. The response strategy is to increase the likelihood of
the event happening or increase the impact.
For example, let us say that you will get another gig if you complete your project a few days before the
scheduled date.
The following types of risk also apply to schools and to other organizations and businesses.
The risks facing an organization and its operations can result from factors both external and internal to the
organization. The diagram overleaf (Fig. 2) summarizes examples of key risks in these areas and shows that
some specific risks can have both external and internal drivers and therefore overlap the two areas. They can
be categorized further into types of risk such as strategic, financial, operational, hazard, etc.
The diagram below gives another categorization of risk:
At the broadest level, risk management is a system of people, processes and technology that enables an
organization to establish objectives in line with values and risks.
Risk management is the process of identifying, assessing, and controlling financial, legal, strategic and
security risks to an organization’s capital and earnings. These threats, or risks, could stem from a wide
variety of sources, including financial uncertainty, legal liabilities, strategic management errors, accidents,
and natural disasters.
If an unforeseen event catches your organization unaware, the impact could be minor, such as a small impact
on your overhead costs. In a worst-case scenario, though, it could be catastrophic and have serious
ramifications, such as a significant financial burden or even the closure of your business.
To reduce risk, an organization needs to apply resources to minimize, monitor and control the impact of
negative events while maximizing positive events. A consistent, systematic, and integrated approach to risk
management can help determine how best to identify, manage, and mitigate significant risks.
Another definition: risk management is the process of minimizing or mitigating risk. It starts with
the identification and evaluation of risks, followed by the optimal use of resources to monitor and minimize
them. Risk management is thus the process of anticipating unwelcome events and mitigating their effects as
far as possible. It includes anticipating and assessing risks, planning around them, monitoring them, and
responding to them when appropriate.
Risk management applies to many fields, from Finance to Healthcare, and to many processes, from new
product development to IT projects. Product development projects in particular are exercises in reducing risk to
an acceptably low level.
LEARNING ACTIVITY 1
With a colleague/classmate, identify possible risks in school. How does the school manage these risks?
Brainstorm how risk management benefits the school and the administration. Give concrete examples of how
risk management helps in certain situations.
Share to class.
Possible answers:
Risk management is important because it keeps your students, faculty, and finances safe from any harm, while
also protecting your financial assets and lowering your legal liability. Not only will developing a risk
management plan for your school reduce the chances of risks, but it will also mitigate the effects of those risks
if they should occur.
For example, if a student shows symptoms of COVID-19 during the school day, you will
already have a response plan in place to contain the adverse effects and prevent further
spread.
Risk management comes with these benefits for school administrators:
ISO is a nongovernmental organization that comprises standards bodies from more than 160 countries, with
one standards body representing each member country. For example, the American National Standards
Institute represents the United States.
ISO members are national standards organizations that collaborate in the development and promotion of
international standards for technology, scientific testing processes, working conditions, societal issues and
more. ISO and its members then sell documents detailing these standards.
The ISO's General Assembly is its decision-making body. It consists of representatives from the members and
elected leaders called principal officers. The organization has its headquarters in Geneva, Switzerland, where
a central secretariat oversees operations.
The ISO 31000:2018 standard, Risk management - Guidelines, lists the following eight principles for any solid
risk management program.
1. Integration - An organization should integrate its risk management efforts into all parts and activities of
the organization.
2. Structured and comprehensive - Creating and following a comprehensive, structured risk management
approach leads to the most consistent, desirable risk management outcomes.
3. Customized - The risk management framework and process should be tailored to, and proportionate to,
the organization's external and internal context and its objectives; a program copied unchanged from
another organization rarely fits.
4. Inclusive - To be most effective, risk management should involve all stakeholders in appropriate
and timely ways. This allows the different knowledge sets, views, and perceptions of all stakeholders
to be considered and reflected in risk management efforts.
5. Dynamic - As the organization changes, including its external and internal context, the organization's
risk management program and efforts should change, too. Change is inevitable and successful
organizations know how to work with change. A risk management program should help the
organization anticipate, identify, acknowledge, and respond to changes in an appropriate and timely
way.
6. Uses best available information - Effective risk management is done by considering information
from the past and present as well as anticipating the future. Therefore, (1) the information from the
past and present must be as reliable as possible, and (2) risk managers must consider the limitations
and uncertainties with that past and present information. All relevant stakeholders should receive
necessary information in a timely and clear manner.
7. Considers human and cultural factors - Risk management is a human activity, and it takes place
within one or more cultures (organizational culture, national culture, etc.). Risk managers must be aware of the human
and cultural factors surrounding the risk management effort and understand the influence those
factors will have on it.
8. Practices continual improvement - Through experience and learning, risk managers must strive to
continually improve an organization's risk management efforts.
AVOID engaging in current projects and activities that would trigger unacceptable risks.
SHIFT (through partnering, changing contract terms, or purchasing insurance) risks that cannot be directly
mitigated.
ACCEPT the remaining risks, having taken the reasonable steps outlined above, but
IMPROVE the process by reviewing the results and modifying the approach going forward, so that over time
the organization grows nimbler and more resilient.
LEARNING ACTIVITY 2
Create a Risk Management Plan for Your School. Take into considerations all the discussed concepts.
Enterprise risk management (ERM) is a methodology that looks at risk management strategically
from the perspective of the entire firm or organization. It is a top-down strategy that aims to identify, assess,
and prepare for potential losses, dangers, hazards, and other potentials for harm that may interfere with an
organization's operations and objectives and/or lead to losses.
Enterprise risk management takes a holistic approach and calls for management-level decision-making that
may not necessarily make sense for an individual business unit or segment. Thus, instead of each business
unit being responsible for its own risk management, firm-wide surveillance is given precedence.
It also often involves making the risk plan of action available to all stakeholders as part of an
annual report. Industries as varied as aviation, construction, public health, international development,
energy, finance, and insurance all have shifted to utilize ERM.
ERM, therefore, can work to minimize firmwide risk as well as identify unique firmwide
opportunities. Communicating and coordinating between different business units is key for ERM to be
successful, since the risk decision coming from top management may seem at odds with local assessments
on the ground. Firms that utilize ERM will typically have a dedicated enterprise risk management team that
oversees the workings of the firm.
2. Implementing ERM
ERM practices will vary based on a company's size, risk preferences, and business objectives.
Below are best practices most companies can use to implement ERM strategies.
Define risk philosophy. Before implementing any practices, a company must identify how it
feels about risk and what its strategy around risk will be. This should involve strategic discussions between
management and an analysis of a company's entire risk profile.
Create action plans. With a company's risk philosophy in hand, it is time to create an action
plan. This defines the steps a company must take to protect its assets and plans to protect the future of the
organization after a risk assessment has been performed.
Be creative. When considering risks, ERM entails thinking broadly about the problems a
company may face. Even though some scenarios may seem far-fetched, it is in a company's best interest to think of as many challenges as it
may face and how it will respond (or decide not to respond) should the event happen.
Communicate priorities. A company may determine that several high-importance risks are critical
to mitigate for the continuation of the company. These priorities should be communicated and broadly
understood as the risks that should not be incurred under any circumstance. Alternatively, a company may
wish to communicate the plans it will follow if the event were to occur.
Assign responsibilities. When an action plan has been devised, specific employees should
be identified to carry out specific parts of the plan. This may include delegating tasks to specific positions
should employees leave the company. This not only allows for all action items to be worked on but will hold
members responsible for their area(s) of risk.
Maintain flexibility. As companies and risks evolve, a company must design ERM practices
to be adaptable. The risks a company faces one day may be different the next; the company must be able to
carry its current plan while still making plans for new, future risks.
Leverage technology. ERM digital platforms may host, summarize, and track many of the
risks of a company. Technology can also be used to implement internal controls or gather data on how
performance is tracking to ERM practices.
Continually monitor. Once ERM practices are in place, a company must ensure the
practices are adhered to. This means tracking progress towards goals, ensuring certain risks are being
mitigated, and employees are performing tasks as expected.
Use metrics. As part of monitoring ERM practices, a company should develop a series
of metrics to quantifiably gauge whether it is meeting targets. Often referred to as SMART goals, these
metrics keep a company accountable on whether it met objectives or not.
Internal Environment
A company's internal environment is the atmosphere and corporate culture within the company set
by its employees. This sets the precedent for what the company's risk appetite is and what management's
philosophy is regarding incurring risk. The internal environment may be set by upper management or the
board and communicated throughout an organization, though it is often reflected through the actions of all
employees.
Objective Setting
As a company determines its purpose, it must set objectives that support the mission and goals of a
company. These objectives must then be aligned with a company's risk appetite. For example, an ambitious
company that has set far-reaching strategic plans must be aware there may be internal risks or external risks
associated with these lofty goals. In response, a company can align the measures to be taken with what it
wants to accomplish such as hiring additional regulatory staff for expansion areas it is currently unfamiliar
with.
Event Identification
Positive events may have a great impact on a company. On the other hand, negative events may
have detrimental outcomes on a company's ability to continue to operate. ERM guidance recommends that
companies identify important areas of the business and the associated events that may have dire outcomes.
These high-risk events may threaten operations (e.g. a natural disaster that forces offices to close
temporarily) or strategy (e.g. a government regulation that outlaws the company's primary product line).
Risk Assessment
In addition to being aware of what may happen, the ERM framework includes a step that assesses each
risk by estimating its likelihood and financial impact. This covers not only the direct risk (e.g. a
natural disaster renders an office unusable) but also the secondary, knock-on risks it creates (e.g. employees may not feel safe returning to the
office). Though difficult, the ERM framework encourages companies to quantify risks by
estimating the percent chance of occurrence as well as the dollar impact; the product of the two gives an
expected loss that can be compared across risks.
Risk Response
A company can respond to risk in the following four ways:
The company can avoid risk. This results in the company leaving the activity that causes the risk as the
company would rather forgo the benefits of the activity than incur the risk. An example of risk avoidance is a
company shutting down a product line and discontinuing selling a specific good.
The company can reduce risk. This results in the company staying engaged in the activity but putting forth
effort to minimize the likelihood or magnitude of the risk. An example of risk reduction is a company keeping
the product line above open but investing more in quality control or in consumer education on how to properly
use the product.
The company can share risk. This results in the company moving forward as-is with the current risk profile of
the activity. However, the company leverages an independent third party to share in the potential loss in
exchange for a fee. An example of risk sharing is purchasing an insurance policy.
The company can accept risk. This results in the company analyzing the potential outcomes and determining
whether it is financially worth pursuing mitigating practices. An example of risk acceptance is the company
keeping open the product line with no changes to operations and risk sharing.
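As an added worked example (not part of the module or of any source it cites), the following Python script puts the probability-impact matrix from earlier in the module and the four responses above into code: each entry in a constructed risk register gets a qualitative tier from its likelihood and impact ratings, an annualized expected loss (probability times dollar impact, as in the Risk Assessment step), and the response that minimizes expected annual cost among accept, reduce, share and avoid. The 1-5 rating scale, the score thresholds for the tiers, and every figure in the register are assumptions chosen for illustration.

```python
"""Risk register scoring: qualitative probability-impact matrix plus a
quantitative comparison of the four ERM responses by expected annual cost.

Added example for this module; the rating scale, tier thresholds, dollar
figures and treatment options are constructed assumptions, not real data.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed qualitative scale: likelihood and impact each rated 1 (lowest) to 5 (highest).
# The product thresholds mapping to the module's tiers are an assumption.
TIERS = (  # (max_score, tier, treatment expected by the module)
    (4, "LOW", "record in register; review periodically"),
    (9, "MODERATE", "analysis scaled to scope; treatment and monitoring budgeted"),
    (15, "SUBSTANTIAL", "detailed analysis and a risk management plan"),
    (25, "HIGH", "escalate; extra controls, budgeted treatment, frequent monitoring"),
)


def qualitative_tier(likelihood: int, impact: int) -> tuple[str, str]:
    """Map 1-5 likelihood and impact ratings to (tier, expected treatment)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be integers from 1 to 5")
    score = likelihood * impact
    for max_score, tier, treatment in TIERS:
        if score <= max_score:
            return tier, treatment
    raise AssertionError("unreachable: 25 is the largest possible score")


@dataclass
class Treatment:
    """A candidate 'reduce' or 'share' response and what remains after applying it."""
    response: str          # "reduce" (a control) or "share" (e.g. insurance)
    annual_cost: float     # control spend or premium per year
    residual_prob: float   # annual probability of the event after treatment
    residual_loss: float   # loss the organization still bears if it occurs


@dataclass
class Risk:
    name: str
    likelihood: int            # qualitative rating 1-5
    impact: int                # qualitative rating 1-5
    prob: float                # annual probability of the event, 0..1
    loss: float                # dollar impact if the event occurs
    activity_benefit: float    # annual value of the activity that carries the risk
    treatments: list[Treatment] = field(default_factory=list)


def expected_loss(prob: float, loss: float) -> float:
    """Annualized expected loss: probability times dollar impact."""
    return prob * loss


def choose_response(risk: Risk) -> tuple[str, float]:
    """Pick the cheapest of accept / reduce / share / avoid by expected annual cost.

    accept: bear the expected loss unchanged.
    reduce / share: pay the treatment cost plus the residual expected loss.
    avoid: stop the activity, so the cost is the benefit forgone.
    """
    options = {
        "accept": expected_loss(risk.prob, risk.loss),
        "avoid": risk.activity_benefit,
    }
    for t in risk.treatments:
        options[t.response] = t.annual_cost + expected_loss(t.residual_prob, t.residual_loss)
    best = min(options, key=options.get)
    return best, options[best]


def prioritize(register: list[Risk]) -> list[dict]:
    """Score every entry and order the register by expected loss, highest first."""
    rows = []
    for r in register:
        tier, treatment = qualitative_tier(r.likelihood, r.impact)
        response, cost = choose_response(r)
        rows.append({
            "risk": r.name,
            "tier": tier,
            "expected_loss": expected_loss(r.prob, r.loss),
            "response": response,
            "annual_cost": cost,
            "treatment_expectation": treatment,
        })
    return sorted(rows, key=lambda row: row["expected_loss"], reverse=True)


# Constructed sample register for a school (all figures are illustrative assumptions).
REGISTER = [
    Risk("Ransomware on the admin file server", 3, 5, prob=0.20, loss=400_000,
         activity_benefit=2_000_000,
         treatments=[Treatment("reduce", 30_000, 0.05, 100_000),   # offline backups + MFA
                     Treatment("share", 25_000, 0.20, 100_000)]),  # cyber insurance with a deductible
    Risk("Aging trampoline in the gym", 3, 4, prob=0.15, loss=60_000, activity_benefit=2_000,
         treatments=[Treatment("reduce", 8_000, 0.02, 60_000)]),   # replacement + supervision
    Risk("Projector bulb failure", 4, 1, prob=0.50, loss=300, activity_benefit=5_000),
]

if __name__ == "__main__":
    for row in prioritize(REGISTER):
        print(f"{row['tier']:<11} {row['risk']:<40} EL=${row['expected_loss']:>9,.0f} "
              f"-> {row['response']} (${row['annual_cost']:,.0f}/yr)")
```

With the constructed figures the ransomware entry comes out as "reduce" (controls are cheaper than the expected loss or the premium), the trampoline as "avoid" (the activity is worth less than the expected loss), and the bulb as "accept". The quantitative step only compares expected annual cost; the qualitative tier still drives escalation and monitoring, so a HIGH or SUBSTANTIAL entry that the numbers say to accept should still be escalated and reviewed as the module describes.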
Control Activities
Control activities are the actions taken by a company to create policies and procedures to ensure
management carries out operations while mitigating risk. Control activities, often referred to as internal
controls, are broken into two different types of processes:
Preventative control activities are in place to stop an activity from happening. These controls aim to
mitigate risk by disallowing certain events from happening. An example of a preventative control is a keypad
or physical lock that prevents unauthorized employees from entering a sensitive area.
Detective control activities are in place to recognize when a risky action has taken place. Although
the event is allowed to happen (or was not supposed to happen but still did), detective controls may alert
management to ensure appropriate follow-up steps occur. An example of a detective control is an alarm for
the room or a l
Information and Communication
Information systems should be able to capture data useful to management to better understand a company's
risk profile and management of risk. This means not granting exceptions for departments outperforming
others; all aspects of a company should be continually monitored. By extension, some of this data should be
analyzed and communicated to employees if it is relevant to mitigating risk. By communicating with
employees, there is more likely to be greater buy-in for processes and protection over company assets.
Monitoring
A company can turn to an internal committee or an external auditor to review its policies and
practices. This may include reviewing what is actually performed compared to what policy documents
suggest. This may also entail getting feedback, analyzing company data, and informing management of
unprotected risks. In an ever-changing environment, companies must also be ready to assess their ERM
environment and pivot as needed.
What Is the Difference Between Risk Management and Enterprise Risk Management?
Risk management has traditionally been used to describe the practices and policies surrounding a specific
risk a company faces. More modern risk management has introduced ERM, a comprehensive, company-
wide approach to view risk holistically for the entire company.
LEARNING ACTIVITY 1
1) Identify Risks
Before you can develop response plans, you need to know which risks are out there. Some will be obvious,
such as a COVID-19 infection, while others will be more hidden, such as an unsafe part of the playground.
To track down every risk, brainstorm with your team. Also, include other stakeholders and industry experts in
your identification process. They might have experience which sheds light on risks your team hadn't thought
about.
Once you have found all the risks, put them in a centralized location, accessible to your entire team. That way,
your team can continuously monitor the risks. It also helps to divide your risks into categories. For
example, you could have a section for operational risks and one for financial risks. Or, you could separate
them by parts of the school day, creating categories like recess risks or cafeteria risks.
SUMMARY
Risk is an uncertain event or set of events which, should it occur, will have an effect on the
achievement of objectives; a risk is measured by a combination of the probability of a perceived threat or
opportunity occurring and the magnitude of its impact on objectives.
The impact of risk varies. Risk impact is an estimate of the potential losses associated with an identified
risk, and estimating both probability and impact is a standard step in risk analysis. Risks are classified by level:
high or significant level risks require escalation and thorough risk analysis; both substantial and moderate
level risks require risk analysis scaled to the scope and nature of the risks, with risk treatment and monitoring
measures in place and budgeted, and substantial risks require more detailed risk analysis and risk
management plans; low level risks do not require further analysis or treatment beyond being recorded and reviewed.
Risk can be of two types: positive or negative. The former is also known as an opportunity, and the
latter is called a threat. Because of the many risks that an organization may face, risk management is
practised to mitigate, if not eliminate, the detrimental effects of these risks on organizations.
Risk management is the process of identifying, assessing, and controlling financial, legal, strategic and
security risks to an organization’s capital and earnings. These threats, or risks, could stem from a wide
variety of sources, including financial uncertainty, legal liabilities, strategic management errors,
accidents, and natural disasters.
These are the aims of risk management: ensure the optimal, balanced, and sustainable performance
of the company; develop a comprehensive, systematic, integrated, and flexible approach to identifying,
assessing, analyzing, and managing risks; develop better risk management practices; address all types of
business risks; take responsible risks; make informed decisions; and better manage change.
REFERENCES
E-Sources:
What is a Risk? 10 definitions from different industries and standards. Retrieved 10.01.2022, from
https://www.stakeholdermap.com/risk/risk-definition.html
What is Risk? Definition of Risk, Risk Meaning. The Economic Times (indiatimes.com).
Usmani, Fahad. (2022). Types of Risks: Different Types of Risks in Risk Management. PM Study Circle
(pmstudycircle.com).
Video clips:
COSO ERM - Risk Management Framework (Simple Explanation). Bing video.
https://cutt.ly/kBoTm1M
Daniels, Richard. (2022). Risk Management: Definition, Types, Model, Process, Strategies, Practices.
Business Study Notes (businessstudynotes.com).
https://cutt.ly/0BoFGiR