I.

Introduction to Risk Management

Risk – ambiguous and has different meaning, we use the term “loss exposure” to identify
potential losses.
A loss exposure is any situation or circumstance in which a loss is possible regardless of whether
a loss occur.

Risk ≠ Uncertainty
The term risk is used where the probability of possible outcomes can be estimated with some
accuracy while uncertainty is used where probabilities cannot be estimated.

Risk is meaning 4 major things:

1. Probability of an unfortunate occurrence.
2. Potential for realization of unwanted, negative consequences of an event.
3. Consequences of the activity and associated uncertainties.
4. Deviation from a reference value and associated uncertainties.

While there are only two major types of uncertainty:

1. Epistemic Uncertainty
It is the scientific uncertainty of the model of the process. It is due to the limited data and
knowledge.
Example: inadequate understanding of the processes, imprecise evaluation
2. Aleatory Variability
It is the natural randomness in a process. For discrete variables, the randomness is
parameterized by the probability of each possible value. For continuous variables, the
randomness is parameterized by the probability density function.
It is a variation of quantities in a population of units (probability model). Aleatory
variability is the natural randomness in a process. Aleatory uncertainties are
irreducible.
These uncertainties are characterized by a probability density function (pdf).

Uncertainty Metrics:
1. A subjective probability
2. The pair (Q, K) where Q is a measure of uncertainty and K the background knowledge
that supports Q

Risk Metrics
- Combination of probability and magnitude/severity of consequences.
- The triplet (𝒔𝒊 , 𝒑𝒊 , 𝒄𝒊) where 𝒔𝒊 is the ith scenario, 𝒑𝒊 is the probability of that scenario,
and 𝒄𝒊 is the consequence of the ith scenario, I = 1..N.
- The triplet 𝑪′, 𝑸, 𝑲 where C′ is some specified consequences, Q (a probability) a
measure of uncertainty associated with C’, and K the background knowledge that
supports C’ and Q (which includes a judgment of the strength of this knowledge.
- Expected consequences (damage, loss). Example: Fatal Accident Rate, Vulnerability
Metric...
The more important consideration for risk managers is not the magnitude of the event, but the
impact or consequences.

Probability of density function – continuous variable between two ranges (ex: P(a ≤ X ≤ b))

Risk management is part of an organization program, the tradeoffs between risk and return.
There are 3 tools of risk management :
- Reserve
* with greater reserves against adverse outcome, the risk is control
* but greater reserves imply lower returns
- Diversification
* it has benefits.
* but sometimes we might want to concentrate and make money on additional
idiosyncratic risk.
* it is not possible to diversify away all risks.
- Insurance
* car insurance : the value of the car is knowable over the year; the amount of the
insurance is easy to ascertain.
* we might not know how much insurance is necessary and when it might need the
insurance.

Risk Tolerance:
Organization is readiness to bear the risk after risk treatments in order to achieve its objectives.
Risk Appetite:
Amount and type of risk that an organization is prepared to seek, accept and tolerate
Risk Management:
Identification, assessment, and prioritization of risks (positive and negative) followed by
coordinated and economical application of resources to minimize, monitor, and control the
probability and/or impact of unfortunate events or to maximize the realization of opportunities.

Risks are divided into 4 categories:

1. Compliance risks:
It is the threat posed to an organization’s financial organizational, or reputational standing
resulting from violations of laws, regulation, codes of conduct, or organizational standards of
practice.
Environmental risks, Workplace health and Safety, SR, Quality, and Process risk
2. Hazard or pure risks:
There are certain risk events that can only result in negative outcomes. Operational or
insurable risks. In general, organizations will have a tolerance of hazard risks and these need
to be managed whitin the levels of tolerance of the organization.
3. Control or uncertainty risks:
There are certain risks that give rise to uncertainty about the outcome of a situation.
Organizations will have an aversion to control risks. Uncertainties can be associated with the
benefits that the project produces, as well as uncertainty about the delivery of the project on
time, within budget and to specification.
4. Opportunity or speculative risks:
Organizations deliberately take risks, especially marketplace or commercial risks, in order to
achieve a positive return. These can be considered as opportunity or speculative risks, and an
organization will have a specific appetite for investment in such risks.

Risks and potential events

1) Compliance risk – Events that could result in regulatory enforcement
2) Hazard risk – Events that you do not want to happen and that only be negative.
3) Control risk – Events that you know will happen, but impacts are variable.
4) Opportunity risk – Events you hope to happen but could fail

The role of a risk manager is not just defensive. Firms need to generate and apply information
about balancing risk and reward if they are to compete effectively in the long term.
Implementing the appropriate policies, methodologies, and infrastructure to risk – adjust
numbers and improve forward-looking business decisions is an increasingly important element
of the modern risk manager’s job.

The risk Manager and Corporate Governance

Perhaps the trickiest balancing act over the past few years has been trying to find the right
relationship between business leaders and the specialist risk management within an institution.

The risk and the profitability analyses aren’t always accepted or welcomed in the wider firm
when they deliver bad news. There should be extensive interaction, but not dominance. There
should be understanding, but not collusion.

Business leaders want growth, not caution  The difficulty is political.

No one has found a best practice way to measure certain types of risk such as reputation of
franchise risk  The difficulty is technical

It’s hard to jump over a cliff on a business idea if all your competitors are doing that too (herding
behavior)  The difficulty is systemic.

Risk Manager’s role

- Identifying, analyzing, and assessing risks early and systematically, and developing plans
for handling them.
- Allocating responsibility to the party best placed to manage risks, which may involve
implementing new practices, procedures or systems or negotiating suitable contractual
arrangements.
- Ensuring that the costs incurred in reducing risks are commensurate with the importance
of the project and the risks involved.
- Provide a methodology to identify and analyze the financial impact of loss to the
organization, employees, the public, and the environment.
- Examine the use of realistic and cost-effective opportunities to balance retention
programs with commercial insurance.
 - Prepare risk management and insurance budgets and allocate claim costs and premiums
to departments and divisions.
- Provide for the establishment and maintenance of records including insurance policies,
claim and loss experience.
- Assist in the review of major contracts, proposed facilities, and/or new program activities
for loss and insurance implications.
- In cooperation with General Counsel, maintain control over the claims process to assure
that claims are being settled fairly, consistently, and in the best interest of the entity.

Risk management process

1. Risk Management Planning – How to approach and conduct risk management on a
project.
2. Risk Identification – Determining which risks might affect the project and documenting
their characteristics
3. Qualitative Risk Analysis – Prioritizing risks for subsequent further analysis or action
4. Quantitative Risk Analysis – Numerically analyzing the effect of identified risks on
overall project objectives
5. Risk Response Planning – Developing options and actions to enhance opportunities and
to reduce threats to project objectives
6. Risk Monitoring And Control – Tracking identified risks, monitoring residual risks,
identifying new risks, executing risk response plans, and evaluating their effectiveness.

Opportunity Management
It is the approach that seeks to maximize the benefits of taking entrepreneurial risks.
Organization will have an appetite for investing in opportunity risks.

Opportunity management  Strategic planning

Maximize the likelihood of a significant positive outcome from investments in business

opportunities.
Minimize the risks of not achieving the objectives of the project and the stakeholders with an
interest in it, and to identify and take advantage of opportunities.

Risk management assists project managers in setting priorities, allocating resources, and
implementing actions and processes that reduce the risk of the project not achieving its
objectives.