
Copyright of this book belongs to Arcler

Comprehensive Guide to
Business Risk Management

COMPREHENSIVE GUIDE TO
BUSINESS RISK MANAGEMENT

Jonah C. Pardillo

Publishing

www.societypublishing.com

Comprehensive Guide to Business Risk Management
Jonah C. Pardillo

Society Publishing
224 Shoreacres Road
Burlington, ON L7L 2H2
Canada
www.societypublishing.com
Email: orders@arclereducation.com

e-book Edition 2023


ISBN: 978-1-77469-576-0 (e-book)

This book contains information obtained from highly regarded resources. Reprinted material
sources are indicated and copyright remains with the original owners. Copyright for images and
other graphics remains with the original owners as indicated. A wide variety of references are
listed. Reasonable efforts have been made to publish reliable data. Authors or Editors or
Publishers are not responsible for the accuracy of the information in the published chapters or
consequences of their use. The publisher assumes no responsibility for any damage or grievance to the
persons or property arising out of the use of any materials, instructions, methods or thoughts in
the book. The authors or editors and the publisher have attempted to trace the copyright holders
of all material reproduced in this publication and apologize to copyright holders if permission has
not been obtained. If any copyright holder has not been acknowledged, please write to us so we
may rectify.

Notice: Registered trademark of products or corporate names are used only for explanation and
identification without intent of infringement.

© 2023 Society Publishing


ISBN: 978-1-77469-424-4 (Hardcover)

Society Publishing publishes a wide variety of books and eBooks. For more information about
Society Publishing and its products, visit our website at www.societypublishing.com.

ABOUT THE AUTHOR

Jonah C. Pardillo received her Master's degree in Business Administration from the
University of the East, Philippines. Her bachelor's degree was also earned from the University of
the East. Currently, she is affiliated with the University of Mansford, California, USA. She
has professorial experience and teaches several undergraduate business courses at Far
Eastern University, Technological Institute of the Philippines, Manila Business College, and
Global Reciprocal College. Further, she was also a content developer for undergraduate
and graduate business subjects. Aside from academic experience, she also manages her
own business.

TABLE OF CONTENTS

List of Figures
List of Abbreviations
Introduction
Preface

Chapter 1 Introduction to Business Risk Management
1.1. Introduction
1.2. Risk
1.3. Business
1.4. Sustainability
1.5. Methods
1.6. Framework
1.7. Public Relations

Chapter 2 Fundamentals of Risk Management
2.1. Introduction
2.2. Risk
2.3. Hazards
2.4. Risk Matrix
2.5. Risk Management
2.6. Attitude and Risk
2.7. Compliance
2.8. Enterprise Risk Management
2.9. Risk Criteria
2.10. ERM
2.11. Operations

Chapter 3 Integrated Risk Management
3.1. Introduction
3.2. Techniques
3.3. Operational Risk
3.4. Foreign Exchange
3.5. Analysis
3.6. Classification
3.7. Risk Elements
3.8. Structure
3.9. Information
3.10. Problems
3.11. Cash Flow

Chapter 4 Project Management
4.1. Introduction
4.2. Issues
4.3. Banks
4.4. Projects
4.5. Funds
4.6. Industries
4.7. Threats
4.8. Uncertainty
4.9. Contracts
4.10. Project Management
4.11. Accidents
4.12. Milestones

Chapter 5 Enterprise Risk Management
5.1. Introduction
5.2. Pillars
5.3. Opportunities
5.4. Piracy
5.5. Risk
5.6. Discrepancy
5.7. FMEA
5.8. Model
5.9. Quality

Chapter 6 Corporate Governance and Risk Management
6.1. Introduction
6.2. Compliance
6.3. Business
6.4. Liabilities
6.5. Payments
6.6. Laws
6.7. Funds
6.8. Cost-Savings
6.9. Principles
6.10. Claims
6.11. Information

Chapter 7 Supply Chain Risk Management
7.1. Introduction
7.2. Supply Chains
7.3. Integration
7.4. Risk Management
7.5. Outsourcing
7.6. Production
7.7. Strategies
7.8. Variables
7.9. Scorecard

Chapter 8 Sustainable Business and Risk Management
8.1. Introduction
8.2. Risk
8.3. Goals
8.4. Managers
8.5. Factors
8.6. Assessment
8.7. Activities
8.8. Processes

Bibliography

Index

LIST OF FIGURES

Figure 1.1. Risk management


Figure 1.2. Sustainable ERM system
Figure 1.3. Risk appetites
Figure 1.4. Taxonomy-based risk identification
Figure 1.5. Risk prioritization
Figure 1.6. Sustainability challenges
Figure 1.7. Corporate social responsibility
Figure 1.8. Global warming
Figure 1.9. Trading of greenhouse gas
Figure 1.10. Risk ratings
Figure 1.11. Record management
Figure 1.12. Compliance
Figure 1.13. Corporate environment
Figure 1.14. Kenneth Lay
Figure 1.15. E-commerce
Figure 2.1. Fundamentals of risk management
Figure 2.2. Hazard risks
Figure 2.3. Opportunity risks
Figure 2.4. Risk matrices
Figure 2.5. Hazard risk management
Figure 2.6. Start-up businesses
Figure 2.7. Brexit plan
Figure 2.8. Organization’s risk exposure
Figure 2.9. Enterprise risk management
Figure 2.10. Insurance
Figure 2.11. Opportunity management strategy
Figure 2.12. Risk management frameworks
Figure 2.13. IRM risk management standard

Figure 2.14. Risk criteria
Figure 3.1. Integrated risk management
Figure 3.2. Price fluctuations
Figure 3.3. Foreign exchange fluctuations
Figure 3.4. Risk elements
Figure 3.5. Alternative risk transfer
Figure 3.6. Finite risk insurance
Figure 3.7. Future cash flows
Figure 4.1. Political and societal unpredictability
Figure 4.2. Investment banks
Figure 4.3. UK Institute of Actuaries and Institute of Civil Engineers
Figure 4.4. British TSR2 supersonic fighter project
Figure 4.5. Federal Aviation Authority
Figure 4.6. Risk analysis and management of projects system
Figure 4.7. Munich plane accident
Figure 5.1. Katrina
Figure 5.2. Piracy
Figure 5.3. Failure modes and effects analysis
Figure 6.1. Corporate governance
Figure 6.2. Money laundering
Figure 6.3. IPR
Figure 6.4. London maritime arbitrators association
Figure 6.5. EHS crisis management
Figure 7.1. Supply chain risk management
Figure 7.2. Silk road
Figure 7.3. Outsourcing
Figure 7.4. Vendor-managed inventory
Figure 7.5. Bullwhip effect
Figure 7.6. Monte Carlo simulation
Figure 8.1. Sustainable business and risk management
Figure 8.2. Cause-and-effect analysis
Figure 8.3. Pareto analysis

LIST OF ABBREVIATIONS

ART alternative risk transfer


CPR civil procedure rules
CR continuous replenishment
D&O directors and officers
EDI electronic data exchange
ERM enterprise-wide risk management
ERP enterprise resource planning
EU European Union
FMEA failure modes and effects analysis
FRI finite risk insurance
GHG greenhouse gas
GRC governance, risk, and compliance
ICE Institute of Civil Engineers
IPRs intellectual property rights
NGOs non-governmental organizations
ORM operational risk management
R&D research and development
RAD rapid application development
RASP risk, architecture, strategy, and protocols
SMEs medium-sized enterprises
SOX Sarbanes-Oxley
UPS uninterrupted power supplies
VMI vendor-managed inventory

INTRODUCTION

Any financial institution must handle a wide range of risks, including market, credit,
liquidity, event, and operational risks. Senior management in large institutions around
the world is changing how they see their future as a result of five important forces: new
technology, globalization, non-bank competition, deregulation, and the opening up of
formerly closed markets. Risk is constantly increased by cross-border business, and the
trend toward globalization among the clients means that they must follow the trend,
go worldwide, and deal with a continually expanding range of risks. Profits are always
under pressure due to increased competition, at least in the short term. This pressure is
partially a result of liberalization. In order to sustain bottom lines, compromises might be
made and risks taken.
In fact, no single technology can do all the necessary recovery tasks. Certain technologies
can provide the foundational elements, for there is no one-size-fits-all answer for a
company continuity plan. Companies are expanding and depend on technology to
function; hence, recovering those processes requires technology. However, you still must
have a well-thought-out plan for handling unanticipated circumstances or downtime.
Many of the systems in use today in most organizations cannot be used as an
addition to the business continuity plan. Servers continue to be heavily dependent on
aging, outdated recovery strategies and backup procedures that won't match corporate
requirements. Consequently, a thorough and validated business continuity plan
is required more than ever, given the increased reliance on IT systems, which is potentially
much greater than ever before. Planning for business continuity is much more crucial as
a result of this dependency. The more dependent a business is on IT, the more essential
it is to have not only a strong continuity plan, but also a strong and
resilient IT infrastructure.
Organizations increasingly understand that they cannot have one without the other.
There are now a lot more tools available to help boost the resilience and redundancy
of systems, and using those approaches as a backup plan is now more practical than
aspects that are active in the business continuity plan. However, in the real world,
choices are typically made to satisfy specific needs.

PREFACE

Businesses are changing into more effective and dynamic entities as a result of increased
competition. These companies will need to be robust to unforeseen and potentially
catastrophic occurrences, be able to respond swiftly to external factors and increase
their variable-to-fixed cost ratio. For a large part of this, it’s important to have a solid
grasp of risk, how to analyze and manage it, and finally, how to use this information
to your benefit. Understanding and weighing the effects of not fulfilling service level
agreements for a while, however, is one thing; setting a lower level of fixed resources in
response is quite another. The specification of a system or process to be resilient to both
internal and external variables is also simple.
Organizations must meet rising corporate governance standards with respect to ethical
and social responsibility while also delivering on higher stakeholder expectations in
this more uncertain business climate. For instance, legislation to widen the scope of
regulations surrounding the management of bribery risk and the avoidance of modern
slavery has been introduced in numerous nations. Given all of these developments, it
is highly appropriate to emphasize the value of enterprise risk management (ERM) to
corporate performance. All organizations still view effective ERM as a commercial
necessity, which includes protecting corporate reputation. A successful ERM program
improves an organization’s capacity to meet goals and guarantee sustainability through
transparency and moral behavior. Everyday hazards are something we all deal with.
Personal activities have risks, which might include those related to travel as well as
those related to financial decisions.
This book focuses on the responsibilities we play in our jobs or occupations, as well as
business and commercial risks. However, assessing risks and making decisions about
how to handle them is a daily process that must be completed not only at work but
also at home and when engaging in leisure activities. We live in a period of immediate
communication, media attention, and growing tendencies in global management. As
a result, it’s crucial to have precise technology and tools as well as greater business
understanding and commercial awareness. Due diligence, corporate governance, and
risk management are concepts that must be acknowledged as integral parts of larger
company challenges when traditional barriers and lines between responsibilities are
being broken down. This book serves as a handbook for business risk management for
graduates and research students.

CHAPTER 1
INTRODUCTION TO BUSINESS RISK
MANAGEMENT

CONTENTS
1.1. Introduction
1.2. Risk
1.3. Business
1.4. Sustainability
1.5. Methods
1.6. Framework
1.7. Public Relations


1.1. INTRODUCTION
A number of interconnected social, cultural, environmental, and economic
aspects have been incorporated into the sustainable development framework
over the past 10 years. Our ability to generate economic growth and wealth
from the finite resources this planet has to offer will be impacted by the
increasing severity of breakdowns in our life support systems that have
followed the rise in ecological stressors (Nyoman Pujawan & Geraldin,
2009). As local habitats are harmed, these pressures will have an impact on
the level of social development we can attain. Without economic income,
social capital development and ecological capital preservation would not be
supported by capital revenues. Risk management is the process of identifying, measuring,
and assessing risks while formulating management plans. Strategies include moving the
risk to a third party, avoiding the risk, lessening the risk's negative effects, and accepting
some or all of the consequences. Excessive risk management is as detrimental to company
interests as a lack of controls. The target of risk management is to actively manage hazards
in a commercial setting, not necessarily to eliminate or reduce them. This
could indicate that certain risks are being overcontrolled and that extra
expenses are being incurred (Nocco & Stulz, 2006) (Figure 1.1).

Figure 1.1. Risk management.

Source: https://profiletree.com/wp-content/uploads/2018/07/What-is-risk-management-process.jpg.webp.


1.2. RISK
Once risks have been identified and evaluated, all risk management strategies fall into
one of four broad categories, although some methods of risk management can be divided
into several groups. Risk transfer refers to getting a third party to take on the risk, usually
through a contract or financial hedging. Risk avoidance means not engaging in potentially
dangerous activities; an illustration would be to refrain from purchasing a home or company
in order to avoid the obligation that comes with it. Risk reduction (mitigation) refers
to strategies that lessen the severity of the loss. Risk acceptance (retention)
entails accepting the loss when it occurs; true self-insurance falls into this category. For
small risks where the cost of insurance would outweigh the overall losses incurred over
time, risk retention is a practical strategy. Traditional risk management prioritizes threats
with physical or legal origins (natural disasters, fires, accidents, death, and lawsuits).
In contrast, financial risk management concentrates on hazards that can be controlled
through the use of traded financial instruments.
Financial as well as regulatory and compliance concerns are all included
in a sustainable ERM system (Figure 1.2), but they are organized around
the three pillars of sustainable development (Schanfield & Miller, 2005).
However, it places more emphasis on analyzing the risks that threaten
intangible assets like reputation and includes a wider range of external risk
variables. Compared to more conventional approaches, the risk-reward
assessments and strategic risk analyses have a wider scope and time frame.
These more recent factors may nevertheless have an impact on your business
operations directly or indirectly, and we can illustrate the risk levels by
using a nonfinancial risk rating system, the SERM risk rating system, as a
model of typical loss experiences (Mainelli, 2004). The SERM model will
provide a quantitative assessment of effects on businesses that are pertinent
to their financial performance or, more precisely, their market worth. While
most organizations have a basic level of risk management capability to meet
regulatory requirements, investing in risk management processes that are
in line with business goals and strategy is advantageous for performance.
An assessment of the risks identifies the threats to the organization and the
advantages of controlling the risk environment in accordance with corporate
goals. Resources spent on risk management could be spent on more profitable
activities, which is the opportunity cost of risk management, and this is where
resource allocation becomes challenging. Once more, effective risk management
maximizes the reduction of risks' negative impacts while minimizing expense.
Risk appetite refers to the amount of risk that a company is ready to accept in
order to achieve its goals. An organization can create a strategy that is suitable
for it by defining the type and level of risk that is acceptable. A corporation
that adopts a high-risk strategy but has a low appetite for risk might anticipate
a difficult period. In reality, different areas of the organization will have
varying risk appetites (Figure 1.3).

Figure 1.2. Sustainable ERM system.

Source: https://cengssud.org/wp-content/uploads/2018/12/serm-1170x500.jpg.

Figure 1.3. Risk appetites.

Source: https://cdn.ttgtmedia.com/rms/onlineimages/risk_appetite_vs_risk_tolerance-f_mobile.png.


1.3. BUSINESS
For instance, a pharmaceutical business will approach its quality assurance
activity with a low risk appetite because it recognizes the need for this activity
to be highly managed, but it may have a different risk appetite in
its research and development (R&D) sector; creating a risk management
strategy. It is obvious that the formulation of the overall business strategy
would be influenced by a clearly defined risk appetite and risk environment
(Adil, 2008). According to the organization's understanding of the risk
environment, all strategy documents submitted to the board for endorsement
should include a commentary on the key risks related to the organization's
objectives and strategy and their acceptability in accordance with the
agreed-upon risk appetite. A properly created and formalized business plan should
outline how an organization will prioritize, concentrate, and distribute its
resources to take advantage of possibilities that have been recognized. A
number of supporting strategies, including HR and IT, will be developed
for the allocation of resources and investment to aid an organization in
achieving its business strategy. This does not change how risk management
investments and resources are allocated; additionally, a risk management
statement based on organizational goals and company strategy.
Risks are identified by investigating the source of the risk, the problem, or
the event that gave rise to the risk. Common risk identification
techniques include taxonomy-based risk identification (Figure 1.4), that is, a
breakdown of potential risk sources, as well as objectives-based identification,
scenario-based analysis, common-risk checking, and risk assessments. After risks
have been identified, they must next be evaluated based on the likelihood that
they will occur multiplied by the likely extent of the loss; this roughly equates
to the risk level. These values may be easy to measure or almost impossible to
determine. Therefore, it is crucial to provide the most accurate assessment to
support the prioritization phase of the risk management plan. A key point is
that studies have shown that the frequency of risk assessments has a greater
impact on the financial benefits of risk management than any formula.


Figure 1.4. Taxonomy-based risk identification.

Source: https://www.garp.org/hubfs/Website/Imported_Blog_Media/a2r-
5d000003oPzXAAU_Figure-1.jpg.

A risk prioritization (Figure 1.5) process should then be used, with risks
with the highest loss and highest probability of incidence being handled first
and risks with the lowest probability of occurrence and lowest loss being
handled later. In practice, it can be challenging to strike a balance between
risks with a high likelihood of occurrence but lower loss and risks with a
high loss but lower likelihood of occurrence; a risk management framework
or system used to meet the aforementioned requirements and foster an
organizational risk management culture.
While the risk environment, risk appetite, and risk management plan
are essential components for organizations to successfully implement their
business strategies, they must be supported by an overarching framework
for risk management (Ullah et al., 2022).

| Event | Risk | Unmitigated Likelihood | Unmitigated Impact | Unmitigated Risk Score (Likelihood x Impact) |
|---|---|---|---|---|
| Lack of skilled labor willing to relocate | operation becomes infeasible | Medium (3) | Very High (5) | |
| Cannot find another oil company to partner with | Entire risk borne by ExploriCo if failure | Medium (3) | High (4) | |
| Environmental impact statement unfavorable | Extra cost to ensure low impact | High (4) | Medium (3) | |
| Cannot acquire land from Canadian government | Project untenable | Low (2) | Very High (5) | 10 |
| No good natural harbor | Delay of one year | Low (2) | Very High (5) | 10 |
| Not enough icebreakers available for rent | Lose 6 months of port usability per year | Low (2) | Very High (5) | 10 |
| Environmental advocacy group protests | Some bad publicity | High (4) | Very Low (1) | 4 |

Figure 1.5. Risk prioritization.

Source: https://www.dummies.com/wp-content/uploads/389002.image0.jpg.

1.4. SUSTAINABILITY
Sustainability challenges (Figure 1.6) may have an economic bearing on
all of the major management choices that businesses make, from strategies
to investment choices (Child & Tsai, 2005). These choices may have an
impact on the economic levers, which in turn may have an impact on an
organization's competitiveness and value drivers. Risk management and
sustainability management have an impact on operations and production,
which is why they are connected to revenue and profits. Costs are rising as
resource demand skyrockets, and resource base prices rise if supply cannot
keep up with demand, which has an inflationary impact on the entire supply
chain. When possible, expenses are reduced by not investing in fixed assets,
yet predictions call for ongoing cost rises. The idea that the government is
the best or primary institution for addressing significant social problems has
generally lost favor. As global welfare changes continue, it is anticipated that
this tendency will persist. Certain obstacles to this approach will be more
widely known. In the US, decisions have been made to replace private safety
inspectors with a federalized public screening agency staff in the post-9/11
era in the belief that government management in this area is superior (Van
Ryzin, 2014). Government has an indirect impact on the risk agenda, and the
number of informal government recommendations is rising. Government
authorities at all levels are urging businesses to provide the public with more
information on their methods and performance, both in terms of quantity
and quality.

Figure 1.6. Sustainability challenges.

Source: https://www.mdpi.com/sustainability/sustainability-12-03534/article_deploy/html/images/sustainability-12-03534-g001.png.

Recently, the European Commission presented a plan for how it sees
corporate social responsibility (Figure 1.7) developing within the EU,
urging all businesses to follow the triple bottom line of economic, social,
and environmental responsibility. The European Commission is supporting
efforts to tighten vehicle emissions limits beyond those anticipated in current
proposals in response to calls from European Union (EU) governments and
lawmakers for stricter standards, which has significantly increased calls for
more product responsibilities and controls. The OECD is also in favor of
greater corporate responsibility because in the coming decades, corporate
social responsibility will become increasingly important, posing challenges
for businesses. The industrial revolution of the past 150 years was made
possible by the switch from coal to oil and gas, mechanization, and the huge
exploitation of all natural resources, including clean air, water, and soil, in
order to facilitate increased production and prosperity (Cannadine, 1984).
Increasing sea levels and desertification together will present the world with
fewer land resources and an unprecedented flow of environmental refugees
and the possibility of civil strife.

Figure 1.7. Corporate social responsibility.

Source: https://www.thebci.org/static/uploaded/c731f52f-8be9-4ea8-80751b50ed523a81.jpg.

As a result of global warming (Figure 1.8), both drought and floods
may become more frequent. Species loss is anticipated to grow as a result
of global warming, which is particularly dangerous to migratory species
like birds and marine animals. Trading of greenhouse gas (GHG) emissions
(Figure 1.9) will become more significant (Clarkson, Li, Pinnuck, &
Richardson, 2015). Over the coming decades, the climate on Earth will
warm, leading to an increase in sea level. Its goal is to promote reporting
of GHG emissions. It should be emphasized that the expense of putting a
risk management plan into place is always less than the potential expenses
incurred if the organization does not manage risk. The banking industry,
which is under increasing pressure to show transparency to all stakeholders,
is a good example of how compliance risk management works. It allows
the board, for instance, to verify the connections between securities, their
issuers, associated subsidiaries, and affiliates and acquire a detailed image
of a company’s corporate hierarchy to better grasp their overall securities
structure and global exposure. It also helps identify any conflicts of interest relating to
their current or potential holdings or relationships with their clients.

Figure 1.8. Global warming.

Source: https://www2.deloitte.com/us/en/insights/industry/financial-services/climate-change-credit-risk-management/_jcr_content/root/responsivegrid_380572564/advanced_image.coreimg.95.800.jpeg/1641881523401/us164768-figure1.jpeg.


Figure 1.9. Trading of greenhouse gas.

Source: https://nap.nationalacademies.org/openbook/12784/xhtml/images/p2001c3c6g206001.jpg.

The term "legal hazards" can be used in a way that causes some uncertainty. It
can be used to describe the impact of the risk or its origin, such as a shift
in the regulatory environment. Additionally, it could suggest a specific
course of action to manage a risk, such as getting legal counsel to make
sure a crucial contract satisfies a business’s strategic needs. Applying
a more uniform process for assessing legal risks may reveal that risks
have been overcontrolled perhaps as a result of an excessive weighting
of legal issues, as well as reveal which legal repercussions call for more
investment in control mechanisms. The SERM method discovered that if
risk management strategies are not consistent with the concepts and policies
used elsewhere in the organization, their effectiveness will be diminished.
For instance, if compensation plans for certain people or units favor short-
term financial performance, a risk-based methodology for pricing projects
with possible long-term obligations may not have much of an impact. It
should be highlighted that the main goal is risk management, not necessarily
risk reduction or elimination. It may be clear through a comprehensive study
of risks and how they are currently managed in a business whether hazards
are being overcontrolled. Disproportionate control implementation can have
negative effects, including the creation of extra expenses and a reduction in
the ability to seize opportunities. For instance, situations like competitive
bidding for new business may make this particularly clear. For instance, a
set of controls that are too stiff may prevent the organization from reacting
rapidly enough to support success.

1.5. METHODS
A systematic approach to risk recording is necessary for a successful risk
management program so that risks may be managed and regularly tracked.
Risk management professionals have indicated that categorizing hazards
is beneficial so that protocols may be established to monitor and control
them. It is more crucial to have mechanisms in place to manage the risks
involved and to consistently assess them than it is to employ a particular
classification approach. At the appropriate organizational level, information
about individual risks should be compiled. Actions to address risks might be
prioritized using the overall risk ratings (Figure 1.10) generated
by an evaluation matrix or other methods (Zeng, An, & Smith, 2007). But
keep in mind that stakeholder perception of a risk may be just as significant
as the grade determined by taking its impact and possibility into account.
For instance, the public’s image of an organization’s actions may be
particularly impacted by environmental difficulties, necessitating the need
for procedures that can be clearly demonstrated to handle environmental
hazards. As a result, there should be less tolerance for certain risks and a
larger priority placed on the appropriate controls.

Figure 1.10. Risk ratings.

Source: https://www.mckinsey.com/~/media/mckinsey/business%20functions/risk/our%20insights/banking%20imperatives%20for%20managing%20climate%20risk/svgz-banking-climate-risk-ex1.svgz.

It is crucial that the reactions to the pertinent hazards be commensurate
with their likelihood and impact. This has to do with more than just the
price of risk control or mitigation techniques. Certain responses could have an
indirect cost by reducing the organization’s capacity to seize opportunities or
deal with uncertain situations. Instead of only striving to eliminate or reduce
hazards, it is important to optimize the management of risk. Reviewing the
controls now in place and their costs and side effects in comparison to other
available measures should be part of the process of assessing and managing
risks. It should be understood, nevertheless, that varied reactions might only
cover a portion of the potential effects of a given risk. For instance, product
liability insurance may only cover the immediate financial consequences
of a compensation claim, not the negative impacts on the company’s
reputation. It’s important to keep in mind that some reactions could lead to
the creation of fresh hazards when it comes to managing legal issues. For
instance, by terminating certain operations and outsourcing the process to a
different provider, the risks connected with a specific manufacturing method
may be transferred. This will result in a unique set of risks for managing
the supplier’s performance and the related financial connections. Although
some liability risks may be transferred as a result of this, the business will
still be affected by unfavorable events.
It’s obvious that there are a wide variety of methods and strategies that
can be used to manage risks. Like the principles for the management of
credit risks, elaborate recommendations have been produced in several
industries. The Basel Committee on Banking Supervision’s established
principles should be taken into consideration in this situation. Although organizations
have historically minimized risk and compliance management, today’s
business complexity, reliance on IT and processes, expansion of business
partner relationships, and increased liability and regulatory oversight have
amplified risk to the point where governance is necessary (Viterbo, 2019).
Additionally, the sheer number of compliance mandates that organizations
must adhere to raises the danger of non-compliance, which could result
in civil and criminal penalties. Although operational risk and compliance
are not directly addressed, their effects have been felt across the whole
organization. Following the Enron scandal and SOX reaction, executives
are subject to harsh sanctions over the accuracy of their financial statements.
To limit the impact on the financials, they therefore demand that risk and
compliance be constantly managed within outlined limits of risk tolerance.
Increased control and oversight are the sole means of fending off potential
legal action resulting from one of the primary risks that must be managed in
the US. Management frequently finds a disjointed approach as they struggle
to understand how risk and compliance are managed inside the organization.
SERM has discovered via pertinent case studies that risk and compliance
management has been dispersed across organizational silos, leading to a
duplication of technology and activities with inconsistent methodologies,
measurement, and reporting. Islands of information are trapped in papers and
people across the organization as a result of the lack of central visibility and
oversight.
One of the effective instruments in the compliance and risk management
strategy is now record management (Figure 1.11). Significant regulatory
concerns in the United States and overseas include financial transparency,
corporate governance, anti-terrorism, and privacy protection. Recent
events have given corporate directors numerous reasons to pay attention to
enterprise risk. For example, energy giant Chevron Corporation has been
acutely conscious of the need for risk management given its $184 billion
in revenue and 59,000 employees across 180 countries (Shelden & Brown,
2000). Chevron executives were ready when SOX was enacted because they
had a risk-based system in place for years before it called for a risk-based
approach to evaluating internal control over financial reporting. However,
it appears that less than 25% of businesses are giving their internal audit
operations the thorough external assessments that the Institute for Internal
Auditors recommends as a requirement for sound corporate governance in
the post-SOX economic context. Additionally, businesses trying to comply
with SOX’s internal control requirements are learning that they must assess
the controls of both their own operations and those of potential alliance
partners.
The fact that the material discloses how the target has been managed
with relation to sustainable risk management is, as previously mentioned, a
significant advantage of the legal due diligence process. This is extremely
pertinent to the discussion. It may consider the history of the target and
candidate as well as their goals, as well as their chosen organizational
structure whether that be a corporation, partnership, or owner/manager
operation. It is important to realize that while many due diligence operations
involve very big transactions, there are also many smaller deals that draw
the due diligence process and various organizational vehicles.


Figure 1.11. Record management.

Source: https://d3i71xaburhd42.cloudfront.net/2c63b34f9a92dbf9c88a645d1e00bc50c2907fb/12-Figure5.1-1.png.

Although some of the process’s challenges are unquestionably better
suited to the larger transaction, others are equally relevant regardless of its size.
For instance, the administration of the company will be reflected in late
or imprecise returns to the authorities. They might also point to money
problems, as in the case of late financial statements filed with corporate
registrations. The knowledge gathered throughout the due diligence process
can be a priceless asset in the target’s continued management after the
sale. Organizations should be aware that there are more people benefiting
from the risk management and due diligence processes as a result of the
constant demand from regulators, security exchanges, and stakeholders. It
is crucial to take the user of this information into account when the parties
are designing the methodology for legal risk management and due diligence
assignments because there may be overlaps in the functions. For instance,
there are often certain forms and formats in which data must be delivered
if it is to a government authority. Recasting the material numerous times
only to satisfy the regulator’s obsession with precision will be exceedingly
annoying and more expensive.
The idea is to have each due diligence team decide the level of exposure
based on what can or cannot be answered, keeping in mind how important
high-quality data is. Due diligence is often not completed because there
is insufficient information about the business operations. The deal can be
risky, much like in personal partnerships like marriage, because there can
never be a full examination into each party’s past in terms of their health,
emotions, and finances. All due diligence procedures must include a balance
as part of the risk-reward calculation. For instance, authenticating a
£1,000 transaction in a £50 million trade might not be worth the thousands
it would cost to validate the transaction. The due diligence team’s skills
and experience are crucial in this situation. To be able to differentiate
between what is vital and what is not, they must first acquire the necessary
training and experience. Second, they must have the right equipment at their
disposal in order to carry out their duties. Information presentation is also
crucial. Accurate and timely information can satisfy shareholders, investors,
and stakeholders, but they are often less interested in the accuracy. In
actuality, most people would prefer simpler information to complex
information. They may be making judgments on the company’s adherence
to a certain regulation, but they are also interested in knowing the company’s
prospects for survival and growth. As stated, it is crucial to identify the risk
owner. For instance, it’s crucial to make sure that nobody in this procedure
forgets about the employees. All employees who earn remuneration from the
company, including clerks, middle managers, management, and associated
parties, like hearing about it. Additionally, the exercise in due diligence can
involve the creation of reports without transgressing privacy laws or other
legal requirements.
At the highest level of the organization, commitment to the program
must be paramount. The program won’t become fully embedded
throughout the organization and provide the anticipated results
without the personal involvement of the board members or a similar body.
This is frequently represented in the delegation of responsibility for risk
management implementation to a specific officer or committee. It is crucial
that risks are assessed and tracked uniformly across the pertinent operations.
For this, there needs to be a precise framework for identifying and rating
risks as well as precise reporting and oversight processes. Additionally,
an internal program will be required to outline the strategy to be used as
well as the roles and responsibilities of individuals and groups within the
organization. It’s important that everyone in the organization is aware of
the main goals and components of the risk management strategy. Different
people’s duties and responsibilities should be transparently defined. The
implementation of a risk management program involves a major investment
in terms of management time and resource. Information concerning risks
should be communicated both upwards and downwards in order to bring
about the most benefit. It could be necessary to seek outside counsel on
specific matters. These expenses must be acknowledged and budgeted for.
Being realistic about the time that may be needed to set up the necessary
mechanisms is equally crucial.

1.6. FRAMEWORK
Contingent on the complexity of the systems involved and the type of
systems already in place, this could take months or years. It’s critical that the
risk management system be viewed as an ongoing program of improvement
and adjustment rather than a static framework. A strong procedure for
tracking development and re-evaluating priorities is also essential. To do
this, active input on risk issues is necessary. It has also been discovered
that implementing any risk management system, no matter how flawed or
insufficient, usually offers advantages over not implementing one at all.
Efficacy ought to increase with time as the organization gains experience.
Similar to this, an organization’s risk profile will alter as a result of both
internal and external variables, like regulatory changes or an increased threat
of terrorist attack, as well as changes to the type or scope of the business.
For any risk management system to be effective, it must be able to respond
to these changes. The organization’s culture must support the goal of open
and transparent risk management. Establishing a “no blame” culture that
encourages risk identification rather than penalizes it is useful in managing
professional or personal constraints that could otherwise tend to prevent
honest reporting. Compliance was formerly managed and measured as a
project rather than a process by organizations. This puts the organization at
great danger in the current business climate.
Compliance (Figure 1.12) must be monitored and validated continuously
due to the dynamic nature of business processes, workforces, partner
relationships, and IT systems. The requirement for a structured compliance
management program will arise when organizations face a growing number
of compliance duties. Organizations will look to tools that offer a central
repository of risk and compliance management services in order to control
expenses as well as to give a single interface into risk and compliance
management (“Strategic Outsourcing,” n.d.). This will include reporting on
metrics, assessments, and control documentation. It ought to be compatible
with other technologies that focus on particular compliance and risk domains
such as data security, privacy, business partner relationships, and financial
systems.


Figure 1.12. Compliance.

Source: https://s7280.pcdn.co/wp-content/uploads/2020/07/GRC-break-down.png.

Any risk management procedure’s goal is based on established company
objectives. The targets have to be prepared and be able to be expressed. If
the business targets are to be understood and attained, clarity and precision
are far preferable to hazy assumptions and broad generalizations. Clarity
is necessary for the risk management team to be able to recognize when
the company is veering off course, which is another crucial factor. If the
automobile is not in motion and the keys are in another person’s pocket,
falling asleep at the wheel poses no risk. However, dozing off is not advised
if the business is progressing. Finding justifications and explanations for
continuing is not the goal. Every procedure has exceptions, but the more
consistent the principles that guide corporate operations, the
easier it is to spot the exceptions and assess whether they are warranted this
time or not. Integration is a significant topic and a crucial business concern.
It has consequences for risk culture and is crucial for continuing risk
management. It is obvious that in the deal, the momentum, the need to close,
and the short amount of time to evaluate the facts can lead to actions that
have a significant long-term influence on the ability to integrate. Operational
details and broader organizational concerns, such as the loss of implicit,
codified business knowledge that was held in the minds of key individuals
who have since died, can all fall under this category (Scholten, Sharkey
Scott, & Fynes, 2019). Another example is the IT industry, where only the
most basic inventories of physical hardware are frequently made, even if
programming expertise and long-term single-source service agreements
may actually be the most important aspects to take into account.
The early win strategy may eventually be harmful to value in terms of
sustainable risk management. It is improbable that the acquirer will have
accessed the premium that was paid for in the purchase if the acquired target
is not integrated into the larger corporate structure and is allowed to carry on
substantially as before. Risk and market experts have stated that it’s possible
that the emphasis on short-term delivery is less invasive in European or
Asian nations with more conservative stock exchanges (Coffee, 2001). In
fact, this might make it easier to build integration and conduct more careful
analysis. A comparison study might be beneficial. Therefore, it appears that
true value creation via acquisitions is only attempted in a small number of
actual situations. This means that there is still a clear possibility for true
wealth development. Regardless of what the best-practice literature suggests,
it is very likely that integrating the cultures of two combining firms will not
take place much below the surface in the timescale of integration. This is
true even though merging episodes are frequently given high profile both by
management and in the literature. A parent culture frequently persists with
many people even after a number of years. It could be wiser to accept that
the cultures will continue to have a particular flavor, and that if this is not
acceptable, important staff members may need to be replaced. In any case,
it is necessary to do a thorough analysis of the true importance of this. If
it sounds doable but requires a lot of resources, the pricing should reflect
this. It is obvious that significant post-merger integration will frequently
be a challenging and time-consuming undertaking if it is tried. Therefore,
it would seem logical that this resource and time commitment be used to
counter inflated payments for the target firm as part of a negotiated target
price. This partially solves the issue of shareholder value return, and it might
even be a wise course of action to follow in order to determine how viable
the larger merger or acquisition will actually be.
It has been emphasized that risk management needs to be integrated
throughout the organization for it to be completely effective. In other words,
a program for handling risks generally throughout the organization should
include the assessment and treatment of individual risks developing in
connection with a particular area of the business. This is due to the possibility
that simultaneous occurrence of several risks could multiply their impact.
For instance, if an IT system malfunction occurs at the same time as the
introduction of a new product or service, the impact may be exacerbated.
These interrelationships should be acknowledged and addressed in a risk
management approach. Similar to this, controlling risk needs to be part of
the procedures and guidelines for running the firm as a whole. It should be
utilized in conjunction with more conventional information, such as financial
performance, to guide decision-making. If risk management practices are not
in line with those used elsewhere in the organization, their effectiveness will
be compromised. It should be emphasized once more that risk management
rather than risk reduction or elimination is the ultimate goal. Hazards may
be overcontrolled, as shown by a comprehensive review of risks and how
they are being managed in an organization (Borgelt & Falk, 2007). This
might be especially important in circumstances like competitive tenders for
new business, where an overly strict system of controls might prevent the
organization from reacting rapidly enough to allow success.
The corporate environment (Figure 1.13) in which we live is dynamic.
Other earlier examples related to due diligence and corporate governance,
in addition to the discussion of financial transparency, show how the
complicated regulatory system has evolved. For instance, the Victorians in
England made provisions for company incorporation in order to respond to
the significant changes in corporate structures that occurred during the 19th
century (Wilson, 2006). This resulted in the firm becoming a distinct legal
entity and the development of limited liability. As politicians responded to
scandals and criminal acts periodically committed by different individuals
within companies, as well as perceived shortcomings in the protection of
investors or trying to stop fraudulent activities from happening, these early
developments were modified over time by Parliament. Over the previous
150 years, significant parliamentary acts and fragmentary amendments
pertaining to businesses have been adopted on occasion. It is vital to
understand that directors must lead and advise the company, regardless of
the legal framework in which boards must operate.


Figure 1.13. Corporate environment.

Source: https://cafe24corp.com.ph/img/culture/img_curtureEnvironment_gallery2.jpg.

Compared to most industrialized countries, Britain makes it simpler to
start a company organization. It depends on the firm whether it succeeds
or not, but bureaucracy rarely leads to failure. It can be surprisingly easy
to put the framework in place. We should first think about the kinds of
situations that could expose a trader to personal liability and jeopardize
their own assets. It almost goes without saying that the trader, whether
acting as a lone proprietor, a partner in a firm, or a corporate director,
may be held personally liable for damages sustained by third parties as a
result of dishonest or careless behavior in the course of his business. But
being sincere and responsible does not exclude the possibility of personal
culpability. It is common knowledge that even professional, experienced,
and cautious drivers occasionally exhibit poor judgment or have a brief loss
of focus. The results could be costly and fatal. Although a clean driving
record may persuade the magistrates to be lenient, it is unlikely to lessen
legal liability for physical harm, injury, and death brought on by driver
mistake. In business, it is the same. The restaurant owner whose suppliers
provide wholesome-looking but tainted food that is served to a customer, the
one-man financial advisor who unknowingly offers what proves to be bad
advice, and the international auditing practice who failed to uncover a fraud
concealed deep in the accounts could all be at risk.

Generally speaking, the majority or many partnerships may likely
function well as limited liability businesses, professional rules, regulations,
and constraints notwithstanding. However, some business owners would
rather stay in a partnership than become the directors of their own limited
company, where they would then be viewed as workers by the Inland
Revenue and subject to the corresponding taxes. Another benefit is that,
unlike limited liability organizations, partnerships are not required to file
partnership accounts for public record. A self-employed business partner may
decide that the tax benefits he could receive outweigh the security of being
a shareholder or director of a limited liability company. Perhaps the limited
liability partnership, which sits in between a partnership and a limited liability
company, will evolve more quickly in the future. Personal obligation can be
decreased by the same methods as for a single proprietor, but the caution
to pick partners prudently must be added to the list. Additionally, partners
should be aware of the necessity of diplomatically policing one another.
The lone proprietor frequently evolves into a partnership. The partners come
to the decision that operating the company as a limited liability company
is less expensive overall and thus preferable to paying expensive liability
insurance premiums. They would also like to avoid worrying at night about
keeping the house secure from the business or about having given the house
to the spouse as exclusive ownership with that in mind.
A sensitive subject when talking about risk and organizational challenges
is corporate giving, problems with gifts, and the legal entities involved.
The not-for-profit sector is supported and good work
is encouraged; on the other hand, it is crucial to make sure that money is
used in an open and honest manner. In the UK, the Charity Commission
has expanded the not-for-profit industry into a region that is now more
approachable and has reviewed hybrid legal entities to foster innovation in
the sector, such as charitable corporations. Everywhere a charity operates, as
a general rule in this era of increasing responsibility, clarity over donations
is a concern because corporate assistance is essential to numerous important
facets of the voluntary sector. Giving is both highly effective and tax-
efficient. In the US, for example, this has been true for a while, but in the
UK, the tax ramifications have taken on more significance. Transparency
is therefore crucial when it comes to both the donor and the recipient.
Charities are discovering that there is more public interest from taxpayers
and shareholders in who is donating to charity and why, much as there has
generally been in the US since the stock market collapse.

The relationship between Enron and the foundation linked to the
company’s disgraced former chairman Kenneth Lay (Figure 1.14) is one
notable illustration of the growing interconnections between charities and
corporate donations in the US (Novak, 1997). Due to the complexity of the
agreements and a lack of evidence, it is unknown how much Lay and his
company’s funding of organizations favored by Enron directors contributed
to their success. It is evident that a significant portion of corporate giving is
strategic. Giving eventually has an impact on a business’s financial line. Being
a decent corporate citizen is not enough. Even small businesses should make
sure that their policies regarding donations are transparent in light of the
importance of governance for both companies and non-profit organizations.
Since the giving varies, from small payments to neighborhood community
groups to charity events used as marketing opportunities, many businesses
simply are unaware of the precise amount and source of their charitable
contributions. To ensure that the trend toward increased transparency is
followed, there should be clarity on both sides.

Figure 1.14. Kenneth Lay.

Source: https://upload.wikimedia.org/wikipedia/commons/c/ce/Ken_Lay.jpg.
There are almost daily reports of illegal conduct that is disrupting both
private people and corporate citizens wherever they operate. For instance,
the UK was hit hard by crimes against businesses last year. So, if business
is to become truly organized in its battle against organized crime, more
and more businesses are discovering that establishing a more favorable
connection with governmental institutions, particularly the police, can offer
a healthy path ahead. In order to address these issues, business should in
fact be more creative and, to the greatest extent feasible, stay current with
advancements. Today’s economy can make running a business a challenging
task that necessitates a multidisciplinary approach to problems that were
previously irrelevant or handled by others. Additionally, people in charge
of non-profit organizations need to take into account the risks involved
because there have been instances of charities being used as fronts for
financial crime. However, the majority of the challenges are pertinent to
business in general. The results of the surveys and the above-mentioned
actions demonstrate that economic crime is an issue of growing concern
that affects not just the business community but also the general population
because of its detrimental repercussions. It’s important to dispel the myth
that economic crime has no victims because everyone is affected by its
harmful effects. The results are startling and highlight the need for increased
cooperation between government, business, and consumer organizations.
Additionally, as was already mentioned, economic crime has no bounds
and transcends all geographical and industry borders. It is crucial that the
topic of economic crime is highlighted in industry forums and that there is
closer cooperation between industry bodies and consumers in this age of
technological innovation in order to increase public awareness of the issue.
The trust that companies have in their employees is typically rewarded by
their diligence and commitment, but since employee disengagement by a
single staff member can have serious consequences, this must be prioritized.
For instance, both music and software piracy are serious issues.
Additionally, while teaching management and staff about preventative
techniques is essential, it must be done in tandem with strict and efficient
regulation. There is no doubt that the price of crime and the cost of crime
prevention is significant for business, especially given the global trend toward
increasing economic crime. Businesses experience the cost of crime both
directly and indirectly, for instance, in the form of stolen items and greater
security and insurance costs. All firms, regardless of size and location, must
prioritize increased risk management in order to become more organized
against organized economic crime. There is no question that all interested
parties need to work together more, and that this is a situation that has to be
watched closely and on which expert advice should be sought. In light of the
aforementioned, a major source of concern is the relative lack of attention
paid to the ethical issues faced by small and medium-sized firms. Numerous
business counselors have remarked that an excessive amount of research on
company ethics makes the assumption that all private sector commercial
organizations behave similarly or experience identical issues.
It is therefore surprising that this disparity between large and small
businesses, which operate in various ways, has not been more widely
acknowledged with regard to ethical behavior. Furthermore, it is surprising
that straightforward behavioral codes of conduct, which might improve the
organization’s overall performance and transparency, are not used more
frequently. Commercial dishonesty is illustrated in one straightforward
manner. Business executives should first evaluate their own behavior and
ethics if they want to deter stealing and scamming in the office (“Code
of Business Conduct and Ethics,” n.d.). Of course, they should lead by
example, and this example is crucial for employee morale and behavior in
the workplace. However, practical recommendations that take into account
contemporary corporate practices are sometimes absent. For instance, it
should be noted that in a world where individuals work from home, it is
debatable if the pen needs to be checked in when they leave the office. In
general, not enough is being done to educate staff members and human
resources as a whole on ethical challenges and how to take moral initiative.
Business ethics must be viewed as having a high value in order to be
taken seriously. Therefore, this can only be accomplished if staff members
understand the difference between right and wrong and are given direction
in this area in addition to bottom line justifications. Numerous statistics, for
instance, show that economic crime often begins with workplace discontent.
Once more, a suitable company code is crucial as a tool for long-term risk
management in business.
The ground has obviously changed from that under the old insurance
purchasers in several ways at once, starting with risk management. First,
it’s highly likely that their employer’s organization is undergoing such
significant transformation that the old organization from only a few years
ago and the new organization hardly resemble one another. After mergers,
it will probably be much bigger, and more global. Communications and
computerization have produced new options for marketing, service delivery,
and cost-cutting. The demand for places and people has significantly
decreased as a result of these advances. The emphasis on adding value at
each distinct supply chain level has led to the development of new, crucial
dependencies in third-party organizations that are more difficult to closely
monitor. With these dependencies, the amount of time that can pass without
causing harm is dangerously decreasing. Customers now expect a smooth,
seven days a week service, and there are entirely new hazards as a result of
e-commerce, internationalism, and other factors.
E-commerce (Figure 1.15) is one significant field where the benefits
of the first pioneer are utterly disproportionate to the others (Chen, Liu,
& Li, 2019). Here, fundamental entrepreneurial inclinations are fueled by
ever-more-powerful computers, together with telecommunication and data
mining technologies.

Figure 1.15. E-commerce.

Source: https://www.thestatesman.com/wp-content/uploads/2020/10/iStock-ecomm.jpg.
Therefore, the implication is that contingency planning is merely one of
the risk manager’s options. Risk spending and resources are choices, too,
if reliable, tried-and-true preparations can be made so that the organization
can navigate through an occurrence without suffering major damage. This
is especially true when dealing with low frequency, high impact exposures
and when risk management prevents the organization from doing what it
does best. Finance directors love the fact that subsequent expenses accrued
after the incident are frequently covered by insurance. However, before we
go, it’s crucial to emphasize the need for trustworthy, tried-and-true plans.
The continuity manager, who is tasked with identifying risks and evaluating
them in light of their potential influence on safety as well as the urgency,
survival requirements, and obligations of the organization, is familiar with
all of this. The inclusion of contingency plans for kidnapping, extortion,
bomb threats, suspicion of large fraud, succession planning, media attacks,
product recalls, and other situations should also be made here, in addition
to business continuity plans. Of course, there are similarities between them,
but each plan’s demands must be satisfied. Risk management may not
be able to completely eliminate risk since it is not cost-effective or just
not possible. When all practicable preventive measures have been taken,
continuity planning may be the only remaining option.

1.7. PUBLIC RELATIONS


Some businesses have expended a significant amount of money working
with competent public relations agencies and attorneys to build EHS crisis
management plans. Too many of them, though, simply take the plan and
store it, content in the knowledge that it will be available when needed.
This is incorrect. A crisis should not be the first, or even the second, time
a plan is tested. Furthermore, there just isn’t time during a crisis to study a
strategy, especially a lengthy one, that you aren’t already intimately familiar
with. Companies, both plant people on the scene and senior management,
must respond almost immediately to crises. Everyone involved in managing
an EHS crisis, from the CEO to the process operator on second shift, needs
to be aware of both the plan’s contents and, more crucially, their specific
position in the crisis management procedure. The type of organization
needed to manage an EHS emergency involves careful consideration,
planning, testing, practice, and upgrading. These prospects have been made
possible by new technology, which has sped up and improved business-to-
business and business-to-customer communications. Because of the sheer
size of merging businesses and the encouragement of the internet and more
open marketplaces in the developed world, they are becoming more and
more global. Outsourcing has allowed spin-offs to extract new values from
supply and distribution networks. A modern multinational’s board is focused
on the company’s survival through a potentially devastating calamity. The
replacement of buildings and contents are not the most pressing issues. That
is the comparatively simple part. However, the large organizations of today
have incorporated new and risky sites of exposure into their processes, which,
if and when the risk incident occurs, could eliminate essential dependencies
on which the entire organization depends. In other words, the likelihood of
a quick demise or expulsion from their market has increased, not decreased.
When evaluating an organization, the risk manager should take into account
the expectations of its stakeholders and determine whether the failure to
achieve any of them could result in a single point of potential catastrophic
failure.
As a result, not only have the risks themselves changed, but so has the
likelihood that these new hazards would harm the organization. Furthermore,
the level of damage that may result from old, maybe insurable risks may
be incomparable to anything we could have predicted in the past. Older
business models had the organization’s locations scattered throughout the
host nation so they could be close to their clients. Nowadays, the product
delivery often comes from one or two important technology factories that,
if inoperable, may bring the entire organization to a halt. Additionally,
these factories themselves rely on postage-stamp-sized information and
communication technology (Schweer & Sahl, 2017). As a result, a small
team’s or an individual’s skills may be what an international company
counts on for its whole delivery. The true issue is not the hardware’s loss,
but rather how it is used, the data it contains, and the effects its introduction
has had on the larger production process. It has taken the place of a sizable
number of trained employees who are now simply non-existent. It provides
the fundamental data about the product and the client. It makes the audit
criteria and audit trail credible. It allows other authorized people access and
has the company principles incorporated within its software. Both internally
and publicly, it communicates. Both sensitive information and useful
management data are secured.
The first thing to emphasize is the significance of adequate liability
coverage, both in terms of the scope of coverage and the adequacy of the
limit of indemnity. Liability awards may be many times the organization’s
net asset worth in some cases. In other words, a successful claim coupled
with a breach in insurance coverage could undermine the company’s
very financial soundness and force its liquidation. The inadequacy of the
limit of indemnity may not be the main cause of such insurance failure.
Exclusion clauses will be present in policies. Claims filed in American
or Canadian courts may be excluded as one exclusion, and any goods or
services provided to the aviation sector may be excluded as another (Salter,
2008). Policies may also contain warranties stipulating that particular
actions or restrictions be followed in order for the coverage to continue in
effect. The responsibility of the risk manager is to keep track of the specific
actions taking place within the organization and make sure they adhere to
the terms of the insurance policies, which is in fact a matter of corporate
survival. Finally, it’s important to keep in mind that liability insurance can
never provide protection against intentional misconduct. Insurance policies
for material damage may be able to cover the costs necessary to start the
rebuilding process. Before the factory or office can resume operations as
normal, however, the actual task of rebuilding must pass through several
stages. It’s necessary to clean up the area. The design of the new facility must
then be decided, and planning approvals are almost certainly required. The
tender document cannot be created until after estimates have been collected,
discussed, and decided. After that, there is a delay until the construction
companies or the manufacturers of the machinery can get to work, and
then another delay until the buildings are finished and delivered. Except
for the uncommon application of business interruption policies, which have
shortcomings that have already been mentioned, material damage insurance
does not provide any aid in addressing delivery issues during this delay.

CHAPTER 2
FUNDAMENTALS OF RISK
MANAGEMENT

CONTENTS
2.1. Introduction
2.2. Risk
2.3. Hazards
2.4. Risk Matrix
2.5. Risk Management
2.6. Attitude and Risk
2.7. Compliance
2.8. Enterprise Risk Management
2.9. Risk Criteria
2.10. ERM
2.11. Operations


2.1. INTRODUCTION
In order to clearly oversee and govern the risks that are thought to be material
to its business and to continuously monitor its operational environment for
new hazards. The strategy aims to make sure that a defined risk appetite is
established that strikes a balance between opportunities and risks to help the
organization accomplish its strategic goals (Bojanić, Nerandžić, Stevanov,
& Gračanin, 2022). The board is in charge of developing the group’s risk
appetite, defining the risk framework, and making sure that risk controls are
incorporated into management’s operational strategy. The audit committee is in
charge of evaluating the efficacy of the existing risk management systems
and conducting an impartial examination of the risk mitigation strategies
created for significant risks. The purpose of the monthly meetings of the risk
committee is to perform a thorough evaluation of the risk register and make
sure that management is doing an effective job of identifying and managing
risks when they come up (Figure 2.1).

Figure 2.1. Fundamentals of risk management.

Source: https://46ev833n9u2l3zs8zp44sst3tpr-wpengine.netdna-ssl.com/wp-content/uploads/2019/03/1.-Figure-Risk-Management-Flow-Simple.png.


To ensure that risks are detected promptly and that appropriate action plans
are put in place, the committee holds working sessions with departmental
and divisional management. In order to guarantee that risk registers are
complete, this strategy makes sure that risk is identified both top-down and
bottom-up from the various management levels of the business. The risk
committee is assisted by group internal audit, which carries out independent
evaluations of the business’s risks and its progress in implementing the
mitigating action plans set forth for any pertinent risks (Bozkus & Caliyurt,
2018). The status of these reviews is communicated to the risk committee
on a monthly basis.
An event must happen for a risk to manifest. So perhaps the simplest
definition of a risk is an unplanned event with unforeseen repercussions.
If the focus is on occurrences, the risk management approach is likely to
become more transparent. Think about what may interfere with a theatrical
performance, for instance. Power outages, the absence of a key actor,
considerable transportation problems or road closures that delay audience
arrival, as well as a sizable staff illness are some of the occurrences that
could create interruption. The management must decide what to do after
identifying the potential performance-disturbing incidents to lessen the
likelihood that one of them would result in the cancellation of a performance.
This examination by the administration is an illustration of risk management
in action.

2.2. RISK
Risk can result in either positive or negative outcomes, or it can only
create uncertainty. As a result, risks may be thought of as being connected
to an opportunity, a loss, or the existence of uncertainty for a business. Every
risk has unique characteristics that call for specialized management or
investigation. Risks are categorized into four groups: hazard (or pure) risks,
control (or uncertainty) risks, opportunity (or speculative) risks, and compliance
(or required) risks. Organizations will generally aim to reduce compliance
risks, mitigate hazard risks, manage control risks, and accept opportunity
risks. It’s crucial to remember that there is no correct or wrong way to divide
up risks. Perhaps more frequently, risks are divided into two categories:
pure risks and speculative risks. Indeed, there are numerous arguments over
terminology used in risk management. Regardless of theoretical debates,
it is crucial that an organization choose the risk classification system that
is most appropriate for its particular set of circumstances. There are certain
dangerous situations that can only end badly. These risks, which can be
categorized as operational or insurable risks, are hazard risks or pure risks.
Organizations will typically have a tolerance for hazard risks, and these
risks need to be controlled within the organizationally acceptable limits
(Black & Baldwin, 2010). Theft is an excellent illustration of a hazard risk
that many firms deal with. There are various risks that cause uncertainty
regarding how a scenario will turn out. These are typically related to project
management and are referred to as control risks. Organizations generally
dislike taking on control risks. Uncertainties can be linked to the project’s
advantages as well as the completion of the project on schedule, within budget
specifications. To make sure that the results of the business activities fit
within the desired range, the management of control risks will frequently be
implemented. The aim is to lessen the discrepancy between expected results
and actual results. In order to generate a profit, companies also consciously
assume risks, particularly those related to the market or the economy. These
risks can be categorized as speculative or opportunity risks, and a company
will have a particular appetite for taking such risks. Opportunity risks have
to do with how risk and return are related (Lenz, 2016). The goal is to take
risky action in order to acquire benefits. Opportunity risks will be geared
toward investing.

2.3. HAZARDS
Hazard risks (Figure 2.2) are connected to a source of possible harm or a
circumstance that has the potential to adversely affect objectives, and hazard
risk management is focused on minimizing the potential impact (Yeung &
Morris, 2001). The most frequent risks connected to operational risk
management (ORM), including programs for workplace health and safety,
are hazard risks. Unknown and unforeseen events are linked to control risks.
They are occasionally referred to as uncertainty risks, and it can be quite
challenging to quantify them. The use of strategies and project management
are frequently linked to control risks. In certain situations, it is obvious that
certain things will happen, but it is difficult to anticipate and regulate exactly
what those things will lead to. As a result, the strategy is built on controlling
the ambiguity around these events’ potential effects and consequences.
Opportunity risks can be divided into two categories. While there are
risks and dangers involved in taking advantage of an opportunity, there are
also risks involved in passing it up.


Figure 2.2. Hazard risks.

Source: https://www.securingpeople.com/wp-content/uploads/2019/09/BPS_Enterprise_Risk_Chart.jpg.
Opportunity risks (Figure 2.3) are sometimes of a financial nature and
may not be obvious or readily evident. Even while opportunity risks are
taken with the hope of getting a good result, there is no guarantee of this.
Nevertheless, the main strategy is to seize the chance and any accompanying
dangers. Small firms face opportunity risks from moving to a new location,
buying new land, expanding, and diversifying into new goods (Luo & Tung,
2007). The usage of computers as an example aids in clarifying the differences
between compliance, hazard, control, and opportunity risks. Compliance
risks come from the requirement to operate a computer system in line with
specific legal standards, particularly those pertaining to data protection.
A virus attack on the organization’s software programs is a hazard risk:
the organization will not gain from it. Control risks are related to the upgrade project when
a business installs or upgrades a software product. The decision to install
new software is also an opportunity risk because the goal is to improve
results; nevertheless, it is possible that the new software may not provide
all of the capabilities for which it was designed and that the opportunity
benefits will not materialize. In reality, the organization’s operations could
be seriously harmed if the new software system’s functionality fails. It is
crucial to comprehend the full extent of each and every risk that has been
noted. This is the inherent level of the risk: its level before any steps are
taken to alter its likelihood or severity. Although there are benefits to knowing
the level of risk that is inherent, for some risks it is difficult to do so
in practice. The relevance of the implemented control measures can be
determined by defining the inherent level of risk. The IIA has historically
held the position that determining the risk’s inherent level should be the first
step in the assessment of all risks. According to prior IIA guidelines, “we
look at the inherent hazards in the risk assessment before evaluating any
controls.” The goal of any risk assessment remains the same, despite the
heated argument over whether to conduct it at the inherent or current level.
Its purpose is to determine what is thought to be the current level of risk and
to list the major safeguards in place to make sure that it is really maintained.
A risk matrix is frequently used to display the underlying risk level in terms
of likelihood and size (Anthony (Tony), 2008). Once the control or controls
have been implemented, the risk’s residual or current level can then be
determined. The risk matrix may clearly show the work needed to minimize
the risk from its inherent level to its current level.

Figure 2.3. Opportunity risks.

Source: https://www.journalofaccountancy.com/content/dam/jofa/archive/issues/2008/06/creating-growth-exhibit1.gif.


The inherent amount of risk may also be referred to as the absolute
risk or gross risk depending on the context. The residual level, net level, or
managed level of risk are other terms frequently used to describe the current
degree of risk. The classification can also be done on the basis of the risk’s
origin. In this situation, a risk could be categorized in terms of where it came
from, such as counterparty risk or credit risk. To further categorize risks,
take into account the impact’s type. While some risks may have an adverse
effect on the organization’s finances, others may have an adverse effect on
its operations or physical infrastructure. Furthermore, risks may have an
effect on the company’s standing and perception in the market, as well as
its reputation and position. Additionally, risks may be categorized based on
the aspect or function of the company that will be harmed. For instance,
risks can be categorized based on whether they will affect people, places,
processes, or things. Determining whether the risks will be categorized in
accordance with the source of the risk, the component impacted, or the
consequences of the risk materializing is crucial for organizations when
choosing their risk categorization system. Depending on the type of business
and its activities, each organization will choose the risk classification system
that best suits them. Additionally, a lot of risk management frameworks
and standards recommend using a certain system for classifying risks. If
the organization accepts one of these standards, it will likely adhere to the
suggested classification scheme. The risk classification system chosen must
be completely appropriate for the organization in question (Schwartz &
Davis, 1981). There isn’t a single classification scheme that meets the needs
of every organization. To fully comprehend each risk’s possible impact, it is
likely that it will be necessary to classify it in a number of different ways.

2.4. RISK MATRIX


The easiest way to illustrate risk likelihood and magnitude is through a risk
matrix. Risk matrices (Figure 2.4) can be generated in a variety of ways. A
risk matrix is a very useful tool for risk management practitioners, regardless
of its structure (Woods, 2009). The fundamental risk matrix shows the
probability of an event against the size or impact, should the event actually
occur. This approach is frequently used to depict risk likelihood and the size
(or gravity) of the event, should the risk manifest. A crucial risk management
tool is the usage of the risk matrix to show risk likelihood and size. To define
whether a risk is acceptable and within the organization’s risk appetite and/
or risk capability, the organization might utilize the risk matrix to depict
the characteristics of individual risks. Probability is displayed on the
horizontal axis. The term likelihood is used instead of frequency because the
word frequency implies that events will definitely occur and that the risk
matrix simply records how often they do. The term likelihood
has a wider definition that covers frequency as well as the chance that
an unexpected event would actually occur. However, the word probability
will frequently be used to express the likelihood of a risk materializing in
risk management literature. It is not acceptable for enterprises to be in a
situation where unanticipated events result in monetary loss, disruption of
routine business operations, reputational harm, and loss of market presence.
Stakeholders increasingly anticipate that organizations will fully account
for the risks that could result in business interruption, project delays, or
strategy failure. An individual risk’s exposure can be described in terms of
the possibility of the risk occurring and the impact of the risk if it does.
The likelihood of an impact will rise along with the level of risk exposure.
A collection of risk criteria may be used to describe the risk appetite.
Hazard risks undermine objectives, and the severity of such risks is a gauge of
their importance. The management of hazard risks has the oldest history and the
most fundamental roots in risk management. The management of insurable
risks and hazard risk management are closely related. Keep in mind that a
hazard risk can only result in harm (Young & Tomski, 2002).

Figure 2.4. Risk matrices.

Source: https://www.business2community.com/wp-content/uploads/2019/08/Risk-Matrix.jpg.
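
A risk register plotted on a likelihood-by-magnitude matrix, showing each risk at its inherent level and at its current (residual) level against a risk appetite. This is an added example, not material from the book: the risks and controls are ones this chapter names, but the 1-5 scales, the likelihood × magnitude score, the band thresholds, the appetite value and the effect assigned to each control are assumptions.

```python
"""Risk register scored on a likelihood x magnitude matrix (constructed example)."""
from dataclasses import dataclass, field

SCALE = range(1, 6)   # assumed 5-point scale on both axes
APPETITE = 9          # assumed: highest residual score the organization accepts


@dataclass(frozen=True)
class Control:
    name: str
    likelihood_cut: int = 0   # assumed steps this control removes from likelihood
    magnitude_cut: int = 0    # assumed steps this control removes from magnitude


@dataclass
class Risk:
    key: str                  # one-letter tag used when plotting
    name: str
    category: str             # compliance, hazard, control or opportunity
    likelihood: int           # inherent level, before any control
    magnitude: int
    controls: list = field(default_factory=list)

    def __post_init__(self):
        if self.likelihood not in SCALE or self.magnitude not in SCALE:
            raise ValueError(f"{self.name}: ratings must be between 1 and 5")

    def inherent(self):
        return (self.likelihood, self.magnitude)

    def residual(self):
        """Current level once every listed control is applied (floor of 1)."""
        lik = self.likelihood - sum(c.likelihood_cut for c in self.controls)
        mag = self.magnitude - sum(c.magnitude_cut for c in self.controls)
        return (max(1, lik), max(1, mag))


def score(cell):
    return cell[0] * cell[1]


def band(cell):
    """Assumed banding of the 25 cells into three zones."""
    s = score(cell)
    return "high" if s >= 15 else "medium" if s >= 8 else "low"


def assess(register, appetite=APPETITE):
    """Per risk: inherent and residual score, work done by controls, appetite check."""
    rows = {}
    for r in register:
        inh, res = score(r.inherent()), score(r.residual())
        rows[r.key] = {
            "inherent": inh,
            "residual": res,
            "reduction": inh - res,
            "band": band(r.residual()),
            "within_appetite": res <= appetite,
        }
    return rows


def render(register, width=8):
    """Text matrix: likelihood on the horizontal axis, magnitude on the vertical.
    'Xi' marks risk X at its inherent level, 'Xr' at its residual level."""
    cells = {}
    for r in register:
        cells.setdefault(r.inherent(), []).append(r.key + "i")
        cells.setdefault(r.residual(), []).append(r.key + "r")
    lines = []
    for m in reversed(SCALE):
        row = "".join(" ".join(cells.get((l, m), ["."])).center(width) for l in SCALE)
        lines.append(f"M{m} |{row}")
    lines.append("    " + "".join(f"L{l}".center(width) for l in SCALE))
    return "\n".join(lines)


# Constructed register; ratings and control effects are illustrative only.
SAMPLE_REGISTER = [
    Risk("F", "Server room fire", "hazard", 2, 5,
         [Control("tested continuity plan", magnitude_cut=2)]),
    Risk("V", "Virus infection", "hazard", 4, 4,
         [Control("staff training on prevention", likelihood_cut=1)]),
    Risk("T", "Theft and fraud", "hazard", 4, 3,
         [Control("separation of financial responsibilities", likelihood_cut=1),
          Control("pre-employment screening", likelihood_cut=1)]),
    Risk("U", "Software upgrade project", "control", 3, 3),
]

if __name__ == "__main__":
    print(render(SAMPLE_REGISTER))
    for key, row in assess(SAMPLE_REGISTER).items():
        print(key, row)
```

In the constructed register the virus infection risk stays above the assumed appetite even after its control, which is the kind of gap the matrix is meant to expose.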


2.5. RISK MANAGEMENT


Hazard risk management (Figure 2.5) addresses problems including
workplace health and safety, preventing fires, avoiding property damage,
and dealing with the effects of faulty products (Bründl, Romang, Bischof,
& Rheinberger, 2009). Hazard risks can interfere with daily operations and
result in higher expenses and negative PR from disruptive incidents. Risks
associated with hazards are connected to company dependencies, such as IT
and other auxiliary services. Most firms are becoming more and more reliant
on their IT infrastructure, and IT systems are susceptible to disruption from
computer failure, server room fires, virus infections, and malicious hacking
or computer attacks. For many firms, theft and fraud can also pose serious
risk factors. This is true for businesses that deal in cash or oversee a large
volume of financial transactions.

Figure 2.5. Hazard risk management.

Source: https://slideplayer.com/4893322/16/images/slide_1.jpg.
Adequate security protocols, the separation of financial responsibilities,
authorization, and delegation procedures, as well as the pre-employment
screening of workers, are all significant prevention methods for theft and
fraud. It is worthwhile to consider terminology, since this matters in
relation to hazard risks should an event occur. If a hazard risk
materializes, it might have a very significant impact. The organization
will be affected by this major event in terms of potential financial losses,
infrastructure damage, reputational harm, and the incapacity to operate in
the market. The risk’s gross or inherent level is represented by its magnitude.
A large-scale catastrophe of this nature might not have much of an
effect on the organization’s finances if it results in a huge financial loss
that is insured (Han & Nigg, 2011). Finally, it is important to recognize
the significance of compliance concerns. For many firms, especially those
in highly regulated industries, compliance risks can be significant. Another
characteristic of risk and risk management is that firms frequently take risks
in order to reap rewards. A company will introduce a new product because
it thinks that good marketing will result in more profits. The company will
risk resources when introducing a new product since it has determined that
taking some risk is acceptable. The value at risk is a representation of the
organization’s risk tolerance in relation to the activity it is engaging in. When
an organization takes this kind of risk, it should do so fully aware of the risk
exposure and confident that the level of risk exposure is acceptable to the
business. More crucially, it should make sure it has the resources to cover the
risk exposure. In other words, the organization’s ability to
bear any anticipated negative outcomes should be clearly established, the
risk exposure should be assessed, and the appetite to take that degree of risk
should be affirmed. Not all commercial endeavors will yield the same return
for the same degree of risk. Start-up businesses (Figure 2.6) frequently carry
a high level of risk and may have low initial expected returns.

Figure 2.6. Start-up businesses.

Source: https://ddi-dev.com/uploads/swot.png.
Risks must be considered in the context in which they first surfaced.
When a board has decided that an opportunity should not be passed up, it
may look as if an organization is taking excessive risks. The opportunity’s
significant risk component, however, might not have been completely taken
into account. Making sure that strategic decisions that seem high risk are
actually made with all of the information available is one of the primary
contributions of effective risk management. One of the main advantages
of risk management is an increase in the robustness of decision-making
processes. The organization’s risk appetite and attitude toward risk are
closely linked but not the same concepts (Aquino & Douglas, 2003). Risk
appetite and risk attitude both reflect how a company views risk over
the long term and the short term, respectively. This is comparable to the
distinction between a person’s current hunger for food and their long-term
or established attitude toward the food they eat. The maturity cycle stage is
another important aspect that will impact the organization’s attitude toward
risk. A more proactive approach toward risk is needed for a start-up company
than it is for one that is growing or one that is an established company in a
well-established industry. In mature markets where a business is in decline,
there will be a considerably more risk-averse attitude toward risk. It is
frequently argued that certain high-profile business people are very good at
entrepreneurial start-ups but are not as successful in managing established
firms, since the attitude toward risk must differ depending on whether a
company is a start-up operation or a mature organization.
Overall, the UK government’s challenge is to maintain the UK economy’s
prosperity based on a Brexit plan (Figure 2.7) and other measures that will
maintain the UK’s resilience (Billing, McCann, Ortega-Argilés, & Sevinc,
2021). Risk is sometimes referred to as result uncertainty. This term, while
a little technical, is nonetheless helpful and is especially relevant to the
management of control risks. The most challenging risks to recognize and
quantify are control risks, which are frequently connected to projects. A
project’s overarching goal is to provide the required results on schedule,
within budget, and in accordance with the project’s specifications for quality
or performance. More details on the nature of the conditions will become
available as the construction work progresses. Alternatively, it might
be found that the earth is contaminated, weaker than anticipated, or that
there are other potentially harmful circumstances, including the discovery
of ancient remains. Given this uncertainty, these risks ought to be viewed
as control risks, and the project’s overall management ought to take the
uncertainty of these various risk types into account. The project manager
shouldn’t expect that only negative features of the ground conditions would
be found. The project manager should also avoid assuming that things will go
more smoothly than anticipated just because they want to. Because control
risks introduce uncertainty, it’s possible to assume that an organization will
dislike them.

Figure 2.7. Brexit plan.

Source: https://www.onepager.com/community/blog/wp-content/uploads/2016/06/Brexit.png.
Analysis of an organization’s risk exposure (Figure 2.8) can be done
very effectively by categorizing risks according to their long, medium, and
short-term impacts. These risks will be connected to the organization’s
strategy, tactics, and operations, in that order. Risks might be viewed in
this sense as being connected to things like occurrences, changes in the
environment, actions, or choices. Strategic choices therefore have an impact
on long-term risks. When the decision is made to introduce a new product,
it may take some time before the outcome of that choice becomes clear. The
impact of medium-term risks often manifests a year or so after the event
or decision, depending on the circumstances. Medium-term hazards are
frequently connected to specific projects or work programs. For instance,
choosing a computer system is a long-term or strategic choice if new
computer software needs to be installed. The endeavor to implement the
new software, however, will include medium-term decisions with medium-
term risks. Short-term dangers start to affect you as soon as the incident
happens. Short-term hazards include theft, fire, road accidents, workplace
accidents, and other occurrences that have an immediate impact and lasting
effects. These short-term risks disturb regular, effective operations right
away and are probably the simplest types of risks to recognize, manage, or
minimize. Despite the uncertainty surrounding the precise timing, amount,
and impact of insured occurrences, insurable risks are frequently transient
hazards. In other words, insurance is made to offer defense against risks
with immediate repercussions. When it comes to insurable risks, the event’s
nature and effects may be known, but its timing is uncertain. In fact, when
the insurance coverage is purchased, it is unknown whether the incident will
happen at all.

Figure 2.8. Organization’s risk exposure.

Source: https://pm-training.net/wp-content/uploads/2021/11/Organizational-Risk-Exposure-Types.png.

2.6. ATTITUDE AND RISK


If risk management is to contribute as much as possible within a company,
there needs to be a shared language of risk. The organization will be able to
establish a shared understanding of risk and attitude toward risk by using a
single language (Gilmore, Carson, & O’Donnell, 2004). The agreement on
a risk classification system, or succession of such systems, is a necessary
step in creating this shared vocabulary and sense of risk. Consider someone
who is assessing their financial situation and the hazards they currently face.
It’s possible that generating enough money and controlling spending are the
main financial dependencies. An evaluation of the risks to pension plans, real
estate ownership, and other investments should be part of the examination.
The dangers of noncompliance here concern the responsibilities of owning
and operating a vehicle under the law (Frederiksen, 2018). The owner does
not want the events that pose a risk to occur. The costs that are known to
be involved in uncertainty can change. The advantages of owning a car are,
finally, the opportunities. Organizations take some risks voluntarily in order
to accomplish their goals. These risks are frequently business or market risks
that have been taken with the hope of making a profit. Alternative terms for
these opportunity risks include commercial, speculative, or business risks.
Opportunity risks are the kind of risk that have the potential to improve the
accomplishment of the organization’s mission. These are the risks connected
to seizing business opportunities. Every firm has a desire to take advantage
of possibilities and a willingness to invest in them. The organization will
continually strive for effective and efficient operations, tactics, and strategy.
Opportunities can also be created through increasing the effectiveness of
operations and putting change efforts into place, although opportunity risks
are typically linked to the development of new or modified strategies.
Each firm will need to determine its hunger for capturing new
possibilities and the necessary amount of commitment. For instance, a
company can be aware that the market needs a new product that it can create
and deliver. It may not be able to implement that approach if the company
lacks the means to produce the new product, and it would be foolish for it
to pursue such a potentially dangerous course of action. The decision to
take advantage of the apparent opportunity will be made by the company’s
management. The organization may have that appetite, but that does not
necessarily mean it is the right thing to do. The company’s board should be
cognizant of the possibility that, despite their desire to seize the opportunity,
the organization may not have the risk tolerance to sustain that course of
action. The goal of opportunity management is to maximize the advantages
of taking entrepreneurial risks. Businesses will be willing to take investment
risks in opportunity. Strategic planning and opportunity management are
clearly related (Calantone, Garcia, & Dröge, 2003). The target is to increase
the possibility that investments in business opportunities will produce a
major positive consequence. It is generally agreed upon that organizations
should have zero tolerance for health and safety concerns and should take all
necessary steps to remove them. In reality, this is not feasible, and businesses
will reduce safety hazards to the minimum that still complies with the law
and is cost-effective. For instance, it is technically possible to fit trains with
an autonomous braking system to prevent them from running red signals.
However, the railway operating corporation might consider this to be an
excessive investment. The organization’s risk exposure or hazard tolerance
may be viewed as being affected by the effects of trains running past red
lights, yet the expense of installing an automatic braking system may be
viewed as being unreasonably costly. Theft is a less emotional illustration.
Most businesses will experience a small amount of petty theft, which may
be manageable. Businesses operating in an office setting, for instance, may
experience some stationery theft, such as the loss of paper, envelopes, and
pencils. It may be more expensive to prevent this small-scale theft, thus
the organization finds it more cost-effective to accept that these losses will
happen.

2.7. COMPLIANCE
All enterprises will be aware of the extensive range of compliance criteria
that they must meet (Gunningham, Thornton, & Kagan, 2005). These
regulatory standards differ greatly amongst company sectors, and many are
heavily regulated with a specific regulator for the sector or industry. For
instance, most nations throughout the world set strict regulatory restrictions
on businesses engaged in the gambling or gaming industries. The regulator
may revoke the license to operate if the required regulatory conditions are
not met. This drastic response by a regulator could lead to the organization’s
eventual departure. All businesses that deal with money are obligated to
implement policies to lessen the likelihood of money-laundering operations
being carried out. Banks and other businesses that deal with large sums of
cash must implement anti-money-laundering procedures and, frequently, appoint
a top executive who is solely focused on this issue. Compliance issues are
important and can be difficult in the insurance sector (Baker & Griffith,
2007). Compliance problems pose special challenges when an insurance
policy is issued in one nation to safeguard assets or pay liabilities in another
nation. If an unapproved form of insurance or illegal insurance policies have
been issued, failure to comply with all requirements may result in insurance
claims not being paid or, in the worst-case scenario, being illegal in a certain
country.
There are still many regulatory standards that must be met by
organizations even if there aren’t specific regulators for that area of the
economy or industry. Most nations across the world, in particular, have
health and safety regulations that impose duties on organizations to protect
the welfare and health of workers and other people who may be impacted by
their job activities. These safety criteria typically cover not only locations
within the organization’s direct control, but also the health and safety of
employees working abroad. Organizations with cars will also be subject to
certain road safety requirements, particularly if they transport persons or
hazardous materials (Sheffi, 2001). Risk management has several different
historical roots and is used by many different types of professions. One
of the earliest innovations in risk management came from the handling
of insurance in the United States. Because insurance in the 1950s was so
expensive and had such a narrow scope of coverage, risk management
became more common and better coordinated (Dionne, 2013). Companies
understood that buying insurance alone was not enough to ensure the safety
of both persons and property. As a result, insurance buyers started to worry
about the level of property protection, health, and safety regulations, product
liability problems, and other risk management difficulties.
In Europe throughout the 1970s, a combined approach to risk finance and
risk control emerged, and the notion of total cost of risk gained significance
(Allen & Santomero, 2001). As this strategy gained traction, it also became
clear that corporations faced several risks that could not be insured. There
have been institutionalized disciplines of risk management for at least 100
years. Its early roots can be found in the specialized field of insurance,
which has a long and illustrious history. The demand for risk control
criteria grew as insurance got more regulated and structured, particularly
in regard to the insuring of cargo being moved by ships throughout the
globe. Education programs to support the growth of risk management as
a profession emerged as risk management grew more established. At this
time, risk management laws related to corporate governance started to
emerge, and different regulators received more power in regards to certain
risks as well as in regards to certain business sectors. During the 1980s,
the development of risk management credentials became more formally
structured (Knechel, 2007). Risk management standards have emerged as a
result of increased risk management knowledge and expertise, as well as a
more organized regulatory approach. Particular risk management strategies
have also developed in certain sectors, such as the banking sector, in addition to
the generic risk management guidelines applicable to all industries. A higher
level of risk management maturity is expected of financial organizations, as
evidenced by the establishment of regulated capital requirements for banks
and insurance companies.

In the 1950s, the American business risk management function expanded
to include choices about buying insurance (Bertinetti, Cavezzali, &
Gardenal, 2013). The importance of contingency planning to organizations
increased in the 1960s. Beyond risk financing, loss prevention and safety
management also received attention. Self-insurance and risk retention
procedures emerged within corporations in the 1970s. Additionally, captive
insurance firms began to emerge. Business continuity plans and catastrophe
recovery plans later evolved from contingency plans. Occupational health
and safety practitioners’ use of the risk management strategy underwent
significant changes at the same time in the 1960s and 1970s. The use of risk
management strategies in project management advanced significantly in the
1980s. Throughout the 1980s, financial institutions continued to refine how
to apply risk management tools and procedures to market risk and credit
risk. The financial institutions expanded their risk management programs
throughout the 1990s to incorporate methodical evaluation of operational
hazards. Treasury departments also started to adopt the financial approach to
risk management in the 1980s (Bezzina, Grima, & Mamo, 2014). The need
for better coordination between insurance risk management and financial
risk management policies was acknowledged by finance directors. Risk
finance solutions that integrated insurance and derivatives first appeared in
the 1990s.
A discipline that is continuously growing and changing is risk
management. Risk management has strong ties to the credit and treasury
operations in addition to its roots in the insurance sector and other areas of
hazard management. Several departments inside major firms, including tax,
finance, human resources, procurement, and logistics, will have a sizable risk
management component to their operations. However, experts in those fields
are unlikely to view their work as merely a subset of the risk management
discipline. Health and safety at work may be one of the most well-known
and specialized fields of risk management. Planning for catastrophe recovery
and business continuity is another area of expertise. By making certain
that important dependencies are analyzed, tracked, and reviewed, risk
management can enhance the management of an organization’s essential
activities. Tools and approaches for risk management will help in managing
the hazard, control, and opportunity risks that could have an impact on
these critical dependencies. The practice known as enterprise or enterprise-wide
risk management (ERM) is another area where the risk management
discipline has advanced recently (Simkins & Ramirez, 2007). The
primary characteristic that sets ERM apart from what would be called more
conventional risk management is the more holistic or integrated approach
used in ERM. It can be seen as a concept that unifies the management of all
risks in various ways rather than as a novel or innovative strategy.

2.8. ENTERPRISE RISK MANAGEMENT


An organization is beginning an enterprise risk management (Figure 2.9)
approach when it takes into account all of the risks it confronts and how
these risks could affect its strategy, projects, and operations. If a person
depends on a specific prescription, it is crucial that the medication be always
available. If the pharmaceutical business adopts this strategy, it will examine
all potential risks that could have an impact on this crucial procedure or
stakeholder expectations. Analysis of the supply chain, assessment of the
manufacturing processes, and review of the delivery arrangements will all be
part of this. What could stop the constant delivery of drugs is the main query
that needs to be addressed. Ingredient scarcity, manufacturing interruption,
product contamination, a breakdown in supply transportation plans, and
distribution disruption are all risks to the continuous supply. There are several
charities and volunteer organizations in the majority of the nations. The
directors or trustees of these organizations should be highly concerned and
aware of risk management, which is understandable and quite appropriate.
But it’s frequently said that trustees are more focused on risk management
and good governance than they are on generating money for the charity
they support. The causes that the charities are supporting would suffer if the
organization’s operations were paralyzed by this risk management concern.
Risk management professionals should value the contribution that alternative
approaches to risk management can make as their level of sophistication
rises and they become aware of them. Operational risks that are insurable
or hazard risks might have an immediate effect. Therefore, the primary goal
of the initial implementation of risk management concepts was to assure
that regular, effective operations would continue. Project management and
the execution of programs to improve key business processes have become
increasingly important as risk management has grown (Bojanić et al., 2022).
Processes must be both efficient and effective in that they provide the desired
results. For instance, having an effective software program is of limited use
if it cannot do the necessary variety of functions.


Figure 2.9. Enterprise risk management.

Source: https://www.nexigroup.com/content/dam/corp/img/sustainability/enterprise-risk-management/roles-and-responsibilities/ERM-process_notext.png.
The most crucial choices a company must make are strategic ones. Better
information is delivered through risk management, allowing for the more
confident execution of strategic decisions. An organization must be able
to achieve the desired goals with the plan it chooses. There are numerous
instances of corporations that chose the wrong strategy or failed to implement
the chosen strategy effectively. Numerous of these businesses experienced
corporate failure. When technological advancements or shifts in consumer
expectations occur, as is frequently the case with grocery shops, strategic
decisions are frequently the most challenging. The goal of strategy should be
to seize chances. For instance, a sports club might recognize the opportunity
to increase product sales to its current clientele. Some organizations will set
up a travel agency and offer related travel insurance to their supporters who
travel abroad. Additionally, a club credit card could be established and run
by a fresh financial division (Zumello, 2011).


Any hazard event’s outcome will be less detrimental with the help of
hazard management. Insurance (Figure 2.10) serves as a technique for
limiting the financial cost of losses when a risk materializes in the context of
hazard management. Techniques for risk management and loss management
will cut down on anticipated losses and guarantee that overall costs are kept
in check. The organization’s risk tolerance will inevitably decrease as a
result of the combination of insurance and risk control/loss management
lowering the actual cost of hazard losses. The organization’s risk capacity
will then be more readily available for opportunity investment. The variety
of potential outcomes from any event is reduced via control management.
Internal auditors’ well-established methods of internal financial control
serve as the foundation for control management. The major goal is to lessen
losses brought on by ineffective control management while also narrowing
the range of potential outcomes. This is the contribution internal control
should make to an organization’s overall risk management strategy. The goal
of opportunity management is to increase the likelihood and importance of
favorable outcomes. The company should consider opportunities to boost
sales of the good or service as part of its opportunity management strategy
(Figure 2.11).

Figure 2.10. Insurance.

Source: https://www.researchgate.net/publication/268259388/figure/fig3/AS:669396536131584@1536607979033/The-major-players-in-insurance-business.png.


Figure 2.11. Opportunity management strategy.

Source: http://wiki.doing-projects.org/images/f/f1/Pyramid.png.
Opportunity management should make it easier to give better value
for money in not-for-profit organizations. The most crucial thing to stress
is how critical it is to have top management’s backing and, preferably, a
board member’s sponsorship. A plan for implementation is also required to
address the doubts of the workforce and other stakeholders. Although risk
management is essential to an organization’s performance, many managers
might need to be convinced that the advised implementation strategy is
the best one. It’s vital to remember that not all actions and responsibilities
conducted by managers should be attributed to risk management by the risk
manager. Even while risks are inherent in all choices, processes, procedures,
and activities, not all actions inside the business will be guided by risk
management (Lavastre, Gunasekaran, & Spalanzani, 2012).
There are numerous risk management frameworks (Figure 2.12) and
standards that have been developed by numerous businesses. It is widely
accepted that a standard is a written document that provides information
on both the risk management framework and process. It is mentioned in
many risk management standards that risk management activities should be
carried out in the context of the organization, the business environment, and
the risks that the organization faces. A framework is needed to implement
and assist the risk management process in order to explain and define the
context. The risk management context should be taken into account when
conducting risk management activities. The risk management framework is
mentioned in all of the published risk management standards, despite the fact
that it is depicted in various ways. The acronym RASP (risk architecture,
strategy, and protocols) has been created in order to give a clear description of
the extent of the risk management framework (Nel & Jooste, 2016). For risk
management efforts to be successful, these three elements (risk architecture,
strategy, and protocols) must be present. Prior to defining the framework that
supports the risk management process, there must be a clear understanding
of the process itself. The risk management framework must make it easier
for people to communicate and exchange information about risks in order
to implement and support the risk management process. Two distinct factors
are taken into account in the risk management framework. It must, first and
foremost, support the risk management process and, second, make sure that the
process’ outputs are shared within the business and result in the benefits that
the organization expects. An organization would need to build up a framework
that encompasses the structure, responsibilities, administration, reporting, and
communication components of risk management if it chooses to adhere to the
IRM risk management standard (Raz & Hillson, 2005) (Figure 2.13).

Figure 2.12. Risk management frameworks.

Source: https://upload.wikimedia.org/wikipedia/commons/thumb/4/47/Risk_Management_Framework.svg/779px-Risk_Management_Framework.svg.png.


Figure 2.13. IRM risk management standard.

Source: https://www.researchgate.net/profile/Barbara-Adams-3/publication/235184165/figure/fig4/AS:393539851702279@1470838620383/Examples-of-the-drivers-of-key-risks-AIRMIC-ALARM-IRM-2002-p-3_W640.jpg.

2.9. RISK CRITERIA


The determination of risk appetite or risk criteria (Figure 2.14) is a crucial
factor to take into account in the context of risk management (Mishra, Raut,
Narkhede, Gardas, & Priyadarshinee, 2018). This will assist the organization
in determining the controls that need to be implemented and whether
the existing or residual level of risk is acceptable. The context of risk
management should also offer a way to determine the total risk exposure
so that it may be related to the organization’s risk tolerance capacity. The
internal context includes the organizational culture, the resources available,
receiving the outputs of the risk management process and making sure that
they have an impact on behaviors, as well as assisting in the governance of

本书版权归Arcler所有
54 Comprehensive Guide to Business Risk Management

risk and risk management. A good risk management strategy is built around
an effective and dynamic risk register. The risk register, however, runs the
risk of turning into a static record of the current state of risk management
operations. This has the practical repercussions that senior management may
believe their risk management responsibilities have been satisfied by attending
a risk assessment session and creating a risk register, and that no further
measures are necessary. It is preferable to think of the risk register as a risk
action plan that offers a record of the key controls that are already in place as
well as the specifics of any additional controls that need to be implemented,
as well as the state of the organization with regard to risk management. It
shall be made clear who is responsible for carrying out the suggested steps
when creating such a risk action plan.

Figure 2.14. Risk criteria.

Source: https://international.gc.ca/world-monde/assets/images/funding-financement/criteria-en.gif.
The organization’s intranet may host the data contained in the risk
register, which will aid in communicating and understanding risks. In
some businesses, the risk register is designated as a restricted record that
internal audit can utilize as one of the primary sources of reference while
conducting an audit of risk management practices. Even in the event that
this is not the case, the data included in the risk register should be extremely

本书版权归Arcler所有
Fundamentals of Risk Management 55

thoroughly thought out and assembled. To accurately identify the origin,


source, occurrence, magnitude, and impact of any risk event, for instance,
the risks included in the register must be precisely described. Additionally,
all proposed additional controls must be defined in detail and their proposed
additions must be accurately noted. For the controls to be auditable, risk
control procedures should be documented in sufficient depth. This is crucial
when the risk register has to do with the organization’s regular business
operations. Additionally, risk registers for projects and to support strategic
choices should be created. An extremely dynamic document is required
for a project risk register. At each project review meeting, specifics of
the project’s risks, as listed in the risk register, should be discussed. Risk
registers must assist business decisions in addition to being pertinent to
projects. In this situation, a risk register’s exact format could be less formal
(Ghasemzadeh & Archer, 2000). The risk analysis of the proposed strategy
should be included when a board-level strategic decision needs to be made.
The hazards of implementing the strategy and an analysis of the risks posed
by not implementing the suggested strategy could both be included in this
risk assessment.
There have been significant advancements in risk management techniques
during the past few years. First, specialized disciplines of risk management,
such as project, energy, financial, operational, and clinical risk management,
have emerged. Second, firms have accepted the ambition to approach risk
management from a wider perspective. This larger strategy has been referred
to by a number of names, including holistic, integrated, strategic, and ERM.
The most popular and widely accepted nomenclature for this broader
approach is enterprise risk management, or ERM. Moving away from risk management as
the discrete management of specific risks is the primary principle of the
ERM approach. ERM adopts a unified, more comprehensive, and integrated
methodology. An organization that uses the ERM approach examines all
of the risks that it faces in all of its operations. The control of risks that
could have an influence on an organization’s goals, critical dependencies,
or fundamental activities is the focus of enterprise risk management (ERM).
Along with managing control and hazard risks, ERM is also concerned with
managing opportunities. The fact that many hazards are interconnected and
that conventional risk management ignores the relationship between risks
has also been taken into account. The ERM technique uses the possibility
of two or more risks having an impact on the same activity or objective to
determine the link between risks. The ERM strategy is centered on analyzing
all of the risks that could have an influence on the target, critical reliance,
or core process (Soltanizadeh, Abdul, Mottaghi, & Wan, 2016). Risk
management is a practice that organizations use in many different ways. But
most of these approaches have a lot of characteristics in common. The characteristics
of enterprise risk management are compared to the silo-based strategy, in
which risk management tools and procedures are applied to various risk
types separately. In most firms, enterprise risk management is now the
standard method for carrying out risk management tasks. It gives the
organization a comprehensive picture of all the hazards it confronts, so that it
can take coordinated action to control these risks. However, specialized
risk management activities like business continuity and health and safety
continue to be important.

2.10. ERM
Consider a sports club as an illustration of the ERM strategy, where the main
objective is to increase game attendance. This process contains a number of
steps, including marketing, promotion, the distribution and sale of tickets,
as well as logistical planning to make sure that fans have the best possible
experience during the game. Making sure there are sufficient parking and
transportation options, together with acceptable catering and other welfare
preparations in the stadium, will help maximize attendance at sporting
events. The treasury function and the specialized knowledge of hedging
against the price of a barrel of oil are frequently used in energy sector
ERM. Several energy companies have built quite sizable departments in this
field of financial risk management. However, the management of treasury
risks continues to be intimately linked to the practice of ERM in energy
businesses. The regulatory environment is one of the factors influencing
risk management in the finance industry. Banks have been subject to Basel
II for a while, and they are getting ready to adopt Basel III standards by that
year. The Solvency II Directive will soon impose comparable restrictions
on the European insurance industry (Gatzert & Wesker, 2012). Financial
institutions are obligated as a result to assess their operational risk exposure.
The ability to estimate the capital that needs to be held in reserve to meet the
effects of the identified risks materializing is the result of ORM efforts in
financial institutions. These ORM operations have the effect of improving
risk identification and management, which lowers the capital needed to
cover the repercussions of the risks materializing. The ERM technique can
be considered as having a specific use in ORM inside financial firms.

A good risk effort is destined to develop and become more complex,
just like any management program that is built into how the business
functions. Dramatic changes have occurred in the field of risk management,
particularly over the last 10 years. Additionally, there has been significant
integration of risk management needs into corporate governance. During
that period, numerous new risk management innovations have emerged.
Risk management practitioners used to refer to integrated or holistic
risk management in the 1990s, but enterprise risk management is now
the standard phrase for the broad application of risk management across
the entire company (ERM). The fact that the field of risk management is
continually evolving and adapting to new situations can be considered as
advantageous in many ways. However, there is a chance that risk management
professionals will be perceived as conveying a message that is inconsistent
since it is constantly changing. This is not to imply that risk management
should become a static discipline, but it is crucial to keep in mind that senior
board members will grow confused and lose interest if the premise on which
risk management analysis and advice is provided is changed. The global
financial crisis and the part risk management played in its emergence must
be acknowledged in any analysis of how risk management has evolved
(Fidrmuc & Korhonen, 2010). Organizations must take calculated risks,
and the failures that contributed to the global financial crisis were due to
poor risk management implementation rather than poor risk management in
general.
Without a doubt, taking on too much risk can be improper and lead
to the failure of the entire firm. However, many organizations have found
that they almost always manage to get away with it or survive. It is not
intended to prevent all audacious strategic decisions from being made in
light of a thorough grasp of the level of risk contained in the organization.
An organization should not refrain from pursuing a high-risk plan due to
risk awareness, but decisions will be made fully cognizant of the dangers
involved. Businesses should keep looking for chances and occasionally
admit when one looks particularly risky but is actually quite good. The
company may still be interested in pursuing that risky course of action, but
the next phase of the conversation should center on how to manage the risks
so that they stay within the organization’s risk tolerance and how to measure
the risks so that the board is always aware of the actual risk exposure. It is
incorrect to say that risk management fell short during the global financial
crisis. It indicates a failure to correctly and fully implement risk management
practices. When a company is risk-averse, there is less room to classify
hazards as high likelihood/high impact, which reduces the spectrum of risks
that the board will examine. In other words, the organization’s risk space is
extremely constrained and will not include hazards that require the board’s
attention. Being risk aggressive for a company, however, is not intrinsically
wrong. A risk-aggressive firm will have a greater need to evaluate risk
assessments, question the scope and outcomes of risk analysis activities, and
make sure that a highly dynamic approach to risk management is maintained
constantly and at all organizational levels. Other difficult problems for risk
management exist in addition to the doubts about risk management sparked
by the global financial crisis. The ideas of risk appetite and the upside of risk
are helpful ones, but additional research is needed before their definitions
and their implementation can ensure advantages.
An organization should determine if the risks should be handled as
hazard, control, or opportunity risks while trying to manage these rising
risks. Many of these new hazards could either be dangers to the business
or chances for growth in the future, contingent on the actions of the
organization. In some circumstances, the new risks will only add to the
existing uncertainties that need to be addressed. The pace at which new threats
can materialize is a crucial factor to take into account. Risk development
and change velocity is a term used by some risk management professionals
(Power, 2004). Nanotechnology is a prime illustration of an emerging risk.
In order to increase the efficacy of esthetic treatment for skin disorders,
nanotechnology is widely used in the medical and, to some extent, cosmetics
industries. The adoption of mobile phones is another excellent illustration.
Although mobile phones are now widely used, technology has advanced
significantly in the last 25 years. Around 25 years ago, mobile phone signals
were substantially stronger (Henderson, Kotz, & Abyzov, 2004). Therefore,
if any health complaints start to surface about the use of mobile phones,
these health impacts are probably related to the outdated technology.
Determining whether any health risks no longer exist due to changes in
technology or whether they are still extant and will turn out to be equally
related to current technology will create substantial hurdles. Practitioners
of risk management are conscious of the significant contribution their field
makes and that risk management operations should be included with other
management activities. There is always a chance that risk management and
auditing efforts will combine in some circumstances, turning these three
lines of defense into only two.


2.11. OPERATIONS
Instead of approaching risk management operations as a separate management
function requiring a separate set of management information, firms must
integrate risk activities across the board. Perhaps this is one of the main
drawbacks of the risk register’s widespread adoption in many organizations.
The risk register represents a snapshot of the organization’s risk management
operations, but there is a risk that it is not continuously examined. The risk
register is frequently a static record that offers little resistance to
organizational management. Perhaps the era of the risk register is over, and
businesses should instead integrate risk assessment, risk recording, and risk
action plans into the management data that is utilized to run their operations
on a daily basis. In conclusion, maintaining risk management operations that
are appropriate, aligned, comprehensive, entrenched, and dynamic is a
challenge for risk managers and risk management. However, as boards,
executive management, managers, and staff become more familiar with the
theory and practice of risk management, the difficulties of achieving this are
growing. Management reforms frequently come and go. A particular strategy
temporarily gains popularity before going out of style. Since risk management
practices are already required in many industries, it is unlikely that this
would ever happen to risk management. The global financial crisis has also
prompted a thorough review of the advantages that risk management can provide
and how these advantages can be realized.

CHAPTER 3
INTEGRATED RISK MANAGEMENT

CONTENTS
3.1. Introduction
3.2. Techniques
3.3. Operational Risk
3.4. Foreign Exchange
3.5. Analysis
3.6. Classification
3.7. Risk Elements
3.8. Structure
3.9. Information
3.10. Problems
3.11. Cash Flow


3.1. INTRODUCTION
Risk has intensified as a result of the quickening pace of business. The
way businesses engage has undergone significant changes as a result of
new technologies and commercial strategies (Miller, 1992). While using
information technology more frequently has increased productivity, it has
also added new sources of complexity and uncertainty. Value chains are
more streamlined and reliant on the meticulously planned coordination of a
vast network of supply chain partners. Shorter product life cycles and rapid
product obsolescence are commonplace in many sectors. Because business
operations have gotten more automated, minor issues can quickly get out
of hand without adequate monitoring and management. In addition to
increasing a company’s reliance on outside parties, increased outsourcing
has also made it more challenging to identify risk events and take appropriate
action. The implications of ineffective risk management have also gotten
worse. Because of how intertwined today’s value chains are, even a minor
error made by one party might affect several other trading partners (Miller,
1992) (Figure 3.1).

Figure 3.1. Integrated risk management.

Source: https://www.researchgate.net/profile/Bijan-Khazai/publication/291312102/figure/fig2/AS:614348313604096@1523483460033/Components-of-the-framework-for-integrated-risk-management-Cardona-2010-Carreno-et-al_W640.jpg.

The equity markets are equally harsh. Even for well-managed
companies, missing financial targets can cause sharp drops in market value.
Businesses have hitherto been unable to manage risk in an integrated way.
The lack of a standardized set of risk measurements makes it difficult to
assess and manage risk across organizational boundaries, and many risks are
only managed at the corporate level. Risk factor interactions and potential
correlations are frequently disregarded. Due to this, it is challenging for
businesses to comprehend their overall risk exposure, let alone monitor,
manage, or control it.

3.2. TECHNIQUES
A technique for managing risks comprehensively and tightly binding risk
management to a company’s financial and economic goals is enterprise
risk management. It starts by establishing the firm’s appetite for risk on a
strategic level. Using a uniform framework for measurement, monitoring,
and control, risk issues influencing the company are addressed. Across
business divisions, functions, and risk sources, risk is managed in an
integrated manner. Programs for corporate risk management are becoming
more popular among executives. Market risk, credit risk, operational risk,
and business risk are just a few of the hazards that businesses must deal with.
Market risk is the degree of uncertainty brought on by shifts in the value
of financial or nonfinancial assets (Linsmeier, Thornton, Venkatachalam,
& Welker, 2002). Changes in foreign exchange rates, for instance, can
significantly affect both the income statement and the balance sheet when a
company operates in different nations. Changes in interest rates can have an
impact on a company’s interest costs, loan portfolio value, and market value
of its debt.
Price fluctuations (Figure 3.2) for commodities like steel and copper
can have an impact on the cost of goods sold, while price variations for
commodities like heating oil and electricity can have an impact on the cost
of maintaining factories and office buildings. The possibility that parties to
whom a company has granted credit may not meet their obligations is known
as credit risk. Customer defaults or missed payments from customers can
have different effects on a business. These can range from short-term changes
in liquidity to downgrades in ratings or even bankruptcy. Although it might
seem that financial services companies should be primarily concerned with
credit risk, this is not the case. A strong credit concentration in a high-risk
customer group can occasionally have serious financial ramifications, even
for industrial enterprises, as recent experience in the telecommunications
and computer industries has demonstrated.

Figure 3.2. Price fluctuations.

Source: https://www.new.treasury-management.com/wp-content/uploads/2020/09/TMI187-P19-24-Validus-1no.jpg.

3.3. OPERATIONAL RISK


Operational risk is the term for risks brought on by how a company conducts
its operations. It encompasses the dangers of technical breakdowns, financial
losses brought on by processing mistakes, and quality and cost issues
resulting from production mistakes. It also covers losses brought on by human
error, including fraud, poor management, and ineffective supervision and
monitoring of activities (Coleman, 2011). Uncertainty related to important
business drivers is the root source of business risk. Business risks can be the
most challenging to handle since they have a tendency to be more strategic
than other risks. The general status of the economy, changes in customer
demand, interruptions in supply, rivals’ competitive actions, technology
change, legal liabilities, and regulatory changes are all examples of business
risk factors. It is crucial to analyze and manage risk in an integrated, global
manner for a number of reasons. Understanding interaction effects is
challenging when risk factors are examined separately. Because businesses
may needlessly hedge some risks that are actually mitigated by others,
this can raise risk management expenses. A dispersed approach to risk
management makes it more likely to overlook significant threats. Otherwise,
risk mitigation efforts can just create new hazards or move the risk to areas of
the company that are less obvious. Additionally, failing to take into account
risk interactions might lead businesses to drastically overestimate their
risk exposures. For instance, the sharp reduction in capital expenditures by
telecom companies a few years ago created risk for producers of telecom
equipment on a number of fronts. As demand for their products became
increasingly unpredictable, manufacturers faced significant business risk.
They were exposed to higher credit risk. High-flying consumers were given
loans whose credit quality quickly declined since many of them were on the
verge of default (Taskinsoy, 2013). As stock valuations for recent strategic
purchases plummeted, triggering multibillion-dollar write-offs, they also
faced heightened market risk.

3.4. FOREIGN EXCHANGE


Historically, managing exposures to foreign exchange fluctuations (Figure
3.3), changes in interest rates, credit downgrades, and the risks of catastrophes
like fires, earthquakes, and liability claims were under the purview of the
corporate treasury function (Dreher & Vaubel, 2009). Corporate treasurers
now have a growing but well-defined range of risk management tools and
strategies at their disposal. Business hazards, however, are more challenging
to control. Managers frequently have to be content with qualitative
assessments of risk based on little more than intuition because they might
be challenging to quantify. Company hazards can be challenging to identify
and characterize due to their intricate relationships with business operations.
There are fewer well-defined risk management tools and strategies than there
are for financial risk. Businesses often handle business risk on an as-needed
basis. Anywhere along the extended value chain of an organization is
susceptible to business hazards. They influence all business processes within
a company and are also influenced by them. Between the time a new product
is conceptualized and when it actually reaches the end of its useful life, good
risk management can play a significant role in enhancing business success.
There is a chance that two key changes may change how businesses manage
risk along their extended value chains. Increased financial innovation is the
first. New products are starting to appear in the traditional insurance and
financial derivatives markets that help businesses manage risks including
sensitivity to weather fluctuations, bandwidth costs, and energy expenses.
In order to transfer risks in a way that appeals to a wide range of investors,
the financial markets have evolved creative methods. Additionally, there
are greater options for supplier diversification due to the increased use of
auctions and spot markets. Additionally, it increases price transparency for
a variety of goods and services (Hanna, Lemon, & Smith, 2019). Firms
will find it simpler to quantify a wide range of risk factors as a result. The
development of new risk management products will also be influenced by it.

Figure 3.3. Foreign exchange fluctuations.

Source: https://d3i71xaburhd42.cloudfront.net/aa4b14b52817bef28e758e9ade5879c5b1344a62/14-Figure1-1.png.

Access to corporate information is now easier, which is the second
important shift. Businesses now have unparalleled access to fairly standardized
information because of the widespread deployment of enterprise-level
software packages to assist corporate operations like enterprise resource
planning (ERP) and supply chain management. Both within the company
and amongst partners in the value chain, these systems are becoming more
tightly connected. Businesses will be in a position where they can see their
supply chains from beginning to end, from the early stages of product design
through after-market service. They will be able to notice risk occurrences
earlier and respond more skillfully as a result. The implementation of new
business procedures and organizational controls may be necessary to address
other risk categories. For this, a company needs to assess the level of risk
that may be accepted and then modify its business strategies or financial risk
management programs accordingly. This procedure might involve shifting
some or all of the risk to a third party, either through the use of financial
derivatives or insurance, in order to reduce the exposure to risk. It could also
entail passing up on specific business possibilities, quitting certain product
or customer groups, or selling some business units in situations when
derivatives and insurance are either unavailable or too expensive.

3.5. ANALYSIS
Historical analysis has the disadvantage that important risk events are
frequently rare (Bucheli & Salvaj, 2018). By including in the analysis
events affecting other organizations with comparable business
characteristics, this challenge can be at least partially overcome. Another
issue with historical analysis is that, by its very nature, it can only pinpoint
risk variables that have already led to problems. This raises the likelihood
that significant risk factors, particularly those connected to shifting
technological, commercial, or industry dynamics, would go unnoticed.
Risks can also be discovered through process mapping. This method starts
by developing a business process map, a graphic representation of business
workflows for various company tasks that resembles a flowchart. Process
maps are thorough because they give a complete picture of the business
or value chain processes that are being examined. Each step on the map
describes a specific business process, offering information about its goal,
method of execution, personnel involved, and potential pitfalls. Following
completion, the process map is examined for control openings, potential
weak points, and vulnerabilities. Risks that might develop during meetings
between departments or organizations are given particular consideration.
The analysis looks for missing control procedures that are not depicted
on the process map, such as a missing approval process. Additionally, it
searches for steps where poorly defined tasks or responsibilities could result
in mistakes in processing or a loss of control. Process mapping is especially
helpful for locating risks related to subpar execution. Process mapping, as
opposed to historical research, can spot risks with a significant potential
impact before a loss really occurs. Clarifying the expected effects of a
prospective risk exposure on the organization as a whole can also be helpful.


3.6. CLASSIFICATION
For recognizing particular classifications of risk, certain risk identification
techniques work well. Finding operational risks and prospective risks
related to value chain interactions can be done through process mapping
and historical analysis. On the other hand, market risk is typically
examined using historical analysis. Although it might be challenging
to apply for threats to intangibles like reputation, historical analysis is
frequently the method of choice for evaluating the frequency and magnitude
of risk events. The best method for identifying a variety of value chain risks,
such as quality, quantity, and price risk, is historical analysis. And finally,
scenario analysis is a flexible method for locating significant risks at the
corporate level. There are several value chain hazards that merit in-depth
discussion. When a company develops and produces new products, buys
goods and services from its suppliers, or sells goods and services to its
clients, it is exposed to risk. Price risk, for instance, results from uncertainty
regarding both the prices that a company will ultimately realize for its
products in the market as well as the cost of goods and services required for
production. Quantity risk, or the chance that the intended quantity of a good
or service may not be offered for purchase or sale, is a related risk. Quantity
risk can occasionally be very serious, as is the case when there is a supply
disruption. In other circumstances, it is just the outcome of typical supply
unpredictability. Inventories of raw materials and component parts, products
in the manufacturing pipeline, and inventory retained to satisfy expected
consumer demand all present quantity risk to businesses (Christopher &
Peck, 1997). The danger connected to having too much or too little inventory
is sometimes referred to as inventory risk. A company that has too much
inventory may be vulnerable to product or pricing changes that lower the
value of its inventory. Contrarily, a company may be unable to satisfy client
demand if there is a scarcity of inventory.

3.7. RISK ELEMENTS


Risk elements (Figure 3.4) like quality risk and complexity risk have an
impact on a wide range of business activities. The risk connected to variation
in quality, dependability, or execution is known as quality risk (Houston,
Peters, & Pratt, 1999). Both the products and services that a company
produces or sells as well as the ones that are purchased might be subject
to quality risk. It can apply to a wide range of value chain processes,
such as design, logistics, and customer service. Similar to this, complexity
risk is caused by complicated products, complex supply chains, or corporate
processes. Understanding which business processes they impact is crucial
when describing value chain risks. Risk issues for value chains frequently
have a wide influence. Quantity risk, for instance, has an impact on
practically the whole value chain. Parts shortages have an influence on
procurement because management is focused on finding other sources of
supply and negotiating more capacity with new suppliers. Production is
also hampered by part shortages, which briefly reduce utilization. They
may decrease productivity, particularly if regular operations are suspended
to meet accelerated deadlines for impacted products. Along with lowering
income and harming a company’s reputation, input shortages can prohibit
businesses from satisfying client demand. The need for quicker shipping may
result in higher logistics costs and complexity. Even after-market support
and service may be impacted by supply constraints, which may restrict the
supply of replacement parts. Some hazards spread along the value chain in
a generally well-behaved way, maintaining a fairly steady impact on value
chain participants. Other dangers behave differently. Their impact increases
as they progress up the value chain, often with disastrous results. Price risk
is one value chain risk that generally behaves well.

Figure 3.4. Risk elements.


Source: https://www.cloudapper.com/wp-content/uploads/2020/07/nine-elements-in-a-hipaa-risk-analysis-hipaa-ready.png.

Now consider how risk increases when a defect in a semiconductor device
is discovered at various points throughout the value
chain (Hofer, Leitner, Lewitschnig, & Nowak, 2017). The loss will be
relatively minor, or about the device’s price, if the issue is found at the time
of purchase. However, the impact would be higher if the issue is discovered
only after the device has been mounted on a printed circuit board, since
the circuit board will need to be either reworked or scrapped. If the flaw goes
unnoticed and the circuit board is installed in a high-end computer, the
effect will be even more severe. Field repairs are expensive, and equipment
breakdowns might put the owner of the device in a difficult financial
situation. The expenses to the computer manufacturer may rise dramatically
if the flaw is not a single incident, which could sometimes result in harm
to the company’s reputation and brand. Supply risk is another instance of
nonlinear risk propagation. A scarcity of even one component can stop the
manufacture of a complete product that is made up of many different parts.
This may result in circumstances when a cheap, little component effectively
halts manufacturing. Such shortages can result in revenue losses that are
orders of magnitude greater than the cost of the scarce part.

3.8. STRUCTURE
Ensuring that a company’s organizational structure is suitable for the risks
it faces is one of the first stages in building an efficient risk management
program (Zaridis & Mousiolis, 2014). This entails a number of actions, such
as identifying the company’s risk objectives, outlining the senior management
position, setting up efficient monitoring methods, and developing a set of
suitable internal controls. In order to develop a successful risk management
program, senior managers are crucial. They are in charge of outlining the
risks the company is willing to accept and its tolerance for risk. They ensure
that the company has the resources and expertise it needs to support its risk
management plan. Senior management determines suitable roles and duties
for individuals either directly or indirectly involved in risk management by
developing an appropriate organizational structure. Additionally, many
nonfinancial companies are using similar strategies. An integrated framework for
risk measuring and management is one of the crucial mechanisms that must
be put into place. In order for a company to effectively monitor and manage
its overall risk exposure, it is essential to build methods for measuring and
reporting various forms of risk as part of this process. To give a means of
staying up to date on industry best practices, businesses must also set up risk
assessment and audit systems in conjunction with a benchmarking process.

Three major categories can be used to categorize the essential tools
and resources needed for effective risk management: policies, procedures,
and infrastructure. They assist in the measurement, monitoring, reporting,
regulating, and minimizing of risk, among other risk management
activities. Risk management strategies are defined and put into action by
risk management policies in a variety of ways. They provide guidelines for
assessing the trade-off between risk and return in the context of the firm’s
overall business objectives and, at a high level, define a firm’s tolerance for
risk. Guidelines are provided by disclosure policies to assist top managers in
recognizing and disclosing the risks that are present in their organizations.
Disclosure policies outline the appropriate internal controls, including self-
management, that must be implemented and clearly lay out the roles and
responsibilities for each business unit. With the help of specific rules, a
company can manage uncommon conditions and keep the business running
efficiently when disaster hits. A business continuity policy outlines a series of
operational steps for handling problematic situations. It offers suggestions
for how to react in emergency situations and details backup plans, risk
monitoring strategies, and steps to resume operations after a disruption. Risk
characterization, risk modeling, and risk valuation are just a few of the many
risk management activities that can be supported by a variety of frameworks,
models, tools, and analytics that make up risk management approaches.
Methodologies give principles and techniques for evaluating various forms
of risk as well as for building and validating models. They go beyond the
basic mechanics of risk analysis. Capital planning and the evaluation of
strategic acquisitions both require valuation procedures (Adams, Bourne,
& Neely, 2004). They also offer crucial information when negotiating
and structuring contracts for outsourcing, strategic partnerships, and joint
ventures. A thorough set of risk management procedures aids a company in
regularly taking risk into account when making decisions, especially when
calculating risk-adjusted returns for specific projects and divisions and when
modifying performance metrics to take risk into account.
The operating leverage of a company can be significantly impacted
by a number of value chain decisions. Increased fixed costs and risk result
from investments in highly automated manufacturing and distribution
infrastructure. Operating leverage is impacted by outsourcing agreements,
with the degree of the change depending on how the deal is set up. If planned
payments to the provider simply replace the fixed expenses of company-
owned warehouses, a long-term contract to outsource warehousing to a
third-party logistics provider would have little impact on a firm’s operating
leverage. On the other side, if contractual volume commitments are modest, a
manufacturing outsourcing deal to a contract manufacturer can significantly
reduce operating leverage. Strategic alliances and joint ventures frequently
require shared financial obligations, which can impair operating leverage
(Walters, Peters, & Dess, 1994). A company’s risk profile can be significantly
impacted by the way it arranges its supplier and customer contracts. Take-or-pay
supply contracts and other contracts with volume commitments increase
operating leverage by raising fixed costs. Through diversification, a business can
also proactively control risk. Financial diversification is utilized to lower
the risk in financial asset portfolios. It is predicated on the idea that because
different securities are vulnerable to various risk factors, the prices of
securities such as stocks and bonds do not move precisely
in tandem. Price movements typically cancel out in portfolios made up
of stocks and bonds that move in opposing directions, lowering portfolio
volatility. At both the strategic and tactical levels, operational diversification
can be broadly applied to a range of business operations. Businesses can
diversify by purchasing new companies in unrelated industries, focusing
on various market segments, expanding their product lines, and selling to
various consumer segments and geographical markets. For the purpose of
efficiently managing financial asset portfolios, finance theory has produced
a vast array of management strategies.
Operational hedges can also be built in other configurations. By carefully
balancing supply and demand, the process of managing supply and demand
can be enhanced, making financial performance less susceptible to various
value chain risks (Boyabatli & Toktay, 2004). The method can also be used
to manage contracts and balance investments in manufacturing capacity
with spending in sales and marketing efforts. Restructuring the value chain
is another method that businesses may use to lower risk. Restructuring
enhances a company’s extended value chain’s efficiency by eliminating or
combining unnecessary or ineffective phases. It does this by getting rid of
middlemen, streamlining corporate procedures, or providing novel forms of
connection between value chain participants. The use of middleware to assist
business process integration as well as online marketplaces and collaboration
networks to conduct transactions and exchange information are some of the
new value chain restructuring strategies that have emerged in recent years
because of information technologies. There are many ways value chain
reorganization can lower risk. A shorter value chain ensures that products
are processed more quickly and are therefore exposed to less risk (Macher,
Mowery, & Simcoe, 2002). This is crucial for fashion and technology
products in particular because every extra minute in the supply chain raises
the possibility of price drops. Since uncertainty tends to grow over time, the
longer it takes for a product to reach its intended consumer, the greater the
risk. Value chain restructuring lowers risk by simplifying the value chain.
As a result, it is simpler to coordinate operations with suppliers, which helps
to eliminate execution errors and lower supply risk. An organization has
fewer middlemen between it and its end clients, which gives the company
quicker access to information regarding changes in supply and demand.
Thus, inventory and manufacturing resources can be used more effectively.
Risk can also be decreased by altering the way value chain interactions
function. This frequently has the effect of changing information flows and
incentives. Without physically shortening the value chain, cooperative
business models like vendor-managed inventory (VMI), for instance, give
suppliers improved inventory visibility. The provider nevertheless continues
to get more precise and timely information regarding client demand. Since
eliminating one type of risk might also introduce others, many of these
decisions involve trade-offs. It is necessary to implement methods, metrics,
and procedures for controlling and mitigating operational risk in order to
develop integrated risk management systems that connect strategy, planning,
and execution. Operational risk management (ORM) aims to reduce business
interruptions, enhance crisis response, and limit the negative effects of risky
events. This is achieved by incorporating various types of risk management
capabilities into operational processes. They can be used as a guide for
developing information systems that track and react to dangerous supply
chain occurrences. They also offer a useful set of metrics for monitoring and
tracking operational risks and outline a hierarchical method for determining
risk limits that may be used in a production scenario. The first step in ORM
is figuring out how much risk a company is willing to take. The amount of
money the company is willing to lose as a result of risky actions is used to
define this. A firm’s overall financial goals, including its profit and sales
ambitions, are taken into consideration when determining acceptable losses
because a firm’s potential for profit depends on its appetite for risk. At the
business unit level, where business managers have the power to influence
and control risk, risk limits are created once acceptable risk levels have
been determined for the company as a whole. The value at risk is frequently
used to indicate risk limitations, with different time periods having differing
acceptable loss thresholds. The process of establishing these restrictions
often includes assessing the unit’s operations and how well they align with the
firm’s overall risk appetite. It takes some skill to strike the right balance when
establishing restrictions. The goal is to manage business unit risk without
imposing limitations that needlessly restrict flexibility. If risk limitations are
set too low, the business unit may be unable to reach its overall revenue and
profit goals (Hawtin, 2003).

3.9. INFORMATION
A great deal of information is necessary for effective risk management. Systems
collect data directly from business operations in order to enable the
necessary management controls and conduct risk analysis (Woo, 1987). The
risk management process can be organized so that hazards can be controlled
collectively by adopting a modular approach. This enables multitasking,
allowing various organizational units to successfully coordinate their risk
management operations. An ideal ORM system would also have ways to
record and organize organizational risk learning. Continuous monitoring
of hazards as well as the program’s efficacy is necessary for effective
ORM (Panisello & Quantick, 2001). Losses avoided, opportunities taken
advantage of, the pace at which new products are introduced, management
comfort level, control efficacy, and overall company risk-return profile are
among the metrics used to measure program effectiveness. Programs for
minimizing operational risk can provide a capacity for handling company
emergencies. These include methods for dealing with extreme circumstances
as well as backup systems. They aim to provide quick crisis resolution
while striking a balance between risk management and business flexibility.
Foreign exchange, interest rates, equity prices, and commodity prices are
just a few of the many market risks that companies have historically used
the financial markets to manage. New derivatives products have arisen as
financial engineering approaches have advanced to protect against a wide
range of new hazards. Some of these goods are standardized, while others
are extremely adaptable to the unique requirements of a certain party.
Moving risk from one party to another is the main focus of financial risk
management. In a business situation, a company frequently looks to offload
some or all of its risk to a third party, such as a bank, an insurance provider,
a trader, or an investor. Transferring risk does not automatically make it
safer. A company will occasionally genuinely take on more risk as part of its
financial management strategy. Instead of just switching from one type of
risk to another, a company may choose to maintain a steady level of overall
risk exposure.

A firm should take into account a variety of variables when determining
whether it makes sense to use derivatives to hedge a certain risk. The first
is how the risk factor will probably affect the company. It probably doesn’t
make sense to hedge if prices for a certain risk factor are not extremely
volatile, or if a firm’s profitability or market value is not particularly sensitive
to fluctuations in the risk factor. Despite the fact that a firm’s costs may be
highly sensitive to changes in the price of a certain component or commodity,
hedging is not always necessary. Hedging may not be necessary, for instance,
if a company can pass on price increases for purchased components to its
clients. Hedging may be necessary if a company must maintain sizable
stocks of a part or commodity since doing so exposes it to risk. The chance
of being able to build an efficient hedge is another aspect to take into
account. The risk that a corporation faces may not always be precisely offset
by the risk management tools deployed. This might occur, for instance, if an
electronics company buys a unique kind of gold for electrical interconnects.
It’s possible that the price it pays its gold manufacturer does not exactly
correspond to the price of gold traded on a commodities exchange. This
introduces basis risk, which is the discrepancy between price movements in
the hedging instrument and those in the asset being hedged. Hedges that are
ineffective have two main drawbacks. First, if basis risk is high, hedging is
no longer helpful and may even increase risk. Second,
for financial accounting purposes, ineffective hedges might not be eligible
for hedge accounting treatment. When this is the case, offsetting price changes
in the asset being hedged and in the hedging instrument may be reported
in different periods. Even if cash flows are actually less unpredictable from
an economic standpoint, this might have the effect of raising the volatility
of reported profitability.
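The basis-risk point above can be made concrete with a small calculation, added here as an illustration and not taken from the book: it measures how much of the variance in the price a firm actually pays is removed by a hedging instrument that tracks that price closely or only loosely. The price changes, instrument names and function names are constructed for the example.

```python
"""Basis risk: does the hedging instrument track the price the firm really pays?

All price changes are constructed sample data (currency units per ounce, per month).
"""
from statistics import fmean


def centered(series):
    """Series with its mean removed."""
    m = fmean(series)
    return [x - m for x in series]


def variance(series):
    """Population variance of a series of price changes."""
    c = centered(series)
    return sum(v * v for v in c) / len(c)


def covariance(xs, ys):
    """Population covariance of two equally long series."""
    return sum(a * b for a, b in zip(centered(xs), centered(ys))) / len(xs)


def hedged_variance(exposure, instrument, hedge_ratio):
    """Variance left after offsetting each unit of exposure with
    `hedge_ratio` units of the hedging instrument."""
    residual = [s - hedge_ratio * f for s, f in zip(exposure, instrument)]
    return variance(residual)


def min_variance_hedge_ratio(exposure, instrument):
    """Hedge ratio that minimizes the variance of the hedged position."""
    return covariance(exposure, instrument) / variance(instrument)


def hedge_effectiveness(exposure, instrument, hedge_ratio):
    """Share of the exposure's variance removed by the hedge.
    A negative value means the hedge added risk instead of removing it."""
    return 1.0 - hedged_variance(exposure, instrument, hedge_ratio) / variance(exposure)


def assess(exposure, instrument):
    """Compare a naive one-to-one hedge with the minimum-variance hedge."""
    best = min_variance_hedge_ratio(exposure, instrument)
    return {
        "one_to_one": hedge_effectiveness(exposure, instrument, 1.0),
        "best_ratio": best,
        "best_effectiveness": hedge_effectiveness(exposure, instrument, best),
    }


# Constructed data: monthly changes in the price paid to the gold supplier,
# and in two candidate hedging instruments.
SUPPLIER_GOLD = [2, -1, 3, -2, 1, -3]
TRACKING_FUTURE = [2, -1, 2, -2, 1, -2]   # moves almost in step with the supplier price
LOOSE_FUTURE = [3, 2, -3, -2, 1, -1]      # only weakly related: high basis risk

if __name__ == "__main__":
    for name, instrument in (("tracking", TRACKING_FUTURE), ("loose", LOOSE_FUTURE)):
        result = assess(SUPPLIER_GOLD, instrument)
        print(f"{name:9s} 1:1 effectiveness {result['one_to_one']:+.2f}, "
              f"best ratio {result['best_ratio']:.2f}, "
              f"best effectiveness {result['best_effectiveness']:.2f}")
```

With the loosely related instrument the one-to-one hedge has negative effectiveness, and even the minimum-variance ratio removes only about 1% of the variance.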
Businesses must also take into account the costs of hedging. Transacting
can be expensive, especially when using options. Furthermore, it can
frequently be challenging to fully comprehend all of the expenses connected
with financially managing risk (Bode, Hübner, & Wagner, 2014). This
increases the chance of experiencing substantial unforeseen losses if certain
unwanted circumstances take place. It could occasionally be challenging
to obtain a reasonable price for derivatives. This is not the case with
commonly traded over-the-counter securities like forward contracts and
foreign exchange options, as well as exchange-traded derivatives. Prices
for customized derivative products, however, are notoriously challenging
to model. This might make it challenging to judge whether a price being
offered is reasonable, especially given how challenging it can be to
compare prices on highly customized products. The strategic ramifications
of a company’s risk management efforts must also be taken into account.
The expense of hedging with options may leave little room for profit in
low-margin companies. Using forward contracts to lock in the prices of
purchased components may help a company reduce cost uncertainty, but it
may also increase earnings uncertainty. For instance, if DRAM prices drop
significantly, a personal computer manufacturer that uses DRAM swaps to
fix the price of its computer memory purchases would find that its pricing
structure is no longer competitive. While the company must continue to pay
the higher fixed price set under the swaps contract, competitors will benefit
from purchasing at low market prices. The nature and conditions of supply
contracts frequently contain characteristics that cause them to behave quite
similarly to financial derivatives. Examples include pricing that is based
on the price of commodities and pricing that is fixed to a certain foreign
currency. Risk is successfully transferred across value chain participants via
embedded derivatives, such as between suppliers and their buyers. There
are various ways to profit from embedded derivatives. Since the amount
of risk transmitted varies according to the actual quantity of products or
services purchased through the contract, they frequently offer a particularly
strong hedge. They are occasionally overpriced as well. This gives one value
chain partner the chance to transfer risk more affordably than they could
with conventional financial derivatives.
The introduction of new risk management solutions that can be used
to hedge risks closely associated with a firm’s operating earnings is an
intriguing trend. As an illustration, consider weather derivatives, which are
financial products whose returns are based on variations in local temperature.
Electricity, telecommunications bandwidth, and electronic components like
computer memory chips are among industries that are seeing the emergence
of derivatives. As these derivatives products become more widely available,
businesses will be able to manage a wider range of risks, many of which are
essential to their ability to operate. The main goal of traditional insurance is
to protect a company against losses. There are insurance policies available
to protect against a wide range of risks, including theft, property damage,
injuries, and other potential liabilities.
A variety of products that insurance companies offer are loosely referred
to as alternative risk transfer (ART) (Figure 3.5) products or unconventional
insurance (Bode et al., 2014). These services often aim to handle substantial
risks whose management necessitates specialist knowledge not offered by
noninsurance organizations. Structured transactions that provide specific
accounting or tax treatment, insurance against operational risk, and defense
against exposures like credit risk and weather are a few examples. These
products are especially made to reduce downside risk on a firm’s income
statement or balance sheet and are frequently used to address a firm’s need for
capital after large business losses. A lot of ART products are a special kind of
debt where payments depend on a specific occurrence. Principal or interest
payments on structured debt are based on the market price of oil or another
commodity. Another type of ART offering combines financing and equity.
When money is tight, the issuer may choose to convert reverse convertible
debt to equity in order to minimize its financial leverage. Products that
restrict the amount of risk transfer include structured transactions and finite
risk insurance (FRI) (Figure 3.6). Additionally, they frequently combine
several risks (Baranoff & Sager, 2003).

Figure 3.5. Alternative risk transfer.

Source: https://d3i71xaburhd42.cloudfront.net/387843cbffea63d7ff1a10d1c22e4434a380264e/23-Figure1.2-1.png.

Figure 3.6. Finite risk insurance.

Source: https://d3i71xaburhd42.cloudfront.net/20f18ec0b62d2f00e3dc96415799e6c8a201c44e/8-Figure2-1.png.

A profit-sharing mechanism is frequently a part of FRI and enables ex-
post insurance rate adjustments based on the purchasing company’s claim
history. Compared to traditional insurance products, FRI has a longer term,
with coverage often lasting three to five years. It might be challenging to tell
financial risk management products apart from insurance. Additionally, the
line separating the two is continually changing. For the financial markets
to become more liquid, risk needs to be reasonably standardized. In order
for diverse market players to easily exchange it, it also needs to be pretty
simple to price. Insurance can be a good substitute for risks that the financial
markets are unable to absorb. For instance, the financial markets have
increasingly displaced insurers as the source of weather insurance. Liquid
markets for weather derivatives have swiftly emerged because weather risk
can be fairly easily standardized and can be modeled using current pricing
techniques. Risk management has experienced tremendous expansion and
greater specialization during the last 10 years. The banking industry has
been driven to develop ever-more exotic types of risk packaging and risk
transfer products as a result of the maturation of the financial engineering
profession. On the basis of their capacity to transfer clients’ financial risks
to the capital markets, banks continue to engage in intense competition.
Insurers have created unique products to secure the risk of natural disasters
and safeguard against hazards like weather, cybercrime, rogue trading,
and terrorism. This has led to some novelty in the insurance business.
Through a variety of onshore and offshore captive insurance companies,
businesses have also gotten better at self-insuring their own risks. Along
with an increase in product and market specialization in risk management,
risk management activities multiplied. Companies at the forefront of risk
management innovation have set up their risk management function to
reflect the specialized nature of their markets and products. For example,
interest rate risk, foreign exchange risk, commodity price risk, credit risk,
operational risk, and insurable property and casualty risk each have their
own risk managers. Although the finance function consolidates the entire
investment in risk management activity, the risk management decisions are
often not coordinated. Companies have forgotten how hazards interact as a
result of this process.
Many businesses can predict how much oil they will require in the near
future. For instance, an airline will be able to forecast how much jet fuel
it would use over the upcoming three months. In this instance, figuring
out the company’s risk exposure to oil price fluctuations is rather simple.
However, it won’t be that easy for a lot of businesses. It could be challenging
to determine the precise amount of a large company’s direct oil purchase.
Additionally, changes in the price of oil can have secondary or indirect
consequences because of how they affect the economy as a whole. If
suppliers are negatively impacted by oil prices, the cost of items may be
indirectly influenced. If customers are impacted, sales volume and price
competition may also be affected. In these circumstances, a corporation
must first build a financial model of earnings as a function of oil prices in
order to minimize the risk of rising oil prices. It is crucial to understand
that defending something of value against a knowledgeable and adaptable
adversary differs significantly from defending it against natural disasters
or accidents. For instance, simply because buildings have earthquake
safety features does not make an earthquake wiser or stronger. A clever and
determined adversary, however, would probably change their attack tactics
when a certain set of safety precautions were put in place. For instance, an
adversary is likely to target a different point of entry if one point of entry
into a system is safeguarded and rendered practically invulnerable. As a
result, effective defense tactics must consider the intentions and actions of
prospective enemies.
It is crucial to consider the objectives, motivations, and capabilities of
the possible adversaries from whom we seek to defend our systems
since defensive strategy selection must take adversary behavior into
consideration. Skilled criminals, for instance, target computers to obtain
personal financial advantage. Individual criminals and organized crime
are further distinguished. Other attackers are more interested in obtaining
information than they are in doing harm or making money for themselves.
Insider threats are frequently seen as a particular area of concern among the
different potential attacker characteristics. In particular, many components
of an organization’s computer system may already be accessible to insiders.
Insiders may also be known and trusted by others inside the business, which
makes it easier for them to access (and learn about) more areas. Finally,
insiders might have a wider range of offensive options than outsiders. For
instance, an insider may be able to affect the life cycle of a certain product
by exerting influence over developers or other people with access to the
product’s development, interfering with the distribution process, and so on.
In general, opportunistic attackers will typically have little or no reason to
prefer one target over another and may have a wide range of targets that
would be of interest to them. An opportunistic attacker is only looking for
an easy target and will switch to another if their initial target proves to be
too challenging or expensive to successfully attack (Manworren, Letwat,
& Daily, 2016). Successfully protecting a system against such an attacker
may only require that the system be significantly more difficult to
attack than those of other similar organizations. In the same
way that many computer hackers may not care specifically whose Internet
firms they harm, common vandalism often falls into this category.
Taxonomies of human error are directly applicable to the field of
e-business security (Damanpour & Damanpour, 2001). Human mistakes in
computer and information systems can lead to vulnerabilities and security
breaches because of suboptimal work system variables. When it comes to
e-business security, the usage of human error taxonomies can help with
both recognizing and responding to vulnerabilities and security breaches
brought on by errors or accidents in computer and information systems.
They also contribute to the development of stronger attack defenses. The
elements of the related technological system must be integrated into the
design of a work system. Lack of end-user awareness about the technical
system’s components may be one issue preventing these two systems from
working together. A nontechnical user may find the technical terminology of
computer and information systems to be excessively challenging, resulting
in a knowledge gap. It can be challenging to pinpoint end users’ primary
information demands, instill technical knowledge in them through education
or training, and convey the significance of this for security. Lack of end-
user expertise could be an issue that causes mistakes, which then results in
security lapses, vulnerabilities, and breaches. Lack of security awareness
among end users is definitely tied to communication issues (D’Aubeterre,
Singh, & Iyer, 2008). A technical expert’s perception of a severe security
issue may differ greatly from what a non-technical end user would consider
a security threat. The technical jargon used to explain security-relevant
scenarios may not be known to nontechnical end users. Therefore, technical
professionals may find it difficult to explain security information to non-
technical personnel due to communication obstacles. Not only should end
users be informed about proper security procedures and guidelines, but
avenues should also be provided for them to contact technical professionals
with questions or concerns about security. Additionally, information must be
delivered to end users in a way that allows them to grasp how it pertains to
the business as a whole and apply it to their own job in a meaningful way.
Failure to complete these communication activities may result in end-user
mistakes that erode the organization’s overall security.

3.10. PROBLEMS
Another difficult problem is installing software. Software design, coding,
implementation, and maintenance mistakes can happen (Verdon & McGraw,
2004). Software upgrades are challenging to implement throughout the
complete technical system from a technical standpoint as well. A thorough
understanding of the technical system is necessary to determine whether the
software installation or upgrade will fit into the system’s overall structure
and to determine how the installation or upgrade will affect the system’s
overall usability. Good software installation also requires being aware of
security holes and patches from the security community. Technical experts
must consider not just how changes to the system will affect security but
also the kinds of problems that users of the modified system will face.
Safety stock is intended to address demand uncertainties during an item’s
inbound lead time, or the period of time between placing an order with a
supplier at the warehouse and the delivery of the products. It also covers
lead time uncertainties. However, in this case, demand uncertainty will be
the main topic. If the safety stock level is set too high, more resources than
necessary are committed to inventory. The intended serviceability may not
be achieved if, however, the safety stock level is set too low and stock runs
out too frequently. The majority of inventory control software applications
work by assuming that daily needs are normally or Poisson distributed or
by simply setting a fixed safety stock level to determine the level of safety
stock for each product.
It is essential to apply an adjusted demand distribution for every single
product in order to solve this issue and enhance the accuracy of safety stock
estimates, enabling accurate risk management (Medina, Muller, & Roytelman,
2010). This is done by giving each product its own continuous demand distribution
based on either historical or anticipated daily demand data. Additionally, it
enables adaptive adjustment of the safety stock calculation scheme. Failures
are a possibility with IT infrastructures. In terms of dependability, a failure
is an occurrence that takes place when the delivered service differs from the
intended service. Here, we distinguish between system failures
that are accidental or non-malicious and intentional system failures that are
malicious. For instance, a failed disk drive falls under the first category,
whereas a hacker attack falls under the second. While coping with accidental
faults is something we understand very well, malicious faults still present
a number of unresolved issues. Here, we’ll focus on the latter category of
faults and risk management for IT security. While dynamic security risk
management deals with security vulnerabilities as they arise, static security
risk management addresses architectural issues.
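The safety stock calculation discussed earlier in this section, as an added example that is not taken from the book: it compares the normal-demand formula with a safety stock derived from each product's own demand distribution. The demand histories are constructed, and the fixed lead time, independent days and use of the empirical history in place of a fitted continuous distribution are assumptions of the example.

```python
"""Safety stock: normal-demand formula vs. the product's own demand distribution.

Assumptions of this added example: fixed lead time, independent days, and the
empirical (discrete) distribution of the history used in place of a fitted
continuous one. Both demand histories are constructed sample data.
"""
import math
from collections import Counter
from statistics import NormalDist, pstdev


def normal_safety_stock(history, lead_time_days, service_level):
    """Textbook formula z * sigma_daily * sqrt(L), valid if demand is normal."""
    z = NormalDist().inv_cdf(service_level)
    return z * pstdev(history) * math.sqrt(lead_time_days)


def lead_time_demand_pmf(history, lead_time_days):
    """Exact distribution of total demand over the lead time: the empirical
    daily distribution convolved with itself once per lead-time day."""
    n = len(history)
    daily = {demand: count / n for demand, count in Counter(history).items()}
    pmf = {0: 1.0}
    for _ in range(lead_time_days):
        nxt = {}
        for total, p in pmf.items():
            for demand, q in daily.items():
                nxt[total + demand] = nxt.get(total + demand, 0.0) + p * q
        pmf = nxt
    return pmf


def expected_lead_time_demand(history, lead_time_days):
    return lead_time_days * sum(history) / len(history)


def empirical_safety_stock(history, lead_time_days, service_level):
    """Smallest stock above expected lead-time demand that covers demand
    with probability >= service_level under the product's own distribution."""
    pmf = lead_time_demand_pmf(history, lead_time_days)
    expected = expected_lead_time_demand(history, lead_time_days)
    cumulative = 0.0
    for total in sorted(pmf):
        cumulative += pmf[total]
        if cumulative >= service_level:
            return total - expected
    return max(pmf) - expected  # only reached through float round-off near 1.0


def achieved_service_level(history, lead_time_days, safety_stock):
    """Probability that lead-time demand stays within the reorder point."""
    pmf = lead_time_demand_pmf(history, lead_time_days)
    reorder_point = expected_lead_time_demand(history, lead_time_days) + safety_stock
    return sum(p for total, p in pmf.items() if total <= reorder_point + 1e-9)


def compare(history, lead_time_days, service_level):
    """Safety stock and achieved service level under both methods."""
    normal = normal_safety_stock(history, lead_time_days, service_level)
    empirical = empirical_safety_stock(history, lead_time_days, service_level)
    return {
        "normal_stock": normal,
        "normal_achieved": achieved_service_level(history, lead_time_days, normal),
        "empirical_stock": empirical,
        "empirical_achieved": achieved_service_level(history, lead_time_days, empirical),
    }


# Constructed 20-day histories with the same mean demand (10 units per day).
STEADY_PART = [9, 10, 11, 10] * 5                      # close to bell-shaped
LUMPY_PART = [0, 0, 50, 0, 0, 0, 0, 50, 0, 0,
              0, 0, 0, 50, 0, 0, 0, 0, 50, 0]          # rare, large orders

if __name__ == "__main__":
    for name, history in (("steady", STEADY_PART), ("lumpy", LUMPY_PART)):
        r = compare(history, lead_time_days=4, service_level=0.99)
        print(f"{name:6s} normal: stock {r['normal_stock']:6.1f} -> "
              f"{r['normal_achieved']:.4f}   own distribution: stock "
              f"{r['empirical_stock']:6.1f} -> {r['empirical_achieved']:.4f}")
```

For the steady part both methods reach the 99% target with about three units of safety stock; for the lumpy part the normal formula falls short of the target, while the product's own distribution calls for 110 units.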
It is more difficult to get data for ORM and measurement than it is for
credit or market risks. Given the general lack of interest in strict cost controls,
banks rarely gather or store data about their internal control environment
in a systematic way. As a result, designing and putting in place a suitable
infrastructure to compile these loss events and indicators could be expensive
and take several years to complete. Instead of only previous losses being the
proof of operational risk, operational risk is a result of both the institution’s
internal control environment over which it has some degree of control and
the external environment. The control environment is far more of a leading
signal as to where the primary operational risks may lie in an organization
than the observed losses, which are used to educate management of where
the major risks are. The initial layer of the data model that is being provided
here is a data gathering exercise for losses. To fully comprehend how
operational risk manifests itself, one must also have a thorough awareness
of the internal control environment. The loss data alone cannot provide this
understanding. In addition to any qualitative characteristics that will aid
in our comprehension of the inputs and outputs, some quantitative factors
referred to as control environment factors and key control indicators must be
established in order to model the control environment.
The impact of risk is always on the downside under traditional investment
analysis, whether using the net present value or any other technique based
on discounted cash flows, as the presence of risk depresses the value of
an investment (Guidara, Lai, Soumaré, & Tchana, 2013). Real options
theory acknowledges that managerial flexibility may actively influence
an organization’s level of risk, and that taking on additional risk can serve
as a key tool for value generation. Therefore, under certain situations,
higher risk may actually boost the value of an investment opportunity.
One can then proceed to incorporate other types of corporate real options
that capture the inherent value of active management of the risk factor by
taking into account the novel viewpoint that the ability for management to
actively increase the level of risk is a key element in valuing an investment.
There are several methods to group the risk variables, also known as risk
determinants, but it is most straightforward to do so under the categories of
credit, market, and operational risks. Understanding how each risk factor
contributes to the many types of risk and how much administrative control
there is over it is desirable, particularly in the context of real options. The
amount of fixed costs in an organization is an example of a risk factor in the
domain of operational risk. When production levels or market conditions
change, an operating structure typified by a predominance of fixed costs
will be stiff and challenging to adapt. The impact that variations in volume
may have on operating results is significantly conditioned by the degree of
cost structure rigidity, other things being equal. Real options theory may
help guide management choices like recruiting or firing staff members or
purchasing a better operating system. For instance, high fixed costs, which
could be brought on by a large number of transactions that were handled
incorrectly, would often make it impossible to undo business decisions and
entail substantial reconversion expenses. Given this, it may be advantageous
to postpone project implementation in the face of such uncertainty and to
base such decisions on the occurrence of positive risk factor conditions.
Evaluating the prospective market for their goods and services and the
associated risks involved in the business is one of the major issues facing
new enterprises (Swani, Milne, Brown, Assaf, & Donthu, 2017). The
problem is particularly important in brand-new markets like virtual banks,
brokerages, or financial institutions. Due to these factors, the theory of real
options has been crucial in both valuing and determining the risk of these
new e-businesses. It is crucial to decide which real options model to use
in the modeling process as well as when it might be used. The future is
very uncertain, particularly for start-up businesses in a market that is still
developing: in addition to the usual market potential problems, there are
questions about the efficacy of the technology underlying the e-bank,
customer acceptance, the appropriate level of operational framework,
etc. Another difficulty is that, because these e-banks are proposing to
operate in a new field, there is frequently insufficient historical data that
is specifically relevant to a given industry or business. Future cash flows
may be considered as being dependent on a number of risk factors in the
structural architecture of the e-banking firm, which may be grouped in this
case under the headings of operational, market, and credit risks. Contingent
on the level of detail required, more elements may also be included in this
list, which is not meant to be exhaustive. The materialization of operational
risk will affect the actual number of clients serviced and, thus, impact the
cash flows realized, impacting the earnings volatility given a finite upper
bound on the number of clients that may be served at a given time. The
ability of management to respond to changing market conditions, such as
an unexpected increase in the number of potential clients if a competitor
departs this line of business, may also be negatively impacted by the same
operational variables. Contrary to traditional brick-and-mortar banks, where
credit risk is typically more prevalent, operational risk may be regarded as
the primary risk that an e-bank confronts (Sharma & Kansal, n.d.). Market
risk, as opposed to the risk of holding financial instruments, may be more
effectively viewed in the context of the general business model for e-banks
as demand risk from the market for its products and services. Depending on
the chosen business strategy, credit risk should be minimal.

3.11. CASH FLOW


Future cash flows (Figure 3.7) in the risk architecture above depend on how
management responds to the specific materialization of any uncertainty
(Hsu, Fournier, & Srinivasan, 2016). Therefore, to assess how a specific
element will affect the profitability, all types of uncertainty should be taken
into account under a variety of future business scenarios. Following this
mapping of all the risk components, the computations can be performed using a
Monte Carlo simulation or even more complex methods like stochastic dynamic
programming. The consolidated data are evaluated to identify subgroups of
projects that exhibit or have previously displayed comparable health
characteristics. The similarity is determined by a set of measurements. In the
early stages of a project, this segmentation can be quite helpful for project
profiling. Before continuing with the project development cycle, it can be
quite beneficial to establish a few project profiles in order to ascertain the
precise requirements that must be met by a given proposal. The various
portfolios are examined in light of the segmentation process’s findings in order
to find statistically significant reasons why certain behaviors are healthy or
problematic. In this step, data mining techniques are utilized to identify key
project characteristics that, when combined, result in the patterns of project
health that are visible. In order to establish an accurate baseline for
performance measurements, analysis should be performed on data for both healthy
and troubled projects. An approach like this would prevent one from
identifying erroneous trends or root causes that would be skewed by problematic
project data and would not actually affect project health management.
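
An added illustration, not taken from the book: a Monte Carlo simulation of the e-bank cash flows described above, in which demand (market risk), capacity-cutting incidents (operational risk) and credit losses drive yearly cash flows under a finite cap on the number of clients served. Every figure, distribution and function name here is a constructed assumption.

```python
import random
import statistics

# All figures below are constructed for illustration; none come from the book.
INVESTMENT = 1_500_000.0   # up-front cost of launching the e-bank
MARGIN = 120.0             # yearly contribution margin per client served
FIXED_COSTS = 600_000.0    # yearly fixed operating costs
DISCOUNT = 0.10            # discount rate applied to yearly cash flows
YEARS = 5


def scenario_npv(rng, capacity, op_risk):
    """Net present value of one simulated future of the e-bank."""
    demand = 8_000.0
    npv = -INVESTMENT
    for year in range(1, YEARS + 1):
        # Draw every random input each year, whether or not it is used, so
        # that runs with the same seed differ only in the settings compared.
        growth = rng.lognormvariate(0.05, 0.25)   # market (demand) risk
        incident = rng.random() < 0.15            # operational incident this year?
        severity = rng.uniform(0.2, 0.6)          # share of capacity lost if so
        credit_loss = rng.betavariate(2, 98)      # credit risk, about 2% on average

        demand *= growth
        usable = capacity * (1 - severity) if (op_risk and incident) else capacity
        served = min(demand, usable)              # finite upper bound on clients
        cash = served * MARGIN * (1 - credit_loss) - FIXED_COSTS
        npv += cash / (1 + DISCOUNT) ** year
    return npv


def simulate(n=5000, seed=7, capacity=10_000.0, op_risk=True):
    """Run n scenarios and summarize the resulting NPV distribution."""
    rng = random.Random(seed)
    npvs = sorted(scenario_npv(rng, capacity, op_risk) for _ in range(n))
    return {
        "mean": statistics.fmean(npvs),
        "stdev": statistics.stdev(npvs),
        "p5": npvs[int(0.05 * n)],   # 5th percentile: a downside measure
        "max": npvs[-1],
    }


def npv_ceiling(capacity):
    """Best possible NPV: full capacity served every year, no credit losses."""
    best_year = capacity * MARGIN - FIXED_COSTS
    return -INVESTMENT + sum(
        best_year / (1 + DISCOUNT) ** y for y in range(1, YEARS + 1)
    )


if __name__ == "__main__":
    cases = [
        ("no operational risk", dict(op_risk=False)),
        ("with operational risk", dict(op_risk=True)),
        ("no capacity cap, no operational risk",
         dict(capacity=float("inf"), op_risk=False)),
    ]
    for label, kwargs in cases:
        r = simulate(**kwargs)
        print(f"{label:40s} mean={r['mean']:>12,.0f} "
              f"stdev={r['stdev']:>12,.0f} p5={r['p5']:>12,.0f}")
```

Because each scenario reuses the same random draws across settings, the gap between the runs isolates the effect of operational incidents and of the capacity cap on the NPV distribution.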

Figure 3.7. Future cash flows.

Source: https://www.starbreeze.com/sbz-media/2019/10/Estimated_cash_flow_1923-e1570799009450.jpg.

The management of price risk and quantity risk is the main focus of
financial risk management for the more advanced conventional utilities. The
utility industry’s players can be divided into retail customers, wholesalers,
and traders for the purpose of financial risk management. Since they
frequently have fixed-price variable-quantity contracts, retail users typically
incur little to no price or quantity risks. Although there are frequently some
daily or weekly variations in the price schedule, prices for retail users are
fixed in the sense that they are known in advance with certainty. They
don’t, however, suffer any quantity risks because when someone turns on a
light, they always assume that there will be enough electricity to power it.
Wholesale customers and suppliers typically deal with market-determined
costs and supply constraints; therefore, they actively manage risk. These
procedures estimate risks and carry out mitigation plans for those that the
businesses do not want to keep. In utility markets, where the fundamental
commodities are purchased and sold, traders act to create liquidity. Energy
deregulation is either advanced or complete in the majority of Western
nations, meaning that wholesale customers are still subject to the whims of
market-based rates and availability. The markets themselves, however, can
be a significant source of risk. Some power markets, including those in the
UK and California, have experienced serious issues with their commercial
models, necessitating a recent revamp. Prices for spot contracts and a variety
of forward contracts are often available due to the deregulation of the energy
markets (Tanlapco, Lawarree, & Liu, 2002). Once more, the presence of
a market does not guarantee that all potentially valuable contracts are
readily available in sufficient numbers. The specific forward contracts that
are offered depend on the commodity in issue as well as the region. Gas
is expensive to transport, electricity is still governed by some interstate
transmission restrictions, and oil is transported by tankers and pipelines.
Thus, to name just three of the more frequently occurring risk categories
for energy, wholesalers must contend with market risks, liquidity risks, and
location risks.
These factors will still be present in utility computing, although
location risk will play a lesser role due to the constant need for high-capacity,
dependable network connections between remote supply and consumption
locations. The most frequent comparison to computational utilities is
electricity. Electricity, on the other hand, is a very unique good and utility
since it incorporates certain physical laws that will be upheld no matter what
the market wishes to happen and must thus be incorporated to prevent
physical harm to utility system components. Since there is free disposal in
computing, price models with negative prices are unnecessary and should
be avoided. This shows that while the lessons learned from the design of
energy markets are very instructive for the potential types of issues, they are
not entirely relevant. Based on the maturity of the utility and the sectors it
supports, a wide variety of contracts are employed in conventional utilities
for financial risk management.

CHAPTER 4
PROJECT MANAGEMENT

CONTENTS
4.1. Introduction
4.2. Issues
4.3. Banks
4.4. Projects
4.5. Funds
4.6. Industries
4.7. Threats
4.8. Uncertainty
4.9. Contracts
4.10. Project Management
4.11. Accidents
4.12. Milestones


4.1. INTRODUCTION
Wherever goods or services are produced, processed, supplied, or bought,
business risk arises. Enterprises can have a variety of outcomes, including
continued operation, bankruptcy, a natural disaster, or a change to a different
type of organization. Project risk arises during the phase from the limited
number of business operations that are predetermined from the project’s
beginning until its conclusion in order to achieve specific objectives (Van
Der Merwe, 2002). A business is typically a group of projects; frequently,
the organization manages a portfolio of related projects at once. A project is
an endeavor or activity that is planned to make use of a variety of resources,
most notably money, land, labor, and time, in order to accomplish a goal
or set of goals. An expected or fixed budget and a predetermined timeline
or time period are two conventional project instruments introduced by
the project control. Lenders may become more risk prone in a variety of
circumstances even when they still desire high investment returns and fear
worst-case scenarios. There will be non-monetary returns, but the project
equation will still need to take these into account. Some organizations will
establish their objectives to be defined by non-monetary ideals or to achieve
a benefit other than financial gain. The optimal compromise to balance the
risk-return ratio is what today’s leaders seek.

4.2. ISSUES
Political and societal unpredictability (Figure 4.1) are current issues.
A significant aspect for firms is globalization. Competition for today’s
enterprises might easily come from the next town over or from across
the world (Gummesson, 2005). The management teams of today must be
more agile, proficient, and rapid than before. Standing still is not an option
given the rate of technological advancement, which indicates that this is
likely to last long into the future. Only adaptable organizations will be
successful; change management develops into both a business requirement
and an art. The rate at which a company can enhance the variety of goods
and services it offers, as well as the way in which they are created and
delivered, is the actual indicator of its success. Because of the numerous
and varying ways in which project participants might affect the project’s
result, risk is notoriously difficult to assess. The typical project scenario
involves a project team working together within the corporate framework.
The varied influences of individuals and parties on your progress mean that
you can never be totally certain of the speed or direction of your project.


Risk need not always have a negative effect on the person. The chances of
winning a Western European or American state lottery are incredibly slim.
Banks and fund managers that lost billions of dollars on foolish schemes
include some of these skilled investors. Investing in increasingly cutting-
edge financial products carries a bigger risk of failure than success. One
would like to assume that we would be satisfied to let risk and investment
experts determine the benefit or risk of an investment or project. Although
it may seem implausible, many businesses pay little attention to how their
employees perceive risk, especially when it comes to risk management. Risk
analysis frequently amounts to nothing more than a gut instinct, the belief
that one has just made a wise purchase. Few people would openly admit to
being risk averse or seeking in any form.

Figure 4.1. Political and societal unpredictability.

Source: https://media.springernature.com/lw685/springer-static/image/art%3A10.1007%2Fs11192-020-03416-6/MediaObjects/11192_2020_3416_Fig4_HTML.png.

4.3. BANKS
Investment banks (Figure 4.2) frequently claim that their foreign exchange
trading operations are risk-hedging, but in reality, they are just betting that
their open positions will increase in value (Geyfman & Yeager, 2009).
Since both profit and loss are canceled out during a hedging investment, a
perfect hedge has neither. Short-term market speculation, which is a risk-
seeking tactic, is how banks and corporations that acknowledge losing
money on hedging operations have lost money. Similar to this, businesses
that hire personnel on a temporary basis solely by offering more and higher
compensation are not risk-averse. In reality, these businesses increase the
likelihood that employees will be drawn to them for the wrong reasons,
such as greed, by raising wages in their industry. The potential drawback is
that employee turnover must have an impact on the project’s health because
loyalty to the organization is typically shorter than the length of the most
recent pay check. The practice of screening employees is not always present
in businesses that are seen as well-run. Therefore, the organization and their
projects must be at risk due to critical project staff that lack self-control.
We have seen instances where project members who engage in risk-taking
behavior must be considered as staff who engage in excessive drinking, drug
use, prostitution, and other immoralities. A business that has minimal control
over its employees must be thought of as risk averse. A lot of computer-based
technology has been developed that falls under the risk management
category.

Figure 4.2. Investment banks.

Source: https://cdn.corporatefinanceinstitute.com/assets/investment-banking-diagram.png.
The UK Institute of Actuaries and Institute of Civil Engineers (ICE)
(Figure 4.3) developed RAMP (Risk Analysis and Management of Projects),
a more recent approach to managing business risk, specifically to manage
project risk (Allan & Davis, 2006). It is specifically intended to stop or lessen
the risk or effects of cost overruns, schedule delays, or quality failures.
The RAMP technique attempts to classify various business hazards before
assessing and limiting their possible effects. It works analytically first before
enforcing risk management or containment, as appropriate, for the current
project context. This includes the initial idea, as well as implementation and
conclusion. Ad hoc operations sadly become less appealing when there are
millions at stake and professional reputations are at stake. Best practices,
protocols, and checks are incorporated into the processes to lessen the
likelihood of failure. Since they are not industry-specific, RAMP aims to
manage any sizable project, such as construction or the delivery of a clear
final product. In some ways, bureaucracy and paperwork are inevitable,
but since there are significant financial and human resources at stake,
procedures are created to minimize the likelihood that something will slip
through the cracks. Without a reliable system of checks and controls, there
is a high likelihood that people may forget or ignore crucial details. These
are especially helpful when there are numerous participants and we need
to establish standards or continuity. To ensure that the final performance
trends toward the design objectives, change controls and quality reviews are
essential. Key definitions of product, service, and process planning are needed
at the outset. Despite alterations in people, materials, and the environment, a
documentation tracking method keeps the project on schedule.

Figure 4.3. UK Institute of Actuaries and Institute of Civil Engineers.

Source: https://www.ice.org.uk/media/pqhnnzz5/fish-building.jpeg.


4.4. PROJECTS
Large projects frequently have numerous tasks ongoing at once; there is
not always a clear distinction between project phases. The traditional
methods can occasionally provide the mistaken impression that projects
advance smoothly and proceed to completion. Perhaps this isn’t the case.
Throughout history, the same errors have been made. Some tasks ought to
never be finished. The projects should never have been launched in the first
place, the final product is completely wrong, or the cost-benefit analysis
demonstrates the projects’ lack of value. Such ventures must be stopped in
their tracks or abandoned before they squander your company’s precious
resources. The old models are being questioned due to the complexity of
combining various project stages and the rise in the specialized project skills
required. In the past, a lot of project scheduling and budgeting exercises
were geared toward mechanistic forecasting and control. For many reasons, a
housing complex is typically created as a prototype. To demonstrate to the
clients, the architect will create a cardboard or acetate mock-up. This can
be manufactured using satisfactory endorsement. The structures don’t have
to be finished simultaneously. The first should be finished before the others.
This will enable any design flaws. The requirement for self-financing via
the sale of finished selling homes before construction is complete to cover
the costs of building acquired thus far. Real estate sales need the use of
show houses, as they gain notoriety and draw clients. There is a custom of
inviting potential purchasers to show homes to increase exposure. Revenue
is generated far before the remaining construction has been completed.
Other concepts have emerged recently, although a lot of them have
included prototyping techniques. One illustration is rapid application
development (RAD) (Coleman & Verbruggen, 1998). This is comparable to
prototyping and incorporates its fundamental ideas. However, RAD uses a
more rigid and rigorous technique. The installation of packages or existing
products for customization has grown in popularity. This essentially consists
of a toolkit or partially developed product that you may customize to meet
your needs. It is frequently believed that producing these packages will
be quicker and less expensive than attempting to develop the entire thing
from scratch. In computer software systems where software packages are
purchased off the shelf, this technique is common. The capacity to quickly
advance along the learning curve without incurring the large start-up costs
associated with creating the product from scratch is what appears to be
advantageous. This will not always be the case; there are many instances
where purchasing packages and then customizing them has turned out to be
more expensive than creating the entire project from scratch.

4.5. FUNDS
Raising the necessary funds to complete a project is one of the major
difficulties or hurdles. The use of venture financing is frequently advocated,
particularly for technology ventures that are commercial or in the preliminary
stages of R&D. It is important to recognize the scope of this issue because
venture capital markets in other countries are not as developed as those in
the United States. When there is no functional prototype or patent, this task
is more difficult. The type of project they are working on must be understood
by both the project manager and the project owner. There are several types of
project inertia for every project and every project type. There are those that
start out slowly but finish quickly. Some initiatives, on the other hand, start
out quickly yet take an incredibly long time to finish. Neither the project
owner nor the project manager being aware of the type of project inertia
is one of the primary risks in project management. As a result, they might
invest excessive amounts of time and money at the beginning or finish of
the project. The nature of the sector and the types of project inertia present
must be understood by an experienced project manager. Business is by
nature a risky endeavor since there are dangers lurking everywhere. There
is a common misconception that because projects dedicate set quantities of
resources, risk cannot be effectively taken into account without degrading
the final product. A power generator, for instance, should not be constructed
in an area where thunderstorm activity is known to occur. The issue of
performance or project quality emerges if the project’s costs and timeline
have already been agreed upon and fixed. One solution is to externalize the
risk of a power outage during thunder by including provisions in insurance
policies that safeguard the plant in such circumstances.
A risk manager may not always be welcomed by a firm or client. They
face resistance, much like a pest control operator. Calling them in carries
some social shame because it’s equivalent to admitting you have a problem.
Controlling your workforce, particularly if they are unskilled, incompetent,
or dishonest, is a key component of risk management. Your project success
may be in jeopardy because of some of your workers who hold key project
positions. Someone working for your organization may be unintentionally
committing project errors, disclosing private information, accepting bribes,
or incurring losses in secret. However, nobody actually wants the general
public to know they have pests in their home. By soliciting perspectives,
many businesses try to balance out prejudices or individual errors. On a
specific area of risk, such as maritime insurance for shipping crude oil
around the Indian Ocean, we can solicit the opinions of experts. The group
is asked to rank their subjective assessments of the risk. It is hoped that the
biases of the other experts in the sample will balance out their own. Their
comments can be compiled into information that helps us determine what
we believe the anticipated cost will be in the future.
There are political, regulatory, and market conditions. This area of
study involves a lot of disciplined thought, work, and legal requirements to
control how businesses and organizations are run. Your ability to function is
constrained before you run into legal snags or unauthorized political protests
that could jeopardize the success of your enterprise and your brand. The
project could be harmed by counterparty risk, commercial conflict, poor
communication, and technological failure. For the project to be successful,
human performance, skill availability, competence, and motivation are
crucial components. While risk cannot be completely eliminated, it can be
managed under certain circumstances. Certain risks can be avoided, and
the project manager has influence over these. The environmental risk is
largely outside of one’s control, but we can learn to operate better where
the law allows us to make our project more efficient. This interaction is
typical of customs, tax, and operating license authorities. It’s conceivable
that restrictions will occasionally be used against your project. However,
you can take further safeguards for unforeseen events, such as having more
reserve money or insurance, to lessen the impact of regulatory damages. In
order to better absorb project shocks, the project manager is recommended to
adopt risk management steps to try to avoid the risk, to accumulate reserves,
and to establish a network of contacts. There are numerous methods for
conducting risk assessments. We can experience the phenomenon either up
close or from a distance with them. We can observe a tornado’s devastation
from a safe distance; we can study a business process by carefully examining
the current system; past experiences may be documented in company files,
reports, third-party company analytical reports, or newspaper accounts in
electronic or paper format. Interviews bring people with the most first-hand
experience of the phenomenon into face-to-face sessions to determine
the nature and extent of the risks.
The implementation of new policies can have a big impact on how a
project runs. Political risk exists on two different levels, the first of which
is project-level. Although neither their actions nor the impacts may always
be immediately visible within the project, the interactions of various
organizations and administrative agencies in the market will have an impact
(Posner, 1972). When the project team and support staff were defined
too narrowly, some projects ended up failing. Key staff may determine
the overall project’s success or failure. These individuals may have been
properly recognized in advance or overlooked during project analysis or
design. These individuals may not be readily apparent as members of the
project team, but their participation, exclusion, or underperformance may
have a significant detrimental effect on the project as a whole. Backup
team members, or those working in the office or corporate headquarters
performing administrative duties, must be included when defining a
project team. However, this perspective of the project environment must be
expanded to take into account the larger context of the fringe supporters who
may have considerable input that is not immediately apparent. The obscurity
of the project landscape makes it difficult to identify these important project
stakeholders. Other people have a propensity to desire to join the action
even when they are not legally or morally entitled to do so. Their demand
could be perfectly reasonable perhaps to make amends for an earlier error or
it could be a bribe or payoff demand that is reinforced by a threat. The truth
is that for the project to go as intended, members may need to be included by
default. This inclusion can only be accomplished after a thorough assessment
of how they might help or hurt the project.
Through a variety of risk management techniques, an investor has
options for guarding against probable loss (Rehman & Anwar, 2019).
Proper business ventures are deliberate endeavors that unite individuals and
interested parties in the pursuit of mutual objectives and profit; they are not
careless bets or swindles. A genius investor could be dishonest, unlucky, or
even genuinely clever. They were later exposed to be scammers who either
made up trading profits or used illegal insider knowledge to manipulate
the market. Investors can reduce their nominal returns by taking risk into
account, which will provide them a more accurate picture of the project’s
health. By implementing hedges, risk management aims to shield the
investor from an unfavorable change in foreign exchange rates. Similar to
this, a company can strive to prevent insolvency when faced with a decline
in demand by diversifying its products or markets, or by splitting the risk
with partners. These steps are deliberate attempts by the investor to lessen a
chance shock, not components of chance.
Public discomfort is a frequent occurrence when interest rates rise and
mortgage holders must make larger monthly payments. Many firms take
out loans of one kind or another with floating interest rates; the changes
in the rate could be disastrous. The net present value or actual rate of
return on project investments is directly impacted by the interest rate. A
variety of interest rate derivative products are available for investors to
choose from in order to hedge against an unpleasant rate increase due to
the expanding scope of global trade and the creation of innovative financial
products. Most investors steer clear of short-term bets by diversifying their
investments over a longer period of time, investing in a variety of stocks and
bonds. Additionally, fixed-rate loans are becoming more widely available.
Examples include mortgages, which have interest rates fixed for a set time,
like two years, but then increase to a maximum rate, like 10.85%, after the
fixed period has passed. The advantage for the client is that he can budget his
limited resources to prevent changes in interest rates, which cannot increase
to the point where they bankrupt mortgage holders. It is possible to say that
the consumer has adopted a risk limiting or risk mitigation plan.
The project owner or leader might ask a series of questions to the
customer to screen them and determine what kind of credit performance
they will likely face. To create a picture of the expected credit risk, the
credit screening uses a standard template with points for each element and
pass/fail judgment boxes. The customer could be the project owner; thus,
subcontractors and the project manager should confirm that the customer
has a solid credit history before beginning work to ensure timely completion
and payment of all employees. For someone who wishes to open a trading
account with a broker or investment bank, a straightforward template
would resemble this. Screening is based on the assumption that the bank or
organization initially wanted to screen the client. Giving unauthorized soft
loans to chosen friends or associates of the company is a common practice.
Although the British TSR2 supersonic fighter project (Figure 4.4) is
sometimes acknowledged as a technological achievement, the World War
II government considered it to be a monetary disaster (Reed, 1970). Similar
to the Grand Canyon, the Channel Tunnel is a feat of engineering but not
often one of business. Numerous instances of projects running out of money
or being canceled are reported. These occurrences frequently originate
from political and business decisions made by the project owner and other
connected parties and are not always within the project manager’s control.
One of the disturbing trends in management science is the occurrence of
projects running later than expected. The increased interconnectivity of
adjacent projects is another cause of scheduling difficulties. The project
manager or owner may not be solely to blame for such failures. Thus, it
might be claimed that Charles Babbage’s 19th-century Analytical Engine was
partially a scheduling mistake. His project would have produced the first
computer in history that could resolve moderately challenging mathematical
equations, making it significantly more sophisticated than his earlier engine.
Budgetary issues and the technical inadequacy of Victorian engineering to
create parts with the necessary accuracy prevented the development of his
Analytical Engine. The NASA space shuttle was a textbook example of a
program that was running behind schedule and had to make compromises
on safety in the futile attempt to get back on track.

Figure 4.4. British TSR2 supersonic fighter project.

Source: https://upload.wikimedia.org/wikipedia/commons/0/09/BAC_TSR.2_XR219_Warton_11.06.66_edited-2.jpg.

4.6. INDUSTRIES
In high-tech industries like pharmaceuticals or computer hardware
and software, this is typically a cause of failure or underperformance.
Companies engaged in cutting-edge research and development (R&D) are
referred to as being on the cutting edge of technology, as well. Usually,
project commencement is approved once it reaches a set of required or
desired performance thresholds. When these thresholds are not met, it
frequently suffices to end the project in its early stages. An example of one
of these abandoned yet once ambitious endeavors is biotechnology. Even
the most anticipated medications, like Viagra tablets for treating impotence,
will have some negative effects (Gallagher & Chapman, 2010). British
Biotech, for instance, was fined $50,000 by the US Securities and Exchange
Commission for its publicity releases for its cancer drug called Marimastat.
Companies must exercise extra caution when obtaining regulatory approval
for pharmaceutical products since delays and schedule risks might arise
in the areas of a drug’s therapeutic effects, the reliability of its testing,
consumer safety, and regulatory authority decisions. Another example is
the Iridium satellite phone system’s introduction. Projects that originally
appear promising may face a minefield of technology. Different levels of
influence are occasionally exerted on businesses and organizations within
an industrial sector. An industrial directive or fine may exert pressure on
a project to change its course of action. This could be done to lengthen the
testing time, as in the pharmaceutical business, to force a modification in the
design of automobiles or buildings, or even to revoke the project owner’s
operating license.
For instance, it could be a decision made by the Federal Aviation
Authority (Figure 4.5) regarding operating standards and flying safety. The
options typically include appealing the regulatory decision in court, paying
any fines, changing the location of operations, or closing up. Operational risk
thus has an impact on or even takes precedence over other considerations.
The project is seriously at risk from a project manager or project owner
who lacks integrity. Once more, the model may have been a fine concept,
but its implementation was subpar. Smaller projects must be evaluated on a
cost-benefit basis, where you must determine whether the costs of creating
a contract are excessive given the amount at risk. Unexpectedly many
businesses start projects without a comprehensive contract; frequently, a
letter of intent is sufficient to guarantee the production and order for the
beginning of a significant project. Small and medium-sized businesses, as
well as solo enterprises, frequently lack the resources, money, time, people,
and legal knowledge to form contracts (Dvorsky, Belas, Gavurova, &
Brabenec, 2021). So, there is still a chance that they won’t get paid for their
services. Knowing where the risks are and how likely it is that you will
run into them is risk analysis. Knowing where not to fly and how to sail
safely around icebergs are both examples of risk management. Project risk
management is the application of knowledge; it is not pseudoscience.

Figure 4.5. Federal aviation authority.

Source: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c8/Seal_of_the_United_States_Federal_Aviation_Administration.svg/1200px-Seal_of_the_United_States_Federal_Aviation_Administration.svg.png.

4.7. THREATS
A map of potential threats and the damage they might create is what risk
analysis is like. Using the map, risk management determines how to avoid
the dangers. Recent years have seen an increase in coordinated efforts to
define risk and risk management approaches. The RAMP or Risk Analysis
and Management of Projects system (Figure 4.6), which was introduced by
the Institute of Civil Engineers (ICE) and the Institute of Chartered Actuaries
in the UK, is one such instance (Hallikas, Virolainen, & Tuominen, 2002).
They have made a clear effort to offer a project framework to define and
lower risks. The goal is to combine risk analysis and risk management in the
context of project operations in order to recognize and address risk factors
that could cause substantial delays or overspending in projects. The system
develops a thorough and comprehensible framework for project control and
risk detection. RAMP operates by focusing on describing and quantifying
risks throughout a project’s life cycle. RAMP and comparable approaches
may be seen by some as a collection of common sense. However, RAMP is
superior in many ways since it gives some of the project’s more unpredictable
parts a structure. RAMP seeks to compel the project participants into a
logical set of procedures and provide them the ability to continue having
planned risk evaluations throughout the project life cycle; the goal is not
to make paperwork and controls halt project development. The cost of
good project risk management must be low, meaning that the value of risk
management must outweigh the expense of getting there. Risk management
is a tool used to keep the project on track and within budget. A construction
project for a toll road bridge serves as a case study of RAMP in action.
The unpredictability of an outcome where the entire investment cost will be
higher than the project’s benefit or result poses a risk to the business plan.
The possibility that the project schedule will take longer than expected or
not be delivered at all depends on risk as well.

Figure 4.6. Risk analysis and management of projects system.

Source: https://static.javatpoint.com/tutorial/software-engineering/images/software-engineering-risk-management-activities.png.

Within the project cycle, risk fluctuates with time. Work done in the
feasibility stage can lower risk to the degree where we can reasonably
expect that the result will be more valuable than the investment. We must
continue to keep in mind both what has been agreed upon and what is still
subject to change. We must modify the contract, and either the contractor or
the customer may incur significant costs. In contrast, a cost-reimbursable
contract allows the project owner to change the goal but does not fix the cost
or the timeline. Flexibility is allowed, but not to the point that the project is at
risk of disintegrating. In this way, project contracts strike a balance between
structure and change. Project management is the process of merging the
many resources that are available; it entails preparing to accomplish a task
or create a final result. It is risky on a daily basis. There is always a necessity
for prior research. Risk management, in certain ways, adopts a risk-neutral
mindset; it never tries to take an extreme stance. The practice of identifying
risks and adopting proactive steps to perform better under current business
conditions is known as risk management.
Risk management should always be included from the beginning and
is not an optional add-on that is just good to have (Chapman & Ward,
2004). Throughout the course of the project, it is an ongoing structural and
iterative process. The contemporary project manager can profit from risk
management. Thus, participants with better risk management can enter the
market earlier to take on more rewards in cases where the yield curve is
overestimated. The risk-return ratio should be appropriately calculated during
the initial risk analysis stage because overestimating or underestimating
profit, costs, or risk usually results in some sort of loss. Most projects run
far over their allotted budgets, which is one of the major dangers they face.
Even for seasoned professionals, mastering project metrics is exceedingly
challenging. The estimation process is quite complicated when it comes to
probability, task timetables, and revenue and cost streams. Under project
risk management, predicting the future can be scientific, but it can also turn
toward the creative or talented. Some project risk management professionals
are better at estimating schedules, expenses, and risk metrics.
If the project is smaller, simpler, and easier, you can take savings out of
this example; otherwise, you can include contingency expenses for project
unknowns to arrive at a revised estimate. The scheduling process will be the
same. The objective is to be better equipped to handle events as they arise
rather than to foresee most of the outcomes or to accurately predict all future
events. Being overextended without backup resources during the course of a
project renders us vulnerable to unpleasant surprises. Nevertheless, the client
or project owners are the ones who originally choose the budget, if only
because they are in charge of the money. The strategic long-term budgets
are established by the project owner or directors and must be implemented
at the lower project operational levels (Shenhar, Dvir, Levy, & Maltz, 2001).
We refer to these as top-down budgets. The project risk is that top managers
who don’t comprehend the nature of the project or technical challenges at
the operational level have a serious communication problem. Then there
are project managers who are unable to comprehend the resources available
or the broad business goals on a corporate level. The components, labor,
and timing of the activities and deliveries will all be totaled up, along with
a margin for project management services. The highest management can
be asked to approve this budget. Iterative budgeting, when the planned
budget is modified by top management and the project manager until it is
agreeable to both parties, is more typical. Your project team or departmental
specialists can provide you with their predictions of the costs associated
with each of their sub-tasks. The final estimate is calculated by adding up all
of these expenditures, managerial and integration charges, and a buffer or
contingency fund for the project’s unknowns.

4.8. UNCERTAINTY
Most of the uncertainty and a significant amount of risk are removed from
the contract by fixed costs. The downside risk is that the contractor’s actual
costs could increase over the project, which would result in poor profits
or worse. When contractors are frequently affected by strikes or material
shortages, fixed-cost contracts are preferred since the client is bound by a set
price even while staffing costs and capital equipment costs are dangerously
rising. The fixed price is typically increased as a result of a force majeure clause that
allows such events to be deemed beyond the contractor’s control. If the client
or project owner accepts a high price when actual labor and material costs
are lower than anticipated, they may be in error. This is a typical situation for
corporate workers who receive a fixed amount for expenses, such as $100 per
night for hotel lodging and $40 per day for meal allowance for project work
away from home, regardless of their actual costs. The client may potentially
save money if hotels and meals were less expensive. The drawback of this
is that if contractors are billed for labor in man-days instead of hours, they
have no motivation to reduce the cost of their labor and materials. When it
is discovered that contractors overcharged the client by inflating their costs,
this strategy loses favor. However, it is still frequently employed when the
cost of raw materials is well-known and largely stable. This is frequently the
basis for price quotes from carpenters and other trades people working in
small businesses. It was employed by NASA when it first began to explore
space. The Channel Tunnel is an impressive engineering achievement,
but it does not inspire confidence in people who first purchased shares
of Eurotunnel based on the prospectus, expecting a higher rate of return
(Morris, 1989). These types of project overruns serve as a good example
of the necessity of contingency reserves to cover project tasks that have gone
beyond initial estimates. This can be the result of unforeseen circumstances
or overly optimistic budgeting. An immediate reaction might be to set aside
a sizable sum of money to meet most expenses, as if saving for a rainy day.
We’ll demonstrate how doing so can be inefficient if the project no longer
requires that specific amount of contingency cash. Therefore, the restricted
resources ought to be made available for use in more fruitful endeavors.
If not, upper management is not effectively prioritizing the project. This
may be the case if a project lacks sufficient or important project champions
within management to support it, or if a project crosses over onto another
person’s patch and causes friction within management. Political battles can
be challenging. The ability to fight is essential for success. On the other
hand, there are numerous occasions when initiatives should be abandoned
in order to prevent resource waste or damage. A performance bond is a legal
guarantee that the project will be completed on time, as planned, and to the
client’s or project owner’s expectations for quality. It serves as protection
against performance failure. A good-performance bond or payment might
be obtained in advance from the contractor to put greater pressure on them
to produce work of a high caliber. The project manager may be required to
provide a satisfactory performance guarantee, which can be provided by
a bank or credit institution functioning lawfully in the host country where
the project is headquartered, in order to ensure that the project’s progress
is maintained. This is done so that, in the event of a dispute, the contractor
cannot put pressure on the bank or credit organization to not honor the bond.

4.9. CONTRACTS
Writing bond contracts may be simple; receiving payment for bonds drawn
from a bank may also be simple; but, receiving payment for insurance
bonds may be more challenging because they must be verified by insurance
company investigators (Black & Cox, 1976). There will likely be legal power
struggles over what these mitigating circumstances are and whether clauses
can be legally invoked. Additionally, there have been situations where the
customer attempted to deny the contractor’s bond. The client may not
have tried to pay the project manager or contractor at all. The performance
bond is only used as a justification for delaying payment. Formatting and
mailing an invoice are simple; collecting money is more challenging. For
the more challenging or forgetful client, reminder phone calls and faxes may
be necessary. Working with screened or reputable clients is one strategy
to reduce the risk of credit or default. Bad debtors find it more difficult
to conduct business in this community because their reputation precedes
them. If they cross the line, you may quickly spread the word by putting
it out there. Another strategy is to hone your writing abilities and learn to
compose professional letters of reminder and threat of legal action. If you
have to go all out, it’s advantageous to establish a good working relationship
with a reputable law firm or barrister. Another option is to build up a
relationship with a larger organization. If the debtor refuses to pay, you can
use all of the resources to threaten legal action. In most circumstances, an
agent working for a bigger corporation has the power to obtain payment. This
is undoubtedly an option and will depend on your specific situation. Smaller
businesses might not use such techniques due to financial constraints.
This demonstrates that a company’s reputation is a valuable commodity
that even the most difficult client is reluctant to lose quickly. However, the
client can still be willing to argue with the project manager to obtain even
the smallest discount or insignificant concession. It’s interesting to observe
how important reputation or honor are in business. Sometimes shaming a
tough client is the best course of action to deal with a non-payer. If the
company’s upper management is hesitant to support the project, its lifespan
is undoubtedly finite. Projects bring about change, and they are likely to
encounter resistance from all sides. Managers who are unable to handle the
introduction of change run the risk of having their efforts meet a brick wall.
For individuals who manage to become lost in the project documentation,
this has major repercussions. You or your project manager could occasionally
forget or lose sight of activities that need to be completed. Other times,
outside actors who aren’t technically part of the project team can have an
impact on the project. When the initiative faces strong resistance, there may
be enough unkind voices that can garner enough support or wield enough
influence to bring the effort to an end. It is a risk management tool that you
can use to defend both the project and yourself.

4.10. PROJECT MANAGEMENT
Project management is the dynamically shifting process of making
decisions and reallocating resources to complete the task. A project is either
progressing without issues or is at a standstill if funding and labor allocation
do not change. One backup plan for launching a satellite is to have a rocket
available. Other scenarios have a more negative outlook on human potential;
they rely on stand-by generators or uninterrupted power supplies (UPS)
in the event that an electricity supply provider is unable to offer enough
electricity for a variety of reasons. They are a means of purchasing time if a
complete loss of power is suspected and can be activated when an electrical
power outage is detected. The art of project management also includes the
ability to deal with unanticipated events and their negative impacts. The
management of contingencies is essential in the fight against operational
risk, such as fraud. We may demonstrate that political or commercial leaders
occasionally disregard or put off important IT initiatives in a risky manner
by examining the issues with implementing economic and monetary unity
in Europe. They were well-organized because they had early awareness of
the nature of the risks and issues. As a result, project management lost its
element of chance. Our approach to market dynamics serves as evidence of
how management change is progressing.

4.11. ACCIDENTS
The tragedy and the Munich plane accident in 1958 (Figure 4.7), which
claimed the lives of the majority of the Manchester United football team,
are somewhat comparable. A football squad cannot easily fly on different
aircraft, which is the difference. With military air support, it is easier to
separate counterterrorism personnel. If at all possible, key personnel should
ride in separate vehicles. Have a backup plan in case one vehicle is late
or doesn’t show up. You can never predict when issues will develop. For
instance, those in Russia and certain former Soviet states are severely
underfunded, highlighting some of the challenges faced by state-run businesses
in the transition economies. Among the state personnel who are affected by
the backlog in unpaid payments are doctors and nurses. Under-funding of
public hospitals is more of a norm than an exception worldwide. You may
need to consider insurance, proper first aid, or even stand-by emergency
evacuation services in the event that your team needs to receive intensive
care in these facilities. In all fields of labor, including business, sports,
and the arts, a top boss may abruptly depart from their position. There are
numerous reasons for leaving your job, including disagreements about the
working environment, poor performance, conflicts with co-workers, or the
attraction of better money elsewhere. One of a company’s key concerns is
succession, yet it is frequently not effectively addressed. The loss of a senior
manager puts the entire organization under stress and strain, which could
be enough to jeopardize projects and the company’s continued existence.
Top management is frequently preoccupied with other issues and may miss
the warning signs that important employees may be about to quit. Without
key personnel, a project stands the serious danger of performing far below
par. All initiatives must be able to resist the pressure of employee attrition or
turnover, especially longer-term ones.

Figure 4.7. Munich plane accident.

Source: https://icdn.strettynews.com/wp-content/uploads/2020/05/Screenshot-2020-05-27-at-17.11.58.jpg.

Venture capitalists are willing to make investments and safeguard these
investments through a strategy of diversification and risk taking (Macmillan,
Siegel, & Narasimha, 1985). They will select a group of promising businesses
and anticipate that some of them will fail in the next year or two. However,
the venture capitalist also anticipates that any losses from these companies
will be more than offset if a start-up company succeeds to the point where
it may be listed on the stock market three years later, allowing the venture
capitalist to sell his part and make a sizable profit. It has been demonstrated
in the field of portfolio investing that a well-managed, balanced mix of
hazardous investments can boost potential profits while actually lowering
overall risk. To maximize the possible return while reducing the overall
risk on the portfolio, a minor percentage of a well-balanced fund should
be invested in riskier markets. A lot of interaction with numerous players
takes place in business. These individuals have various responsibilities and
roles, as well as various perspectives on risk. Some people, like accountants,
those with large families, and those who earn salaries, try to minimize risk.
Others, such as explorers, soldiers of fortune, gamblers, and stock market
speculators, thrive on danger and adventure. Each of these individuals has
a unique role to play in their initiatives as well as a unique risk tolerance.
The project position with the highest or most established profile is the client.
That has hardly altered. What has changed is that projects are now frequently
so complicated that the project owner, or customer, is unable to specify the
precise appearance she wants the final product to have. However, the client
must view the project’s objective broadly and must not permit trivial issues
to get in the way of this. The project manager has the attention to detail to
turn this strategic objective into a reality. You must maintain your focus on
the goal.

4.12. MILESTONES
Checkpoints or milestones for the project’s development are crucial for
identifying business plan deviations. Projects, especially long-term ones,
should have the support and involvement of top management, in addition
to being informed about them. Otherwise, the managers risk losing sight
of the project’s objectives and letting it deteriorate. Keep your project on
course and your finger on the pulse. The project manager has occasionally
been contrasted with a government employee (Oehmen, Seering, Bassler, &
Ben-Daya, 2011). While bureaucrats work to make this message a reality,
ministers are zealous visionaries. The project manager must coordinate the
needs of several departments as well as the work of outside contractors
while combining resources, labor, and raw supplies. A successful project
manager sometimes needs to be a great diplomat or politician since the
art of compromise and reconciliation plays a significant role in this. He
or she is responsible for tying up all the loose ends, which will inevitably
result in disagreements and statements from the project participants with
competing interests. An important risk of performance failure could result
from a desire to consummate a contract. Make sure the promises made to
customers by your sales representatives align with what you can provide for
an acceptable profit. The contract may occasionally arrive at the last minute,
making it difficult to carefully read every word before signing. A successful
department is essential to a thriving business. Due to the traditional role
of accountants in regulating cash flow, it serves as the focal point of risk
management operations in smaller to medium-sized businesses.

The actions and roles of both extrovert and introvert types of business
players are combined in a market. Without the functions that each of these
types performs, the majority of businesses would fail. Knowing how to
balance being risk-averse and risk-seeking, as well as when to take risks
and when to avoid them, is essential. Gamblers may be hailed as geniuses
when they win or as stupid fools when they lose. They have to complete
the productive effort and produce the finished goods. In mission-critical
applications, when substantial loss of life is a possibility, proper design and
testing are especially important. They have the most influence on the final
product’s design, but they must cooperate with any requests or suggestions
made by the sales and marketing, accounts, or other departments. When
developing a new product or service, the project is particularly vulnerable
because a lot of money is being spent while there aren’t any obvious sales
or cash inflows. Making sure the project adheres to the proper health and
safety procedures is your responsibility as the project manager. If neglected,
these provide the risk of significant negligence lawsuits, and you also need
to cope with the implementation of new employer liability regulations. Self-
indemnification only addresses a portion of the whole project environment.
Reviewing professional ethics and risk management is really necessary
(Sison, 2000). Even if your direct staff are well-trained and risk-aware,
health and safety risks might still harm you if you work with external
subcontractors. It is not always the case that proper standards are applied.
The emotional aspect of health and safety means that it will always be a
delicate subject. However, it is frequently important to make an effort to get
health and safety on the project schedule and to secure the required funding.
Sadly, the perceived risk of injury is frequently considered to be minimal,
and it may take a serious accident for health and safety concerns to become
a top priority. Regulatory agencies must make sure that standards are upheld
and that health and safety training is an integral element of projects.
Both the federal government and local governments establish tax
legislation. They also include capital depreciation, operational taxes, land
taxes, personal and corporate income taxes, as well as tax credits and
deductions. Successful project managers and owners are able to navigate the
regulatory minefield and weigh the advantages of the tax structure against
potential downside tax risk. This kind of stuff shows why it’s important to
proceed cautiously, perform early employee screening, and then assemble
your core team. You can consider expanding once all checkpoints and
gateways have been successfully passed. Even the most prestigious
western companies commit the error of extending generous salaries and
compensation packages to prospective employees without even the most
minimal security checks. To determine where risk management would have
the greatest impact, we need to look at the value-added chain. These days, it
can be enticing to purchase and install a risk management system that uses
a beautiful computer, but this is insufficient on its own. Any proposed risk
management system must first be evaluated for value and suitability before
being properly implemented to meet the needs of the organization. There is
a propensity to use systems improperly based only on appearance.
Unfortunately, as we have seen, when a senior executive is swayed by a
salesman’s image and is enthusiastic about his offer, or disregards the risk
manager’s concerns, such questions and a company’s entire risk analysis
can be side-lined. Because project managers are imperfect beings who will
select the most marketable solution, risk professionals are not necessarily
blameless in this situation. Keeping the big picture in mind is in the best
interests of both the project manager and the project itself. Risk analysts
must be able to present their arguments persuasively without overusing
technical language. The last thing a project manager needs to hear is that
nothing can be done because of the anticipated risk associated; instead,
they should be able to offer solutions to issues. There must be a workable
alternative. Staff selection must be carefully considered because organized
projects require it. In the past, it may have made sense for businesses to
assign the sales position to the person who talks the most. To guarantee
that performance objectives are being met, we refer to project control over
the production process as quality assurance, or QA. Internal operational
standards will outline acceptable tolerance levels, performance standards,
and quality thresholds.

CHAPTER 5
ENTERPRISE RISK MANAGEMENT

CONTENTS
5.1. Introduction
5.2. Pillars
5.3. Opportunities
5.4. Piracy
5.5. Risk
5.6. Discrepancy
5.7. FMEA
5.8. Model
5.9. Quality

5.1. INTRODUCTION
ERM has recently experienced substantial growth. The eight most significant
elements influencing this trend are the Basel Agreements, September 11, 2001,
fraud in corporate accounting, Hurricane Katrina (Figure 5.1), the review
of rating agencies, the financial crisis, rare occasions, and prolonged trends.
The last component covers trends that have emerged gradually over time,
while the first seven elements are notable discrete events and are mentioned in
chronological sequence. Some of the discrete occurrences are related to or start
in the financial services industry (Stroh, 2005). However, as these occurrences
are well-known in the ERM community and have an impact on ERM that
is felt across all industrial sectors, it is beneficial for persons in all sectors to
comprehend them. Understanding the timeline is also important because the
development of ERM has been influenced by the sequence of events.

Figure 5.1. Katrina.

Source: https://www.e-education.psu.edu/earth107/sites/www.e-education.psu.edu.earth107/files/Unit2/Mod5/Fig%205_512px-KatrinaNewOrleansFlooded_edit2.jpeg.

The current environment for ERM is the result of the cumulative
influence of events and the business and governmental responses to them.
Basel II, a global standard for risk management, had an impact on the
development of ERM techniques in the financial services industry. A group
of international banking regulators created the Basel Accords as a set of
rules to help risk management procedures. Basel II has three pillars:
minimum capital requirements (Pillar 1), supervisory scrutiny (Pillar 2), and
market discipline (Pillar 3).

5.2. PILLARS
Pillar 1 describes how to calculate capital requirements, providing basic
options based on industry averages and more complex options for banks
with more sophisticated operations based on internal models that are tailored
to the company, its operations, and its risks and, for the most part, rely on
management’s own estimates for most parameters. Supervisors are able to
examine the bank’s risk management procedures and risk exposures in Pillar
2, and if necessary, use a multiplier to raise the minimum required capital
determined in Pillar 1 as a result of their examination (Weber, 2012). The third
pillar discusses the proper disclosure of risks. The inclusion of operational
risks in the scope of Basel I was the most significant development, leading
banks toward a comprehensive approach to risk management. As illustrated
by the global financial crisis that started in the United States in 2007, it is
simple to criticize and claim that the Basel Committee failed to achieve
its objectives in retrospect. These accords, however, were largely embraced
and did constitute a development over earlier procedures. Even if the Basel
Accords didn’t achieve their objective of creating a common baseline for
excellent risk management procedures, they did lead to greater attention to
risk in the banking industry and beyond, since other industries looked to the
banking industry as a model for managing risk. Basel II has a clear influence
on and is generally identical to Solvency II, a set of risk management rules
for European Union (EU) insurance companies planned to go into effect in
November 2012 (Lannoo & Valiante, 2012).
By bringing to light four key components of risk, the terrorist attacks
on the United States on September 11, 2001, improved our understanding
of ERM. Since September 11, virtually every institution is more aware
of the potential for a terrorist assault. Many of these organizations have
also considered various terrorist scenarios, especially those that are based
in or close to sizable cities or other potential terrorist targets. They have
considered how an assault would affect their physical assets, personnel,
stakeholders, clients, suppliers, and/or the economy in which they operate.
These exercises have produced improved business continuity strategies as
well as some preventive mitigation. This is advantageous since ERM calls
on management to maintain an open mind to a wider spectrum of potential
future events. The events of September 11th increased awareness of risk
complexity (George, Button, & Whatford, 2003). The aftermath of the
assaults revealed a complex web of interdependencies that is hidden until
a big disturbance makes it visible. There were a lot of unanticipated or, at
the very least, never before considered secondary effects. Although it might
be clear to see now, few would have foreseen how significantly the airline
industry would be affected. Flying is still statistically much safer than other
forms of transportation. The complexity of risk is, nevertheless, significantly
influenced by the human aspect. It is more challenging to explain fear and
other irrational human impulses, which frequently lead to actions that are
against our best interests as a society.

5.3. OPPORTUNITIES
Anyone working in the security industry, for instance, can tell you how
many opportunities arose as a result of the assaults. Businesses that offer
teleconferencing services also gained as a result of the sharp decline
in business travel. Although this is not a novel idea, the magnitude of
September 11th raised awareness of the need to take potential effects into
account when analyzing risk scenarios. The first incident involved litigation
and enhanced the board of directors’ responsibilities and, more importantly,
their financial exposure personally if corporate accounting fraud went
undiscovered. In a WorldCom litigation, it was revealed that a settlement
required 10 outside directors to pay damages from their personal assets
totaling almost 20% of their net worth without being permitted to receive
reimbursement from their directors and officers (D&O) liability insurance
coverage (Pitt, 2005). Similar personal payments from directors were part of
the Enron litigation settlement. These settlements were noteworthy because
they sparked two important trends. First, the added liability made serving on
a board of directors less appealing. The retirement of many directors made
it more challenging for corporations to find new directors. The second, and
more significant tendency for ERM, is that the surviving directors started to
ask management what steps were being taken to guard the business against
significant risks. When corporations embraced ERM, it was frequently the
result of pressure from a board of directors placed on management.

Many businesses utilized process maps to find weak spots in the
reporting process, and some started to use them more widely to find risks
and inefficiencies in other business procedures. Employees were given
more freedom by SOX to uncover and handle some new risks as well as to
fundraise for and solve some well-known problems. Insurance businesses
started establishing ERM programs or improving their current ERM
programs swiftly. Companies were therefore very incentivized to earn a
high rating. Given that most non-financial businesses have lagged behind
the financial services sector in terms of risk management methods, this is a
significant and much-needed improvement. However, as it appeared that the
worst was over, businesses in all economic sectors started to examine their
ERM programs in order to decide which improvements were most important.
The financial services industry is still very active. The non-financial services
industry is progressing as well, while some businesses do so more quickly
than others. The proactive management of vulnerability to commodity price
swings has also received increased attention from energy corporations
exposed to the low natural gas prices brought on by the recession (Hassel,
2010). The financial crisis has also made it easier for individuals working
in the ERM process to convince management to take worst-case scenarios
into account.

5.4. PIRACY
Piracy (Figure 5.2) is worth mentioning even if it is not a very significant
component because it is another illustration of something that formerly
appeared unthinkable in contemporary times (van Kranenburg & Hogenbirk,
2005). Such occurrences have increased our awareness of the difference
between our attitude prior to a remote incident and immediately afterwards,
as well as how rapidly our mindset and reality may change. ERM is today
and has been for some time a hot topic as a result of all the factors influencing
awareness and implementation of ERM programs. Most businesses have
started implementing ERM, are thinking about implementing ERM, or are
interested in learning more about ERM. Their management is aggressively
looking for information on it, and the boards of directors are asking
questions about it. Even government agencies and non-profit groups are
interested in ERM and how to modify it for their purposes. In order to meet
this demand and serve the expanding ERM market, providers of goods
and services have been investing rapidly in growth. ERM is becoming a
more prominent topic in conferences, and some of them are even hosting
entire ERM-focused events. Universities are developing ERM courses for
both students and executives, and they are looking for both subject matter
experts and experienced teachers. Consulting firms and technology vendors
are competing for the limited number of certified ERM practitioners as they
create and grow their ERM products and services. With all this momentum,
it might seem inevitable that ERM will grow into a significant movement in
business and beyond.

Figure 5.2. Piracy.

Source: https://www.ncta.com/sites/default/files/inline-images/graphic-Piracy_09_19-01-%281%29.gif.

It’s helpful to think of risk as being there whenever there is a chance
that an event won’t turn out exactly as predicted. You probably envision
bad outcomes, like losing your career or your health, when you consider
the risks in your life. Risk can be as basic as the possibility of being late
for something on a regular basis due to traffic or bad weather. Risk, on
the other hand, will be defined as any departure from expectations in an
ERM framework. This definition of risk covers both upward and downward
volatility (Annamalah, Raman, Marthandan, & Logeswaran, 2018). For
instance, you would undoubtedly view the potential that your bonus would
be smaller than anticipated as a risk, but you are unlikely to view the prospect
that your bonus will be more than anticipated as a risk. Risk is typically
seen as the potential for loss. Even many ERM practitioners use this as
their primary reference. Loss, however, is an imperfect idea since, as was
previously mentioned, it does not account for upside volatility, which is the
potential for an unanticipated gain. However, the loss view has a more insidious flaw:
people frequently and unintentionally overestimate a risk’s extent or severity
as a result. This leads to the double counting of some predicted
losses that should not be included. The risk severity, or impact, should only
contain the excess over the amount expected because our definition of risk
is deviation from expected. The company’s strategic plan baseline financial
projection is likely to incorporate the annual anticipated lawsuit expense.

5.5. RISK
The inability to quantify strategic and operational risks is one of the causes
of this imbalance. When creating risk scenarios for financial hazards, which
take into account quantitative effects on financial results, a sizable amount
of objective market data can be used. There is much less information
accessible regarding operational and strategic risks, which strongly depend
on the specific makeup of the company affected. Popular quantification
techniques can fall short in supporting operational and strategic risks. The
quantification techniques either offer no quantification or, even worse,
drastically overstate how serious a risk is. The notion that financial risks are
the most significant risks, that is, that they make up the bulk of the risks that pose
the greatest harm to the organization, is a second factor contributing to the
disproportionate attention on these risks. Research repeatedly demonstrates
that the majority of a company’s significant risks and greatest threats are
operational and strategic risks. The majority of people who are modeling
have a focus on finances. Their training focuses on managing financial risk.
They have financial risk training and certification. They only have exposure
to financial danger. Even the department’s name and mandate may protect
them from financial risk. Their approaches function best when a plethora of
objective quantitative data is accessible, which is not the case with strategic
and operational risks. In addition, their procedures cannot easily handle
these risks.
One or a combination of the aforementioned variables may be the
cause of the inadequate inclusion of non-financial hazards. Whatever the
cause, this exposes a serious weakness in the majority of ERM programs.
It is impossible to overstate how important this is. The majority of the primary
risks are not quantified by these quantitative ERM programs in terms of
their individual and aggregate contributions to the organization’s overall
volatility, in terms of the key indicators. Due to the strong impression that
these partially quantitative ERM solutions are complete, management
mistakenly relies on and misinterprets the data. The amount of accuracy
suggested by the data that the financial modelers of these defective ERM
programs delivered to management gives off this false impression. ERM
is strategic in nature and concentrates on a small number of risks with the
greatest potential to affect the firm. A fair number of critical risks for a
corporation going through the ERM process cycle for the first time could
be between 10 and 30. If management wants to increase support before
implementation, about 10 risks might be suitable for a trial experiment.
However, it takes 20 to 30 risks to get a reliable set of outcomes that may
be used as a basis for decision-making. The precise number of significant
risks that the company should consider depends on how hazards should be
defined and categorized, as well as how to determine an appropriate cut-
off point throughout the qualitative risk assessment process. However, the
quantity of important risks is independent of the organization’s size. If the
two businesses are otherwise comparable, they will have roughly the same
number of major risks. This is so that senior management can concentrate
on a sufficient number of risks at a given moment in a prioritized manner. It
is based on people and their logical focus boundaries.
This stands in sharp contrast to how many businesses now attempt to
approach ERM. Many businesses are under the impression that ERM is just
an expanded version of a Sarbanes-Oxley (SOX) exercise. In reaction to
a string of financial reporting crises, the SOX Act was passed (Bargeron,
Lehn, & Zutter, 2010). Most businesses made a list of every potential risk
to the accuracy of their financial reporting in an effort to comply with SOX.
For larger firms, the list of risks frequently reached the hundreds or even
thousands. Every risk was monitored in relation to data on its mitigation,
including the designation of a risk owner. In order to ensure that the risks
were sufficiently minimized, SOX compliance became a quarterly ritual.
Many businesses made the mistaken assumption that ERM was identical
to the well-known SOX, with the exception that ERM applied to all risks
rather than just inaccurate financial reporting. This false belief is reinforced.
Similar to how some audit firms misrepresent an expanded SOX exercise as
ERM and say it is a component of a governance, risk, and compliance (GRC)
program, this misrepresentation is a contributing factor to the confusion.
Only one risk event can really happen at once. Given how rare each
worst-case scenario is to occur, this might be the case. However, a lot of the
risks taken into account by an ERM program have a moderate possibility. If
only one moderate risk event happens at a time, then every other component
of your organization operates exactly as you would expect it to. For instance,
everything goes according to plan for your product strategy, distribution
strategy, marketing strategy, human resources plan, etc., but your technology
update program is a little behind schedule. More uncertainty exists in reality
than that. Some of the biggest threats to a company’s survival can stem from
several risk occurrences happening at once. The enterprise is in a vulnerable
situation following the initial incident, which raises the possibility of certain
secondary events happening. Risks can also interact with one another to
worsen each other. This is a burst of strikes that come one after another
quickly. Take into account any individuals you may have heard of or known
whose lives abruptly took a turn for the worst. Therefore, if you are not
recording several concurrent risk events, you can be overlooking something
that has the potential to bankrupt the company.
One risk occurrence can cancel out another. Events that could have
both a downside and an upside are included in our concept of risk, so
one event’s financial impact could be mitigated by another. A scenario in
which a negative risk event reduces sales growth by a certain amount, but
a subsequent upside risk event results in an equivalent and compensating
increase in sales growth. This appears to be quite simple. Traditional risk
management evaluates hazards at the level of the local business unit or risk
and determines how to mitigate them based on the management’s judgment,
gut feeling, or, worse yet, arbitrary guidelines that were created decades ago
for unrelated purposes. When using a standard risk management strategy,
some risks may not be sufficiently mitigated, which might be disastrous
if a risk event occurs and the business is not adequately safeguarded. As a
result, money is wasted on extra mitigation that management would have
rejected if the right information had been accessible. ERM, on the other
hand, presents a rational strategy based on the enterprise’s total volatility
and the level of stability, or shock resistance, that management wants. This
is more logical because it reflects how shareholders and other important
stakeholders see volatility: as it manifests itself at the corporate level.
Depending on the organization’s unique risk culture and how they choose to
distribute their overall enterprise risk budget, lower-level decisions can be
made at the business segment.
ERM, however, marks a significant advancement. This indicates that
the entire business spectrum is acknowledged and taken into account.
Risk exposures that do not benefit the company are taken into account for
mitigation. Traditional risk management included this. But with ERM, risks
for which the corporation receives compensation are taken into account for
exploitation, increasing exposure. This broader perspective enables the full
evaluation of each business decision. For a complete risk-return analysis,
the upside risk-taking potential is taken into account along with the negative
risk exposures. The enterprise risk exposure assessments include and take
into consideration upside volatility. As a result, ERM is able to pinpoint
the locations and levels of additional risk that may be accepted within the
context of acceptable risk-return trade-offs. This contains a crucial risk-return
relationship that is sometimes absent from conventional risk management
programs and even conventional company management strategies. For those
working in risk management, the significance of this cannot be emphasized.
They are no longer avoided by company decision-makers as the bearers of
bad news but rather welcomed at the planning table. They are invited to
participate in meetings where decisions are made at the corporate level and
in the business segments. With a framework for integrating risk and return,
risk experts can now provide value to crucial decision-making procedures
like strategic planning.

5.6. DISCREPANCY
This discrepancy between the ERM program’s internal reality and what
is presented to external stakeholders poses a serious danger (Blume,
Lim, & Mackinlay, 1998). Consider a situation where a company’s stock
price suddenly drops by 50% as a result of a danger that none of its rivals
experienced. Currently, management is being examined. The management’s
estimate of shareholder value, or business value, is taken into account, but
only to the extent that it has an effect on secondary stakeholders’ levels
of satisfaction. For instance, rating agency restrictions must be considered
because a lower rating could have a negative influence on value when
looking for risk-to-value trade-offs that might maximize corporate value. In
order to maximize corporate value, most corporations have long since moved
away from AAA ratings, believing them to be excessively expensive and
redundant. The market has recognized this movement. Another illustration
would be that if regulators are not completely satisfied, they might take
action that would diminish the value of the company. The ERM process
cycle’s first stage is risk identification. It entails identifying the major
risks that pose the greatest possible threats to the company. This requires
condensing a lengthy list of potential dangers into a manageable number
of significant risks. Using qualitative risk assessments that are based on
internal judgments of the possibility and seriousness of each potential risk,
this is primarily accomplished.
The primary risks are quantified in the second stage of the ERM process
cycle on both an individual and integrated level. In order to do this, an
ERM model must be used to calculate the potential effects of various risk
scenarios on certain critical KPIs. Following completion of this, enterprise
risk exposure measurements are produced by quantifying the effects of
integrated risk scenarios, which involve many risks occurring at once.
Once a risk appetite has been established, choices on whether to enhance or
decrease risk exposures can be taken. The integration of ERM into normal
decision-making processes, such as strategic planning, tactical, and strategic
decisions, and transactions, falls under the second category. Risk messaging
is the fourth stage of the ERM process cycle. Internal risk messaging and
outward risk messaging are the two different types of messaging included
in this. This is an effective way of communicating internally, and it sends
a clear message to management that risk and return need to be taken into
account jointly. Once risk exposures are monitored by the departments,
business units, and individuals that generate them and are represented in
incentive compensation, it becomes obvious that increasing the firm’s risk
exposure will increase the expected return.
For a strong ERM program, good risk governance is a prerequisite,
but it is not sufficient. Even if a corporation has created and put into place
what looks to be a strong risk governance structure, that alone cannot tell
us much about what is actually happening. A hollow ERM program can
have all the risk governance components in place around it, similar to a
complex freeway system that is empty of traffic. ERM framework is more
fundamental and directly related to the effectiveness of an ERM program.
Before going through the ERM process cycle at least once, just the most
fundamental risk governance structure is necessary initially. It varies from
firm to company how ERM develops, is embraced, and is integrated into
its essential processes. It is difficult to write the entire risk governance
framework needed to support ERM activities until it is known how they will
actually be carried out. It’s crucial to first comprehend the ERM process
steps in order to grasp risk governance. Only within the context of ERM
operations can the many essential participants’ roles and duties be discussed.
The same is true of the organizational structure, rules, and practices that
make up risk governance, along with roles and responsibilities. They can
only be discussed once the ERM process as a whole has been well defined
and comprehended. These match up with all risk categories, which for the
majority of businesses include financial, operational, and strategic. A large
portion of these possible risks are merely irrelevant. The business’s chosen
strategy serves as a natural filter, removing unimportant risks. In other
words, the strategy will decide which risks are relevant to the organization
and which ones are not.
A large amount of objective, external, quantitative experience data exists for the
primary hazards for which building risk scenarios is mostly objective. The
vast majority of the major hazards in this category are monetary concerns.
For instance, think about market risks. We have decades of experience
working with daily data on the major stock markets’ volatility. We can
create a thorough, smooth, continuous distribution of historical risk
scenarios for market risk as a result. Creating risk scenarios for these kinds
of issues is largely objective (Miller & Waller, 2003). The comprehension
of the risk event, its likelihood, and its financial repercussions is largely
based on historical experience. A set of deterministic risk scenarios are
chosen by management from the continuous distribution, which involves
some subjective judgment. The major risks, however, for which creating
risk scenarios is primarily subjective, are those for which there is either no
external, objective quantitative experience data, or for which there are only
very few such data that are easily available. The majority of the major hazards
in this category are operational and strategic risks. Consider the strategic risk
associated with strategy execution. By adapting the failure modes and effects
analysis (FMEA) (Figure 5.3) method from the manufacturing industry,
which heavily incorporates input from internal subject matter experts,
management creates a set of deterministic risk scenarios (von Ahsen, 2008).


Figure 5.3. Failure modes and effects analysis.

Source: https://www.onupkeep.com/images/raster/learning/maintenance-tools/fmea-matrix.png?cbh=e50368192c1ffbc11c427fa1512b5adc.

5.7. FMEA
The FMEA technique can be useful in risk scenarios that are largely
objective. Data from the past is frequently lacking. Experts in the field can
also contribute their expertise and intuition, which can be very valuable to
the process. Combining the two methods is frequently the most effective
technique for these largely objective risk scenarios. The exposure to
corporate risk must also be measured. The distribution of all potential
effects on the baseline company value from simulations including one
or more events, or one or more risk scenarios occurring concurrently, is
known as enterprise risk exposure. Because more than one variable might
diverge from the strategic plan during any given period in business, this is
a more accurate and comprehensive portrayal of the firm’s risk exposure.
The impact of risk interaction, or correlation between risk scenarios, is a
further risk-related parameter that we need in order to do this calculation.
Positively correlated risks are more likely to occur together than their
individual probabilities alone would suggest, negatively correlated risks are less
likely to occur together, and uncorrelated risks occur independently. We are able
to calculate the potential financial impact of individual risk events, as well
as that of several simultaneous risk events, on firm value and other important
indicators once risk correlation has been established. First, though, we must
take into account risk management strategies, another natural filter that
lessens the financial impact of major threats. Tactics for risk management
are actions that lessen the likelihood and/or gravity of risk events.
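
The following Python sketch is an added example, not taken from the book: it enumerates every combination of three constructed risk scenarios to build the enterprise risk exposure distribution described above, and shows that a positive correlation between two risks raises the probability of a large combined loss while leaving the expected deviation from baseline unchanged. The risk names, probabilities, impacts and the correlation formula for yes/no events are assumptions of the example.

```python
from itertools import product
from math import sqrt

# Constructed sample risks: (name, probability of occurring in the period,
# impact on baseline company value in $m). Impact is the deviation from plan:
# costs already in the baseline are excluded, and a positive value is upside.
RISKS = [
    ("technology update delay", 0.30, -8.0),
    ("key supplier failure", 0.10, -25.0),
    ("competitor exits market", 0.20, 12.0),
]


def joint_pair(p_a, p_b, rho):
    """Joint distribution of two yes/no risk events with correlation rho.

    Returns {(a, b): probability}. Raises ValueError when rho cannot be
    attained with these marginals (a joint cell would be negative).
    """
    p_both = p_a * p_b + rho * sqrt(p_a * (1 - p_a) * p_b * (1 - p_b))
    cells = {
        (1, 1): p_both,
        (1, 0): p_a - p_both,
        (0, 1): p_b - p_both,
        (0, 0): 1 - p_a - p_b + p_both,
    }
    if min(cells.values()) < -1e-12:
        raise ValueError(f"correlation {rho} is infeasible for p={p_a}, {p_b}")
    return cells


def exposure_distribution(risks, rho_first_two=0.0):
    """Enumerate every combination of events; return [(deviation, probability)].

    Assumption of this sketch: only the first two risks are correlated;
    the remaining ones are independent of everything else.
    """
    (_, p_a, _), (_, p_b, _) = risks[0], risks[1]
    pair = joint_pair(p_a, p_b, rho_first_two)
    dist = {}
    for flags in product((0, 1), repeat=len(risks)):
        prob = pair[flags[0], flags[1]]
        for (_, p, _), hit in zip(risks[2:], flags[2:]):
            prob *= p if hit else 1 - p
        # Concurrent events add up, so an upside event can offset a downside one.
        deviation = sum(imp for (_, _, imp), hit in zip(risks, flags) if hit)
        dist[deviation] = dist.get(deviation, 0.0) + prob
    return sorted(dist.items())


def expected_deviation(dist):
    """Probability-weighted mean deviation from the baseline value."""
    return sum(dev * prob for dev, prob in dist)


def prob_loss_at_least(dist, loss):
    """Probability that company value falls `loss` or more below baseline."""
    return sum(prob for dev, prob in dist if dev <= -loss)


if __name__ == "__main__":
    for rho in (0.0, 0.4):
        d = exposure_distribution(RISKS, rho)
        print(f"rho={rho}: E[dev]={expected_deviation(d):.2f}  "
              f"P(loss>=30)={prob_loss_at_least(d, 30):.3f}")
```

A correlation that the marginal probabilities cannot support is rejected rather than silently producing negative scenario probabilities, which is the usual failure mode when correlations are set by judgment.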
When defining risk appetite, management is simply attempting to
ascertain the level of risk that the enterprise’s aggregate shareholders, who
are frequently a highly diverse group with varying viewpoints, expectations,
and investment needs, desire. Each member of the ERM committee
contributes a unique viewpoint to this activity (Daud, Yazid, & Hussin, 2010).
Since each member of the ERM committee is an individual, he or she has
a unique emotional sense of how much risk the company should be taking.
Intellectually, however, everyone is considering a similar set of measures in
addition to the overarching statistic of firm value, which promotes agreement
on the concept of risk appetite. As you can see, altering your method or plan
has an effect on the filters below. This in turn alters the calculations used to
determine the baseline firm valuation and the enterprise risk exposure. This
demonstrates how the value-based ERM approach enables management to
assess alternative risk decisions, both strategic and tactical, before they are
taken by quantifying their influence on the important KPIs, enterprise risk
exposure and the baseline company value. Because management is informed
on the effects of each decision alternative on risk and return, decision-
making is fully supported. This is one of the value-based ERM process’s
most useful and unquestionably most distinctive components. This pairing
of risk and return components is a crucial component supporting decision
making more broadly.
In order to help in the risk appetite consensus meeting, management
typically adds some instances of how the enterprise risk exposure can
be adjusted by readily available strategic or tactical maneuvers to the
enterprise risk exposure information that is supplied to the ERM committee.
Consider the strategic planning process, a crucial component of value-
based management, to understand this. Management creates a strategy
that, if carried out well, will raise the firm’s worth. A financial prediction
for the strategic plan typically serves as its foundation. The Plan is a
static, one-scenario prediction of the future that is stated as though it will
occur exactly as predicted, without a single doubt. This is a little unfair
considering that the work done by the various business segments to develop
the Plan frequently entails some excellent scenario analyses, such as SWOT
analyses and sensitivity analyses, frequently with robust quantitative
workups (Gurl, 2017). When the ERM program is initially established with
just the company’s main business sector in mind, this is most frequently
the case. This is particularly prevalent in financial services companies with
a variety of businesses, some of which must have the necessary capital on
their balance sheets and others of which do not. Amounts of capital that
must remain on the balance sheet to fund ongoing operations and cannot
be used to finance expansion in the future are referred to as necessary
capital. Various stakeholders, including regulators, rating services, and
management itself, all have their own methods for defining and determining
the appropriate amount of capital. To guarantee that all stakeholders are
satisfied, the corporation frequently holds the highest of these amounts.
Financial services firms that focus primarily on banking or insurance
typically employ a capital-based ERM framework, using capital as their
principal performance indicator. It makes sense why these kinds of firms
would gravitate toward a capital-based strategy. For them, it is a significant
metric. It is also a statistic that results from risk management, as the amount
of capital that is needed is determined by how much risk the company is
exposed to. Unfortunately, this makes implementing an enterprise-wide
ERM program impossible for financial services organizations with non-
financial services operations. Due to the absence of capital requirements in
these non-financial services sectors, a capital-based approach is inapplicable.
Consider a bank holding company that has both a consultancy division and
a retail banking division. A capital-based ERM program is put in place. The
amount of additional capital required that the risk exposure generates is
their primary criterion for measuring risk exposure. Although the consulting
industry plainly generates risk, it does not provide the necessary capital
because this area of the firm is exempt from capital requirements. Because
capital requirements are not a standard unit of measurement that can be
used to assess risks throughout the firm, the company’s ERM program is
insufficient.
For these hazards, industry data is frequently lacking. The potential
impact of a company’s strategic plan being wrong or the prospective impact
of bad strategy implementation, for instance, cannot be quantified using any
industry data set. Each organization faces a different risk depending on its
strategy and ability to properly implement it. Industry data is frequently
helpful as supplemental anecdotal information for calculating risk. However,
using industry data as the main foundation for risk quantification is frequently
unsuitable. Depending on the risk mitigation strategies in place, the overall
effect of risk on a business varies greatly. For instance, if one company
has better risk management practices or higher insurance coverage than
another seemingly identical company, the first company will not experience
the same negative effects from the risk event as the second company. Each
organization’s process for dealing with risks can differ greatly. The unique
characteristics of the organization and its risk management strategies are not
taken into account when using an industry data set. Finding the best internal
subject matter experts for the risk in question is the first stage in the FMEA
process. For some risks, this may be the most senior individual connected
with the risk, such as the executive risk owner who is in charge of the risk’s
overall management across the entire organization. Depending on the risk,
litigation or human resources concerns may be the case. But typically, the
individual who is most at risk is the best option.
The identified respondents are then asked to provide a set of risk scenarios
for the major risk in issue as the second step in the FMEA interview process.
For each major risk, there are frequently a number of risk scenarios. Although
upside risk scenarios won’t apply to all significant risks, it’s still vital to take
them into account. These scenarios each represent a distinct deterministic
risk scenario. In other words, these are imagined real-world occurrences
(Kirchsteiger, 1999). Creating particular deterministic scenarios is essential.
It is simpler for interviewers to consider the sequential succession of
potential events and the implications for the business when they can visualize
a specific event occurring. Modifying the plausible worst-case scenario
results in some of the less extreme risk possibilities. The FMEA approach
directs the experts to go through the event in detail and chronologically for
each specific risk scenario. The internal subject matter expert’s knowledge
about what outcomes in the external and internal environment will probably
follow from the original occurrence is extracted through a series of expert-
led questions. The event’s likelihood is determined in the third stage. It’s
challenging since everything is so ambiguous. Additionally, it is challenging
since the interviewers are sometimes used to providing such estimates and
frequently lack a basic understanding of probability. Creating estimations
of the quantitative effects of each deterministic risk scenario on the base
company value is the last stage in the FMEA interview process. Similar to
determining likelihood, getting respondents to feel comfortable generating
estimates can be challenging when assessing quantitative impacts. Another
justification for using an experienced person to conduct the FMEA interviews
is this.

5.8. MODEL
In the ERM model, to shock the baseline firm value, both the likelihood and the
quantitative consequences are inputs used to first quantify individual risk
exposures and then enterprise risk exposure (Wu & Olson, 2009a). The
notion that this information can’t possibly be relevant because it is all based
on mere guesses is a common initial concern brought up in early talks of
the FMEA technique. Although the latter is mostly accurate, the process
does require educated guesses. The ERM process does benefit greatly from
this knowledge. Even highly speculative estimations are vastly preferable
to no quantitative information at all for management. Even though these are
only educated guesses, they are created by people who are familiar with the
risks, frequently by people with decades of personal experience and even
more anecdotal knowledge of risk incidents in the business. The company
employs a lot of intelligent people, and their heads are jam-packed with
priceless information. This valuable knowledge is taken from the subject
matter experts by the FMEA process and presented on the page in a uniform
quantitative way for all major risks throughout the entire organization.
Many times, the FMEA process is the first time the subject matter experts
are asked to consider risk scenarios and potential mitigation, and this
introspective process results in better approximations than had previously
existed anywhere. As a form of sensitivity analysis, ranges around the
estimate are utilized to demonstrate how inaccurate the estimate could be.
A business unit originally objected when an ERM team provided them with
a commercial opportunity based on FMEA data because of the approximate
nature of one important assumption.
The outcomes of the FMEA interviews are documented, which is another
aspect that elevates this knowledge above educated estimates. People are
more careful about the quality of their work when they are aware that their
name is formally associated with it. This happened when SOX was first
put into use. Senior executives were required to sign their first attestation
verifying the certainty of the risk assessments, control assessments, and
financial reports at the conclusion of the first significant effort to collect and
analyze a huge amount of data. As the executives started to scrutinize the
information more carefully to boost their level of comfort before signing,
the quality of the information started to somewhat improve at this point. In
the beginning, just one or two experts contributed to the FMEA information
collection. The FMEA data is shared with other employees of the organization
and published. As more people offer their insights, the data are improved and
corrected as a result. This is very similar to Wikipedia’s impact, which reaps
the rewards of shared information producing a general consensus. A relative
comparison of risks can be made using the FMEA process. For all risks,
the FMEA exercise is conducted consistently across the organization, and it
quantifies the possible impact of each risk. Although the relative risks of each
risk scenario are evaluated using subjective estimations, the information is
more potent when taken as a whole since relative risks are more dependable
than any one assessment. Priorities frequently change to those hazards that
are comparatively more impactful as a result of comparison study.
Only qualitative information is used in the first traditional ERM
technique, which prevents decision-making based on the information. The
value-based approach, in contrast, quantifies all significant hazards. The
value-based approach also quantifies them in terms of how they affect the
value of the company, which strongly aids decision-making. These problems
are also solved by the value-based strategy. The information is accessible
because the business creates its own data mostly using internal staff. This
information is widely available since management is always aware of the
one or two individuals who are most exposed to a certain risk and has access
to them. Additionally, because it is based on the unique circumstances
within the company, the data created is company and culture specific. The
third conventional ERM approach uses risk capital as the primary indicator.
There are two methods: The first employs a method that is not risk-based
and, worse yet, occasionally measures changes in exposure in the wrong
direction. Because it starts with risk scenarios relevant to the organization
and because the ERM measures correctly the level of exposures, it is clear
that the value-based ERM strategy is risk-based. Top salespeople and
managers pass away as a result of a catastrophe during an internal meeting.
The future revenues that these salespeople were expected to produce were
factored into the value-based ERM approach’s baseline company value. As
a result, the lost revenue would be completely reflected in the assessment of
the risk, which is the shock to the baseline.
Traditional ERM systems utilizing silo techniques ignore simultaneous
multiple risks and their interactivity, including offsets and
exacerbations (Wu & Olson, 2009b). The enterprise risk exposure graph
produced by the value-based ERM approach, on the other hand, completely
represents this by directly quantifying various risks and their interactivity in
the ERM model. The value-based ERM strategy addresses the inefficiencies
in many standard ERM programs brought on by a lack of centralized
coordination and cross-departmental communication. A high level of ERM
coordination and cross-pollination is ensured by the structure offered by
the value-based ERM methodology and the unifying aspect of the business
value metric. Any relevant area of the company is identified, and inputs
from that area are included, in the development of the risk scenarios. The
value-based approach also makes use of a central ERM model that business
units can access from anywhere in the company to determine the marginal
impact of any risk decision. Last but not least, defining risk appetite from
the top down and cascading down to risk limitations results in enterprise-
wide coordinated approaches by risk type. For ERM, there are two essential
aggregate metrics. Enterprise risk exposure comes first, followed by risk
appetite. While the latter is a management-defined item, the former is
a computed item. The current degree of overall enterprise volatility is
represented by enterprise risk exposure. The highest level of corporate risk
exposure to which management would prefer the business to be exposed is
known as risk appetite. Because the metrics used to determine risk appetite
should coincide with the metrics used for enterprise risk exposure, the two
aggregate metrics should be mirror images of one another. Remember that
each of these aggregate metrics is actually a full distribution of possible
outcomes, which may be represented by a number of metrics, each with a
variety of thresholds and accompanying likelihoods.

5.9. QUALITY
The quality of the qualitative risk assessment portion of the risk identification
process step is diminished by failing to consistently define all hazards
according to their source (Burkov, Burkova, Barkhi, & Berlinov, 2018).
For the qualitative risk assessment, survey respondents are asked to rate
the likelihood and severity of potential major risks using a qualitative scale.
Participants in the qualitative risk assessment must have a precise description
and a shared knowledge of the risks they are assessing in order for the survey
results to be useful. Unfortunately, it frequently leads to misunderstanding
when risks are determined by their results. Different survey respondents
may imagine a different source of risk when contemplating a particular risk
characterized by its consequence, and as a result, the chance and severity
scores will be offered on an inconsistent basis. The risk mitigation phase
of the risk decision-making process step is also hampered by inconsistently
defining all risks according to their sources. The majority of risk mitigation
is done at the source of risk, even though part of it is related to the. Therefore,
it might be challenging to assess risk mitigation measures when you don’t
know the cause.
All of these problems are solved by consistently classifying hazards based
on their source. Due to a shared knowledge of the precise source of each
risk, it enables survey respondents to provide qualitative risk assessments
with uniform scoring. It makes it simple to pinpoint the right subject-matter
specialists in charge of creating risk scenarios for every single risk source.
It offers a clear way to think about specific risk scenarios that can follow
logically from their source. It offers the capability to create comprehensive
risk scenarios. Finally, it enables assessment of all available mitigation
measures, most of which take place at the source. The degree of support for
the ERM program is communicated, letting invitees know they should give
it some attention and make time for it in their schedules. This can include
backing from the CEO, the board of directors, other top executives, as well
as any heads within the participant’s specific industry. The backdrop for
the exercise and the connection between survey participant efforts and the
broader ERM program are provided by outlining the significance of the
qualitative risk assessment to the overall ERM program. Respect for survey
respondents is shown by emphasizing the need for their valuable feedback,
which is based on their understanding of the industry, their experience, and
their expertise.
Unfortunately, a harmful misperception about ERM is that it can
successfully scan the environment for unidentified risks and provide a high
level of protection from such unpleasant discoveries. The fact that these
threats are the most feared contributes to this mistaken assumption. A
primitive fear is the abrupt appearance of a dangerous event that catches
us off guard. The fact that chief risk officers are frequently let go after a
significant risk occurrence shows how many individuals erroneously believe
that ERM can shield them from unforeseen hazards (Hessami, 1999). This
would be justified if the risk event that manifested was one that should
have been known, given more priority, or more successfully managed, and
the ERM program was poorly conceived or administered. Although there
have been occasional instances of firings under these conditions, it hasn’t
always been the case. In many other instances, senior management either
mistakenly felt that ERM could shield the company from unanticipated risks
or they thought that shareholders shared this delusion. We shall constantly
be exposed to the element of surprise because it is an unavoidable truth of
our existence. ERM is not, and cannot be, designed to stop the emergence
of unanticipated events that could harm or even destroy the organization.
Setting appropriate expectations from the outset of ERM adoption and
implementation is crucial for the CRO and the ERM team.
It just offers to organize and utilize information about the hazards we are
aware of and to help us understand how we weigh risk versus benefit. We are
tempted to accept people who provide a system that can make us safe since,
unfortunately, we have such a high value for avoiding unpleasant surprises.
Naturally, there are individuals who take advantage of these incentives by
asserting that they have a system that can spot unidentified threats. They
frequently offer complex approaches and assert that high-level mathematics
can uncover hidden data, improving the detection of unidentified hazards.
With a satellite called Sputnik, Russia, the United States’ principal adversary
at the time, became the first country to enter space in 1957. The United States
improved its math and scientific curricula and revitalized its space program
because of President Kennedy’s strong leadership, appropriate identification
of the issue, and capacity to acknowledge it openly. America was able to
reclaim its competitive edge in space exploration and related technologies
as a result. Directly addressing this risk is unlikely to be successful. Instead
of mentioning the conduct directly, one strategy is to draw attention to
the deficiencies that result from the behavior. To question if the company
is conducting enough competition analysis is one example. The business
segments can directly address this or the ERM team can do so indirectly
through the emerging risk identification process. Another example would
be to question how often outcomes are benchmarked against important
competitors. This can help the society regain some realism and shed its
exclusive mindset.
Another risk that requires special consideration is the risk of concentration.
Concentration risk is sometimes defined as having too much risk exposure
in one sector due to a lack of variety in the investment portfolio. A typical
illustration is having a large portion of your assets invested in a single asset
class, such as real estate in one specific area. A bank’s loans being concentrated
in a single industry area is another illustration. The concentration simply
expresses the degree of exposure to a certain source of risk. For instance,
concentration risk associated with stocks is correctly characterized and
categorized as equity market risk, where the risk’s concentration component
just raises questions about the extent of exposure to equity market risk.

CHAPTER 6
CORPORATE GOVERNANCE AND
RISK MANAGEMENT

CONTENTS
6.1. Introduction
6.2. Compliance
6.3. Business
6.4. Liabilities
6.5. Payments
6.6. Laws
6.7. Funds
6.8. Cost-Savings
6.9. Principles
6.10. Claims
6.11. Information


6.1. INTRODUCTION
The ideas of due diligence and corporate governance are becoming more
and more significant in today’s business world. Both ideas have expanded
in terms of their application and significance. As a result of the international
regulatory and voluntary frameworks that are forming, their application
has in fact begun to overlap. From simply economic beginnings, they have
expanded to include a variety of business behaviors (Greuning & Brajovic-
Bratanovic, 2022). Furthermore, regardless of their size or location, all
organizations should prioritize these concerns in light of the ongoing
corporate scandals that make headlines and highlight the need for better
corporate governance.
It is imperative for business success to comprehend and appreciate
corporate governance (Figure 6.1) and due diligence. Like anything else,
due diligence procedures must have a beginning point. Each party to the
deal must be willing to start a due diligence process if there are discussions
about a potential merger. But this is when the lines between what constitutes
due diligence might blur. Prior to any informal or official conversations in a
merger situation, there would typically be a large amount of due diligence.
The necessary diligence is to ascertain whether there is sufficient data to
support discussions regarding a potential merger. Therefore, there is never a
single phase with a single beginning point for every due diligence exercise.

Figure 6.1. Corporate governance.

Source: https://www.researchgate.net/profile/Suhaimi-Sarif-2/publication/314153284/figure/fig2/AS:667699281657859@1536203322240/Key-elements-of-corporate-governance.png.


6.2. COMPLIANCE
All businesses will engage in some type of due diligence, whether formally
or informally. Larger organizations, of course, require a more formal,
structured approach. An excess of people each doing things their own way
might lead to a surplus of data with no information. Smaller organizations,
on the other hand, might conduct all of their business informally, making
a lot of impromptu decisions without any notes or documentation. It is
important for any firm to comprehend how due diligence benefits everyone.
Traditionally, management has this responsibility because they establish
the company’s rules, practices, culture, and methods of doing business. A
legal questionnaire and disclosure documents that have been attested by
the candidate are the first steps in the normal traditional process, which is
followed by a review, compilation, or audit of financial data (Andersen &
Choong, 1997). A regulatory agency records search is typically carried out.
Numerous public records are typically searched. Research is frequently
added in areas like the candidate’s industry niche, as well as occasionally
the media. Additionally, additional research is occasionally contributed
by getting in touch with other business and governmental organizations.
In order to streamline the transaction, warranties and indemnities have
evolved throughout this procedure. For instance, it is possible that the
vendor is ignorant of any flaws or problems that surface during the due
diligence procedure.
The fact that the material discloses how the target has been managed is
another significant advantage of the legal due diligence procedure. It may
consider the history of the target and applicant as well as their goals, as
well as their chosen organizational structure, whether that be a corporation,
partnership, or owner manager business. There are many smaller acquisitions
that draw the attention of the due diligence process, even though many
due diligence exercises involve very large transactions. While some of
the process’s concerns are better suited to larger transactions, others are
applicable regardless of transaction size. For instance, the administration of
the company will be reflected in late or inaccurate returns to the authorities,
such as the Inland Revenue and corporate registers. They might also point
to money problems, as in the case of late financial statements filed with
corporate registrations. Furthermore, as said, the information gathered
during the due diligence process can be an invaluable instrument for
continued management of the target after the sale is finalized. It should be
highlighted that there are more people who benefit from the due diligence
process due to the constant pressure from regulators, security exchanges,
and stakeholders. It is crucial that the intended user of this information be
taken into account when the parties are defining the procedures for the due
diligence responsibilities. For instance, there are often precise forms and
formats for data presentation when a government regulator is involved.
Recasting the material numerous times only to satisfy the regulator’s
obsession with precision will be exceedingly annoying and more expensive.
Accurate and timely information can satisfy shareholders, investors, and
stakeholders, but they are typically more interested in the big picture or
bottom line. Making sure that staff are not overlooked in this process is
crucial. All employees who earn remuneration from the company, including
clerks, middle managers, management, and associated parties, like hearing
about it. Reports can be prepared as part of due diligence without infringing
on privacy or legal requirements.
When conglomerate acquisition was simpler, managing overlaps was
frequently limited to financial control. But when a synergistic acquisition
occurs, it can also be necessary to integrate the marketing, manufacturing,
and IT activities. As a result, the transaction is significantly riskier and
more complicated. However, despite how intimidating they may seem, this
risk and complexity are an important aspect of corporate life that must be
effectively managed. There are several causes for this. The ability to complete
a successful acquisition is likely to become a competitive advantage at the
strategic level as businesses increasingly turn to this strategy for obtaining
growth and differentiation (Elahi, 2013). Even though overall data suggests that deep
integration only occasionally happens, all acquisition types do experience a
number of important alterations. The most frequent modifications are those
that have symbolic significance and signify advancement to the employees
and the city. As a result, acquisition integration tends to focus on early
indications of success, which is a less risky and preferable approach to a
longer-term involved integration which may take time to signal success,
given the focus on share price and city evaluation that drives much business
strategy, not least because of the share options link between senior management
and company stock price.

6.3. BUSINESS
The type of business or transaction being considered in some situations will
limit or restrict the amount of due diligence that is accessible or necessary.
In contrast to a private firm where there has been no such public disclosure,
the offering circular or document of a publicly traded company that is
subject to ongoing disclosure requirements to its shareholders, governing
regulator, or exchange will be different. The due diligence that can be done
on a recommended bid for a company will also be very different from that
available for a hostile bid, where the offeror company is simply denied
access to the pertinent internal financial and management information and
must impose a number of conditions on the bid that it will have the authority
to change or modify depending on what is learned or obtained during the due
diligence phase of the bid process. The quantity of investment or financing
to be made accessible, the return or pricing of the investment or financing,
and the investment or financing’s structure will all be determined through
the due diligence process. Additionally, the due diligence process always
requires an alignment of expectations, risk and reward, and interests.
Conflicting interests exist. What a firm or business may consider to be a
fair return on an investment may be very different from what an investor
or financier may want (Robinson, 2012). The ability to produce the return
based on the expectations set will also be addressed by the alignment of
interests, in addition to the price issue. The evaluation of external factors,
which have an impact on return and reward, is another concern. These
factors can be systematic like interest rates, inflation, and political events,
common to the business and industry as a whole, or they can be unique to
the business or industry and can be compared to other businesses. Thus,
risk can be identified and isolated before being evaluated in relation to the
anticipated return, a procedure known as risk adjusted return. There will be
differences in the importance placed on the crucial financial research tools
utilized by equity investors and lenders alike. An equity investor will be
more interested in profitability ratios looking at return on capital and return
on equity than a lender who will be examining financial risk ratios like
interest coverage and interest coverage adjusted for cash flow and debt to
equity ratios. The critical ability of the business to pay its obligations as they
become due and to turn over its inventory or assets in a sufficient number
of days to generate cash flow and be viable and profitable are problems that
both will be concerned with.
Of course, each organization will place a different focus on one or
more of the financial ratios. They are also affected by fashion trends. When
forecasts and projections were the only factors utilized to determine value
and investment during the late 1990s technological boom, for instance, many
of these key financial parameters were abandoned. This strategy inevitably
lost favor in the middle of 2007, when lenders discovered that they had
insufficient security during a market slump brought on by the collapse of
the subprime sector and falling liquidity levels. It is common for a corporate
finance transaction to involve a combination of equity, debt, or variants
of both, and this will prompt a proper examination of the appropriate
combination and pricing. To ascertain the proper ratio of each and the
associated risks, a well-known formula is the weighted average cost of
capital. Numerous aspects will need to be taken into account when deciding
whether or not to invest, fund, or carry out the transaction as well as when
analyzing the business or transaction overall. A team of experts from several
disciplines would evaluate these issues as part of the crucial due diligence
process, which would also involve looking into various aspects of the
business or transaction. The due diligence process will differ significantly
from one firm or transaction to another, thus the first information requests
or the framework for the inquiry and study will need to be adjusted to the
particular business or transaction. The evaluation and structuring process,
as well as the final success or failure of the proposed investment or finance
for the business or transaction, will be significantly influenced by the due
diligence process (Das & Teng, 2001).
Depending on the business or transaction being proposed or considered,
the due diligence process will first take a high-level approach before
reaching down to a more in-depth and distilled consideration of the various
issues affecting the value of the business, frequently after sifting through a
myriad of legal, technical, and commercial issues. These factors will then
serve as the foundation for a report or reports that will ultimately be used to
make investment or credit choices. The due diligence team would be made
up of a variety of professional consultants, typically including expertise in
law, finance, technology, the environment, insurance, and actuarial work.
As soon as it is practical, these advisors should be hired so they have time
to fully address the pertinent issues. The lending institution or investment
bank will usually be in charge of leading the due diligence process and
coordinating the due diligence team. The team conducting the due diligence
exercise needs to receive precise instructions regarding the goal and
restrictions of the exercise. The team will be better able to streamline the
exercise, concentrate on the pertinent issues, and make it more time and cost
effective if they are aware of what the company or transaction includes and
what the exercise’s goals are. The due diligence team must be informed of
these plans and tactics if a firm intends to purchase a target with the goal
of launching or building a hotel with a casino or another type of property
that will be developed and sold. The investment corporation wants to know
from the due diligence process whether these tactics are feasible and what
difficulties they include. It is frequently incredibly surprising how far along
advanced transactions can go before important corporate finance problems
are identified. Thus, high level information overviews are advised from
the very beginning. The business’s regulated status and compliance with
regulatory requirements would be at the heart of this transaction. The
framework for how the transaction is financed, organized, documented, and
finished can then be negotiated and agreed upon based on the facts revealed.

6.4. LIABILITIES
The liabilities would be quantified, the price adjusted or the purchase price
deferred, and the disclosures warranted as being complete and accurate in
themselves once disclosures are made, for example, as regards pending
litigation, breaches of overdraft facilities, or arrangements with creditors.
This would ensure that the extent of the liability is correctly provided for
(Dullaway & Needleman, 2004). The exchange of confidentiality undertakings is a
crucial step at the beginning of the due diligence process. These set up the
atmosphere where lenders or investors are safely given price-sensitive and
important information about a business or transaction without running the
danger of the information leaking into the public realm and lowering the
business’s worth and reputation. The suitable environment must be created
since only complete disclosure will allow for the proper examination of the
proper risk and reward. The due diligence team and its advisers are often
ring-fenced, and each member is required to give their commitment to
uphold the engagement’s confidentiality requirements.
Doing proper due diligence on the business owners or management or
making sure the proposed funds to be invested in or lent to the business as
part of the corporate finance transaction are clean are the first steps in any
corporate finance transaction. The evaluation of the appropriate sources of
finances flowing into and out of a commercial activity would thus be included
in the exercise. Additionally, the professional members of the due diligence
team will typically be subject to independent disclosure obligations and may
be required, if they have concerns or suspicions, to disclose information to
regulatory authorities without consulting the client or other due diligence
team members. If a regulated adviser misses money laundering when they
should have noticed it or had reason to suspect it, they may have committed
a money laundering (Figure 6.2) offense.

Figure 6.2. Money laundering.

Source: https://www.unodc.org/images/money-laundering/images_website_up-
date/Money_Laundering_Cycle.png.
Any due diligence engagement’s conditions should be extremely clear
on this point, and any confidentiality agreements will undoubtedly include
an exception for disclosure (Trakman, 2002). Financial data that has been
provided and the related financial ratios contain a wealth of information.
Whatever the interpretation of the entries and financial ratio calculations,
there is still a lot that could be hiding behind the numbers. The facts gleaned
from a thorough study will be crucial in the ongoing discussions about the
structure and cost of financing. Accounts should, at the very least, be audited
in accordance with best accounting practices and local law. Examining any
caveats or qualifications on the audit reports, as well as a pattern of frequent
changes in auditors, is an essential component of historical analysis.
Likewise, management accounts should at the very least embrace accounting
principles and procedures that are in line with the audited accounts. The
strength of the accounting systems used to record information, the accuracy
of the postings, and the consistency and dependability of the basis on which
postings are produced are of greater importance. It’s important to properly
examine revenues. Contracts may be signed and bills issued even when there
is no underlying delivery or delivery agreement. A rigorous examination is
also required to ensure that the true costs of revenues are disclosed, rather
than being hidden to artificially inflate earnings and profitability.

6.5. PAYMENTS
For unique payment provisions, such as advance payments that do not
necessarily require delivery or performance, capital obligations must
be carefully addressed. The actual cost, delivery, and execution must
be compared to financial estimates based on the projection of capital
expenditures and sources of cash for the payment of such expenditures
(Black & Cox, 1976). A planned capital financing might only be sufficient
to cover working capital needs and fall short of meeting the company’s
capital requirements, which are crucial to its future growth. Management
frequently exaggerates the genuine working capital requirements in an effort
to increase profits and returns. The worth of the stock and the ongoing work
should be determined without taking profits into account but accounting
for potential losses. It is crucial to physically inspect the inventory to make
sure that the raw materials and goods are not out-of-date or redundant and
that the value is appropriately recorded in the books. On-site stock checks
at transaction closings are not unusual. It is important to carefully review
all contingent, disputed, and other liabilities, including claims arising from
contracts, as well as any defaults or cross-defaults that may occur under
current borrowing facilities as a result of the financing. The effects of any
defaults should also be carefully considered.
The country in which the firm is located, as well as the country of the
lender or investor, will have different tax effects. The tax consequences of a
transaction or investment may have a significant impact on pricing, such as
the withdrawal of previously held reliefs or the crystallization of charges, or
the understatement or overstatement of deferred tax liabilities and tax assets
as reported in the books of accounts. Tax is a crucial component of the due
diligence process. It will be necessary to evaluate previous tax calculations
and take the transaction’s effect into account. This will frequently influence
how the transaction is set up, such as through the purchase of shares or assets,
financing through debt or equity, delayed consideration, or installments, in
order to maximize tax savings. The full range of applicable taxes, such as
income or capital gains taxes, estate or inheritance taxes, value-added tax or
sales or service taxes, as well as customs and excise duties and fees, would
be covered by the tax review. An examination of the anticipated impact
would be required in each scenario. For instance, value-added taxes may
be applied to asset acquisitions, loans may be subject to withholding taxes
on interest due, and foreign exchange controls may apply to offshore equity
investments, resulting in punitive departure fees. It would be typical to see
tax warranties and representations addressing the problems of concern as
well as complete tax indemnities being offered in respect of any liabilities
or contingent liabilities expected to arise as part of any documentation
created after such a review. It is important to thoroughly analyze all previous
borrowings, including debentures, overdrafts, and loans made available to
the business. The total amount of borrowings and the additional debt must
not exceed the authorized limits for the existing facilities and must fall
within the range set forth in the business’s charter. If not, the constitution
must be changed before the company can use the new facilities.
The current facilities ought to be maintained and used (Bin, Crawford,
Kruse, & Landry, 2008). The default provisions of the facilities and the
effects of revisions should be thoroughly examined in the terms of the current
facilities. Covenants must be made that the business has not violated any of
the terms of the existing facilities, and if it has, pertinent disclosures must be
sought. It can be required to subordinate the existing debt or make sure that
the existing debt is given priority as part of the transaction when new debt
is made available in addition to the existing debt. The company would have
signed a number of other commercial contracts, often with its distributors,
suppliers, export agents, and marketing agencies. These agreements could be
crucial for commercial activities and sales. As a result, it is critical to confirm
the validity and existence of these contracts, determine the responsibilities
under each, and confirm that the business is not in default or would become
in default as a result of the transaction. Particularly, unpaid debts like money
owed or payable would need to be taken into account. This may be a very
laborious and drawn-out process. The contracts’ termination clauses could be
unfavorable, come with long notice periods, or become effective following a
change of management. Additionally, extra caution will need to be exercised
if the business has guaranteed or indemnified any third party in relation
to liabilities of a group company or otherwise. Powers of attorney, option
agreements, indemnities, comfort letters, credit extensions, credit grants, or
any other instrument that might, as a result of the transaction, become an
obligation for the business should be carefully evaluated.
If one wants to obtain the license’s assignment, they must make sure that
the license is not personal to the person in whose favor it is granted, in which
case it could not be possible to assign or sublicense the license. Once more,
the list of things that can and cannot be registered may vary by country.
According to the UK Patent Office, computer software may be eligible for
patent protection if it has a technical effect, which is commonly regarded
as improving technology. It must also primarily be used in the technology
industry. Establishing the point of origin of the IPR is crucial. Particularly
in cases where the IPRs (Figure 6.3) are not registrable, warranties, and
representations should be made. Some jurisdictions may have an additional
need for registering ownership, license, or sub-license of the IPRs within
a specific time frame. Additionally, care must be taken to ensure that
any technology or information used by the company does not violate the
intellectual property rights (IPRs) of third parties and that it is authorized for
use by the company (Hanel, 2006). Confidentiality agreements should bind
staff members handling sensitive data.

Figure 6.3. IPR.

Source: https://www.researchgate.net/publication/339481869/figure/fig1/AS:862458134671360@1582637451115/Different-types-of-IPR.png.
Normally, when a business, in whole or in part, is transferred to another,
existing regulations will preserve the interests of the employees. The same
terms and conditions apply for the automatic transfer of the personnel.
The provisions of such legislation will not apply to transfers that do not
include a business transfer. As long as the employer company remains the
same, the regulations will not have an impact on the transfer of shares. Any
rights and obligations resulting from employment contracts, including all
collective agreements established on behalf of employees, are transferred to
the new employer as part of a business transfer. However, benefits related
to occupational pension plans would need to be transferred separately.
Irrespective of the magnitude of the enterprise, regulations may still be
applicable. Any transaction involving a change in ownership must also
take into account consulting with trade or employee union representatives.
A lender or investor may then seek to obtain substantial warranties and
assurances from the company owners and management that can be relied
upon and are included in the risk return analysis after having completed a due
diligence exercise. These are frequently the subject of intense negotiation and
have the power to make or break a contract since they affect how liabilities
are allocated and how the risk-reward equation is balanced. The guarantees
may be expressed as indemnities, which are promises that, in the event of a
certain liability, a loss will be covered or made good. Indemnities are always
given in cases of tax liabilities on share sales, legal claims, environmental
concerns, dubious claims, third-party liabilities, and any other situation
where there is a chance that a liability could arise. Due diligence should be
conducted with a specific goal in mind because it is an essential component
of any acquisition, investment, or loan. The goal will rely on the investment
strategy employed by the investor or just the anticipated lending risks.
Determining the actual risk and reward relationship should be the focus.

6.6. LAWS
Laws governing product liability might vary greatly between jurisdictions.
Because strict responsibility may be the basis for product liability legislation
in some countries, carelessness may not even need to be shown (Henderson,
1983). Potential liability to businesses could be limited. Even though the
bulk of high-profile cases have occurred in the USA, it is important to note
that upcoming legal changes in the UK and the rest of the EU may broaden
the potential for extensive litigation and potentially multi-million-dollar
damages that are frequently seen in the USA. Product liability is not the
only area of litigation risk. In fact, there are a wide range of potential causes
for litigation, some of which can be connected to the proposed transaction
and others might be completely unconnected. Money laundering first came
under criminal inquiry in the USA in 1919. As it was not common practice
for banks to inquire about the source of cash prior to making deposits, tax
evasion was prevalent at the time. The Bank Secrecy Act of 1970 (BSA), also
known as the Currency and Foreign Transactions Reporting Act, mandated
that banks create a paper trail. Other laws governing money exchange and
financial accounts were passed in the USA after the BSA was passed. The
Money Laundering Control Act of 1986 established money laundering as
a criminal offense in the USA (“EBSCOhost | 33768853 | The Criminal
Prosecution of Banks under the US Bank Secrecy Act of 1970,” n.d.).

This Law Society guidance note makes it clear that a professional legal
adviser does violate the law by tipping off if he or she discloses information
to a client under privileged circumstances, such as when providing the
client with legal advice, or to any third party in connection with ongoing
or anticipated legal proceedings. The guidance paper states that the legal
advisor is not required to inform the clients that he or she has reported or
plans to disclose something to the FIU. Legal counsel should withdraw from
the case and carefully consider following the Law Society’s standards while
making a report to the FIU if they consult with their client about making a
report to the FIU and the client objects. When a legal advisor informs a client
that they have made or plan to make a report to the FIU while providing legal
advice to the client or acting in connection with present or anticipated legal
procedures, they are not breaking the law. The Law Society has also said
that the aforementioned is true for both transactional activity and litigation.
Additionally, it should be mentioned that regulatory and reporting
standards, which have an impact on stakeholder and insurer confidence, are
the main external factors. As small businesses and small and medium-sized
enterprises (SMEs) deal with the implications of today’s business environment
and scrutiny of bureaucracy, regulation, customers, non-governmental
organizations (NGOs), as well as the media, the issues and concerns that
were previously only the purview of large businesses have snuck into those
of small businesses and SMEs. While a jurisdiction’s company law controls
businesses that have been formed there, that jurisdiction’s securities rules
and regulations apply to businesses, investors, and middlemen engaged in
the purchase or sale of securities there. For instance, in the energy industry,
two-thirds of companies with primary listings on overseas exchanges also
have secondary listings on US stock markets. The majority of the big
listed corporations also have their primary listings on US stock exchanges
(Risman, Salim, Sumiati, & Indrawati, 2017). Therefore, modifications to
US requirements have a significant impact on how business is conducted
in general. Insurance can cover a sizable amount of any financial damages
brought on by policy violations. Protection of premises from intrusion by
unauthorized individuals has risen on the corporate agenda in recent years.
Employees, clients, subcontractors, etc., now demand a certain level of
protection from the possibility of a random intrusion. Budgets now include
expenditure for reducing this risk since it has become necessary. It applies
to integrity risk as well. There are several instances of unethical, and
occasionally illegal, behavior by people or organizations within corporations
that has negatively impacted a company’s reputation, if not its viability.
There are a few well-supported cases that the IBE has identified. While it
may not always be able to ensure the avoidance of such unethical behavior,
as is the case with other aspects of corporate governance.
In order to learn how other businesses manage the values and goals
that National Grid has defined as being crucial, a set of questions would
be devised. The benchmarking research would include information on the
environmental policies, organizational structure, financial management, and
business goals for contaminated site management. To perform the survey,
it would be crucial to compile a list of numerous comparable businesses.
The businesses might all be situated in the UK or they could also be spread
across the USA or other nations. Additionally, all utilities or other connected
businesses may be included in the company. The final benchmarking
goals would rely on how National Grid defined the values and goals that
were considered crucial. Active investors will alter their investments in
accordance with how they choose their stocks. A passive investor will hold
all of the stocks inside an index, whereas a passive investor will invest in
accordance with an index and may alter how much of a certain stock is
kept. This strategy is typically used by funds that need to adopt a low risk
profile and are quite substantial in size. Since retirees and pensioners often
invest passively, almost all major private equity firms in the USA invariably
count pension funds among their top investors. In the form of employees
and retirees, Ford Motor Company’s profit-sharing model also contributes
to the emergence of a sizable number of passive investors. More recently,
Citigroup increased the scope of its microfinance initiatives in Bangladesh
by collaborating with BRAC, a countrywide anti-poverty NGO that has 5
million members, the majority of whom are women. Citigroup secured a
pool of millions of low-risk, passive investors for more than half a decade
by providing BRAC access to $180 million over a six-year period.

6.7. FUNDS
Active funds carry a lot more risk than passive funds do. Their first
responsibility as a pension fund is to give their members fair compensation.
Furthermore, major pension funds are increasingly being held accountable
for their members’ quality of life in addition to their fiduciary obligations to
them. One illustration involves Baker Hughes. Baker Hughes works in the
process and oilfield industries. Additionally, it produces, markets, and sells
other goods as well as offers services to sectors of the economy unrelated
to the oilfield or continuous process industries. A suggestion to apply the
MacBride Principles in Northern Ireland was recently included in a proxy
statement. The principles do not advocate for quotas, reverse discrimination,
divestiture, or disinvestment. They’re designed to promote impartial US
investment in Northern Ireland. Exxon Mobil’s six suggestions addressing
social responsibility issues and ChevronTexaco’s resolution asking for reporting
on renewable energy are two more examples. In response to attempts by
activist shareholders to apply this pressure tactic to BP, the company started
posting instructions for members’ requisitioned resolutions on its investor
center website. This was done to make clear the differences between UK
law and US law, particularly the UK ban on shareholder resolutions that are
merely opinion-based. Nevertheless, it is obvious that events in one country
affect trends and choices in other countries, particularly given the strong
influences of technology and the media at play.
The business advantages attained by companies that adhere to effective
due diligence methods and excellent corporate governance can be observed
in bottom line performance and stakeholder confidence. Businesses that
run their operations ethically and with consideration for these ideas are
increasingly acknowledged to be better managed overall. Additionally, they
are intimately related to the other well-known objectives of sustainable
development. In light of this, an organization will need to determine if its
management program is in line with its best practices policy, taking into
account pertinent advances in risk management as well as current corporate
governance best practices. Regarding current operations, the potential
of lawsuits weighs heavily on many people’s business lives and can ruin
relationships with clients, lenders, and suppliers. The business’s internal due
diligence and corporate governance management difficulties are impacted
by this.
The reader should keep in mind that the approach being taken to due
diligence and corporate governance is that these concepts are designed to
enable the establishment and development of a sound, healthy firm in which
sustainable decisions may be made. Understanding the options that are now
available to lessen the effects of such confrontation is crucial because it
is challenging to avoid conflict in today’s litigious corporate environment.
This can help with a litigation policy so that management can try to avoid
the negative effects on a corporation, no matter how big or little, by
diverting resources. Many companies make an effort to ignore the realities
of impending disputes and prospective court cases. A company must make
sure that someone in the organization assumes responsibility for this area
of running a business from the start and that they have a clear strategy for
managing litigation. This is especially true now, when corporate governance
issues are receiving more attention and call for transparency in all business
dealings. For instance, a realistic overview of the conflict resolution trend and
alternatives should be sought through authorized advisers or organizations,
as many businesses do not actually have in-house legal knowledge to assist
with such a strategy.
Comprehensive changes were made to the way civil cases are prepared
for and handled in English courts in April 1999. The County Courts, the
High Court, and the Court of Appeal are all subject to the civil procedure
rules (CPR), also referred to as the Woolf Reforms (Jones‐Parry & James,
1998). They were designed to guarantee the effectiveness, fairness, and
accessibility of the civil judicial system. The parties must cooperate with
the court to advance the main goal. The court may actively manage cases in
order to further the main goal. Previously, the parties, or more specifically
their attorneys, controlled practically all aspects of case administration.
Parties that were recalcitrant could be asked to approach the courts to issue
orders giving them directions. The court now largely has the initiative in
deciding how quickly the lawsuit will move forward. There is currently little
room for the parties to withdraw, and there is less room for the attorneys to
take advantage of their clients. It is reasonable to anticipate that a typical
commercial dispute will take 18 to 24 months, and frequently more, to reach
a trial from the date that proceedings were issued. Unquestionably, many
of the CPR’s reforms are welcome, long needed, and beneficial to litigants
and, in some situations, lawyers. Now, litigation can move more quickly
toward its end. The ability of the parties or their attorneys to manipulate the
system or cause delays has decreased. However, the expense of litigation is
still considerable, and it appears that many lower-value lawsuits have been
discouraged by the reforms.
Law firms typically have a tendency to specialize, at least on a
commercial basis. The majority of the largest law firms in the UK are
located in the City of London, and some of them have more than 1,000
fee earners in addition to support personnel. They frequently have a highly
diverse spectrum of knowledge under one roof, yet despite their public
denials, they are frequently more expensive than smaller businesses. They
do, however, have certain benefits. Sometimes it is impossible to find the
necessary skills elsewhere. Sometimes a team is needed, and the issue may
even call for working every day of the week, including holidays. Rarely are
smaller businesses able to offer this degree of urgent service. Consider a less
expensive option if the matter doesn’t require the knowledge and assistance
that a large business may offer. Additionally, many companies discover that
using one company entirely is not always required or practical, and that
adding a little competition might be beneficial. Many lawyers overlook
the fact that there is a sizable hidden cost to litigation. Complex litigation
necessitates constant collaboration between the attorneys and their client.
The client is frequently expected to contribute significantly and consistently.
This can consume a lot of the client’s time and energy, and there are financial
considerations as well. The client should think about whether investing the
necessary time and effort in their business would be a better use of their
resources. The client should be clear about the goals of the case and make
sure that everyone has agreed to them. Make sure the attorneys outline their
approach to the litigation, when they could seek a settlement or engage in
mediation, the scope of their fee arrangement, and how they intend to keep
the client informed of developments.
By establishing a budget with the attorneys in advance and possibly
during the course of the case, some of the financial unpredictability
associated with litigation can be reduced. The opposition’s actions may have
a significant impact on the litigation’s cost, pace, and direction. As a result, it
is challenging for attorneys to predict with accuracy how the adversary will
act and react, and as a result, how much it will cost to win or lose a case.
The best the attorney can typically do is either give an estimate that accounts
for everything that could go wrong or give updated estimates for each stage
of the litigation as the case moves forward, including likely maximum and
minimum amounts. The client must be prepared to cover the expenses and
risks if they want an estimate that doesn’t allow for growth. If the litigation
proceeds without issues, this indicates that he or she will have overpaid. It is
a little different when attorneys submit bids for bulk work that could include
hundreds of conflicts over time. It is not in the client’s best advantage to bind
the attorney to a fee schedule that tempts the attorney to spend less time on
the case than it merits, and it is not in the lawyer’s best interest to accept
work that turns out to be unprofitable. The attorneys should always be able
to give accurate predictions of the future costs on an ongoing basis.
It can be required to involve international attorneys when issues occur.
Their costs might be more difficult to manage. For a UK-based company, for
instance, they might be less expensive than their UK equivalents, but they
might charge on completely different principles. In the event that a second
language is involved, the client can anticipate paying a little bit extra to
enjoy the luxury of a foreign lawyer reporting to and getting instructions in
the client’s native tongue. The price of having text professionally translated
will be high. If a client doesn’t already have a solid working relationship
with an overseas attorney in the relevant nation, they should think about
asking UK solicitors with an international practice to hire foreign attorneys
on their behalf. Some of the larger companies have offices abroad. Some big
and little legal firms are members of one of the international bar groups that
give them access to reliable foreign peers. Although hiring UK lawyers will
result in higher costs, they are more likely to be aware of potential dangers.
They should be able to make all the necessary inquiries on the client’s behalf
and avoid unpleasant surprises about costs and fees. They will make an
effort to be economical. In some cases, a portion of their price may even be
reimbursed as recoverable expenses in successful international litigation.

6.8. COST-SAVINGS
The sooner the better from a cost-savings perspective if the problem can
be resolved without going to trial. The closer the case is to trial, the more
expensive it becomes (Potkany, Stasiak-Betlejewska, Kovac, & Gejdos,
2016). In the UK, most commercial attorneys view it as part of their duty to
settle the case as fast and inexpensively as feasible and, whenever possible,
to avoid the high costs of a trial. They are typically good negotiators and
may begin settlement negotiations without running the danger of their client
viewing it as a sign of weakness. The subject of settlement can typically be
brought up by the lawyers without necessarily implying that their clients’
direct instructions are required. Even still, it doesn’t hurt to periodically
remind the attorneys that settlement is preferable to trial if there aren’t
any fundamental legal issues or points of principle at stake. Lawyers are
frequently charged with prolonging legal proceedings to raise their fees. It
cannot be emphasized enough that the optimal course of action in terms
of due diligence and corporate governance is generally to avoid disputes.
Although it may seem like common sense, avoidable business disputes
nonetheless arise frequently, even when both parties conduct their business
with integrity. Misunderstandings are frequently the cause of conflicts. In
most business ventures, the participants focus on all the great aspects of the
enterprise rather than giving any thought to how issues will be resolved if
things do not go as planned. Agreements, contracts, and other business papers
should be carefully designed to account for potential misunderstandings or
problems. Paying a lawyer later to clean up the mess is typically significantly
more expensive than paying a lawyer now to help create something that will
minimize the chance of difficulties emerging.

The client can be confident that if their attorney initiates the conversation,
they will push the opposing party into hiring legal representation as well,
decreasing the likelihood of an early settlement, at least temporarily. In many
jurisdictions, this is the case. Even while the parties may not acknowledge
it, there is frequently an emotional barrier to resolution in business. A party
may feel that they have been mistreated, or it may just be a personality
mismatch. If something has occurred and emotions are too intense to
allow resolution, the topic should be removed from the parties’ control, i.e.,
change the negotiating team. An offer to settle a dispute or an offer to accept
less money than requested may be interpreted as weakness, but not if it
is made in the right way. Until a deal in principle is reached, negotiators
might also seek official approval to settle from the board of directors or
their management. Lawyers might offer advice during talks while remaining
silent. Keep in mind the importance of what is occasionally referred to as
a commercial settlement, in which the agreed-upon debt or obligation is
returned by ongoing or expanded commerce between the parties.

6.9. PRINCIPLES
Together with the natural justice principles, such legislation establishes
a general framework of guidelines that generally restricts the scope for
judicial involvement or intervention. The courts stay out of the picture,
only getting involved when it is allowed and absolutely essential. In many
foreign nations, an arbitration award may be enforced as such. It can be put
into effect in the same way as a court order. If necessary for the purposes of
enforcement, it may be converted into a court judgment, for instance if it is
to be enforced abroad in a nation where a foreign judgment but not a foreign
arbitration award may be executed. An arbitration award can frequently
be enforced abroad more easily than a judicial verdict. Heavy commercial
arbitration can involve a team of expert witnesses, senior junior lawyers,
leading counsel, and junior counsel who have been briefed for the hearing.
The price tag may be as high as what would be paid in court. Additionally,
the parties are responsible for paying the arbitrators’ daily fees. The price
of renting a room and other amenities for the hearing may also be involved.
Even if there are court costs associated with litigation, the judge will preside
over the case for the entire duration without charging extra. The courtroom
is free of charge. In addition to the tribunal members’ costs, at least one
international arbitration body imposes significant administrative expenses.
For creating an administrative structure in which the arbitration reference
can take place, certain trade organizations that offer an arbitration procedure
to their members levy a nominal fee. Others don’t charge anything, leaving
all administrative matters to the parties and the tribunal to handle, usually
with some standardization of fees. If the parties can agree on a single
arbitrator, the cost of arbitration can be greatly decreased. But occasionally,
if they cannot agree among themselves and there is no organizing body
with a predetermined procedure for this event, they can at least agree on
who will appoint the arbitrator on their behalf. Even with the CPR reforms,
the process can be fairly slow and expensive when one is dealing with an
obstructive opponent in another nation. In certain situations, the High Court
has appointment powers.

6.10. CLAIMS
For modest claims, certain organizations offer a unique process. For claims
under $50,000 USD, the London Maritime Arbitrators Association (Figure
6.4), whose arbitrators frequently handle complex issues, has a small claims
procedure (Steele, 2010). This process offers a straightforward, fixed-price
resolution service. In accordance with this approach, the arbitrator decides
the dispute solely based on the documents submitted, i.e., without holding
an oral hearing. The parties have a significant amount of control over
how quickly an arbitration reference can move forward. With everyone’s
cooperation, the process can be completed in a few weeks, often even less, if
the dispute is to be decided by a single arbitrator solely based on papers. The
hearing date may need to be set months, potentially even a year or more in
advance if the tribunal consists of three professional arbitrators who are very
busy attorneys and solicitors, very busy expert witnesses, and witnesses of
fact who have similar issues. With good faith on both parties, it is probably
accurate to argue that arbitration is typically quicker than litigation before
UK courts and unquestionably far quicker than litigation before some
foreign courts. The goal of mediation is to help the disputing parties reach
an amicable resolution of their disagreement by enlisting the help of a
neutral third party, the mediator. While using certain methods, strategies,
and talents to assist the parties in negotiating an amicable resolution of their
disagreement without going to court, the mediator does not have the power
to render any decisions that are legally binding on the parties.

Figure 6.4. London maritime arbitrators association.

Source: https://www.acerislaw.com/wp-content/uploads/2021/05/How-to-Initiate-LMAA-Arbitrations.jpeg.
As a result, mediation and arbitration are very different. Contrary
to arbitration, mediation does not entail the making of a factual or legal
determination or the creation of a final, binding judgment. An agreement to
participate in mediation will not be enforceable, in contrast to agreements to
arbitrate disputes. There isn’t a lot of mediation law yet, but it could change
in the future. In most cases, the principles of natural justice do not apply to
mediation. The skill of the mediator comes in assisting both sides to come
to an understanding regarding how a conflict should be resolved. Mediation
will not succeed if there is no desire to settle. Sometimes the parties will
come to the realization that at least some of the difficulties between them
can be settled, leaving the court with fewer or shorter matters to address.
There are no absolute laws. Different mediators operate in various ways.
The mediator usually attends meetings where all parties involved convene in
person. The mediator outlines the process that will be followed. The parties
shall determine if they desire the presence of their counsel. Then, each party
briefly summarizes the facts of their case and outlines the relief they want.
There can be a time limit set. The mediator will then visit the parties in their
separate rooms, most likely more than once, to discuss the case and try to
identify any potential points of agreement or major barriers to resolution.
Except when expressly authorized or requested to do so, the mediator will
not reveal what has been discussed to the other party. The mediator will
communicate opinions, advice, and, ideally, offers. In order to ensure that
the parties are focused on resolving the dispute, the parties may be given a
deadline for the completion.
In comparison to the alternatives, arbitration might be quite inexpensive.
Modest fees must be paid to cover the mediator’s services and the cost of
the facilities if the mediation is administered by a court or a professional
mediation group. The Central London County Court provides excellent
service at very fair prices (Lupson, 2002). The only additional expenses
are the cost of the parties’ lawyers and the cost to be put on executive
time for the parties themselves because the procedure is anticipated to last
less than a day and won’t typically include the engagement of advocates
or expert witnesses. It is customary for the parties to stipulate upfront that
regardless of the outcome, each will cover half of the mediation fees. The
main goal of the Leggatt suggestions was to give tribunals a more organized
framework. There would be first-tier tribunals inside that framework, such
as those for immigration, health, and education. Corresponding appellate
tribunals would exist for these. However, some contend that because of how
time-consuming employment tribunals have grown, they should have their
own framework. They pertain to the employment tribunal system task force
recommendations. Similarly, due to concerns about disability discrimination,
education tribunals’ roles and workload are rising. There is fear that a single
tribunal system would be too burdensome and would result in a dilution of
expertise, even if the Leggatt plans would eliminate the notion that tribunals
are not independent from their sponsor government departments. This is a
specialty field that has to be pursued independently if needed.
Of course, the issue of late payments is not unique to the UK. The majority
of EU Member States, for instance, experience payment delays. Generally
speaking, all business debts are subject to the laws of the EU member states.
Along with the presence of a legislative right to sue, the existence of the
legal frameworks required for a creditor to effectively enforce such a right
is obviously important for business. As mentioned before, the expense of
seeking the interest is a major deterrent to firms exercising their entitlement
to it. The more expensive and time-consuming the legal process, the less likely
it is that interest will be claimed and the less effective legislation will be in
changing the payment culture. As an illustration,
even if the principal debt is paid, interest can still be automatically levied
in Sweden and pursued through the courts if it is not paid. There is a
summary court process for uncontested claims. The claim is sent to court
for litigation if it is contested. The debtor receives notice of this and has
eight days to pay or raise an objection or defense; otherwise, a summons
will be issued. If a claim for interest is accepted, the debtor is required to
pay interest as well as costs associated with pursuing the claim. However,
with continuity planning, all of these measures which may include corporate
decision-making, security, health, and safety, resilience in production lines,
etc., are most effective when they are all a part of a relatively seamless risk
and impact understanding and management process. Even the difficulties
faced by continuity planners and risk managers are comparable. Both risk
management and business continuity management are commercial issues
that also deal with the unique difficulties of acceptability and urgency. Every
discipline is changing on its own. They would benefit much by cooperating
more closely and each offering helpful support to the other.
After an occurrence, such as a spill or an industrial accident, legal
responsibility issues frequently flow into public relations challenges.
Regardless of the real environmental impact, a spill that makes front page
news will undoubtedly result in more serious repercussions for a firm.
Naturally, an aggrieved party, or someone who believes they have been
harmed, is more inclined to file a lawsuit when they feel that the problem
was not handled appropriately. Changing such a view requires a strong public relations
plan. It is insufficient to merely respond to an EHS issue (Brown, 2014).
The crisis needs to be handled. A firm is more likely to come under intense
scrutiny if it is not ready to deal with the public and if senior management is
not responding in a way that reassures the public that the company has things
under control. Government enforcement, such as criminal investigations
and prosecution, as well as third-party lawsuits, such as citizen suits, are
some of the ways that government scrutiny can take place. Some businesses
have spent a significant amount of money working with competent public
relations agencies and attorneys to build EHS crisis management plans
(Figure 6.5).

Figure 6.5. EHS crisis management.

Source: https://blog.lnsresearch.com/hs-fs/hub/136847/file-1378873204-jpg/images/lns_ehsdiagram.jpg?width=375&height=403&name=lns_ehsdiagram.jpg.
However, it is typical for an organization to simply accept the plan and
store it, certain that it would be available when needed. Everyone involved
in handling an EHS crisis, from the second shift process operator to the
CEO, needs to be aware of both the plan’s contents and, more crucially, their
specific position within it. It takes considerable consideration, planning,
testing, practice, and updating to create the type of organization needed to
handle an EHS crisis (Irani et al., 2002).

6.11. INFORMATION
Information is affected by outdated data, such as contact or health information,
which can result in significant delays and either over- or underreporting
of data to agencies and the general public. Due to outdated data, even
sophisticated organizations with well-thought-out crisis management
policies can face substantial liabilities. A new process chemical’s material
safety data sheet, which OSHA and the EPA both require to be kept, might
not be included in the plan, which could result in an incomplete report to the
EPA during a process release and a sizable fine. A release that spreads to an
adjacent neighborhood could have considerably more terrible repercussions
due to the outdated knowledge. Additionally, EHS managers are frequently
given control over completely new facilities and divisions in this era of
frequent company mergers and takeovers. EHS mishaps are more prone
to occur during these times of transition because EHS may be temporarily
disregarded due to staff changes and other factors. Ironically, most EHS
managers can’t concentrate on integrating crisis management strategies
because they are just too busy integrating daily EHS functions. Unfortunately,
this can cause significant issues in the wake of EHS accidents. Finally, there
are numerous new laws, regulations, and policies at the federal, state, and
municipal levels that may be relevant in an EHS emergency. Most businesses
keep track of new EHS regulations and implement them into operations, but
many neglect to update their crisis management systems and strategies to
reflect these new regulations.
Despite the fact that many businesses have in-house EHS attorneys
with specialized knowledge, many are already overburdened with daily
regulatory issues, briefing management on important issues, managing
litigation, and examining EHS issues in deals. Despite their best efforts, it is
simply not possible for these people to consistently participate in EHS crisis
management planning (Carrithers, DeHart, & Geaneas, 1998). Furthermore,
a lot of in-house attorneys travel extensively. Incorporating an experienced
outside attorney into the team has major benefits because they are likely to
have seen numerous strategies created by various clients. The competence
of a lawyer is required both before and during a crisis due to the numerous
legal obligations and issues involved. Additionally, the attorney can help
the corporation prepare comments for the media and government agencies,
even though they won’t actively take part in information distribution during
a crisis. Additionally, the attorney can help if the inquiries turn into criminal
investigations. Additionally, a lawyer can start creating a record that can be
used in the future, assist in internal investigations of fundamental causes,
and possibly safeguard those investigations through privilege. A lawyer
who is well-liked by the responding agencies can also be very helpful in
reassuring them that the corporation has the situation under control.
In addition to supporting business operations in the face of security
breaches, security risk assessment also involves the prevention of terrorism
through the assessment, analysis, and application of operational strategies to
protect property, personnel, and information from the infiltration of terrorist
activities that aim to weaken the economy by undermining individual
businesses. For enterprises of all sizes, security measures are becoming
more and more crucial to the process of due diligence. The security of
citizens’ goods and services in a globalized business environment is still
a concern for governments. Most modern companies engage in some type
of commerce that could influence international trade. This can include a
variety of things, such as frequently employing foreign nationals and having
staff that is familiar with the complex immigration requirements, as well
as holdings in foreign investments, such as pension plan offerings or the
intricate corporate structures of multinational corporations. All industries
need continuity of operations since it identifies the key human players who
will be required to maintain the operation of the core business processes
in the event of an emergency. Business owners are now getting advice that
might help them ensure that their profit margin is not damaged or is very
slightly affected during a chaotic moment.

CHAPTER 7
SUPPLY CHAIN RISK MANAGEMENT

CONTENTS
7.1. Introduction
7.2. Supply Chains
7.3. Integration
7.4. Risk Management
7.5. Outsourcing
7.6. Production
7.7. Strategies
7.8. Variables
7.9. Scorecard

7.1. INTRODUCTION
Moving items along a supply chain has been a part of military organizations’
history, and this is still the case as evidenced by the deployment of American
personnel to Iraq and Afghanistan. But not all businesses involved in supply
chains are military. Lean manufacturing practices used by Toyota, make-
to-order operations used by Dell, and ground-breaking retail practices used
by Walmart rely on supply chains that are connected by computer systems
between various source businesses (Manuj & Mentzer, 2008). As consumers,
supply chains offer a lot of advantages to all of us. The numerous potentials
for efficiency that global connection offers producers of goods and services
must be taken advantage of. These chances, however, come with dangers
and are not free. Some supply chains are very straightforward; for example,
bananas harvested in Costa Rica might be sent right to the Cayman Islands-
based plantation owner. A farmers’ market in Nevada can receive beans
that were picked in California. However, the majority of products need
to be processed extensively, particularly foods and medicines, partly for
preservation and partly for safety reasons. Standard Oil has a lengthy supply
chain that connects refineries and oil wells all over the world. Even more
intricate supply chains were used by steel producers, starting with various
types of mines, and continuing through various processing facilities, blast
furnaces, open steel production ovens, rolling mills, and steel yards, which
in turn supplied a wide range of manufacturers (Figure 7.1).

Figure 7.1. Supply chain risk management.

Source: https://www.researchgate.net/profile/Ceyhun-Ozgur-2/publication/339366297/figure/fig2/AS:860417945522176@1582151032610/Supply-Chain-Risk-Management-Framework_W640.jpg.

7.2. SUPPLY CHAINS


Different people will define supply chains in a variety of ways, although
proximity and exclusive connections may be important. Supply chains do
not include in-plant mobility. You might believe that the presence of several
owners is significant. However, as companies like Standard Oil, U.S. Steel,
and Alcoa have had enormous vertical worldwide supply chains, a supply
chain is not characterized by numerous owners (Ellram, 1991). On a personal
level, you could theoretically take herbs from your own garden to treat a
headache. A supply chain would not be involved in that. The majority of us
prefer the dependability and security of buying aspirin from a recognized
retailer. A convoluted supply chain is involved with packaged aspirin. As time
goes on, it gets harder and harder to come up with ideas that don’t include
supply networks. Fewer people today are growing up on farms; instead, the
majority of people live in cities, where food supply systems are essential.
Supply chains are appealing because they provide access to a system’s most
economical sources. Many manufacturers, merchants, and other business
organizations now have more chances than ever before to become more
effective. The cost of transportation and the additional risk brought on by
globalization have always been the trade-offs. People who lived along the
Baltic Sea built one of the more intriguing supply chains nearly 1,000 years
ago. However, robbers, notably Vikings, frequently interfered with the
profitable business. The Hanseatic League was established to defend traders
against pirates and offer safe havens for traders in their trading posts. This
was a precursor to supply chain risk management.
The camel caravans that traveled the Silk Road (Figure 7.2), which
connected Europe and China, were extremely perilous. Traveling by water
was once one of the ways to dodge bandits, and shipping is still the main
route to move goods along supply lines. However, simply crossing a body of
water will not protect you from crime because piracy is almost as old as the
industry it preys upon. Most pirates have historically operated on the thin
line between authorized legality and capital offense. Instead, they would
exchange their large excess of money and silver for anything they desired
from the rest of Europe, supplying the market for wool and food production
in England, France, and Germany. However, piracy is still a major problem
today. In the last 10 years, the number of pirate raids has quadrupled.
Hotspots of piracy now are, of course, off the coast of Somalia; nevertheless,
northern Indonesia has always had a problem, and the Caribbean has a
significant drug supply chain industry. The fight against piracy is receiving
increased focus from the world’s warships, particularly in the region
surrounding the Straits of Hormuz, which is crucial to the petroleum supply
chain. Germany’s supply lines for Volkswagen, Porsche, and BMW were
troubled in January 2011 by soaring demand. Volkswagen was forced to
cease production due to a lack of engines and other parts. This was brought
on by rising demand in China and the United States rather than a natural
calamity, a war, or any other unfavorable reason. Supply must be maintained
for manufacturing and contemporary consumer retailing operations. We as
customers can benefit greatly from supply chains. Shipping over supply
chains has enabled competition to result in better products at reduced costs.
Producers can acquire the greatest resources and process them at the lowest
cost by outsourcing.

Figure 7.2. Silk road.

Source: https://upload.wikimedia.org/wikipedia/commons/thumb/b/bf/SeidenstrasseGMT.JPG/1200px-SeidenstrasseGMT.JPG.
Almost every activity has a number of unanticipated side effects. For a
Spanish refiner, the least expensive option might be to purchase crude oil
from Libya. However, that low cost also carries a little danger of political
unrest. Government confiscation might be less likely in Nigeria than in
Libya. On the other hand, Nigeria can have increased local crime issues that
consume the anticipated savings. Therefore, Venezuela may be a source of
crude oil for the refiner. The issue of political instability then reappears. As a
result, the refiner might go back to Libya only to discover that war has broken
out, negating all of that source’s cost advantages. Supply chains look for ties
that will last. There are several transient disturbances in real life. Political
disruptions have been discussed, but nature has a much greater capacity for
spectacular disruption than politics. There are many risks associated with
supply chains, which can be divided into internal and external problems
like market prices, rivals’ actions, manufacturing yield and costs, supplier
quality, and political issues. Supply chain companies must be concerned
with hazards coming from all angles. Opportunities in any corporation
depend on how well that organization is able to manage risks. The majority
of natural risks are managed either by insurance, which has its own costs, or
through diversification and redundancy. The organization must decide while
taking into account all trade-offs, just like with any other business choice.
Historically, this has involved the costs and benefits elements. Society
is increasingly heading toward complicated decision-making contexts
involving consideration of both ecological and social justice considerations.
There are more opportunities to control risk sources when dealing with
external risks. Political systems in the past have been impacted by particular
supply chains. There are other petroleum companies that come to mind,
as well as arms companies like Alfred Nobel’s. While most supply chain
participants can’t be counted on to be in control of political hazards like
wars and regulations, they may influence the conditions that contribute to
labor unrest. Organizations in the supply chain are projected to have an even
stronger impact on economic variables. The advantage of monopolies or
cartels is their capacity to affect pricing, even though it is not anticipated
that they will be able to regulate exchange rates. Business organizations
are also in charge of creating product portfolios in dynamic marketplaces
with product life cycles and technologies that give competitive advantage.
The dangers result from the skills of competitors in an unending race. The
supply chain organization and its members are more directly responsible
for internal risk management. Organizations in the business world are in
charge of managing their structural, production, and financial capacities.
In addition to carrying out their social obligations, they are in charge of
programs that ensure appropriate workplace safety, which has been shown
to be cost-effective for enterprises. It is necessary to coordinate actions
within supply chains with vendors and, to a lesser extent, with customers.
Information technology offers practical instruments for managing the
interchange of supply chain information. The duty of supply chain core
organizations to manage risks associated with the trade-off between greater
participation made possible by Internet connections and the dependability
provided by long-term relationships with a smaller group of suppliers who
have demonstrated their reliability is another crucial factor.

7.3. INTEGRATION
Vertical integration with contemporary cross-organizational supply chains
was the traditional method of commercial organization (Spekman & Davis,
2004). Of course, this also resulted in them accepting the risk that went along
with it, but at the time, the prevalent belief was that the more they managed
their operations, the more they could control the hazards. As a result,
enormous monopolies developed vertical supply chains that linked mines,
processing, transportation, and various types of production to various levels
of marketing. Facility siting was a factor in supply chain considerations.
The location of minerals determined where mines would be built, although
refining and other processing plants might be situated anywhere. In order to
balance costs, manufacturing is typically traded off against logistics costs for
moving raw materials to processing facilities or finished goods to customers.
The way business is done today is very different. Supply chain members have
replaced the vertically integrated company partnerships of the 19th and early
20th centuries with cooperative agreements. Thus, supplier choice becomes
crucial in addition to facility location. Being more competitive is the main
goal, and as a result, services associated with the production of the products
are prioritized. Additionally, there is a focus on bringing specialists together,
with a dynamic integration of frequently separate companies cooperating to
provide goods and services. The distinction between goods and services is
fading, making the previous division of labor obsolete. Commoditization
of goods and services now takes into account factors like quality, delivery
efficiency, dependability, and risk in addition to price.

7.4. RISK MANAGEMENT


Risk management in supply chains has been prompted by global rivalry,
technological advancement, and the ongoing hunt for competitive advantage.
This is due to the addition of additional forms of risks to those present in
conventional vertically integrated firms as a result of the integration of
various organizations into the supply chain. These days, supply chains are
frequently intricate networks with hundreds of thousands of players. Both
the strategic level and the tactical level have made use of the expression.
In this way, risk management can go beyond simple asset preservation or
risk avoidance and instead concentrate on finding better ways and means
of achieving organizational objectives. The coordination and collaboration
of processes and activities across functions within a network of enterprises
are of relevance to supply chain risk management. Supply chains allow
manufacturing outsourcing to benefit from comparative advantages around
the world and expand the range of products. Inherent in this more open,
dynamic system are numerous risks. A process is a way to complete necessary
tasks. Risk is an ill-defined concept that calls for creative thinking about what
could go wrong. Taking that concept a step further, risk management creates
strategies for handling contingent hazards in the event that they materialize.
As with every company decision, the advantages of risk mitigation must be
evaluated against the costs of protection.
Operational risks and disruptions are two examples of hazards in supply
chains (Kleindorfer & Saad, 2005). Inherent uncertainties for supply chain
components including customer demand, supply, and cost are included in
operational hazards. Disasters such as meltdowns at nuclear power plants,
wars, and hurricanes provide a danger of disruption, as can economic
crises. Operational risks are the main focus of most quantitative studies
and methodologies. Disruptions are significantly harder to model since they
are more spectacular and less predictable. Planning for risk
management and responding to disruptions are typically qualitative. By
lowering inventory holdings, which act as a form of insurance against supply
disruption, manufacturing increases efficiency. Smart systems are frequently
blamed in the media for slow production. There were supply problems even
though safety inventories were bigger. Lean safety stock risks are likely more
than covered by the savings from lower inventory costs. Various strategies
can be used to mitigate supply chain risks. Typically, purchasing is given the
duty of maintaining supply continuity and cost management. At the expense
of greater inventory holding costs, buffers in the form of inventories exist
to help reduce risk. High transaction costs, protracted purchase fulfillment
cycle times, and pricey urgent orders are the results of traditional practice,
which relies on excess inventory, many suppliers, expediting, and frequent
supplier changes. More visibility in supply chain operations is made possible
by newer risk management strategies, which incorporate tactics like supply
chain alliances, e-procurement, just-in-time delivery, greater coordination,
and others. Although there may be greater costs for the items and more
security concerns, supply chain risks are decreased. Supply chain risk
involves both strategic and tactical components. Strategically, a network of
supply chain actors can help to improve the control of supply risks through
initiatives like locating backup sources of supplies during emergencies.
Demand can be moderated to some extent through tactics like rollovers and
product pricing. Strategically, more product variety can guard against product
hazards. Systems that increase information visibility among supply chain
participants can also help people better manage risks. Choosing a supplier
and allocating orders are examples of tactical options. Other tactical choices
include product promotion, information sharing, vendor-managed inventory
(VMI) systems, and cooperative planning, forecasting, and replenishment.

7.5. OUTSOURCING
The outsourcing (Figure 7.3) of non-core services offers cost benefits to
supply chain core firms. Supply chain networks are impacted by a number
of things (Cho & Chan, 2015). Along with options for network design
and interactions, choices must be made about which sources to use, how
to distribute orders, and what contractual arrangements are necessary.
An efficient supply chain network must be configured, have products
assigned to facilities, customers assigned to the appropriate facilities, and
production and shipping volumes and schedules planned for each facility.
In 2003, an electrical grid failure in the northeast of the United States left
50 million people without power for around 30 minutes, extending from
Ohio, Pennsylvania, and New Jersey up through Ontario, Canada. Passenger
rail transportation, international air travel, and financial markets were all
disrupted; however, essential services were kept running by the 20% of the
electrical system that was still operational. Ohio power lines being struck
by trees caused the outage, it was said (Coleman, 2019). Other catastrophes,
such as hurricanes, earthquakes, terrorism, and political instability, will
significantly disrupt supply systems.

Figure 7.3. Outsourcing.

Source: https://cdn.wallstreetmojo.com/wp-content/uploads/2021/10/Steps-To-Outsourcing.jpg.


Demands, supplier yields, lead times, and cost uncertainty are operational
risks in order allocation in the supply chain. As a result, not only do certain
suppliers need to be chosen, but regular purchases from them also need to
have quantities set. While supply chains offer their members a number of
beneficial advantages, they can also lead to coordination issues. Coordination
of information systems can mitigate some of the negative effects, but profit
sharing is still a concern. A few of the risks that producers face include
shifts in demand due to a variety of factors. Despite having one of the most
regular demand patterns in the world, the food business still experiences
fluctuations in the demand for particular products. Recent concerns about
the safety of food, particularly spinach, cherry tomatoes, and many other
grocery items, have had a significant impact on this demand. The global
concern over mad cow disease persists, particularly in South Korea and
Japan. Variety is a good way to control product risk and can be utilized to
gain market share and cater to different market segments. The fundamental
concept is to diversify products to cater to the unique requirements of each
market group. Even though it is anticipated that this will improve profits
and market share, it will also result in higher manufacturing and inventory
costs. Dell’s make-to-order method is one solution to address the possible
inefficiencies in product variety. Until an order is received, this method
avoids wasting time or money assembling a product. Dell has an extremely
adaptable production structure that enables them to produce on demand,
which has proven to be a very profitable core competency. Additionally,
they don’t squander money on inventory, but they do cause inventory issues
for their suppliers who must deliver items immediately. In the retail sector,
Walmart has also been quite effective in this regard.
Today’s prosperous retail businesses prioritize providing excellent
customer service. Retail companies can offer better services that are used
throughout supply chains. To manage supply networks, many different
control schemes have developed (Guo, Zhang, & Gao, 2020). The iconic
bullwhip phenomenon was caused by the conventionally disorganized supply
chains of the 1980s, which lacked information sharing and independent
inventory management systems. The bullwhip phenomenon results from
an overestimation of demand brought on by the irregularity of orders from
supply chain components further down the line. Increasing information
sharing throughout the supply chain was a logical first step to take in order
to reduce the inefficiencies brought on by the bullwhip effect (Chen, Liao,
& Kuo, 2013). The advantages of better forecasting and production planning
have been proposed as solutions in a short-season environment. Systems
for sharing and coordinating information that are more comprehensive have
also been suggested. Information sharing, which includes action plans to
enable forecast alignment for long-term and capacity planning, is the first
sort of cooperation among supply chain participants to reduce bullwhip
risk. By increasing visibility, this planning makes demand more predictable.
Faster information sharing across businesses has not, however, been without
its challenges. Slow item-level replenishment and slow order placement
are issues. An order could be placed in this complicated setting even after
a product has been sold. Additionally, big shipments are frequently used
for the delivery of tiny things, which might cause issues. Short lead times
and strict service-level criteria put a strain on the supplier’s ability to react
quickly. Most of the advantages of a well-managed inventory system are
also eliminated by preventing such stock-outs through bigger stocks.
In VMI (Figure 7.4), the supplier is in charge of overseeing a retailer’s
inventory. This is a common sight in supermarkets (Beheshti, Clelland, &
Harrington, 2020). Up until it passes the checkout counter, businesses like
Pepsi, Coke, and well-known potato chip manufacturers are the owners of
the item. Thus, the supermarket acts as a middleman between the producer
and the customer. The producer has more control over product placement
through VMI, and they typically sign agreements that limit competition. We
can refer to this as channel coordination. The supplier manages the stock at
the shop based on sophisticated information obtained through electronic data
exchange (EDI) or the Internet. VMI has been proved analytically to perform
better than conventional supply chain systems. VMI, which outperforms
conventional local inventory management, maximizes the supply chain’s
overall revenues. Consolidating shipments can help VMI become more
efficient. Additionally, it enables retailers to increase the range of goods
they provide in a specific retail location, enhancing brand profitability
for both retailers and vendors. Many businesses have started using VMI.
However, VMI has occasionally been given up. Insufficient visibility across
the entire supply chain is one potential problem. When producers provide
significant quantities of often renewed products under somewhat consistent
sales conditions, VMI has been found to operate well. These conditions
may result from advertising. Additionally, it has been discovered that VMI
performs better when customers are less likely to buy alternatives in the
event of stock shortages.


Figure 7.4. Vendor-managed inventory.

Source: https://www.refrigeratedfrozenfood.com/ext/resources/Technology-Showcase/Technology-Showcase3/PathGuide-VMI-Lifecycle-feature.jpg?1558621068.

The bullwhip effect (Figure 7.5), however, which affects standard retail
inventory control, causes excessive stocks when demand volatility is strong.
However, VMI can perform worse than conventional retailer-managed
inventory when replacement is desirable. Continuous replenishment (CR)
is an automatic replenishment program where a supplier replenishes a
retailer’s inventory based on the retailer’s stock level information and actual
product usage data. Larger shops in the US and the UK have adopted CR
since it was first tested by Walmart in 1995 (Shi, Katehakis, & Melamed,
2013). Suppliers can base inventory decisions on sales projections rather
than fluctuations in inventory levels. By requiring supply chain participants
to exchange more data and information, as well as to adopt standard
methods and performance metrics, CR improved VMI. This encouraged
group decision-making, responsibility, and performance-based incentives.
Inventory turnover and customer service levels have both been said to have
improved under CR. However, CR still has the potential to have gaps because
it may not always represent stocks across the whole supply chain. The main
aspect of CR that is missing the most is manufacturer forecasts of upcoming
retail events. Manufacturers appear to be receiving excess inventory from
retailers and distributors. While CR enhanced VMI, additional advantages
were also accessible.

Figure 7.5. Bullwhip effect.

Source: https://media-exp1.licdn.com/dms/image/C4E12AQH6nG3mSIPJ0g/article-cover_image-shrink_600_2000/0/1600748417337?e=1658361600&v=beta&t=MNQYSsHsws_tipon3BEtvmqK5KjknslYSTJruYGgbZQ.

To delay the point of product differentiation, postponement relies on
design principles including standardization, commonality, and modular
design. Based on overall demand, a more generic product is created, with
customization applied to specific goods later in the production cycle. This
makes it possible to respond to unique product demand in a more flexible
manner. This approach, which has also been used by Xilinx,
Hewlett-Packard, and Benetton, was demonstrated by Nokia’s response to the Philips
fire in 2000. Postponement increases product flexibility and a company’s
capacity to manage suppliers. To benefit from safety stock for important
products without incurring the cost of having large stocks for all things,
strategic stock is used. Examples include Toyota, which stocked cars at
important distribution points to guarantee a plentiful supply in specific
areas which did the same with appliances. This enables improved customer
service standards without incurring exorbitant inventory holding expenses.
The Centre for Disease Control employs similar tactics for purchasing
medical supplies. Increasing product availability through strategic stocks
enables speedier response. Through a variety of vendors, the flexible supply
base strategy reduces the risks associated with exclusive sourcing.
Hewlett-Packard produced inkjet printers at facilities in Singapore and Washington
State, using the cheaper Singapore facility for base volume and the more
expensive Washington facility for unpredictable demand. By enhancing
supply flexibility, it has made it possible for some volume slack to be used
to deal with supply disruptions. The make-and-buy approach is conceptually
similar to the flexible supply base strategy; the difference is that it also
considers external production as a potential source of supply. This was
Hewlett-Packard’s approach while manufacturing DeskJet printers, which
were mostly outsourced to a Malaysian manufacturer with some production
taking place in Singapore. This idea is famously used in fashion apparel by
Zara. The advantages are identical to those of a flexible supply base.

7.6. PRODUCTION
Even if production cannot be transferred, economic supply incentives can
be applied. Due to uncertain demand and government pricing pressure,
the supply of a certain type of flu vaccination on the U.S. market was
curtailed. A bacterial contamination in one of these companies’ production
lines caused them to be discontinued in October 2005, which resulted in an
anticipated shortage of 48 million flu injections and subsequent rationing
to high-risk populations. Economic supply incentives could encourage
more involvement in this market, preventing shortages in the future. A
similar situation is Intercon Japan, which has a monopoly relationship with
one major supplier. Intercon Japan provided Nagoya Steel with financial
incentives, including minimum order quantities, technical guidance, and
market demand data, to help them create a new steel method for producing
cable connections (Tang & Tomlin, 2008). By maintaining price pressure on
its original supplier, Intercon Japan was able to expand product availability
and promptly modify order quantities. An approach that ensures delivery is
flexible transportation. There are many methods to do it, including using
multimodal transportation. Seven-Eleven Japan urged its logistics partner
to diversify by establishing a network of ships, helicopters, motorbikes,
bicycles, and trucks. This made it possible for Seven-Eleven Japan to send
rice balls to Kobe earthquake victims quickly in 1995 (Chopra, 2017).
Transport using many carriers guarantees a constant flow of commodities.
When faced with regional political upheavals, alliances of cargo planes have
been able to swap carriers rapidly and also enable less expensive delivery.
The third transportation tactic is the employment of various routes, which
enables momentary bottlenecks to be avoided.

7.7. STRATEGIES
Strategies for managing revenue include dynamic pricing and promotions.
Revenue management gives the company more control over product demand,
allowing it to influence the products that customers choose. An approach
based on anticipating consumer product demand based on display position
is called dynamic assortment planning. By regularly manipulating product
positioning, supermarkets are able to exert more control over consumer
demand. The gradual leakage of new items without official announcements
is known as silent product rollover. Instead of requesting products that have
been discontinued or run out of supply, this encourages customers to choose
things that are still in stock. Swatch, which only creates products once, and
Zara, which quietly introduces new fashion lines, are two examples of this
method in action. All items can be substituted for one another, which makes
it easier to deal with demand fluctuations and supply or demand disruptions.
It is helpful for firms to start by determining their level of risk tolerance.
No company is immune to danger. They shouldn’t cover every danger with
insurance either. Organizations are designed to take on risks in situations
where they have the capacity to do so. They are unable to handle all risks,
therefore top management must decide which ones they expect to encounter
and which ones they are prepared to take on. All hazards must be taken into
account throughout the risk identification process. Within their sphere of
authority, each manager should be in charge of continuing risk identification
and management. A risk matrix can be created once the risks have been
recognized. The method of risk management is how those hazards that have
been recognized are controlled. The distribution of suitable responsibilities
according to roles determines how effective this procedure is. A high-level
group within the organization that keeps an eye on important new markets
and products can monitor it. The enterprise risk management structure must
work as intended, thus a systematic internal audit as part of the risk review
process is frequently contracted out to outside suppliers. In order to balance
risk and return, supply chain management requires numerous decisions.
Making decisions about sources to use, products to provide clients, and
appropriate delivery modes are all part of supply chain management.
Additionally, choices must be made on the kind of information technology
to buy, whether hiring a consultant is wise, which vendor the software will be
acquired from, and which kind of software will be used. Before describing the
straightforward multi-attribute rating technique for multi-criteria selection
decisions, I will first go over some fundamentals of creating hierarchies of
criteria.
An initially vague problem is transformed into a set of precise elements,
relations, and operations by structuring. Value serves as the objective in
the most basic hierarchy, with available options branching out from this
value node. When there are more branches coming from a single node
than a predetermined number, hierarchies typically incorporate additional
layers of objectives. According to cognitive psychology, people struggle to
assimilate too many different branches. Identification of the overarching
fundamental objective comes next. Combining particular essential goals,
such as lowering costs, reducing harmful health effects, and reducing harmful
environmental effects, can serve as the overall goal. Regarding essential
goals, means objectives should be mutually exclusive and exhaustive as
a whole. Decision-makers shouldn’t accept the options that are presented
to them. The traditional approach to solving an issue is to come up with
potential solutions before concentrating on goals. This approach frequently
assumes that decision-makers are forced to make only one of several
available options. It is proposed that a more successful strategy would be
for decision makers to use objectives to generate options based on what
they would like to accomplish and why objectives are significant. Numerous
other factors have been noted as having potential significance in supplier
management. Along with risk and profit, fundamental operational criteria
also include delivery performance, quality, and warranty performance.
Reserve capacity, supplier process competency, and labor relations history
are examples of process factors. Hazardous waste management, the ability
to reduce pollution, and the control of hazardous emissions are examples
of green factors. Segmenting suppliers can be used as a starting point for
choosing a supplier for a specific item as well as a tactical technique to help
suppliers boost their output.
As we’ve seen, supply chains offer a lot of potential dangers. To model
those hazards, one must take probability into account, which necessitates
the use of Monte Carlo simulation (Figure 7.6), an established analytical
method (Deleris & Erhun, 2005). Simulation models are collections
of presumptions about the connections between model constituents.
Simulations can be process or time-oriented. Utilizing probabilistic inputs
for components like demands, interarrival periods, or service times allows
for the inclusion of uncertainty. These probabilistic inputs require probability
distributions with specific parameters to be used as descriptions. The normal
distribution, the exponential distribution, the log-normal distribution, and
various other distributions can all be used as probability distributions. A
simulation run is a sample of the infinite population of outcomes that a given
model might produce. The quantity of trials is decided after a simulation
model is constructed. To verify simulation models and create simulation
trials, statistical methods are used. Spreadsheet programs like Excel can be
used to implement a variety of financial simulation models. Spreadsheet
models’ simulation capabilities can be greatly increased by using a variety
of commercial add-on packages that can be installed to Excel, such as
Frontline Solver, or Crystal Ball. These add-ons feature the ability to
correlate variables, quickly choose from standard distributions, aggregate,
and display output, and other helpful tasks. They also make it very simple to
reproduce simulation runs.
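
The simulation approach described above, as an added Python example that is not from the book: it samples normally distributed daily demand, a log-normal supplier lead time and a rare disruption with an exponential delay, then weighs the holding cost of a safety-stock buffer against expected shortage cost. Every parameter value and function name is an assumption constructed for illustration, and the fixed seed is what makes the run reproducible.

```python
"""Monte Carlo sketch of the safety-stock trade-off (added example, constructed inputs)."""
import math
import random
import statistics


def simulate_lead_time_demand(trials=5000, seed=42,
                              mean_daily_demand=100.0, sd_daily_demand=25.0,
                              lead_mu=math.log(10.0), lead_sigma=0.3,
                              disruption_prob=0.05, mean_disruption_delay=15.0):
    """Sample total demand over one replenishment lead time, once per trial.

    Assumed probabilistic inputs (illustrative values only):
      - daily demand: normal, truncated at zero
      - supplier lead time in days: log-normal, median 10 days
      - disruption: occurs with disruption_prob and adds an exponential delay
    """
    rng = random.Random(seed)  # private, seeded generator: same seed, same run
    samples = []
    for _ in range(trials):
        lead_days = rng.lognormvariate(lead_mu, lead_sigma)
        if rng.random() < disruption_prob:
            # expovariate takes the rate, i.e. 1 / mean delay
            lead_days += rng.expovariate(1.0 / mean_disruption_delay)
        days = max(1, math.ceil(lead_days))
        demand = sum(max(0.0, rng.gauss(mean_daily_demand, sd_daily_demand))
                     for _ in range(days))
        samples.append(demand)
    return samples


def evaluate_safety_stock(samples, safety_stock, base_stock=1000.0,
                          holding_cost=2.0, shortage_cost=20.0):
    """Score one buffer size against the simulated lead-time demand.

    base_stock covers the expected case; safety_stock is the extra buffer.
    Costs are per unit and are assumptions, not figures from the text.
    """
    on_hand = base_stock + safety_stock
    shortages = [max(0.0, demand - on_hand) for demand in samples]
    stockout_prob = sum(1 for s in shortages if s > 0) / len(samples)
    expected_shortage = statistics.fmean(shortages)
    expected_cost = holding_cost * safety_stock + shortage_cost * expected_shortage
    return {
        "safety_stock": safety_stock,
        "stockout_prob": stockout_prob,
        "expected_shortage": expected_shortage,
        "expected_cost": expected_cost,
    }


def cheapest_safety_stock(samples, candidates):
    """Return the candidate buffer with the lowest expected total cost."""
    return min(candidates,
               key=lambda ss: evaluate_safety_stock(samples, ss)["expected_cost"])


if __name__ == "__main__":
    demand_samples = simulate_lead_time_demand()
    options = (0, 250, 500, 750, 1000)
    for option in options:
        result = evaluate_safety_stock(demand_samples, option)
        print(f"safety stock {option:5d}: "
              f"P(stockout)={result['stockout_prob']:.3f}  "
              f"E[shortage]={result['expected_shortage']:8.1f}  "
              f"E[cost]={result['expected_cost']:9.1f}")
    print("lowest expected cost at:", cheapest_safety_stock(demand_samples, options))
```

Because every buffer size is scored against the same sampled demands, differences between rows come from the buffer alone and not from sampling noise.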

Figure 7.6. Monte Carlo simulation.

Source: https://kanbanize.com/wp-content/uploads/website-images/kanban-resources/monte-carlo-when-explained.png.

Although supply chain networks bring significant economic advantages,
there are related risks as well. These risks can be caused by a variety of
things, such as industrial mishaps, geopolitical unrest, natural disasters, and
market failure. Based on historical statistics, some of these dangers can be

本书版权归Arcler所有
Supply Chain Risk Management 177

explained in terms of probability distributions. Others call for a subjective


evaluation from experts who can be located. A good method for modeling
outcomes from inputs that are stated probabilistically is Monte
Carlo simulation. Analysis of the trade-offs between costs and support levels
is necessary for planning. Each of these risks had unique requirements for
logistical support as well as vulnerabilities. Mission severity, which reflects
the level of enemy activity and the physical characteristics of the terrain,
and magnitude are important factors. The mission intensity closely relates
to the amount of logistical support required. Numerous tools have been
developed in risk management to assess the likelihood of loss. The process
of identifying, evaluating, and prioritizing risks, followed by a coordinated
and cost-effective resource application to reduce the likelihood and impact
of unfavorable events, is known as risk management. This is a thorough
understanding of risk management that addresses all potential threats to a
company. It is a fact that one must assume some risk in order to expect
payment or profit. The secret to effective risk management is to pick the
risks that you can control and find a means to decrease, eliminate, or insure.
When faced with a problem that can be solved by a linear function
according to a set of linear constraints, linear programming (LP) offers the optimal, or best possible
solution. These and other significant operations management issues can be
modeled using linear programming to find more effective business practices.
Even while LP has many advantages, it has a somewhat high cost because
it can only be used to simulate specific categories of choice problems.
Usually, this entails putting scarce resources to alternative purposes. The
choice issue must be written in linear functions, which has the disadvantage
that since the optimal answer is sought, even little changes in the assumed
coefficient values might have a significant impact on the final solution.
Models for linear programming comprise variables and functions in terms
of these variables, as well as functional constraints. To create an LP model
of It is typically easy to focus on the decision to make in a decision problem.
Things that the decision-maker can control commonly used controls the
proper decision-making parameters. Typically, that will profit. The variables
are the decision-maker’s own problem components.

7.8. VARIABLES
Variables are the elements that can be changed to enhance the objective
function. Usually, they are factors that the decision-maker can influence, like
production levels. They may be the sources chosen or the designated transit
routes in supply chain scenarios. A mathematical statement that measures
something in terms of the variables is called a function. An illustration of a
function is profit. Risk is another illustration. Planners must make sure that
tank farm stockpiles don’t fall too low, endangering the output of the paper
mill. The comparatively cheap inventory keeping cost of slurry helps with
this. However, a lot of tank farm storage space is needed for this. Due to its
high density, slurry can be transported on ships with greater volume capacity.
This makes things more difficult because ships need to be at least 60% full
to prevent harmful cargo splashing in bad weather. Demand and supply
uncertainty is a significant risk issue (Wang & Jie, 2020). This necessitates
routine plan changes. Ships may be delayed by adverse weather or diverted
by spot market activity on the supply side. Demands are unknown principally
due to the variety of supported paper products and the resulting shift in the
product mix of slurry. The system was credited with savings of around $7
million annually, which are anticipated to rise with corporate expansion.
It also boosted predictability and flexibility throughout the supply chain.
Additionally, the DSS allowed the company to avoid making new capacity
investments and lower overall oil usage by more than 10%. The system also
allowed for quick preplanning to handle ship delays, equipment failures, and
other interruptions.
Four entities and a number of data items make up the information
flow in disaster management. The entities consist of a group of human
planners and responders who are assisted by three models of mathematical
programming. The readiness phase used a stochastic programming model
to handle four inputs like disaster scenarios, transportation conditions,
demand projections, and warehouse parameters and produced recommended
inventory levels by supply item as well as suggested warehouse facilities.
The human planning and reacting team received this information and revised
the stochastic programming model in light of hospital priorities. A mixed
integer programming model was used to produce transportation plans using
the output from the updated stochastic programming model (Haug, 1985).
The reaction phase mixed integer programming model used supply, demand,
and transportation conditions data along with additional priorities from the
human team to create transportation plans. This collection of metrics was
put up as a way to connect intangible assets to shareholder value production.
Scorecards, which put a focus on strategic objectives and metrics, have been
used successfully in many corporations and public institutions. The financial
viewpoint can be used to track the performance of particular outsourced
suppliers in terms of their financial and market share metrics. This would
necessitate contracts granting the core supply chain vendor access to the
internal data of the outsourcing provider, which could be troublesome.
The outsourced vendor should handle internal operations, and if they
hesitate, you should go back to the outsourcing market to find a successor.
The performance of the outsourcing provider can be tracked in terms of
service delivery from the viewpoint of the client. It is possible to undertake
joint initiatives to improve processes and increase lines. The primary supply
chain organization can also keep track of how much of their volume is
allocated to each external vendor. To reduce the danger of the outsourcing
vendor failing, it would be wise to keep the volume ratio to each vendor
within the permitted upper limits. You might once more go back to the
market to identify substitute supplies in that eventuality. Potential infiltration
is also present when measuring the outsourcing company’s internal business
activities. The problem is the same as it is from a financial standpoint. The
core supply chain organization may occasionally be able to measure specific
technological and industrial facets of the outsourced vendor through the
development of close contractual connections. In general, it appears better
to let the seller handle these issues. Innovation and learning make up the
last aspect on the balanced scorecard. From the perspective of the primary
supply chain organization, these variables seem appropriate to measure. All
participants in the extended supply chain will benefit from collaborative
efforts to engage with outsourced vendors. The main notion is that the
organization can monitor these metrics over time to obtain a thorough
picture of all four organizational performance views.
To track the effectiveness of the enterprise in strategic decision analysis,
different types of scorecards such as company-configured scorecards or
strategic scorecards have been suggested to integrate into the business decision
support system or expert system. Taking risks is essential to conducting
business, even though they must be handled. Profit, by definition, necessitates
taking some risk. At Mobil, Chrysler, the U.S. Army, and countless other
corporations, scorecards have been successfully used in conjunction with
risk management. A wide range of elements with the potential to have an
impact on an organization’s operations, procedures, and resources make
up enterprise risk. Economic change, changes in the financial markets, and
risks in the political, legal, technological, and demographic contexts can
all have an impact on external factors. While most of these are out of a
particular organization’s control, they can be prepared for and protected
from using tried-and-true methods. Among other internal hazards, these
include production disruption, fraud, system failure, and human mistake.
Systems are frequently believed to be in place to identify and manage risk,
yet for a variety of reasons, erroneous data is produced. Other applications
of the balanced scorecard as instruments for measuring performance from a
bigger, more strategic viewpoint have also been shown. Internal auditing in
accounting and governance of mental health both use balanced scorecards.
In supply chains for shipping, ports are clearly important. The
management of ports can be crucial in facilitating processes that affect
businesses and governments that depend on customs duties and need to
promote economic activity. Cargo movers are businesses that have the tools
and infrastructure necessary to carry out the physical labor involved in
imports and exports. For trade activity to function, knowledge management
is crucial. EBITDA gauges profitability, which is crucial for businesses in
the port industry to keep an eye on (Alcalde, Lopes Fávero, & Takamatsu,
2013). Asset profitability is measured by ROA. These financial indicators
offer a way to spot any system flaws. Traffic expansion is one of port clients’
strategic goals. Indicating profit or a loss before taxes, GVA calculates
the difference between a company’s inputs and outputs. An indicator that
measures cargo transported in by volume is mean terminal productivity.
Trucks transporting and/or receiving cargo are delayed on average by
gate attention. The outcome of exploitation gauges a company’s annual
operations. The daily approval rate of electronic documents focuses on the
ratio of approved to total documents as well as the number of documents
that are approved in a single day. Exploitation was considered as having a
negative impact on average gate attention and mean terminal productivity,
whereas a larger percentage of authorized electronic papers was seen as a
contributing reason to an increase in average gate attention. Mean terminal
productivity was thought to have a favorable impact on both traffic flow and
GVA. The average gate attention rate was considered to be helpful in raising
GVA. Improved traffic movement was thought to have a good effect on
ROA, whereas GVA impact was thought to have a role in boosting EBITDA
(Banerjee & Gupta, 2017).

7.9. SCORECARD
The balanced scorecard was used to evaluate overall performance in a
petroleum supply chain. Traditionally, the emphasis has been on financial
indicators, but a firm’s sustainability does not solely depend on its ability
to be profitable (Martinsons, Davison, & Tse, 1999). Financial metrics are
not directly tied to operational effectiveness or strategic performance in any
way. The structure for balanced scorecards was modified to fit a petroleum
supply chain. Features in petroleum supply systems necessitate a specialized
study. It is well known that crude oil prices fluctuate, necessitating
flexibility on the part of those involved in the petroleum supply chain. The
preservation of crude oil quality is crucial. Similar multi-criteria analysis
has been suggested by others to improve supply chain balanced scorecards.
By enabling a single number for entire organizational performance, as in
the construction example, this version of the balanced scorecard was meant
to give a more comprehensive application. Here, comparing organizational
performance with that of rival organizations from each aspect was a specific
goal. A quoted price with an exchange rate distribution, a probability of
product failure, a probability of company failure, and a probability of
political failure were all taken into account in that scenario.

CHAPTER 8
SUSTAINABLE BUSINESS AND RISK
MANAGEMENT

CONTENTS
8.1. Introduction
8.2. Risk
8.3. Goals
8.4. Managers
8.5. Factors
8.6. Assessment
8.7. Activities
8.8. Processes


8.1. INTRODUCTION
An entirely new set of business regulations that have a significant impact
on the long-term sustainability of organizations has been imposed by the
turbulent and uncertain economic and political climate. In this situation,
firms have begun concentrating on cost-cutting and risk-management
measures to gain a competitive edge (Brillinger, Els, Schäfer, & Bender,
2020). Only companies with a strong infrastructure, a healthy workflow,
and effective procedures that are interconnected throughout the organization
can guarantee sustainable business performance. The interaction between
organizational processes must therefore be examined for risks, and if
processes are contracted out to a third-party provider, risks must also be
evaluated between the organization and the outsourced processes. Perils
that pose a threat to the organization are added to the risk handling strategy
after being detected, assessed, and analyzed, and resources are assigned to
take preventive measures. Failure Mode Effects Analysis is one of the most
effective risk assessment techniques now in use, mostly in the engineering
and medical sectors. By creating a process for regulating risks and evaluating
if threats are impending, this strategy greatly lowers the expenses associated
with handling risks (Figure 8.1).

Figure 8.1. Sustainable business and risk management.

Source: https://sustainableenviro.com/media/sites/2/2018/10/Managing-Food-System-Sustainability-Risk-1080x551.jpg.


8.2. RISK
Risk appetite, risk tolerance, and the organizations’ response to risky
situations were all assessed in order to prepare for conversations about risk
assessment in SMEs and major corporations. Based on data gathered during
interviews with managers and specialists with experience in risk assessment-
related fields across various business sectors, the comparative analysis
between the two types of organizations and the relationship between risk
assessment and the organizational context were conducted. Results from
interviews with managers and CEOs were used to accomplish goals relating to
risk identification and determining the function of performing risk assessment
at the interaction between business processes in organizations and between
the organization and outsourced business processes. Based on feedback from
managers who have adopted or are testing the proposed risk assessment
model, follow-up surveys were used to validate the model and assess its
effects. In today’s fiercely competitive business environment, managing a
business requires new guidelines (Paxson, 1992). Even though the operational
level is where the majority of the risks relating to business sustainability are
created, managers must still keep an eye on and maintain control over all
business operations in order to successfully implement new strategies that
guarantee the organizations’ competitive advantage or, in some cases, even
business survival. An increasing number of firms create strategies employing
the process method to balance performance metrics amid financial crises.
Business processes are groups of interconnected, interacting tasks that convert
resources or inputs into outputs. Each process is planned as a component
of a workflow that is monitored and regulated in order to add value to the
organization. To accomplish business goals and support the organization’s
mission and vision, business processes connect people, expertise, and
technology. Research on techniques for developing, implementing, carrying
out, and monitoring process activities has been done in-depth.
To ensure that information is accessible throughout the organization,
organizations must update and maintain standard operating procedures as
well as other documents pertaining to applying processes in accordance
with the established approach. Documentation and control procedures
frequently relate to requests from clients or other interested parties or to
legal requirements. In order to ensure business sustainability, measuring the
critical performance indicators and developing strategies around the same
variables are no longer sufficient. As a result, organizations have begun
concentrating on managing processes and changing objectives in accordance
with process results. Depending on how closely they are integrated into the
process of creating customer value or how the organization is structured,
business processes may contain either core or supporting activities. Every
process gathers and changes inputs to produce results that add value in
accordance with corporate goals. Across the organization, interactions
between processes happen despite structural departmental barriers. The
goals of the marketing and sales operations are to meet customer needs
while making a profit when selling goods and services. Pricing, quantity, and
timeline are all factors that must be taken into account, as well as planning
costs, production time, market launch time, and productivity. Sales activities
entail preparing and providing goods and services directly to the customer.
Market share, turnover, client satisfaction, number of business
partnerships, number of repeat customers, number of new clients, number
of clients placing a single order, marketing campaign effectiveness, and
marketing risk levels are among the business performance indicators related
to marketing. Performance indicators for sales activities include risk levels,
mounting and service expenses, storage costs, non-conformity charges,
and delayed deliveries. Clients, creditors, competitors, and shareholders are
the key external environments with which an organization interacts. Within
the company, processes carried out by senior management, the contract
management team, and the quality assurance team all interact with marketing
and sales processes (Piercy, 2010). Risks in marketing and sales are typically
associated with not meeting customer needs and requests, delaying production,
giving customers incomplete presentations of products or services, or having
a poor external communication system. These risks can result in client loss,
fines, lower turnover, lower sales volumes, and even legal action.

8.3. GOALS
The primary goals of the contract management team are to create performing
contracts while meeting the needs of the clients and adhering to laws and
regulations. The important performance indicators concern total contracted
value, offering process performance, and process risk levels. A contracting
team and a legal team are typically included in the contract management
department to guarantee that all contracts are compliant with the law. The
department uses checklists, the Pareto analysis, risk assessment, and risk
management as approaches for achieving business objectives. The primary
process interactions are with business procedures that senior management,
the marketing, and financial teams are responsible for executing. Risks
associated with contracting might be related to undetected or unquantifiable
requirements that result in higher expenses, disgruntled clients, or even
lost business. Consequences of breaching contracts, such as higher prices,
delayed delivery, or unhappy clients, can be taken into consideration as
significant risks (Johnson & Sohi, 2016). Turnover, profit, payroll
headcount, return on equity, and risk levels are crucial performance
metrics related to financial processes. Other management techniques, with
the exception of financial risk management, are based on the financial
indicators that are computed and examined. All organizational activities,
including those carried out by senior management, contracting, purchasing,
and manufacturing processes, are impacted by and directly interact with
financial processes. The procurement process, which ensures procuring
goods and services from the outside environment, entails sub-processes like
assessing, choosing, and overseeing suppliers; validating the obtained goods
and services; and managing outsourced services. Reducing sourcing costs
and procurement time, ensuring that stockpiles correspond to needs, and
forging relationships with suppliers are the processes’ goals. Cause-and-
effect analysis (Figure 8.2), Pareto analysis (Figure 8.3), checklists, and
team analysis are the primary management techniques.

Figure 8.2. Cause-and-effect analysis.

Source: https://www.isixsigma.com/wp-content/uploads/images/stories/migrated/graphics/394a.gif.


Figure 8.3. Pareto analysis.

Source: https://www.cec.health.nsw.gov.au/__data/assets/image/0005/341285/Pareto-1.png.

Risks could arise if only one supplier is considered and chosen, which
could lead to higher costs, delayed delivery, and unhappy customers.
Another significant risk that contributes to lower sales and delayed
deliveries is delayed procurement. Other procurement risks include failing
to specify acceptance standards for goods and services and working with
unqualified suppliers, which can result in higher production costs, defective
goods, late delivery, and unhappy customers. The greatest risks are those
associated with flaws and errors that customers report that could result in
complaints. Another production-related risk that negatively affects sales is
delayed deliveries. Other hazards include work accidents that can result in
losing authorizations, declining sales, and losing market share, as well as
manufacturing infrastructure failures that cost money to fix, cause delays
in deliveries, and pollute the environment. Client complaints and reduced
delivery capacity may result from operating with non-compliant or outdated
materials and equipment, employing erroneous product specifications, and
not allocating enough time for verification methods.


The risks that have been discovered can be related to creating non-
compliance, including selling non-compliant items to customers and
turning them into flaws that result in higher expenses, delayed delivery,
and complaints. Other hazards include slow control procedures, delayed
procurement, and client loss as a result of ineffective controls. Products can
be provided with flaws due to unqualified vendors and mistakes in defining
compliance standards for goods and services. Organizational workflows
can be recognized horizontally as procedures linked between departments
as well as vertically as they move from one organizational level to another
(Mendling & Hafner, 2005). Process owners and managers continuously
detect, analyze, and send feedback regarding all process interactions in order
to optimize workflows. The objectives of the organization determine how
organizational business processes interact with one another. This feedback
mechanism ensures that reports are sent from the operational level to the
strategic level, where managers make decisions and create strategies based
on the information they have received. Then, process owners and department
managers put operational plans into place, watch over, examine, and report
on performance indicators linked to the process’s outcomes. As a result, the
process manager is the owner of all process interactions and is responsible
for ensuring their effectiveness while evaluating and managing risks that
may arise at this level. Sharing findings with other process managers and
offering comments is another crucial task for process managers. When
employing the process approach, information about detected and evaluated
risks at each process interaction should also be communicated because there
may be major hazards that endanger the success of the business.

8.4. MANAGERS
Managers can now pursue profitability through higher revenue or
profit margins and boost corporate value by extending their businesses
internationally. Management plans are created with the target markets’
business environments in mind while entering international markets.
Countries and organizations are now interconnected. Organizations have
expanded their operations globally in one of two ways: by exploring new
markets or by outsourcing their operations. To cut manufacturing and service
expenses and boost income by focusing on new global market segments,
corporations must investigate and comprehend international business
environments as well as the key distinctions between their own country and
the nations where they intend to outsource procedures. Although they have
extremely different economies, cultures, and working conditions, advanced
regions like the United States and Europe can be vital markets and provide
significant outsourcing prospects, as can newly growing nations like China
and Africa. Businesses have been moving manufacturing and outsourcing
services to low-wage nations, but knowledge-intensive business services,
such as highly specialized production and services or research and
development (R&D), have not been outsourced.
Managers must first define the organization’s mission, objectives,
strategies, and tactics in order to secure the organization’s mid- and
long-term sustainability and development beyond trade borders. The
organization’s purpose must reflect the management direction and vision
of the organization and must be tailored to the local market of the foreign
country (Lee & Faff, 2009). Managers have been compelled to re-evaluate
plans and include goals that guarantee business sustainability due to changes
in the global business environment. Department managers typically prepare
tactics, which are related to how strategies are carried out. When creating
management strategies, opportunities and threats are taken into account
in addition to strengths and weaknesses. This model considers the threat
of new competitors, the threat of substitutes, the bargaining power of
customers, the bargaining power of suppliers, and industry rivalry. Finding
new manufacturers or service and support providers is typically involved
in relocating procedures, which must take into account both internal and
external variables.
Each procedure that governs interactions with the new business partners
while taking into account language, culture, shared goals and objectives,
trust, human rights, expectations, and risks must be assigned responsibility
and managed through communication. In order to construct the contract,
senior management manages the connection with the outsourcing company,
conducts discussions, and establishes norms and expectations. Employee
resistance to change and conflicts of interest must be dealt with by talking
with the staff and outlining the dangers, newly allocated jobs, and protocols
as well as how this change will affect them. In order to meet the specified
performance indicator values, the client company establishes its own
objectives, goals, strategies, structures, and protocols, while the outsourced
supplier tailors its activities to the regional business environment. The major
reasons why third-party providers change goals and tactics and reduce the
influence of client businesses are failure to align expectations and failure to
consider how different business settings differ from one another. Reshoring
and back sourcing have gained popularity in recent years. New rules brought
about by political and economic dynamics have had an impact on outsourced
solutions and shown that outsourcing decisions were unsatisfactory.

8.5. FACTORS
The key factors driving back sourcing decisions are service quality, rising
wages and transportation expenses, as well as flexibility. Managers must
first examine the causes of the outsourcing’s unsatisfactory results before
reshoring. There are two main reasons why managers have had to re-evaluate
their outsourcing decisions: poor communication and poor control. These
restrictions may make it impossible to manage business process interaction-
related hazards. Risk assessment continuously examines all influencing
factors to predict and anticipate potential changes both inside and outside the
organization. The determination of business goals and strategy often involves
conducting a risk assessment. To maintain sustainable performance and
boost profitability, quality assurance, and customer happiness, organizations
must recognize, assess, and manage the top impacting risks. Organizations
must develop new strategies for adjusting to the new obstacles in order to
meet corporate objectives in the current economic and political environment,
which has changed all business processes. In order to address new business
possibilities and prevent threats from materializing, it is necessary to conduct
a proactive risk assessment of the uncertainties associated with the changes
in the business environment. There has been a developing basic consensus
that systematic risk management is necessary to address these difficulties.
The most frequent new risks are high risks with low probability of
occurrence, which can result in global supply chain disruptions, market
segment losses, unsatisfactory outcomes of outsourced or offshored
company activities, and even insolvency or bankruptcy. Although there
are various operational risk assessment techniques accessible, many
academicians and experts concur that these tools and approaches have not
been synthesized into a comprehensive management system. As reactionary
responses to risks that have already manifested as unfavorable events,
organizations adopt firefighting strategies; nevertheless, these techniques
are incredibly ineffective and have significant drawbacks in terms of
money, labor, and time. In order to accomplish company goals and maintain
sustainable performance, risk assessment must be carried out proactively
as a collection of integrated operations with the common objective of
monitoring, regulating, and managing risks. Sustainability is intricate and
multifaceted, encompassing a wide range of issues such as stakeholder
satisfaction, habitat conservation, energy use, and financial outcomes.
In respect to the expectations of stakeholders, sustainable performance
demonstrates corporate conformance, compliance, certification, and
reporting in accordance with set standards. Only when risks are managed
by the organizations and significant threats are avoided can sustainable
performance be guaranteed. On the other hand, risks can also result in gains
and be utilized as worthwhile business chances that significantly improve
the likelihood of long-term success for firms. The three most significant
business prospects are improving operational effectiveness, assessing risks,
and raising organizations’ performance metrics. Therefore, businesses may
assure sustainable performance by carrying out a thorough risk assessment
relating to their business processes and putting in place controls for the risks
that have been identified.
By examining potential courses of action, risk assessment is a process
that depends on interactions with all business processes and aids businesses
in setting priorities and making informed decisions. In order to get
dependable, consistent, and comparable results, the process necessitates a
well-structured, systematic, and accurate approach. This strategy makes a
significant contribution to assuring sustained performance. The key elements
that guarantee the effectiveness of risk assessment are leadership through
objectives, participative management, teamwork, and staff involvement
in reaching corporate objectives, as well as transparency and effective
communication. To underline the value of generating and preserving value
inside the firm as well as committing to attaining risk assessment-related
business objectives, standardized risk assessment guidelines have been
described in the specialized literature as well as by numerous companies.
Organizations must take into account their mission statement, corporate vision,
and organizational context in order to produce and preserve value.

8.6. ASSESSMENT
Identifying, assessing, and analyzing risks inside an organization is the goal
of risk assessment, which is a collection of coordinated tasks (O’Donnell
& Schultz, 2005). By providing information about risk profiles, including
risk source and impact on key performance measures, these activities help
people better comprehend risk. Managers may establish sound company
plans and make informed decisions with the aid of risk assessment. As a
result, risk assessment helps firms achieve their long-term goals and improve
their overall business performance. To produce consistent, comparable, and
trustworthy results that are long-lasting, the process needs a methodical and
structured strategy. Individuals responsible for standardizing and assuring
process efficiency through the evaluation of outcomes and the development
of standards, guidelines, and procedures take part in each phase of the risk
assessment process. Business management includes not just dealing with the
repercussions of not meeting goals, but also figuring out what led to the risk
materializing in the first place. This can be done reactively by taking into
account past risks that have already had an impact. The management team
must take a proactive stance and assess potential risks in order to avert risk
materialization. Resources must be set aside for risk identification, analysis,
and estimation before deciding to undertake risk assessment.
Risk assessment is important for accomplishing corporate goals and
should be taken into account at every stage of the decision-making process.
While risk management and assessment are crucial for an organization’s
long-term success, companies must constantly innovate and update
their procedures to deal with the ambiguities and shifts in the business
environment. Experts have been looking into new ways to reduce the expenses
associated with handling risks while also increasing the process’ accuracy
and efficiency over the past several years in an effort to avert the negative
effects of risk materialization. When determining risk levels, the FMEA
method offers considerable benefits for risk management and control, as
well as a significant cost reduction. This is crucial for achieving sustainable
company performance because it prevents resources from being wasted
controlling risks whose materialization conditions may never materialize.
Instead, they can be employed to produce solutions that provide value for the
organization. Examining potential benefits from risk management is another
development in the field of risk assessment. An unclear scenario may result
in both negative and positive outcomes. The FMEA method is generally
used in the engineering and medical sectors, and a risk assessment strategy
based on opportunities is not utilized as a standard in companies; thus there
are many opportunities connected to innovation in the risk assessment sector.
By identifying the circumstances that resulted in the materialization of
prior risks, as well as by inferring these circumstances based on the judgment
and expertise of specialists with risk assessment, it is possible to manage
the negative effects of risk materialization. Business performance indicators
are impacted by risk materialization, allowing businesses to identify the
circumstances that indicate a significant departure from expected values.
Risks can therefore be controlled by keeping an eye on the values of these
indicators, and a significant portion of the risks need not be included in the
risk handling plan. If business risks are not managed and risk assessment
findings are not put to use, sustainable business performance cannot be
guaranteed. By using risks as business opportunities, the risk assessment
process is made more effective and adds value for the organization, which has
a significant positive impact on sustainability and business performance. The
organization’s attitude toward risky circumstances, interest in assessing and
managing risks, and risk tolerance, which varies primarily by organization
size, all influence risk-taking. When making strategic decisions based on
the best information available, managers can get assistance from the risk
assessment process. Organizations must decide between an aggressive
strategy that entails taking risks in pursuit of new business prospects and
a defensive risk strategy that is focused on avoiding or managing risks.
For performance to be sustainable, risk assessment needs to be innovated,
improved, and used to address new opportunities brought about by risk
materialization. If the risks that have been identified are examined and new
business prospects can be realized, organizations also have the choice of
spending resources to force risk materialization. This approach can enhance
the outcomes of risk assessments and make them even more valuable as
management tools.
Numerous experts have discussed risk assessment methods, but the
process always involves choosing risk criteria and identifying risks before
doing risk analysis and evaluation to produce the risk profile. The risk
profile must take into account both the potential for negative and positive
effects of risk materialization in order to uncover new business prospects.
The organization is in danger from unacceptable or very high risks, but as
these risks might also present possibilities, they can also be seen as desirable
for corporate growth. In order to measure the impact of taking risks and
utilizing an offensive risk assessment method, it is important to consider
the influence on the business performance indicators. The stability of the
organization depends on managing the tension between an offensive and
defensive risk strategy. A risk assessment focused on sustaining corporate
performance maps both potential positive and negative outcomes of risk
materialization and strikes a balance between defensive and offensive risk
management tactics.
Making the most of both the favorable and unfavorable consequences
of risk materialization is essential to a strategy based on making strategic
decisions while taking into account threats and opportunities. Risks have a
distinct stake or cost for large corporations, therefore organizations like the
majority of large companies that only create defensive strategies to assure
self-protection will likely lose a lot of commercial chances. Organizations
can become unstable when they take chances to seize an opportunity and fail,
and the massive corporations’ lack of flexibility can postpone the return to
the initial condition, resulting in significant losses that cannot be recovered.
Entrepreneurs must make decisions about taking risks in order to assure
the survival of their businesses and the expansion of their organizations.
Organizations have begun spending additional resources to predict both
adverse and advantageous outcomes that occur from risk handling when
deciding between a defensive or aggressive approach when addressing risks.
Risk acceptance criteria are continuously examined, and the outcomes have
always varied from one business to another (Marhavilas & Koulouriotis,
2021).
Organizations have been driven by changes in the economic and
political climate to restructure goals, reduce expenses, develop new ways
to protect resources and assets, as well as to reconsider how they respond
to dangers. Managers were compelled to reevaluate performance indicators
and decision-making procedures due to the increased dangers that the
new challenges have brought with them. These risks now pose a threat to
the organizations’ continued existence. Numerous companies have gone
through various regimes and have consistently changed in order to adapt. By
establishing the legal framework required for entrepreneurs to begin building
businesses, democracy has immediately contributed to an increase in the
number of small and medium-sized businesses. Trade and commerce have
been facilitated by globalization, creating new opportunities for both huge
corporations and small and medium-sized businesses. Despite growth and
great accomplishments, bureaucracy, corruption, and the frequent changes
in politics and the legal environment have always been problems for the
Romanian entrepreneurs. Most major businesses have already included
risk assessment; senior managers and employees are heavily involved in all
procedures connected to risk assessment, including risk identification and
analysis, risk monitoring, and risk management. Comparatively speaking,
big businesses have started or concluded standard operating procedures and
have also started standardizing across divisions and regions. When designing
risk strategies and business growth plans, major firms are more focused on
using the results of risk assessments. This is crucial in order to make the most
of all the resources spent for risk assessment and to avoid any potential bad
outcomes should a risk materialize. Risk assessment is particularly sensitive
to changes in the organization and the business environment, whether it is
done manually or as part of an enterprise resource planning (ERP) program.
The quantity of resources allocated for the process can be influenced
significantly by stakeholders’ and senior management’s opinions on the
value of risk assessment. The research was done to highlight the significance
of the relationship between risk assessment and the organizational context.
Managers and experts from various industries were interviewed, and survey
data was also collected via email-delivered questionnaires. Any business
process must unquestionably have the support of all stakeholders, align
with the organization’s strategy and vision, and add value to the business.
The synergy between risk assessment and the organizational context has an
impact on risk assessment effectiveness and business performance. Due to
the unpredictability of the world economy, risk assessment has developed
into a crucial instrument for adjusting to ongoing changes in the corporate
environment. Since risk assessment has the capacity to alter organizational
hierarchies of accountability and responsibility, it necessitates a specific
approach to managing people and activities. Senior management makes
decisions on the budget in accordance with the organization’s strategy and
vision, so firms that are focused on the future can allocate more resources
for risk assessment development, such as investments in technology and
human resources. A successful risk assessment protects the organization’s
safety and stability, and maintaining a safe environment lowers staff stress
levels because employees have job security and don’t worry about missed
paychecks or the organization’s survival. Additionally, managers can use
the outcomes of risk assessments as strategic chances to produce positive
business results. An organization that seizes new opportunities, innovates,
and continuously evolves fosters a culture of brave, open-minded, and goal-
oriented individuals.
Business expertise, forecasting skills, and database research are necessary
for risk identification, analysis, and strategy-oriented risk handling; these
requirements can only be met by effective employees; therefore, a proper
and regular staff evaluation method is essential for ensuring the process has
the right people in place. Any business process requires teamwork, openness,
and communication since the organization reports and analyzes information
relevant to process results, and because final choices typically need a
leader’s approval. Building relationships with co-workers and upholding
open lines of communication are essential for the risk assessment procedure.
In order to properly process data and establish risk levels, personnel must
collaborate in order to detect uncertainties, generate estimates about the
likelihood that potential hazards will materialize, and assess their potential
consequences. Access to senior managers can be facilitated by visibility and
positive relationships with other team members. Since a large amount of
data must be continuously acquired, chosen, and processed in order to create
the risk analysis, the degree of automation can also have an impact on risk
assessment. Most respondents suggested using specialized ERP software
and assembling a dedicated team; nevertheless, risk assessment software is
particularly effective since it is quicker at analyzing historical hazards and
determining causes and effects, giving managers and specialists more time
for strategic planning (Henderson, 1992).
In order to detect uncertainties, risk assessment analyzes data pertaining
to the company. As a result, the organizational structure needs to be adjusted
to make it easier for people to communicate, access data, provide data for
risk assessment, and receive the results of risk assessment. Any business
process must be able to adapt to change. Risk assessment must be updated and
upgraded frequently in order to produce correct results; new developments
must be taken into account frequently; therefore, organizational slack has a
significant impact on this complicated and dynamic process. Additionally,
risk assessment allows more time to prepare for potential unforeseen
unfavorable outcomes by assessing risk levels. The organization’s structure
is also impacted by risk assessment because it necessitates access controls
and effective communication amongst all organizational functions.
Regarding creditors, the ability of the company to operate is crucial when
asking for a bank credit line or an extended payment period from a supplier.
Client satisfaction and long-term partnerships depend on effective risk
monitoring and control because clients, particularly partners and supporters
who occasionally base their entire activity on the goods or services provided
by the organization, have a significant impact on risk assessment and want
to ensure that production lines, outsourced services, or other services are
never stopped.

8.7. ACTIVITIES
By deciding the shareholders’ strategic activities and affecting the
organization’s market strategy, which has an impact particularly on
competition, risk assessment influences external stakeholders. Since a
company’s reputation for economic stability and growth attracts new
customers, investors, and qualified job seekers, risk assessment is closely
connected to the company’s image. One benefit of effective collaborations
is benchmarking, where information about risk assessments may be shared
with corporate partners in order to compare outcomes and streamline the
process. Indicators of local demographics, such as the proportion of the
working population, education level, age, and interests, have an impact on
operations, human resources, and overall business profitability. Changes in
the local demographic have an impact on the caliber of the risk assessment
team (Gilbert & Han, 2005). The income levels of an organization’s
consumers have a direct impact on sales and revenue; economic instability
can expose an organization to a new set of dangers, necessitating routine
supply and demand evaluations. Organizational culture also affects risk
assessment, particularly when it comes to implementation: for a successful
process start-up, accepting changes and working as a team are essential.
When it comes to risk assessment, towns with strong local economies
and reputable, safe enterprises will draw more people looking for stable
employment. A safe workplace also reduces stress and inspires employees,
which results in fewer mistakes and better performance. Risk assessment
affects the sociocultural aspects of the organization by promoting teamwork
among employees, bringing people together, and fortifying bonds. It is
reliant on effective departmental communication.
The ability to process a large quantity of data based on algorithms that
determine risk levels and continuously update the risk registry database has
led to the adoption of risk assessment software packages by many businesses
in recent years. When these kinds of tools are combined with the company’s
ERP system, which allows for the automatic retrieval and selection of data
relevant to each organizational business function, they can be extremely
effective. A reliable communication system also speeds up processing and
makes it easier to acquire data. The majority of those surveyed believe that
risk assessment has given software development organizations additional
prospects. Getting additional funding for technical advancement is a benefit
of risk assessment implementation. Any organization’s infrastructure is built
on procedures that outline the tasks, activities, roles, and regulations that
must be followed inside the business. The importance of process design and
business process management, which are key components in maintaining
corporate sustainability, has been recognized by managers (Salzmann,
Ionescu-Somers, & Steger, 2005). In order to learn more about business
processes and examine them from a sustainability point of view, interviews
with managers and process experts from various firms were conducted. For
each organizational function, the weakest and strongest points in the design
of sustainable processes, as well as the associated hazards, are investigated.
Additionally, interviewees cover the crucial elements that guard against
process halts or failures and share data about organizational profile, core, and
support processes, process description, formality level, staff involvement,
communication, risk evaluation of how business processes interact, control
mechanisms, and continuous improvement techniques. Each of the process
factors that have an effect on sustainability was examined in order to gauge
the process’ level of sustainability.

8.8. PROCESSES
Processes should be codified to improve knowledge and understanding
across the organization in order to be sustainable. A flowchart can be used
to represent business processes as a collection of actions connected by
decision points. The process matrix, which incorporates a series of actions
and regulations based on process data, is another method of representing the
formality of business processes. In recent years, running a firm has faced
new hurdles. To reach the desired values of the performance metrics, new
approaches and procedures must be developed as a result of the financial
crisis. Since business processes are the foundation of every company and
have a direct impact on business performance, controlling risks at the
operational management level is frequently essential to an organization’s
survival. In the current business environment, risk management and process
improvement are crucial. A growing number of managers employ the process
approach as a tactic to reduce risks associated with interactions between
business processes. The primary unacceptable risk that can result from
management activities or after-sales processes interacting with one another
is decreased sales of support services and spare parts. Ineffective business
strategies, improper resource allocation, erroneous budget estimates for
warranty-related expenses, inaccurate offers of spare parts or services, a
failure to monitor faulty items, and a failure to analyze redundant faults are
the main culprits.
Risks associated with management team operations and monitoring
activities are acceptable and relate to additional unanticipated costs during
the warranty period, but risks must be monitored and prevented from being
brought on by gathering data from unrelated sources and failing to keep track
of clients’ needs. Choosing which business processes to outsource in order
to boost revenue and profit margin was one of the biggest issues process
managers faced in previous years. Recently, experts in the field, academics,
and managers came to the conclusion that not all offshoring or outsourcing
actions were profitable for the companies, and as a result, back-shoring
and reshoring became a new business trend. Recent studies have
revealed that thorough study is required before making a decision, despite
the fact that managers have raced to review and reverse decisions linked
to outsourcing and offshoring. It’s probable that some corporate operations
would need to be outsourced, but organizations would gain more if they
didn’t change their minds about other activities. In order to reduce expenses,
boost sales, and improve profits, managers have begun outsourcing certain
tasks to outside companies. When looking for new outsourcing options or
growing sales markets, businesses choose newly developing nations. While
management has moved manufacturing and support services to independent
contractors or completely owned branches or subsidiaries in low-wage
nations, knowledge-intensive business services are typically preserved
within the corporation.
Managers have committed resources for corporate governance in
order to monitor and regulate process outputs and assure the viability of
the firm. Corporate governance requires firms to recognize and address
any problems that arise during interactions with each of the outsourced
processes, including lowered service quality or the creation of subpar
goods, client dissatisfaction, increased production costs, or wage increases.
Organizations must continually identify, evaluate, and analyze risks at the
interaction with each of the outsourced business processes because changes
in the foreign country’s economic and political environment can potentially
pose a threat to guaranteeing corporate sustainability. Finding effective
controls for international companies and third-party goods and services
as well as understanding the disparities between commercial and social
elements that affect sustainable performance were significant problems for
the organizations. Managers have learned through professional experience
that not all business decisions regarding the use of third-party suppliers in
contracting procedures resulted in added value for the businesses. Numerous
offshored or outsourced procedures with quality problems result in additional
expenses that materially reduce corporate profitability or even cause the
organization to lose money. The key drivers behind businesses beginning
to internalize business activities were rising transportation expenses, taxes,
and labor, a lack of adaptability in terms of meeting client requirements, and
a lack of expertise.
The process outcomes offered by the third-party organization were
not value-adding, which resulted in the highest determined risk levels.
Ineffective and obsolete processes, as well as losing complete control over
the process, are unacceptable risks that must be taken into account in the
risk management plan. Risk levels are higher when an organization interacts
with off-site procedures carried out by a third-party provider since there is a
larger likelihood that control of the process will be lost and service quality
will suffer. Losing control of the process and a decline in service quality are
the two risks that are most likely to occur when processes are carried out
overseas. These high risks are related to expensive labor and transportation
expenses, losing complete process control, declining service quality, and
antiquated and inefficient procedures. The most unfavorable effects of risk
materialization include decreasing income, profit, and productivity, a lack
of new clients or client loss, and the termination of contracts with third-
party providers. The main benefits of outsourcing business processes are
typically cheaper labor costs and operating expenses; regrettably, sometimes
the price of resolving quality-related problems might lead firms to decide
to back source. While risks relating to interactions between organizational
business processes are typically bearable or undesirable, the procedures of
outsourcing and back sourcing involve additional risks that may have an
immediate detrimental impact on the organization. Therefore, firms must
assess the risks associated with all back sourcing and outsourcing procedures
and base their decisions on a thorough risk analysis.
Instead of monitoring these risks and acting only when certain criteria
are met that potentially result in risk materialization, resources are then
used and measures are performed to prevent them. There is no formula that
decides when to take steps to manage significant business risks and lower
risk handling expenses. To find out if detection makes risk assessment more
effective and if it lowers risk management costs with a direct impact on
the business performance measures, interviews with experienced managers
and process experts were conducted. The current market conditions include
dropping pricing and rising quality of goods and services; this naturally
creates a highly competitive company environment with occasionally
smaller profit margins. Any business enterprise makes finding the ideal
cost-quality ratio a top concern. However, doing so carries additional risks,
primarily because there aren’t any backup plans or finances to fall back on
if something goes wrong. In order to remain competitive, businesses have
started to have a larger risk tolerance and take on more risks. The outcomes
of risk assessments are closely related to risk appetite and corporate growth,
making them a crucial tool for enterprises. The FMEA approach can
enhance monitoring and regulating processes and systems by guaranteeing
the correctness of the control mechanisms. As a third attribute in risk
assessment, detection ensures a more accurate and exact evaluation, which
directly affects how frequently hazards manifest and how much it will cost
to manage those risks.
Detection assesses the conditions that determine risk materialization.
By continuously monitoring the organization’s performance indicators,
detection can determine whether specific conditions are met that can result
in risk materialization. Probability of appearance and consequence are
typically estimated by process owners based on their experience and other
subjective data. If risk management expenses were lower, opportunities were
discovered more frequently, and seizing these chances enhanced business
outcomes, organizations would be more willing to take on risk. Utilizing the
FMEA method, organizations can identify which risks are worth handling
in order to prevent negative effects of materialized risks or to force risk
materialization in order to take advantage of an opportunity. When detection
is used, this risk loses appeal to managers seeking new business prospects.
Monitoring performance metrics impacted by common hazards is necessary
to determine whether risk levels are rising and whether new opportunities
are opening up. These indicators are impacted by the dangers of ineffective
marketing campaigns, a bad company reputation, customers losing interest
in the company’s goods and services, and non-performing contracts.

BIBLIOGRAPHY

1. Quinn, James Brian., (1999). Strategic Outsourcing: Leveraging
Knowledge Capabilities – ProQuest. Retrieved from:
https://www.proquest.com/openview/5916eb65b5da1b52d6f39ae95f401f13/1?pq-origsite=gscholar&cbl=26142
(accessed on 07 September 2022).
2. Adams, C., Bourne, M., & Neely, A., (2004). Measuring and improving
the capital planning process. Measuring Business Excellence, 8(2), 23–30.
https://doi.org/10.1108/13683040410539409.
3. Adil, M., (2008). Risk-based regulatory system and its effective use in
health and social care. Journal of the Royal Society for the Promotion of
Health, 128(4), 196–201. https://doi.org/10.1177/1466424008092234.
4. Alcalde, A., Lopes, F. L. P., & Takamatsu, R. T., (2013). EBITDA
margin in Brazilian companies variance decomposition and hierarchical
effects. Accounting and Administration, 58(2), 197–220.
https://doi.org/10.1016/S0186-1042(13)71215-4.
5. Allan, N., & Davis, J., (2006). Strategic risks—Thinking about
them differently. Proceedings of the Institution of Civil Engineers
– Civil Engineering, 159(6), 10–14.
https://doi.org/10.1680/cien.2006.159.6.10.
6. Allen, F., & Santomero, A. M., (2001). What do financial intermediaries
do? Journal of Banking & Finance, 25(2), 271–294.
https://doi.org/10.1016/S0378-4266(99)00129-6.
7. Andersen, J., & Choong, H., (1997). The development of an industry
standard supply-based environmental practices questionnaire.
Proceedings of the 1997 IEEE International Symposium on Electronics
and the Environment. ISEE-1997 (pp. 276–281).
https://doi.org/10.1109/ISEE.1997.605340.
8. Annamalah, S., Raman, M., Marthandan, G., & Logeswaran, A.
K., (2018). Implementation of enterprise risk management (ERM)
framework in enhancing business performances in oil and gas sector.
Economies, 6(1), 4. https://doi.org/10.3390/economies6010004.
9. Anthony (Tony) Cox, Jr, L., (2008). What’s wrong with risk matrices?
Risk Analysis, 28(2), 497–512.
https://doi.org/10.1111/j.1539-6924.2008.01030.x.
10. Aquino, K., & Douglas, S., (2003). Identity threat and antisocial behavior
in organizations: The moderating effects of individual differences,
aggressive modeling, and hierarchical status. Organizational
Behavior and Human Decision Processes, 90(1), 195–208.
https://doi.org/10.1016/S0749-5978(02)00517-4.
11. Baker, T., & Griffith, S. J., (2007). Predicting corporate governance
risk: Evidence from the directors’ &(and) officers’ liability insurance
market. University of Chicago Law Review, 74, 487. Retrieved from:
https://heinonline.org/HOL/Page?handle=hein.journals/uclr74&id=497&div=&collection=
(accessed on 07 September 2022).
12. Banerjee, R., & Gupta, K., (2017). The effects of environmental
sustainability and R&D on corporate risk-taking: International
evidence. Energy Economics, 65, 1–15.
https://doi.org/10.1016/j.eneco.2017.04.016.
13. Baranoff, E., & Sager, T., (2003). The relations among organizational
and distribution forms and capital and asset risk structures in the life
insurance industry. Journal of Risk and Insurance, 70(3), 375–400.
https://doi.org/10.1111/1539-6975.t01-1-00057.
14. Bargeron, L. L., Lehn, K. M., & Zutter, C. J., (2010). Sarbanes-Oxley
and corporate risk-taking. Journal of Accounting and Economics,
49(1), 34–52. https://doi.org/10.1016/j.jacceco.2009.05.001.
15. Beheshti, H. M., Clelland, I. J., & Harrington, K. V., (2020).
Competitive advantage with vendor managed inventory. Journal of
Promotion Management, 26(6), 836–854.
https://doi.org/10.1080/10496491.2020.1794507.
16. Bertinetti, G. S., Cavezzali, E., & Gardenal, G., (2013). The Effect of
the Enterprise Risk Management Implementation on the Firm Value of
European Companies [SSRN Scholarly Paper]. Rochester, NY.
https://doi.org/10.2139/ssrn.2326195.
17. Bezzina, F., Grima, S., & Mamo, J., (2014). Risk management practices
adopted by financial firms in Malta. Managerial Finance, 40(6), 587–612.
https://doi.org/10.1108/MF-08-2013-0209.
18. Billing, C., McCann, P., Ortega-Argilés, R., & Sevinc, D., (2021).
UK analysts’ and policy-makers’ perspectives on Brexit: Challenges,
priorities, and opportunities for subnational areas. Regional Studies,
55(9), 1571–1582. https://doi.org/10.1080/00343404.2020.1826039.
19. Bin, O., Crawford, T. W., Kruse, J. B., & Landry, C. E., (2008).
Viewscapes and flood hazard: Coastal housing market response to amenities
and risk. Land Economics, 84(3), 434–448.
https://doi.org/10.3368/le.84.3.434.
20. Black, F., & Cox, J. C., (1976). Valuing corporate securities: Some
effects of bond indenture provisions. The Journal of Finance, 31(2),
351–367. https://doi.org/10.1111/j.1540-6261.1976.tb01891.x.
21. Black, J., & Baldwin, R., (2010). Really responsive risk-based
regulation. Law & Policy, 32(2), 181–213.
https://doi.org/10.1111/j.1467-9930.2010.00318.x.
22. Blume, M. E., Lim, F., & Mackinlay, A. C., (1998). The declining
credit quality of U.S. corporate debt: Myth or reality? The Journal of
Finance, 53(4), 1389–1413. https://doi.org/10.1111/0022-1082.00057.
23. Bode, C., Hübner, D., & Wagner, S. M., (2014). Managing financially
distressed suppliers: An exploratory study. Journal of Supply Chain
Management, 50(4), 24–43. https://doi.org/10.1111/jscm.12036.
24. Bojanić, T., Nerandžić, B., Stevanov, B., & Gračanin, D., (2022).
Fundamentals of integrated risk management model in business
processes. In: Lalic, B., Gracanin, D., Tasic, N., & Simeunović, N.,
(eds.), Proceedings on 18th International Conference on Industrial
Systems – IS’20 (pp. 310–317). Cham: Springer International
Publishing. https://doi.org/10.1007/978-3-030-97947-8_41.
25. Borgelt, K., & Falk, I., (2007). The leadership/management
conundrum: Innovation or risk management? Leadership &
Organization Development Journal, 28(2), 122–136.
https://doi.org/10.1108/01437730710726822.
26. Boyabatli, O., & Toktay, L. B., (2004). Operational Hedging: A
Review with Discussion (pp. 1–23). Research Collection Lee Kong
Chian School of Business. Retrieved from:
https://ink.library.smu.edu.sg/lkcsb_research/3758 (accessed on 07 September 2022).
27. Bozkus, K. S., & Caliyurt, K., (2018). Cyber security assurance process
from the internal audit perspective. Managerial Auditing Journal,
33(4), 360–376. https://doi.org/10.1108/MAJ-02-2018-1804.
28. Brillinger, A. S., Els, C., Schäfer, B., & Bender, B., (2020). Business
model risk and uncertainty factors: Toward building and maintaining
profitable and sustainable business models. Business Horizons, 63(1),
121–130. https://doi.org/10.1016/j.bushor.2019.09.009.
29. Brown, C. A., (2014). Risk Management System: Practical Development
and Implementation. Presented at the ASSE Professional Development
Conference and Exposition. Retrieved from:
https://onepetro.org/ASSPPDCE/proceedings/ASSE14/All-ASSE14/ASSE-14-686/78121
(accessed on 07 September 2022).
30. Bründl, M., Romang, H. E., Bischof, N., & Rheinberger, C. M., (2009).
The risk concept and its application in natural hazard risk management
in Switzerland. Natural Hazards and Earth System Sciences, 9(3),
801–813. https://doi.org/10.5194/nhess-9-801-2009.
31. Bucheli, M., & Salvaj, E., (2018). Political connections, the liability
of foreignness, and legitimacy: A business historical analysis of
multinationals’ strategies in Chile. Global Strategy Journal, 8(3), 399–420.
https://doi.org/10.1002/gsj.1195.
32. Burkov, V., Burkova, I., Barkhi, R., & Berlinov, M., (2018). Qualitative
risk assessments in project management in construction industry.
MATEC Web of Conferences, 251, 06027.
https://doi.org/10.1051/matecconf/201825106027.
33. Calantone, R., Garcia, R., & Dröge, C., (2003). The effects of
environmental turbulence on new product development strategy
planning. Journal of Product Innovation Management, 20(2), 90–103.
https://doi.org/10.1111/1540-5885.2002003.
34. Cannadine, D., (1984). The present and the past in the English industrial
revolution 1880–1980. Past & Present, 103(1), 131–172.
https://doi.org/10.1093/past/103.1.131.
35. Carrithers, J. R., DeHart, R. E., & Geaneas, P. Z., (1998). Crisis
Management Systems for Emergency Scenarios in International
Operations. Presented at the SPE International Conference on Health,
Safety, and Environment in Oil and Gas Exploration and Production.
https://doi.org/10.2118/46742-MS.
36. Chapman, C., & Ward, S., (2004). Why risk efficiency is a key aspect
of best practice projects. International Journal of Project Management,
22(8), 619–632. https://doi.org/10.1016/j.ijproman.2004.05.001.
37. Chen, T. K., Liao, H. H., & Kuo, H. J., (2013). Internal liquidity risk,
financial bullwhip effects, and corporate bond yield spreads: Supply
chain perspectives. Journal of Banking & Finance, 37(7), 2434–2456.
https://doi.org/10.1016/j.jbankfin.2013.02.011.
38. Chen, X., Liu, C., & Li, S., (2019). The role of supply chain finance
in improving the competitive advantage of online retailing enterprises.
Electronic Commerce Research and Applications, 33, 100821.
https://doi.org/10.1016/j.elerap.2018.100821.
39. Child, J., & Tsai, T., (2005). The dynamic between firms’ environmental
strategies and institutional constraints in emerging economies:
Evidence from China and Taiwan. Journal of Management Studies,
42(1), 95–125. https://doi.org/10.1111/j.1467-6486.2005.00490.x.
40. Cho, V., & Chan, A., (2015). An integrative framework of comparing
SaaS adoption for core and non-core business operations: An empirical
study on Hong Kong industries. Information Systems Frontiers, 17(3),
629–644. https://doi.org/10.1007/s10796-013-9450-9.
41. Chopra, S., (2017). Seven-eleven Japan Co. Kellogg School
of Management Cases, 1–14.
https://doi.org/10.1108/case.kellogg.2016.000298.
42. Christopher, M., & Peck, H., (1997). Managing logistics in fashion
markets. The International Journal of Logistics Management, 8(2),
63–74. https://doi.org/10.1108/09574099710805673.
43. Clarkson, P. M., Li, Y., Pinnuck, M., & Richardson, G. D., (2015). The
valuation relevance of greenhouse gas emissions under the European
Union carbon emissions trading scheme. European Accounting Review,
24(3), 551–580. https://doi.org/10.1080/09638180.2014.927782.
44. Code of Business Conduct and Ethics, (n.d.). Retrieved from:
https://www.sec.gov/Archives/edgar/data/1297401/000119312511045757/dex14.htm
(accessed on 07 September 2022).
45. Coffee, J. C. J., (2001). The rise of dispersed ownership: The roles
of law and the state in the separation of ownership and control.
Yale Law Journal, 111, 1. Retrieved from:
https://heinonline.org/HOL/Page?handle=hein.journals/ylr111&id=19&div=&collection=
(accessed on 07 September 2022).
46. Coleman, G., & Verbruggen, R., (1998). A quality software process for
rapid application development. Software Quality Journal, 7(2), 107–122.
https://doi.org/10.1023/A:1008856624790.
47. Coleman, J. W., (2019). Pipelines & power-lines: Building the
energy transport future. Ohio State Law Journal, 80, 263. Retrieved from:
https://heinonline.org/HOL/Page?handle=hein.journals/ohslj80&id=275&div=&collection=
(accessed on 07 September 2022).
48. Coleman, R., (2011). Operational risk. In: Wiley Encyclopedia of
Operations Research and Management Science. John Wiley & Sons,
Ltd. https://doi.org/10.1002/9780470400531.eorms0591.
49. D’Aubeterre, F., Singh, R., & Iyer, L., (2008). Secure activity resource
coordination: Empirical evidence of enhanced security awareness in
designing secure business processes. European Journal of Information
Systems, 17(5), 528–542. https://doi.org/10.1057/ejis.2008.42.
50. Damanpour, F., & Damanpour, J. A., (2001). E‐business e‐commerce
evolution: Perspective and strategy. Managerial Finance, 27(7), 16–33.
https://doi.org/10.1108/03074350110767268.
51. Das, T. K., & Teng, B. S., (2001). A risk perception model of alliance
structuring. Journal of International Management, 7(1), 1–29.
https://doi.org/10.1016/S1075-4253(00)00037-5.
52. Daud, W. N. W. D., Yazid, A. S., & Hussin, H. M. R., (2010). The
effect of chief risk officer (CRO) on enterprise risk management
(ERM) practices: Evidence from Malaysia. International Business &
Economics Research Journal (IBER), 9(11).
https://doi.org/10.19030/iber.v9i11.30.
53. Deleris, L. A., & Erhun, F., (2005). Risk management in supply networks
using Monte-Carlo simulation. Proceedings of the Winter Simulation
Conference, 2005, 7. https://doi.org/10.1109/WSC.2005.1574434.
54. Dionne, G., (2013). Risk management: History, definition, and critique.
Risk Management and Insurance Review, 16(2), 147–166.
https://doi.org/10.1111/rmir.12016.
55. Dreher, A., & Vaubel, R., (2009). Foreign exchange intervention and the
political business cycle: A panel data analysis. Journal of International
Money and Finance, 28(5), 755–775.
https://doi.org/10.1016/j.jimonfin.2008.12.007.
56. Dullaway, D. W., & Needleman, P. D., (2004). Realistic liabilities
and risk capital margins for with-profits business. A discussion paper.

本书版权归Arcler所有
Bibliography 209

British Actuarial Journal, 10(2), 185–222. https://doi.org/10.1017/


S1357321700002804.
57. Dvorsky, J., Belas, J., Gavurova, B., & Brabenec, T., (2021). Business
risk management in the context of small and medium-sized enterprises.
Economic Research (Ekonomska Istraživanja), 34(1), 1690–1708.
https://doi.org/10.1080/1331677X.2020.1844588.
58. EBSCOhost | 33768853 | The Criminal Prosecution of Banks
Under the US Bank Secrecy Act of 1970, (n.d.). Retrieved
from: https://web.s.ebscohost.com/abstract?direct=true&profil
e=ehost&scope=site&authtype =crawler&jrnl=17531780&AN
=33768853&h =DArjJ5zlwtIlNz8c3Si9 SV4JHWyVl9G1ujo
EKc0ey21gbIOOYBP21 FarBBm9xhr9FeugLGRUx0ZBKEocyRsbV
Q%3d%3d&crl= c&resultNs= Admin Web Auth&result Local=ErrCrl
NotAuth&crlhashurl=login.aspx%3fdirect%3dtrue%26profile%3deho
st%26scope%3dsite%26authtype%3dcrawler%26jrnl%3d17531780%
26AN%3d33768853 (accessed on 07 September 2022).
59. Elahi, E., (2013). Risk management: The next source of
competitive advantage. Foresight, 15(2), 117–131. https://doi.
org/10.1108/14636681311321121.
60. Ellram, L. M., (1991). Supply‐chain management: The industrial
organization perspective. International Journal of Physical
Distribution & Logistics Management, 21(1), 13–22. https://doi.
org/10.1108/09600039110137082.
61. Fidrmuc, J., & Korhonen, I., (2010). The impact of the global financial
crisis on business cycles in Asian emerging economies. Journal
of Asian Economics, 21(3), 293–303. https://doi.org/10.1016/j.
asieco.2009.07.007.
62. Frederiksen, T., (2018). Corporate social responsibility, risk, and
development in the mining industry. Resources Policy, 59, 495–505.
https://doi.org/10.1016/j.resourpol.2018.09.004.
63. Gallagher, C. T., & Chapman, L. E., (2010). Classification, location, and
legitimacy of web-based suppliers of Viagra to the UK. International
Journal of Pharmacy Practice, 18(6), 341–345. https://doi.org/10.1111/
j.2042-7174.2010.00061.x.
64. Gatzert, N., & Wesker, H., (2012). A comparative assessment of Basel II/
III and solvency II. The Geneva Papers on Risk and Insurance – Issues
and Practice, 37(3), 539–570. https://doi.org/10.1057/gpp.2012.3.

本书版权归Arcler所有
210 Comprehensive Guide to Business Risk Management

65. George, B., Button, M., & Whatford, N., (2003). The impact of
September 11th on the UK business community. Crime Prevention
and Community Safety, 5(2), 49–59. https://doi.org/10.1057/palgrave.
cpcs.8140146.
66. Geyfman, V., & Yeager, T. J., (2009). On the riskiness of universal
banking: Evidence from banks in the investment banking business
pre- and post-GLBA. Journal of Money, Credit, and Banking, 41(8),
1649–1669. https://doi.org/10.1111/j.1538-4616.2009.00266.x.
67. Ghasemzadeh, F., & Archer, N. P., (2000). Project portfolio selection
through decision support. Decision Support Systems, 29(1), 73–88.
https://doi.org/10.1016/S0167-9236(00)00065-8.
68. Gilbert, A. L., & Han, H., (2005). Understanding mobile data services
adoption: Demography, attitudes or needs? Technological Forecasting
and Social Change, 72(3), 327–337. https://doi.org/10.1016/j.
techfore.2004.08.007.
69. Gilmore, A., Carson, D., & O’Donnell, A., (2004). Small business owner‐
managers and their attitude to risk. Marketing Intelligence & Planning,
22(3), 349–360. https://doi.org/10.1108/02634500410536920.
70. Greuning, H. V., & Brajovic-Bratanovic, S., (2022). Analyzing
Banking Risk: A Framework for Assessing Corporate Governance
and Risk Management – Fourth Edition (English). Retrieved from:
https://policycommons.net/artifacts/2232409/analyzing-banking-
risk/2990081/ (accessed on 07 September 2022).
71. Guidara, A., Lai, V. S., Soumaré, I., & Tchana, F. T., (2013). Banks’
capital buffer, risk, and performance in the Canadian banking
system: Impact of business cycles and regulatory changes. Journal
of Banking & Finance, 37(9), 3373–3387. https://doi.org/10.1016/j.
jbankfin.2013.05.012.
72. Gummesson, E., (2005). Qualitative research in marketing:
Road‐map for a wilderness of complexity and unpredictability.
European Journal of Marketing, 39(3, 4), 309–327. https://doi.
org/10.1108/03090560510581791.
73. Gunningham, N. A., Thornton, D., & Kagan, R. A., (2005). Motivating
management: Corporate compliance in environmental protection.
Law & Policy, 27(2), 289–316. https://doi.org/10.1111/j.1467-
9930.2005.00201.x.

本书版权归Arcler所有
Bibliography 211

74. Guo, S., Zhang, W., & Gao, X., (2020). Business risk evaluation of
electricity retail company in China using a hybrid MCDM method.
Sustainability, 12(5), 2040. https://doi.org/10.3390/su12052040.
75. Gurl, E., (2017). Swot Analysis: A Theoretical Review. https://doi.
org/10.17719/jisr.2017.1832.
76. Hallikas, J., Virolainen, V. M., & Tuominen, M., (2002). Risk analysis
and assessment in network environments: A dyadic case study.
International Journal of Production Economics, 78(1), 45–55. https://
doi.org/10.1016/S0925-5273(01)00098-6.
77. Han, Z., & Nigg, J., (2011). The influences of business and decision
makers’ characteristics on disaster preparedness—A study on the
1989 Loma Prieta earthquake. International Journal of Disaster Risk
Science, 2(4), 22–31. https://doi.org/10.1007/s13753-011-0017-4.
78. Hanel, P., (2006). Intellectual property rights business management
practices: A survey of the literature. Technovation, 26(8), 895–931.
https://doi.org/10.1016/j.technovation.2005.12.001.
79. Hanna, R. C., Lemon, K. N., & Smith, G. E., (2019). Is transparency a
good thing? How online price transparency and variability can benefit
firms and influence consumer decision making. Business Horizons,
62(2), 227–236. https://doi.org/10.1016/j.bushor.2018.11.006.
80. Hassel, H., (2010). Risk and Vulnerability Analysis in Society’s
Proactive Emergency Management: Developing Methods and
Improving Practices. Doctoral thesis (compilation), Lund University.
81. Haug, P., (1985). A multiple-period, mixed-integer-programming
model for multinational facility location. Journal of Management,
11(3), 83–96. https://doi.org/10.1177/014920638501100307.
82. Hawtin, M., (2003). The practicalities and benefits of applying revenue
management to grocery retailing, and the need for effective business
rule management. Journal of Revenue and Pricing Management, 2(1),
61–68. https://doi.org/10.1057/palgrave.rpm.5170049.
83. Henderson, J. A. J., (1983). Product liability and the passage of time:
The imprisonment of corporate rationality. New York University
Law Review, 58, 765. Retrieved from: https://heinonline.org/HOL/
Page?handle=hein.journals/nylr58&id=785&div=&collection=
(accessed on 07 September 2022).
84. Henderson, J. C., (1992). Aligning business and information technology
domains: Strategic planning in hospitals. Hospital & Health

本书版权归Arcler所有
212 Comprehensive Guide to Business Risk Management

Services Administration, 37(1), 71–88. Retrieved from: https://go.gale.


com/ps/i.do?p=AONE&sw=w&issn=87503735&v=2.1&it=r&id=G
ALE%7CA11892656&sid=googleScholar&linkaccess=abs (accessed
on 07 September 2022).
85. Henderson, T., Kotz, D., & Abyzov, I., (2004). The changing usage of a
mature campus-wide wireless network. Proceedings of the 10th Annual
International Conference on Mobile Computing and Networking, 187–
201. New York, NY, USA: Association for Computing Machinery.
https://doi.org/10.1145/1023720.1023739.
86. Hessami, A. G., (1999). Risk management: A systems paradigm.
Systems Engineering, 2(3), 156–167. https://doi.org/10.1002/
(SICI)1520-6858(1999)2:3<156::AID-SYS3>3.0.CO;2-H.
87. Hofer, V., Leitner, J., Lewitschnig, H., & Nowak, T., (2017).
Determination of tolerance limits for the reliability of semiconductor
devices using longitudinal data. Quality and Reliability Engineering
International, 33(8), 2673–2683. https://doi.org/10.1002/qre.2226.
88. Houston, R. W., Peters, M. F., & Pratt, J. H., (1999). The audit risk
model, business risk and audit‐planning decisions. The Accounting
Review, 74(3), 281–298. https://doi.org/10.2308/accr.1999.74.3.281.
89. Hsu, L., Fournier, S., & Srinivasan, S., (2016). Brand architecture
strategy and firm value: How leveraging, separating, and distancing
the corporate brand affects risk and returns. Journal of the Academy
of Marketing Science, 44(2), 261–280. https://doi.org/10.1007/s11747-
014-0422-5.
90. Irani, V., Fonseca, R., Espinosa, B., Cantarino, A., Botelho, T., &
Slocum, D., (2002). Building a World-Class EHS Management
System after Environmental Crisis. Presented at the SPE International
conference on health, safety, and environment in oil and gas exploration
and production. https://doi.org/10.2118/73903-MS.
91. Johnson, J. S., & Sohi, R. S., (2016). Understanding and resolving
major contractual breaches in buyer–seller relationships: A grounded
theory approach. Journal of the Academy of Marketing Science, 44(2),
185–205. https://doi.org/10.1007/s11747-015-0427-8.
92. Jones‐Parry, D., & James, S., (1998). Banking litigation strategies
after Woolf. Journal of Financial Regulation and Compliance, 6(3),
211–218. https://doi.org/10.1108/eb024970.

本书版权归Arcler所有
Bibliography 213

93. Kirchsteiger, C., (1999). On the use of probabilistic and deterministic


methods in risk analysis. Journal of Loss Prevention in the Process
Industries, 12(5), 399–419. https://doi.org/10.1016/S0950-
4230(99)00012-1.
94. Kleindorfer, P. R., & Saad, G. H., (2005). Managing disruption risks in
supply chains. Production and Operations Management, 14(1), 53–68.
https://doi.org/10.1111/j.1937-5956.2005.tb00009.x.
95. Knechel, W. R., (2007). The business risk audit: Origins, obstacles,
and opportunities. Accounting, Organizations, and Society, 32(4),
383–408. https://doi.org/10.1016/j.aos.2006.09.005.
96. Lannoo, K., & Valiante, D., (2012). Europe’s New Post-Trade
Infrastructure Rules. ECMI Policy Brief No. 20, [Policy Paper].
Retrieved from: http://aei.pitt.edu/37320/1/ECMI_PB_No_20_Post-
Trade_Market_Infrastructure.pdf (accessed on 07 September 2022).
97. Lavastre, O., Gunasekaran, A., & Spalanzani, A., (2012). Supply chain
risk management in French companies. Decision Support Systems,
52(4), 828–838. https://doi.org/10.1016/j.dss.2011.11.017.
98. Lee, D. D., & Faff, R. W., (2009). Corporate sustainability performance
and idiosyncratic risk: A global perspective. Financial Review, 44(2),
213–237. https://doi.org/10.1111/j.1540-6288.2009.00216.x.
99. Lenz, R., (2016). Peer-to-peer lending: Opportunities and risks.
European Journal of Risk Regulation, 7(4), 688–700. https://doi.
org/10.1017/S1867299X00010126.
100. Linsmeier, T. J., Thornton, D. B., Venkatachalam, M., & Welker, M.,
(2002). The effect of mandated market risk disclosures on trading
volume sensitivity to interest rate, exchange rate, and commodity
price movements. The Accounting Review, 77(2), 343–377. https://doi.
org/10.2308/accr.2002.77.2.343.
101. Luo, Y., & Tung, R. L., (2007). International expansion of emerging
market enterprises: A springboard perspective. Journal of International
Business Studies, 38(4), 481–498. https://doi.org/10.1057/palgrave.
jibs.8400275.
102. Lupson, I., (2002). An underwriter is entitled to a fair presentation of
the risk. Australian Product Liability Reporter, 13(3), 22–24. https://
doi.org/10.3316/agis_archive.20023849.
103. Macher, J. T., Mowery, D. C., & Simcoe, T. S., (2002). E-business and
disintegration of the semiconductor industry value chain. Industry and

本书版权归Arcler所有
214 Comprehensive Guide to Business Risk Management

Innovation, 9(3), 155–181. https://doi.org/10.1080/136627102200003


4444.
104. Macmillan, I. C., Siegel, R., & Narasimha, P. N. S., (1985). Criteria
used by venture capitalists to evaluate new venture proposals. Journal
of Business Venturing, 1(1), 119–128. https://doi.org/10.1016/0883-
9026(85)90011-4.
105. Mainelli, M., (2004). Ethical volatility: How CSR ratings and returns
might be changing the world of risk. Balance Sheet, 12(1). https://doi.
org/10.1108/bs.2004.26512aab.003.
106. Manuj, I., & Mentzer, J. T., (2008). Global supply chain risk
management. Journal of Business Logistics, 29(1), 133–155. https://
doi.org/10.1002/j.2158-1592.2008.tb00072.x.
107. Manworren, N., Letwat, J., & Daily, O., (2016). Why you should care
about the Target data breach. Business Horizons, 59(3), 257–266.
https://doi.org/10.1016/j.bushor.2016.01.002.
108. Marhavilas, P. K., & Koulouriotis, D. E., (2021). Risk-acceptance
criteria in occupational health and safety risk-assessment—The state-
of-the-art through a systematic literature review. Safety, 7(4), 77.
https://doi.org/10.3390/safety7040077.
109. Martinsons, M., Davison, R., & Tse, D., (1999). The balanced scorecard:
A foundation for the strategic management of information systems.
Decision Support Systems, 25(1), 71–88. https://doi.org/10.1016/
S0167-9236(98)00086-4.
110. Medina, J., Muller, N., & Roytelman, I., (2010). Demand response
and distribution grid operations: Opportunities and challenges. IEEE
Transactions on Smart Grid, 1(2), 193–198. https://doi.org/10.1109/
TSG.2010.2050156.
111. Mendling, J., & Hafner, M., (2005). From inter-organizational
workflows to process execution: Generating BPEL from WS-CDL. In:
Meersman, R., Tari, Z., & Herrero, P., (eds.), On the Move to Meaningful
Internet Systems 2005: OTM 2005 Workshops (pp. 506–515). Berlin,
Heidelberg: Springer. https://doi.org/10.1007/11575863_70.
112. Miller, K. D., & Waller, H. G., (2003). Scenarios, real options, and
integrated risk management. Long Range Planning, 36(1), 93–107.
https://doi.org/10.1016/S0024-6301(02)00205-4.

本书版权归Arcler所有
Bibliography 215

113. Miller, K. D., (1992). A framework for integrated risk management


in international business. Journal of International Business Studies,
23(2), 311–331. https://doi.org/10.1057/palgrave.jibs.8490270.
114. Mishra, S., Raut, R. D., Narkhede, B. E., Gardas, B. B., &
Priyadarshinee, P., (2018). To investigate the critical risk criteria of
business continuity management by using analytical hierarchy process.
International Journal of Management Concepts and Philosophy, 11(1),
94–115. https://doi.org/10.1504/IJMCP.2018.090415.
115. Morris, P. W., (1989). Initiating major projects: The unperceived role
of project management. International Journal of Project Management,
7(3), 180–185. https://doi.org/10.1016/0263-7863(89)90037-9.
116. Nel, C. B. H., & Jooste, J. L., (2016). A technologically-driven asset
management approach to managing physical assets—A literature
review and research agenda for “smart” asset management. South
African Journal of Industrial Engineering, 27(4), 50–65. https://doi.
org/10.7166/27-4-1478.
117. Nocco, B. W., & Stulz, R. M., (2006). Enterprise risk management:
Theory and practice. Journal of Applied Corporate Finance, 18(4),
8–20. https://doi.org/10.1111/j.1745-6622.2006.00106.x.
118. Novak, M., (1997). Business as calling. The American Enterprise,
8(4), 59–61. Retrieved from: https://go.gale.com/ps/i.do?p=AONE&
sw=w&issn=10473572&v=2.1&it=r&id=GALE%7CA19754358&si
d=googleScholar&linkaccess=abs (accessed on 07 September 2022).
119. Nyoman, P. I., & Geraldin, L. H., (2009). House of risk: A model for
proactive supply chain risk management. Business Process Management
Journal, 15(6), 953–967. https://doi.org/10.1108/14637150911003801.
120. O’Donnell, E., & Schultz, J. J. Jr., (2005). The halo effect in business
risk audits: Can strategic risk assessment bias auditor judgment about
accounting details? The Accounting Review, 80(3), 921–939. https://
doi.org/10.2308/accr.2005.80.3.921.
121. Oehmen, J., Seering, W., Bassler, D., & Ben-Daya, M., (2011). A
comparison of the integration of risk management principles in product
development approaches. Josef Oehmen. Retrieved from: https://
dspace.mit.edu/handle/1721.1/78665 (accessed on 07 September
2022).
122. Panisello, P. J., & Quantick, P. C., (2001). Technical barriers to hazard
analysis critical control point (HACCP). Food Control, 12(3), 165–
173. https://doi.org/10.1016/S0956-7135(00)00035-9.

本书版权归Arcler所有
216 Comprehensive Guide to Business Risk Management

123. Paxson, M. C., (1992). Follow-up mail surveys. Industrial Marketing


Management, 21(3), 195–201. https://doi.org/10.1016/0019-
8501(92)90016-M.
124. Piercy, N. F., (2010). Evolution of strategic sales organizations in business‐
to‐business marketing. Journal of Business & Industrial Marketing,
25(5), 349–359. https://doi.org/10.1108/08858621011058115.
125. Pitt, H. L., (2005). The changing standards by which directors
will be judged. St. John’s Law Review, 79, 1. Retrieved from:
h t t p s : / / h e i n o n l i n e . o rg / H O L / P a g e ? h a n d l e = h e i n . j o u r n a l s /
stjohn79&id=11&div=&collection= (accessed on 07 September 2022).
126. Posner, R. A., (1972). The behavior of administrative agencies. The
Journal of Legal Studies, 1(2), 305–347. https://doi.org/10.1086/467487.
127. Potkany, M., Stasiak-Betlejewska, R., Kovac, R., & Gejdos, M., (2016).
Outsourcing in conditions of SMEs: The potential for cost savings.
Polish Journal of Management Studies, (Vol. 13, No. 1), 145–156.
https://doi.org/10.17512/pjms.2016.13.1.14.
128. POWER, M., (2004). The risk management of everything. The Journal
of Risk Finance, 5(3), 58–65. https://doi.org/10.1108/eb023001.
129. Raz, T., & Hillson, D., (2005). A comparative review of risk
management standards. Risk Management, 7(4), 53–66. https://doi.
org/10.1057/palgrave.rm.8240227.
130. Reed, A., (1970). Planemakers fight to hold world markets. Industrial
Management, 70(1), 46–105. https://doi.org/10.1108/eb056013.
131. Rehman, A. U., & Anwar, M., (2019). Mediating role of enterprise
risk management practices between business strategy and SME
performance. Small Enterprise Research, 26(2), 207–227. https://doi.
org/10.1080/13215906.2019.1624385.
132. Risman, A., Salim, U., Sumiati, S., & Indrawati, N. K., (2017).
Commodity Prices, Exchange Rates, and Investment on Firm’s
Value Mediated by Business Risk: A Case from Indonesian Stock
Exchange. Retrieved from: https://www.um.edu.mt/library/oar/
handle/123456789/29952 (accessed on 07 September 2022).
133. Robinson, J. G., (2012). Common and conflicting interests in the
engagements between conservation organizations and corporations.
Conservation Biology, 26(6), 967–977. https://doi.org/10.1111/j.1523-
1739.2012.01914.x.

本书版权归Arcler所有
Bibliography 217

134. Salter, M. B., (2008). When the exception becomes the rule: Borders,
sovereignty, and citizenship. Citizenship Studies, 12(4), 365–380.
https://doi.org/10.1080/13621020802184234.
135. Salzmann, O., Ionescu-Somers, A., & Steger, U., (2005). The business
case for corporate sustainability: Literature review and research
options. European Management Journal, 23(1), 27–36. https://doi.
org/10.1016/j.emj.2004.12.007.
136. Schanfield, A., & Miller, M., (2005). A sustainable approach to ERM:
As best practices begin to emerge, one company uses a phased plan
to create a fully functioning, integrated enterprise risk management
system. Internal Auditor, 62(2), 79–83. Retrieved from: https://go.gale.
com/ps/i.do?p=AONE&sw=w&issn=00205745&v=2.1&it=r&id=GA
LE%7CA131780246&sid=googleScholar&linkaccess=abs (accessed
on 07 September 2022).
137. Scholten, K., Sharkey, S. P., & Fynes, B., (2019). Building routines
for non-routine events: Supply chain resilience learning mechanisms
and their antecedents. Supply Chain Management: An International
Journal, 24(3), 430–442. https://doi.org/10.1108/SCM-05-2018-0186.
138. Schwartz, H., & Davis, S. M., (1981). Matching corporate culture and
business strategy. Organizational Dynamics, 10(1), 30–48. https://doi.
org/10.1016/0090-2616(81)90010-3.
139. Schweer, D., & Sahl, J. C., (2017). The digital transformation of
industry – the benefit for Germany. In: Abolhassan, F., (ed.), The
Drivers of Digital Transformation: Why There’s No Way Around the
Cloud (pp. 23–31). Cham: Springer International Publishing. https://
doi.org/10.1007/978-3-319-31824-0_3.
140. Sharma, A., & Kansal, D. V., (n.d.). Mobile Banking as Technology
Adoption and Challenges: A Case of M-Banking in India, 1(1),1-10.
141. Sheffi, Y., (2001). Supply chain management under
the threat of international terrorism. The International
Journal of Logistics Management, 12(2), 1–11. https://doi.
org/10.1108/09574090110806262.
142. Shelden, R. G., & Brown, W. B., (2000). The crime control industry
and the management of the surplus population. Critical Criminology,
9(1), 39–62. https://doi.org/10.1007/BF02461037.
143. Shenhar, A. J., Dvir, D., Levy, O., & Maltz, A. C., (2001). Project
success: A multidimensional strategic concept. Long Range Planning,
34(6), 699–725. https://doi.org/10.1016/S0024-6301(01)00097-8.

本书版权归Arcler所有
218 Comprehensive Guide to Business Risk Management

144. Shi, J., Katehakis, M. N., & Melamed, B., (2013). Martingale methods
for pricing inventory penalties under continuous replenishment and
compound renewal demands. Annals of Operations Research, 208(1),
593–612. https://doi.org/10.1007/s10479-012-1130-5.
145. Simkins, B., & Ramirez, S. A., (2007). Enterprise-wide risk
management and corporate governance. Loyola University Chicago
Law Journal, 39, 571. Retrieved from: https://heinonline.org/HOL/
Page?handle=hein.journals/luclj39&id=591&div=&collection=
(accessed on 07 September 2022).
146. Sison, A. J., (2000). Integrated risk management and global business
ethics. Business Ethics: A European Review, 9(4), 288–295. https://doi.
org/10.1111/1467-8608.00203.
147. Soltanizadeh, S., Abdul, R. S. Z., Mottaghi, G. N., & Wan, I. W.
K., (2016). Business strategy, enterprise risk management and
organizational performance. Management Research Review, 39(9),
1016–1033. https://doi.org/10.1108/MRR-05-2015-0107.
148. Spekman, R. E., & Davis, E. W., (2004). Risky business: Expanding the
discussion on risk and the extended enterprise. International Journal
of Physical Distribution & Logistics Management, 34(5), 414–433.
https://doi.org/10.1108/09600030410545454.
149. Steele, J., (2010). The LMAA in the 21st-century: Securing the future for
London maritime arbitration. Arbitration: The International Journal
of Arbitration, Mediation, and Dispute Management, 76(3). Retrieved
from: https://kluwerlawonline.com/journalarticle/Arbitration:+The+In
ternational+Journal+of+Arbitration,+Mediation+and+Dispute+Mana
gement/76.3/AMDM2010054 (accessed on 07 September 2022).
150. Stroh, P. J., (2005). Enterprise Risk Management at United Health
Group (pp. 26–35). Strategic Finance. Retrieved from: https://
go.gale.com/ps/i.do?p=AONE&sw=w&issn=1524833X&v=2.1&it=
r&id=GALE%7CA133858716&sid=googleScholar&linkaccess=abs
(accessed on 07 September 2022).
151. Swani, K., Milne, G. R., Brown, B. P., Assaf, A. G., & Donthu, N.,
(2017). What messages to post? Evaluating the popularity of social
media communications in business versus consumer markets. Industrial
Marketing Management, 62, 77–87. https://doi.org/10.1016/j.
indmarman.2016.07.006.

本书版权归Arcler所有
Bibliography 219

152. Tang, C., & Tomlin, B., (2008). The power of flexibility for mitigating
supply chain risks. International Journal of Production Economics,
116(1), 12–27. https://doi.org/10.1016/j.ijpe.2008.07.008.
153. Tanlapco, E., Lawarree, J., & Liu, C. C., (2002). Hedging with futures
contracts in a deregulated electricity industry. IEEE Transactions
on Power Systems, 17(3), 577–582. https://doi.org/10.1109/
TPWRS.2002.800897.
154. Taskinsoy, J., (2013). Basel III: Road to Resilient Banking, Impact on
Turkey’s Financial Sector [SSRN Scholarly Paper]. Rochester, NY.
Retrieved from: https://papers.ssrn.com/abstract=3274876 (accessed
on 07 September 2022).
155. Trakman, L. E., (2002). Confidentiality in international commercial
arbitration. Arbitration International, 18(1), 1–18. https://doi.
org/10.1023/A:1014277907158.
156. Ullah, S., Mufti, N. A., Qaiser, S. M., Hussain, A., Lodhi, R. N., &
Asad, R., (2022). Identification of factors affecting risk appetite of
organizations in selection of mega construction projects. Buildings,
12(1), 2. https://doi.org/10.3390/buildings12010002.
157. Van, D. M. A. P., (2002). Project management and business
development: Integrating strategy, structure, processes, and projects.
International Journal of Project Management, 20(5), 401–411. https://
doi.org/10.1016/S0263-7863(01)00012-6.
158. Van, K. H., & Hogenbirk, A., (2005). Multimedia, entertainment, and
business software copyright piracy: A cross-national study. Journal
of Media Economics, 18(2), 109–129. https://doi.org/10.1207/
s15327736me1802_3.
159. Van, R. G. G., (2014).The curious case of the post-9-11 boost in government
job satisfaction. The American Review of Public Administration, 44(1),
59–74. https://doi.org/10.1177/0275074012461560.
160. Verdon, D., & McGraw, G., (2004). Risk analysis in software design.
IEEE Security & Privacy, 2(4), 79–84. https://doi.org/10.1109/
MSP.2004.55.
161. Viterbo, A., (2019). The European union in the transnational financial
regulatory arena: The case of the Basel committee on banking
supervision. Journal of International Economic Law, 22(2), 205–228.
https://doi.org/10.1093/jiel/jgz013.

本书版权归Arcler所有
220 Comprehensive Guide to Business Risk Management

162. Von, A. A., (2008). Cost‐oriented failure mode and effects analysis.
International Journal of Quality & Reliability Management, 25(5),
466–476. https://doi.org/10.1108/02656710810873871.
163. Walters, B. A., Peters, S., & Dess, G. G., (1994). Strategic alliances and
joint ventures: Making them work. Business Horizons, 37(4), 5–11.
Retrieved from: https://go.gale.com/ps/i.do?p=AONE&sw=w&issn=
00076813&v=2.1&it=r&id=GALE%7CA15636442&sid=googleScho
lar&linkaccess=abs (accessed on 07 September 2022).
164. Wang, M., & Jie, F., (2020). Managing supply chain uncertainty and risk
in the pharmaceutical industry. Health Services Management Research,
33(3), 156–164. https://doi.org/10.1177/0951484819845305.
165. Weber, O., (2012). Environmental credit risk management in banks and
financial service institutions. Business Strategy and the Environment,
21(4), 248–263. https://doi.org/10.1002/bse.737.
166. Wilson, S., (2006). Law, morality, and regulation: Victorian experiences
of financial crime. The British Journal of Criminology, 46(6), 1073–
1090. https://doi.org/10.1093/bjc/azl067.
167. Woo, C. Y., (1987). Path analysis of the relationship between market
share, business-level conduct, and risk. Strategic Management Journal,
8(2), 149–168. https://doi.org/10.1002/smj.4250080206.
168. Woods, M., (2009). A contingency theory perspective on the risk
management control system within Birmingham City Council.
Management Accounting Research, 20(1), 69–81. https://doi.
org/10.1016/j.mar.2008.10.003.
169. Wu, D. D., & Olson, D. L., (2009a). Enterprise risk management:
Small business scorecard analysis. Production Planning & Control,
20(4), 362–369. https://doi.org/10.1080/09537280902843706.
170. Wu, D. D., & Olson, D. L., (2009b). Introduction to the special section
on “optimizing risk management: Methods and tools.” Human and
Ecological Risk Assessment: An International Journal, 15(2), 220–
226. https://doi.org/10.1080/10807030902760967.
171. Yeung, R. M. W., & Morris, J., (2001). Food safety risk: Consumer
perception and purchase behaviors. British Food Journal, 103(3), 170–
187. https://doi.org/10.1108/00070700110386728.
172. Young, P. C., & Tomski, M., (2002). An introduction to risk management.
Physical Medicine and Rehabilitation Clinics, 13(2), 225–246. https://
doi.org/10.1016/S1047-9651(01)00005-5.

本书版权归Arcler所有
Bibliography 221

173. Zaridis, A. D., & Mousiolis, D. T., (2014). Entrepreneurship and


SME’s organizational structure. Elements of a successful business.
Procedia – Social and Behavioral Sciences, 148, 463–467. https://doi.
org/10.1016/j.sbspro.2014.07.066.
174. Zeng, J., An, M., & Smith, N. J., (2007). Application of a fuzzy based
decision-making methodology to construction project risk assessment.
International Journal of Project Management, 25(6), 589–600. https://
doi.org/10.1016/j.ijproman.2007.02.006.
175. Zumello, C., (2011). The “everything card” and consumer credit in the
United States in the 1960s. Business History Review, 85(3), 551–575.
https://doi.org/10.1017/S0007680511000808.

本书版权归Arcler所有
本书版权归Arcler所有
INDEX

A
Audit committee 32

B
bankruptcy 90
Bank Secrecy Act of 1970 (BSA) 146
Business hazards 65
Business organizations 165
Business performance indicators 193
business risk 63, 64, 65
business strategy 5

C
capital gains taxes 143
Cause-and-effect analysis 187
change management 90
civil judicial system 150
civil procedure rules (CPR) 150
client satisfaction 186
commercial conflict 96
competitive advantage 165, 166
computer hardware 99
computer software systems 94
computer systems 162
contract management team 186
control hazards 34
cooperative planning 168
corporate finance transaction 141
corporate governance 136, 148, 149, 152
corporate information 66
corporate risk management 63
counterparty risk 96
credit risk 63, 65, 77, 79, 84
customer demand 167

D
Disruptions 167
distribution strategy 121
drought 10

E
earthquakes 65
electronic data exchange (EDI) 170
enterprise resource planning (ERP) 66
enterprise resource planning (ERP) program 195
Enterprise Risk Management 113
enterprise-wide risk management (ERM) 47
e-procurement 167

F
failure modes and effects analysis (FMEA) 124
financial crisis 114, 115, 117
Financial data 142
financial risk management 3
foreign exchange 63, 65, 75, 79

G
globalization 90
governance, risk, and compliance (GRC) program 121
greenhouse gas (GHG) emissions 10

H
habitat conservation 192
Hazard risk management 39
hazard risks 33, 34, 48, 55
hazards 2, 3, 11, 12, 13, 26, 28
historical analysis 67, 68
human resources plan 121
human rights 190

I
information sharing 168, 169
inheritance taxes 143
insurable risks 34, 38, 43
insurance policy 45
intellectual property rights (IPRs) 145
Internal risk messaging 123

J
just-in-time delivery 167

L
liability claims 65
license 144
litigation risk 146

M
market discipline 115
marketing strategy 121
Market risk 63, 84
Market share 186
Medium-term hazards 42

N
natural disaster 90
non-governmental organizations (NGOs) 147

O
Operating leverage 71
operational risk 63, 73, 74, 77, 79, 82, 83, 84
operational risk management (ORM) 34
Opportunity risks 34, 35, 36, 44
Organizational workflows 189
outward risk messaging 123

P
Pareto analysis 186, 188
payroll headcount 187
pharmaceutical business 100
Piracy 117, 118
political hazards 165
Political systems 165
poor management 64
Price risk 68, 69
primary risks 120, 123
Probability 38
Product liability 146
product promotion 168
product strategy 121
project management 95, 104, 107
Prolonged trends 114
Public discomfort 97
pure risks 33

Q
quality risk 68
Quantity risk 68, 69

R
RAMP (Risk Analysis and Management of Projects) 92
rapid application development (RAD) 94
rare occasions 114
replenishment 168, 170, 171
reputation 68, 69, 70
research and development (R&D) 5
Risk 31, 32, 33, 35, 37, 38, 41, 43, 46, 47, 48, 52, 54, 55, 56, 57, 58
Risk acceptance 3
risk agenda 8
risk analysis 100, 101, 103, 111
Risk appetite 3
risk assessment 184, 185, 186, 191, 192, 193, 194, 195, 196, 197, 198, 201
risk capability 37
risk complexity 116
risk environment 3, 5, 6
risk management 2, 3, 5, 6, 10, 11, 12, 14, 16, 17, 18, 19, 24, 25, 27
risk management plan 5, 6, 10
risk materialization 193, 194, 201, 202
risk matrix 36, 37
Risk messaging 123
risk mitigation 32
risk prioritization 6
risk recording 12
risk registers 33, 55
risk retention 3
risk return analysis 146
risk-return ratio 90, 103
risk-reward equation 146
risk-seeking tactic 92
risk-taking behavior 92
risk tolerance 185, 194, 201
Risk transfer 3

S
Sarbanes-Oxley (SOX) 120
service taxes 143
Short-term hazards 43
small and medium-sized enterprises (SMEs) 147
stakeholder satisfaction 192
Strategic planning 44
supervisory scrutiny 115
supply chain alliances 167
supply chain management 66
Supply chain networks 168
Supply chain risk 162, 167
Sustainability 184, 191

T
taxonomy-based risk identification 5
team analysis 187
telecommunications 64, 76
terrorist attacks 115
thunderstorm activity 95

U
uninterrupted power supplies (UPS) 107

V
vendor-managed inventory (VMI) 73, 168
vendor-managed inventory (VMI) systems 168
