
What risk is and why it is important
Lecturer: Fatima Rustamova

Content

1. Definitions of risk
2. Types of risks
3. Risk description
4. Levels of risk
5. Classification systems
6. Risk likelihood and impact
7. Why understanding risk is important
8. Impact of hazard risks
9. Attachment of risks
10. Risk and reward
11. Attitudes to risk
12. Risk and triggers


Introduction

Whatever we think of as ‘risk’, it is changing in the digital age. Organizations of all types – government, local and health authorities, manufacturers and service providers, financiers and criminals – now use computers and are digitally processing immense amounts of data. Almost half of all households worldwide have a computer at home, and, whilst it is estimated that number is a third of households in developing countries, the impact on everyday lives and activity cannot be underestimated.

As our everyday activity is changing, so should our attitude to risk. Mark Zuckerberg famously said that ‘in a world that is changing really quickly, the only strategy that is guaranteed to fail is not taking risks’.

Definitions of risk

Risk is often perceived as being undesirable: The Oxford English Dictionary defines risk in terms of hazard, danger, loss or adverse consequence.

Types of risks

Risk may have positive or negative outcomes and may be considered to be related to an opportunity or a threat, or simply to uncertainty of outcome for an organization. Every risk has its own characteristics that require particular management or analysis. In this book, risks are divided into four categories:
● compliance (or mandatory) risks;
● hazard (or pure) risks;
● control (or uncertainty) risks;
● opportunity (or speculative) risks.

In general terms, organizations will seek to minimize compliance risks, mitigate hazard risks, manage control risks and embrace opportunity risks.

Risk description

In order to fully appreciate a risk, a detailed description is necessary so that a common understanding of the risk can be identified and ownership/responsibilities may be clearly established. To determine the correct range of information to collect about each risk, the distinction between compliance, hazard, control and opportunity risks needs to be clearly understood.

Levels of risk

It is important to understand the level of risk that has been identified if no controls are in place:
● Inherent level of risk: The level of risk before any actions have been taken to change the likelihood or magnitude of the risk.
● Current or residual level of risk: The level of risk after initial control measures have been put in place.
● Target level of risk: The level of risk that is desired or will be obtained with the application of further control measures.

The inherent level of risk is sometimes referred to as the ‘gross’ or absolute risk. The current or residual level of risk is sometimes referred to as the ‘net’ or the managed level of risk.

Classification systems

Risks can be classified according to the nature of the attributes of the risk. These can be:
● timescale – both at impact and after the event;
● source of the risk, for example counterparty or credit risk;
● nature of the impact and/or likely magnitude of the risk;
● component or feature that will be impacted (e.g. risks can impact people, premises, processes or products).

There is no universal classification system that fulfils the requirements of all organizations. It is likely that each risk will need to be classified in several ways in order to clearly understand its potential impact.

Risk likelihood and impact

Why understanding risk is important

Following the Covid-19 pandemic, many organizations took a greater interest and a proactive approach to risk and risk management. It is increasingly understood that the explicit and structured management of risks brings benefits. Organizations that manage risks will be able to achieve the following four areas of improvement, which are abbreviated as STOC throughout this book:
● Strategy: Because the risks associated with different strategic options will be fully analysed, better strategic decisions will be reached.
● Tactics: Because consideration will have been given to selection of the tactics and the associated risks involved, available alternatives can be evaluated.
● Operations: Because events that can cause disruption will be identified in advance and actions taken to reduce their likelihood of occurring, the damage caused by these events will be limited and the costs contained.
● Compliance: This will be enhanced because the risks associated with failure to achieve compliance with statutory and customer obligations will be addressed.

Impact of hazard risks

Hazard risks are often insurable as they can only have a negative outcome. Hazard risk management is concerned with issues such as health and safety at work, fire prevention and avoiding the consequences of defective products. Hazard risks can cause disruption to normal operations, as well as resulting in increased costs and poor publicity associated with disruptive events.

If a hazard risk materializes, it may have a very large impact. For example, a fire could destroy the main distribution warehouse of an organization, but the risks can be reduced by putting in place controls to minimize financial impact (by insurance) or reduce the extent of damage to reputation (through crisis management).

Attachment of risks

The organization will need to ask what features or components are key to success. This will result in the identification of the strengths, weaknesses, opportunities and threats facing the organization. This is often referred to as a SWOT analysis. Having identified key dependencies, the organization can then consider the risks that will impact these dependencies.

Risks may be attached to core processes, as well as being attached to objectives and/or key dependencies. Core processes can be classified as strategic, tactical, operational and compliance (STOC). In all cases, the core processes need to be effective and efficient. Mature (or sophisticated) risk management activities can then be designed to enhance the effectiveness and efficiency of core processes.

Risk and reward

Attitudes to risk

Different organizations will have different attitudes to risk. However, risk attitude is the organization’s approach to assess, pursue, retain or avoid risks.

Some organizations may be considered to be risk averse, whilst others will be risk aggressive. The attitude of the organization to risk will depend on the attitude of the board, the nature of the sector and the marketplace within which it operates.

Risks need to be considered inside the context that gave rise to them. An organization may appear to be risk aggressive about an opportunity the board has decided should not be missed. The particular opportunity needs to have been fully considered for the organization to evaluate that risk correctly.

Attitude to risk is a complex subject and is closely related to the risk appetite of the organization, but they are not the same.
● Risk attitude indicates the way the organization perceives the likelihood and impact of uncertainty (including what it can do about the uncertainty).
● Risk appetite indicates the amount of risk an organization is willing to seek or accept in pursuit of its long-term objectives.

Risk and triggers

The purpose of using the bow-tie illustration is to demonstrate the risk classification systems used by the organization and the potential range of impacts should a risk materialize. Controls can be put in place to optimize the risk occurring (preventing downside or, if it’s an opportunity, controls can make it more likely to happen and its impact bigger), and these can be represented by vertical lines on the left-hand side of the bow-tie. In a similar manner, recovery controls can be represented on the right-hand side of the bow-tie.
THANKS!
ANY QUESTIONS?
