Chapter 5: Introduction to risk management
Content
1. Introduction to risk
2. Risks for businesses and their investors
3. Types of risk
4. Risk concepts
5. The objectives of risk management
6. The risk management process
7. Crisis management
8. Disaster recovery
1. Risk
1.1. Definition
1.2. Type of risk / Measurement of risk
- type of risk
Note 1: Cyber risk
Note 2: Cyber attack
Note 3: Cyber security
- Measurement of risk = risk concepts
1.3. Risk management process
2. Crisis
2.1. Definition
2.2. Type of crisis
2.3. Crisis management
3. Disaster
3.1. Disaster
3.2. Type of disaster
3.3. Disaster recovery
Note 1: Business Resilience
Note 2: Cyber resilience/Supply chain resilience
1. Introduction to risk
• Risk: The possible variation in an outcome from what is expected to
happen
• Variability: events in the future cannot be predicted with certainty
• Expectation: we expect something to happen, or perhaps hope that
it will not happen
• Outcomes: this is what actually happens compared with what is
intended or expected to happen
• Uncertainty: The inability to predict the outcome from an activity due
to a lack of information.
• Opportunity: The possibility that an event will occur and positively
affect the achievement of objectives.
2. Risks for businesses and their investors
• The risks faced by businesses in general are as follows.
• There are risks that trade conditions might be poor, and sales might
fall or costs might rise. A new product launch might be unsuccessful, or
an expensive research and development project might fail to produce a
new commercial product.
• There is a risk that inadequate controls within the business may result
in losses through inefficiency, damage to business reputation, or
deliberate fraud.
• A business might face risks of a financial nature, and losses might occur
because of the way it has financed an operation.
2. Risks for businesses and their investors - Risk and strategic planning
• Critical success factor (CSF): 'those product features that are
particularly valued by a group of customers and, therefore, where the
organisation must excel to outperform the competition'
2. Risks for businesses and their investors - Risk attitudes
2. Risks for businesses and their investors – Risk concepts
The scale of any risk for a business depends upon four key risk
concepts.
• Exposure is the measure of the way in which a business is
faced by risks.
• Volatility is how the factor to which a business is exposed is
likely to alter.
• Impact (or consequence) refers to measures of the amount of
the loss if the undesired outcome occurs
• Probability (or likelihood) means how likely it is that a
particular outcome will occur.
2. Risks for businesses and their investors – Expected returns
• When the business starts considering risk in relation to an
investment, it is also likely to derive a range of possible returns
from the investment, given best-case, worst-case and most-likely
scenarios. These can be combined in a probability-weighted average
to give the overall expected return.
3. Type of risks
- Strategy risk
- Enterprise risk
- Product risk: cannot sell the product/service in the expected
quantities
- Financial risk: controllable financial risk vs uncontrollable financial risk
  - Controllable financial risk: gearing risk (high borrowing, insolvency);
  credit risk (customers do not pay); liquidity risk (short of cash)
  - Uncontrollable financial risk (market risk = change in market price,
  interest rate, exchange rate,…)
- Operational risk = unexpected failure
3. Type of risks – Financial risks
• Controllable financial risk is financial risk arising from factors
that are within the business's direct control.
• Uncontrollable financial risk is financial risk arising from
factors that operate independently of the business. The key
factor here is market risk, that is the risk of losses resulting
from changes in
3. Type of risks – Operational risks
• Operational risk: The risk that actual losses, incurred because of inadequate or failed internal
processes, people and systems, or because of external events, differ from expected losses.
• Process risk: process may be ineffective/inefficient
• People risk: insufficient staff, incompetence, dishonesty,…
• System risk: risk of information and communication systems
• Event risk (external)
- Disaster risk: fire, flood,…
- Regulatory risk: new laws or regulations are introduced
- Reputation risk
- Systemic risk
- Social risks
- Political risks
- Legal risks
- Economic risks
- Technology risks
4. Cyber risk (a system risk, and therefore a form of operational risk)
Sources of cyber risk:
- Unintentional breach of security
- Deliberate/unauthorised breach of security to gain access
to an information system
- Poor system integrity
• Cyber risk is the risk of financial loss, disruption or damage to the
reputation of an organisation from failure of its information technology
systems due to accidents, breach of security, cyber attacks or poor
systems integrity
4. Cyber risk – Cyber attack
4. Cyber risk – Tackling cyber attacks
4. Cyber risk – Technical controls for cyber security
Use a firewall to secure its internet connection
Choose the most secure setting for its devices and software
Control who has access to data and services
Protect itself from viruses and other malware
Keep devices and software up to date
5. Risk concepts
• Exposure is a measure of the way in which a business is faced by
risk
• Volatility is how the factor to which a business is exposed is likely
to alter
• Impact refers to measures of the amount of the loss if the
undesired outcome occurs
• Probability means how likely it is that a particular outcome will
occur
+ Greatest risk: high exposure, high volatility, strong impact, high
probability
6. The objectives of risk management
The purpose of risk management is to understand, and then to
cost-effectively minimise, the business's exposure to risk and the
adverse effects of risks, by:
• Reducing the probability of risks occurring in the first place, and
then, if they do occur,
• Limiting the impact they will have on the business
7. The risk management process
• Risk awareness and identification, using techniques such as
brainstorming and analysis of past experience to identify the business's
exposure to risks
• Risk analysis (assessment and measurement); this considers the
volatility of particular factors, the probability of an event occurring and
the severity of the impact if it does. Measurement may be qualitative
or quantitative
• Risk response and control: in essence a risk can be avoided (do not do
the risky activity), reduced, shared or simply accepted
• Risk monitoring and reporting is a continuous process
Risk awareness and identification
• Risk identification
• Identifying the whole range of possible risks and the likelihood
of losses occurring as a result of these risks.
• Risk identification must be a continuous process
• Potential new risks may arise
• Existing risks may change
There are two approaches to identifying risks:
7. The risk management process – Risk analysis
• Significance can be measured in terms of the potential loss
arising as a result of the risk, that is its gross risk.
• This depends on:
The potential impact, quantified as an expected value
The probability of occurrence, measured mathematically, as a
decimal between 0 and 1
Gross risk = Probability x Impact
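The two calculations on these slides (the probability-weighted expected return across best-case, worst-case and most-likely scenarios, and gross risk = probability x impact used to rank risks before choosing to avoid, reduce, share or accept them) worked through in Python. This is an added illustration, not code from the original slides; the scenarios, the risk register entries, and the probability/impact thresholds used to pick a response are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed scenarios for one investment: (label, probability, return).
# The probabilities must sum to 1 for the weighted average to be meaningful.
SCENARIOS = [
    ("worst case", 0.2, -50_000.0),
    ("most likely", 0.6, 30_000.0),
    ("best case", 0.2, 80_000.0),
]


def expected_return(scenarios):
    """Probability-weighted average of the scenario returns."""
    total_p = sum(p for _, p, _ in scenarios)
    if abs(total_p - 1.0) > 1e-9:
        raise ValueError(f"scenario probabilities sum to {total_p}, not 1")
    return sum(p * r for _, p, r in scenarios)


@dataclass
class Risk:
    name: str
    probability: float  # decimal between 0 and 1
    impact: float       # expected loss (currency units) if the event occurs

    def gross_risk(self):
        """Gross risk = probability x impact, as defined on the slide."""
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.name}: probability must be in [0, 1]")
        return self.probability * self.impact


# Constructed risk register (assumed values, not from the slides).
RISK_REGISTER = [
    Risk("Untested software release breaks order system", 0.35, 150_000.0),
    Risk("Key customer defaults on invoices", 0.25, 120_000.0),
    Risk("Flood at main warehouse", 0.02, 2_000_000.0),
    Risk("Regulatory fine for late filing", 0.40, 5_000.0),
]


def qualitative_band(gross, low=10_000.0, high=40_000.0):
    """Qualitative measurement: map a quantitative gross risk to a band.
    The band boundaries are assumptions."""
    if gross >= high:
        return "high"
    if gross >= low:
        return "medium"
    return "low"


def suggest_response(risk, high_prob=0.3, high_impact=100_000.0):
    """Map probability and impact to the four responses named on the slide.
    Thresholds are assumptions; the mapping follows the usual matrix:
    high/high -> avoid, low prob/high impact -> share (e.g. insure),
    high prob/low impact -> reduce (controls), low/low -> accept."""
    hp = risk.probability >= high_prob
    hi = risk.impact >= high_impact
    if hp and hi:
        return "avoid"
    if hi:
        return "share"
    if hp:
        return "reduce"
    return "accept"


def rank_register(register):
    """Risk analysis step: order the register by gross risk, largest first."""
    return sorted(register, key=lambda r: r.gross_risk(), reverse=True)


if __name__ == "__main__":
    print(f"Expected return: {expected_return(SCENARIOS):,.0f}")
    for r in rank_register(RISK_REGISTER):
        g = r.gross_risk()
        print(f"{r.name:<48} gross={g:>10,.0f} "
              f"band={qualitative_band(g):<6} response={suggest_response(r)}")
```

Running the script prints the expected return (24,000 for the constructed scenarios) and the register ranked by gross risk with a band and a suggested response for each entry; in practice the thresholds would come from the organisation's stated risk appetite rather than the constants used here.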
7. The risk management process – Risk response and control
Physical controls: locks, speed limits, protective clothing,…
Financial controls: credit checks, credit limits and customer
deposits protect money
System controls: procedural controls, software controls
Management controls: organisation structure, annual budget
7. The risk management process – Monitoring and reporting risk
8. Crisis management
Crisis: an unexpected event that threatens the wellbeing of a
business, or a significant disruption to the business and its normal
operations which impacts on its customers, employees, investors
and other stakeholders
Crisis management: Identifying a crisis, planning a response to
the crisis and confronting and resolving the crisis
Types of crisis
In terms of effects
• Financial crisis: short term liquidity or cash flow problem, solvency problems,…
• Public relations crisis
• Strategic crisis:….
In terms of their cause.
• Natural event
• Industrial accident
• Product or service failure
• Public relations disaster
• Business crisis
• Management crisis
8. Crisis management - Managing a crisis
• Crisis prevention
• Contingency planning
• Effective action in the event of a crisis
9. Business resilience
Business resilience: a business's ability to manage and survive
planned or unplanned shocks and disruptions to its operations
Challenges to building a resilient organisation:
• Lack of expertise
• Lack of input from senior management
• Silos for delivery
• Limited sharing of risk information
Cyber resilience: the ability of an organisation to ensure that its
data and information are reliable, available, have integrity and are
adequately protected from unauthorised access
Threats to an organisation's cyber resilience:
• Mobile threats
• Networking and cloud considerations
• Access controls in the mobile world
• Other threats
10. Disaster recovery and business continuity planning
Business continuity plans:
• Standby procedures so that some operations can be performed
while normal services are disrupted
• Recovery procedures once the cause of the breakdown has been
discovered or corrected
• Personnel management policies to ensure that the above are
implemented properly
10. Disaster recovery and business continuity planning - Disaster recovery