RISK MANAGEMENT

President Ramon Magsaysay State University

(Formerly Ramon Magsaysay Technological University)
College of Accountancy and Business Administration
Iba, Zambales, Philippines
Tel/Fax No.: (047) 811-1683

College/Department College of Accountancy and Business Administration

Course Code Major Elec 2
Course Title RISK MANAGEMENT
Place of the Course in the
Major Subject
Program
Semester & Academic
First Semester AY 2021-2022
Year
Author JOHN REY MERCURIO

Chapter 3
RISK ASSESSMENT

Learning Objectives:
 describe the importance of risk assessment as a critically important stage in
the risk management process;
 outline the range of risk assessment techniques that are available and the
advantages/disadvantages of each technique;
 describe the importance of risk classification systems and describe the key
features of the best-established systems;
 provide examples of the use of a risk matrix, including using it to indicate
the dominant risk response in each quadrant;
 use a risk matrix to indicate the risk appetite of an organization and whether
the organization is risk averse or risk aggressive;

RISK MANAGEMENT JOHNREYMERCURIO

 RISK MANAGEMENT

 describe the main components of loss control as loss prevention, damage

limitation and cost containment and provide practical examples;
 demonstrate the use of loss-control actions to reduce the impact of an event
that has a large magnitude before mitigation;

DISCUSSION:

RISK ASSESSMENT CONSIDERATIONS

Importance of risk assessment
Risk assessment involves the recognition of risks and the rating of them to
determine the significant risks facing the organization, project or strategy. Because
the risk management input into strategy focuses on improved decision
making, risk assessment is the main risk management input into strategy
formulation. Risks may be attached to corporate objectives, stakeholder
expectations, core processes and key dependencies. Whichever of these features is
selected as the starting point, risk assessment can be undertaken. The purpose of
risk assessment is to identify the significant risks that could impact the selected
feature.
Although risk assessment is vitally important, it is only useful if the
conclusions of the assessment are used to inform decisions and/or to identify the
appropriate risk responses for the type of risk under consideration. It should be
considered as the starting point of the risk management process and it is certainly
not an end in itself.
An important feature of undertaking a risk assessment is to decide whether
the identified risk is going to be evaluated at the inherent level or at the current (or
residual) level. Assessment of inherent risk is undertaken without taking account of
the controls that are currently in place.
RISK MANAGEMENT JOHNREYMERCURIO
 RISK MANAGEMENT

Approaches to risk assessment

There are several approaches that can be taken when planning how to
undertake risk assessment. One of the key decisions will be who to involve in the
risk assessment exercise. Sometimes risk assessments are undertaken by the board
of directors as a top-down exercise. Risk assessments can also be undertaken by
involving individual members of staff and local departmental management. This
bottom-up approach is also valuable.

Risk assessment techniques

There are a wide range of risk assessment techniques available and a Final
Draft International Standard (FDIS) has recently been published providing detailed
information on the full range of risk assessments techniques that can be used.

Table 1.1 Technique of risk assessment

TECHNIQUE BRIEF DISCUSSION
Questionnaires and checklists Use of structured questionnaires and
checklists to collect information that will
assist with the recognition of the significant
risks
Workshops and brainstorming Collection and sharing of ideas at
workshops to discuss the events that could
impact the objectives, core processes or key
dependencies
Inspections and audits Physical inspections of premises and
activities and audits of compliance with

RISK MANAGEMENT JOHNREYMERCURIO

 RISK MANAGEMENT

established systems and procedures

Flowcharts and dependency Analysis of the processes and operations
analysis within the organization to identify critical
components that are key to success
HAZOP and FMEA Hazard and operability studies and failure
approaches modes effects analysis are quantitative
technical failure analysis techniques
SWOT and PESTLE analysis Strengths, weaknesses, opportunities,
threats (SWOT) and political, economic,
social, technological, legal, environmental
(PESTLE) analyses offer structured
approaches to risk identification

Checklists and questionnaires have the advantage that they are usually simple to
complete and are less time-consuming than other risk assessment techniques.
However, this approach suffers from the disadvantage that any risk not referenced
by appropriate questions may not be recognized as significant. A simple analysis of
the advantages and disadvantages of each of the most common risk assessment
techniques is set out in Table 1.2

Table 1.2 Advantage and Disadvantage of Risk Assessment Technique

Technique Advantage Disadvantage

Questionnaires and checklists  Consistent structure  Rigid approach may
guarantees consistency result in some risks
 Greater involvement being missed
than in a workshop  Questions will be based
on historical knowledge
Workshops and brainstorming  Consolidated opinions  Senior management
from all interested tends to dominate
parties  Issues will be missed if
 Greater interaction incorrect people

RISK MANAGEMENT JOHNREYMERCURIO

 RISK MANAGEMENT

produces more ideas involved

Inspections and audits  Physical evidence forms  Inspections are most
the basis of opinion suitable for hazard risks
 Audit approach results  Audit approach tends to
in good structure focus on historical
experience
Flowcharts and dependency  Useful output that may  Difficult to use for
analysis be used elsewhere strategic risks
 Analysis produces better  May be very detailed
understanding of and time consuming
processes
HAZOP and FMEA  Structured approach so  Most easily applied to
approaches that no risks are omitted manufacturing
 Involvement of a wide operations
range of personnel  Very analytical and
time-consuming
approach
SWOT and PESTLE analysis  Well-established  Focused approach that
techniques with proven may miss some
results categories of risk
 SWOT analysis can be  Rigid structure restricts
linked to strategic imaginative thinking
decisions

Given that risks can be attached to other aspects of an organization as well

as or instead of objectives, a convenient and simple way of analyzing risks is to
identify the key dependencies faced by the organization. Most people within an
organization will be able to identify the aspects of the business that are
fundamentally important to its future success. Identifying the factors that are
required for success will give rise to a list of the key dependencies for the
organization.

RISK CLASSIFICATIO SYSTEM

RISK MANAGEMENT JOHNREYMERCURIO

 RISK MANAGEMENT

SHORT, MEDIUM AND LONG TERM

Although it is not a formalized system, the classification of risks into short,

medium and long term helps to identify risks as being related (primarily) to
operations, tactics and strategy, respectively. This distinction is not clear-cut,
but it can assist with further classification of risks. In fact, there will be some short-
term risks to strategic core processes and there may be some medium-term and
long-term risks that could impact operational core processes.

A short-term risk has the ability to impact the objectives, key dependencies
and core processes, with the impact being immediate. These risks can cause
disruption to operations immediately at the time the event occurs.

A medium-term risk has the ability to impact the organization following a

(short) delay after the event occurs. Typically, the impact of a medium-term
risk would not be apparent immediately, but would be apparent within months, or
at most a year after the event.

A long-term risk has the ability to impact the organization some-time after
the event occurs. Typically, the impact could occur between one and five-years
(or more) after the event. Long-term risks usually impact the ability of the
organization to maintain the core processes that are concerned with the
development and delivery of efficacious strategy.

PURPOSE OF RISK CLASSIFICATION SYSTEMS

In order to identify all of the risks facing an organization, a structure for risk
identification is required. Formalized risk classification systems enable the
organization to identify where similar risks exist within the organization.

RISK MANAGEMENT JOHNREYMERCURIO

 RISK MANAGEMENT

Classification of risks also enables the organization to identify who should be

responsible for setting strategy for management of related or similar risks. Also,
appropriate classification of risks will enable the organization to better identify the
risk appetite, risk capacity and total risk exposure in relation to each risk, group of
similar risks or generic type of risk.

Examples of risk classification systems

Standard COSO IRM BS 31100 FIRM PESTLE
or Risk
framework Scorecard
Classification Strategic Financial Strategic Financial Political
headings Operations Strategic Programe Infrastructure Economic
Reporting Operational Project Reputational Sociological
Compliance Hazard Financial Marketplace Technological
Operational Legal
Environmental

There are similarities in the way that risks are classified by the different risk
classification systems. However, there are also differences, including the fact that
operational risk is referred to as infrastructure risk in the FIRM risk scorecard.
COSO takes a narrow view of financial risk, with particular emphasis on reporting.
The different systems have been devised in different circumstances and by different
organizations; therefore, the categories will be similar but not identical.

British Standard BS 31100 sets out the advantages of having a risk

classification system. These benefits include helping to define the scope of risk
management in the organization, providing a structure and framework for risk
identification, and giving the opportunity to aggregate similar kinds of risks across
the whole organization.
RISK MANAGEMENT JOHNREYMERCURIO
 RISK MANAGEMENT

The British Standard states that the number and type of risk categories
employed should be selected to suit the size, purpose, nature, complexity and
context of the organization. The categories should also reflect the maturity of risk
management within the organization. Perhaps the most commonly used risk
classification systems are those offered by the COSO ERM framework and by the
IRM risk management standard.

However, the COSO risk classification system is not always helpful and it
contains several weaknesses. For example, strategic risks may also be present in
operations and in reporting and compliance. Despite these weaknesses, the COSO
framework is in widespread use, because it is the recognized and recommended
approach for compliance with the requirements of the Sarbanes–Oxley Act.

The reporting component of the COSO internal control framework is

specifically concerned with the accuracy of the reporting of financial data and is
designed to fulfil the requirements of section 404 of the Sarbanes–Oxley Act. It is
worth noting that the COSO ERM framework

FIRM risk scorecard

Financial; Infrastructure; Reputational; Marketplace.

Financial Infrastructure Reputational Marketplace

Description Risks that can impact Risks that will Risks that will Risks that will impact
the way in which impact the level impact desire of the level of customer
money is managed of efficiency and customers to deal trade or expenditure
and profitability is dysfunction or trade and level and customer
achieved within the core of customer retention

RISK MANAGEMENT JOHNREYMERCURIO

 RISK MANAGEMENT

processes retention
Internal or Internal Internal External External
External Risk
Quantifiable Usually Sometimes Not always Yes
Measurement Gains and losses from Level of efficiency Nature of publicity Income from
(performance internal financial in processes and and effectiveness commercial and
indicator) control operations of marketing market activities
profile
Performance Procedures Failure of Process Perception Failure Presence Failure to
Gap procedures to control Failure of to achieve the achieve required
internal financial risks processes to desired perception presence in the
operate without of the organization marketplace
dysfunction
Control  CapEx  Process  Marketing  Strategic and
Mechanism standards
control  Advertising business plans
 
 Internal
Loss
 Reputation Opportunity
control
and brand assessment
control
 Insurance protection
 Delegation of
and risk
authority
financing

PESTLE risk classification system

Category of Risk Description

Political tax policy, employment laws, environmental
regulations, trade restrictions and reform,
tariffs and political stability.
Economic economic growth/decline, interest rates, exchange
rates and inflation rate, wage rates, minimum
wage, working hours, unemployment (local and
national), credit availability, cost of living, etc.
Sociological cultural norms and expectations, health
consciousness, population growth rate, age
distribution, career attitudes, emphasis on
RISK MANAGEMENT JOHNREYMERCURIO
 RISK MANAGEMENT

safety, global warming.

Technological technology changes that impact your products
or services, new technologies, barriers to
entry in given markets, fi nancial decisions
like outsourcing and supply chain.
Legal changes to legislation may impact
employment, access to materials, quotas,
resources, imports/exports, taxation etc.
Environment ecological and environmental aspects,
although many of these factors will be
economic or social in nature.

RISK MANAGEMENT JOHNREYMERCURIO