Risk Management Module 1 and 2
Chapter 1
INTRODUCTION TO RISK MANAGEMENT
MARWENA M. DIAZ 1
RISK MANAGEMENT
DISCUSSION:
Introduction:
Approaches to defining the risk
The Oxford English Dictionary definition of risk is as follows: ‘a chance or possibility
of danger, loss, injury or other adverse consequences’ and the definition of at risk is
‘exposed to danger’. In this context, risk is used to signify negative consequences.
However, taking a risk can also result in a positive outcome. A third possibility is that
risk is related to uncertainty of outcome.
Organization: Definition
ISO Guide 73 / ISO 31000: Effect of uncertainty on objectives. Note that an effect may be positive, negative, or a deviation from the expected. Also, risk is often described by an event, a change in circumstances or a consequence.
Institute of Risk Management (IRM): Risk is the combination of the probability of an event and its consequence. Consequences can range from positive to negative.
"Orange Book" from HM Treasury: Uncertainty of outcome, within a range of exposure, arising from a combination of the impact and the probability of potential events.
Institute of Internal Auditors: The uncertainty of an event occurring that could have an impact on the achievement of the objectives. Risk is measured in terms of consequences and likelihood.
Alternative definition by the author: Event with the ability to impact (inhibit, enhance or cause doubt about) the mission, strategy, projects, routine operations, objectives, core processes, key dependencies and/or the delivery of stakeholder expectations.
Risk in an organizational context is usually defined as anything that can impact the
fulfilment of corporate objectives. However, corporate objectives are usually not fully stated
by most organizations. Where the objectives have been established, they tend to be stated as
internal, annual, change objectives. This is particularly true of the personal objectives set for
members of staff in the organization, where objectives usually refer to change or
developments, rather than the continuing or routine operations of the organization.
Types of Risk
Risks can be classified in many ways. Hazard risks can be divided into many types of
risks, including risks to property, risks to people and risks to the continuity of the business.
Although it should not be considered to be a formal risk classification system, this part
considers the value of classifying risks according to the timeframe for the impact of the risk.
Classification of risk
Long-term Risk
o will impact several years, perhaps up to five years, after the event occurs or
the decision is taken.
o Long-term risks therefore relate to strategic decisions. When a decision is
taken to launch a new product, the impact of that decision (and the success of
the product itself) may not be fully apparent for some time.
Medium-term Risk
o have their impact some time after the event occurs or the decision is taken,
and typically this will be about a year later.
o Medium-term risks are often associated with projects or programs of work.
o decisions regarding the project to implement the new software will be
medium-term decisions with medium-term risk attached.
Short-term Risk
o have their impact immediately after the event occurs
o Accidents at work, traffic accidents, fire and theft are all short-term risks that
have an immediate impact and immediate consequences as soon as the event
has occurred.
o These short-term risks cause immediate disruption to normal, efficient
operations and are probably the easiest types of risks to identify and manage.
Insurable Risk
o are quite often short-term risks, although the exact timing and magnitude/
impact of the insured events is uncertain
o In other words, insurance is designed to provide protection against risks that
have immediate consequences
o In the case of insurable risks, the nature and consequences of the event may be
understood, but the timing of the event is unpredictable.
Control Risk
o are risks that cause doubt about the ability to achieve the mission of the
organization.
o are associated with uncertainty, and examples include the potential for legal
non-compliance and losses caused by fraud.
o They are usually dependent on the successful management of people and
successful implementation of control protocols
o are the most difficult type of risk to describe
Internal financial control protocols are a good example of a response to a control risk. If
the control protocols are removed, there is no way of being certain about what will happen.
Opportunity Risk
o are the risks that are (usually) deliberately sought by the organization
o These risks arise because the organization is seeking to enhance the
achievement of the mission, although they might inhibit the organization if the
outcome is adverse.
o This is the most important type of risk for the future long-term success of any
organization.
Principles and Aims of Risk Management
Risk management operates on a set of principles, and there have been several attempts
to define these principles. It is suggested that a successful risk management initiative will be:
Proportionate to the level of risk within the organization;
Aligned with other business activities;
Comprehensive, systematic and structured;
Embedded within business processes;
Dynamic, iterative and responsive to change.
These five requirements form the acronym PACED and make a very good set of principles on
which a successful approach to risk management within any organization can be founded. A
more detailed description of the PACED principles of risk management is set out in Table
5.1. The approach to risk management is based on the idea that risk is something that can be
identified and controlled.
Principle: Description
Proportionate: Risk management activities must be proportionate to the level of risk faced by the organization.
Aligned: Risk management activities need to be aligned with the other activities in the organization.
Comprehensive: In order to be fully effective, the risk management approach must be comprehensive.
Embedded: Risk management activities need to be embedded within the organization.
Dynamic: Risk management activities must be dynamic and responsive to emerging and changing risks.
Learning Activities
Part I
Identify the following.
__________1. Risk is the combination of the probability of an event and its consequence.
Consequences can range from positive to negative.
__________2. Lack of people skills and / or resources Unexpected absence of key personnel
Ill-health, accident or injury to people
__________3. Accidental damage to physical assets Breakdown of plant or equipment
__________4. Accidents at work, traffic accidents, fire and theft are all short-term risks that
have an immediate impact and immediate consequences as soon as the event has occurred.
__________5. Inadequate or insufficient premises
Part II
Define the following:
Long-term Risk
Medium-term Risk
Hazard Risk
Opportunity Risk
PACED
Part III
Essay:
1. In your own understanding, what is Risk Management?
2. In your own words, what is the difference between hazard risk, control risk and
opportunity risk?
Chapter 2
APPROACHES TO RISK MANAGEMENT
Intended Learning Outcomes:
At the end of this chapter, the students should be able to:
DISCUSSION:
Risk Management Standard
Risk management standards set out a specific set of strategic processes which start
with the overall aspirations and objectives of an organization, and are intended to help
identify risks and promote the mitigation of risks through best practice.
Standards are often designed and created by a number of agencies who are working
together to promote common goals, to help to ensure that organizations carry out high-quality
risk management processes.
Risk management standards act as a guide to help ensure that risk management is
carried out in a proper way. Standards usually include checkpoints and examples to make it
easier for organizations to comply.
Risk management standards have been designed so that those who must carry out risk
management processes have a guide to help them to work. These standards help to provide an
international consensus on how to deal with certain risks, and they offer best practice advice
on how to deal with others. Risk management standards help organizations to implement
strategies which are tried and tested, and proven to work.
There are two elements of the process that can be considered as continually acting. These
are:
Communication and consultation with internal and external stakeholders, which
ISO 31000 treats, together with monitoring and review, as an activity that runs
throughout the whole process rather than as a single step.
Monitoring and review, so that appropriate action occurs as new risks emerge and
existing risks change as a result of changes in either the organization's objectives or
the internal and external environment in which they are pursued. This involves
environmental scanning by risk owners, control assurance, taking on board new
information that becomes available, and learning lessons about risks and controls
from the analysis of successes and failures.
The central spine of the risk management process is concerned with preparing for
and then conducting risk assessment leading, as necessary, to risk treatment. The process
starts through defining what the organization wants to achieve and the external and internal
factors that may influence success in achieving those objectives. This step is called
establishing the context and is an essential precursor to risk identification.
Risk assessment under ISO 31000 comprises the three steps of risk identification,
risk analysis, and risk evaluation.
Risk identification requires the application of a systematic process to understand
what could happen, how, when, and why.
In ISO 31000, risk analysis is concerned with developing an understanding of each
risk, its consequences, and the likelihood of those consequences. Whether the end result is
expressed as a qualitative, semiquantitative, or quantitative manner, gaining this
understanding requires consideration of the effect and reliability of existing controls and any
control gaps. Risk analysis can be undertaken with varying degrees of detail, depending on
the risk, the purpose of the analysis, and the information, data, and resources available.
Analysis can be qualitative, semiquantitative, quantitative, or a combination of these,
depending on the circumstances.
Risk evaluation then involves deciding about the level of risk and the priority for
attention through the application of the criteria developed when the context was established.
Risk treatment is the process by which existing controls are improved or new
controls are developed and implemented. It involves evaluation of and selection from options,
including analysis of costs and benefits and assessment of new risks that might be generated
by each option, and then prioritizing and implementing the selected treatment through a
planned process. If this process is followed, the systematic way in which the risks have been
assessed means that risk treatment can proceed with confidence.
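The steps above (establish the context, identify, analyse, evaluate, then prioritize treatment) can be made concrete with a small semiquantitative assessment run over a risk register. The block below is an added worked example for this module; it is not code from Hopkin, from ISO 31000 or from any standard. The 1-to-5 scales, the number of scale points each control removes, the acceptance criteria and the register entries are all assumptions constructed for illustration. It also shows the difference between the inherent level (controls ignored) and the current or residual level, and why a control that exists on paper but fails control assurance is a control gap that earns no credit.

```python
"""Semiquantitative risk assessment over a constructed risk register.

Added worked example; not code from Hopkin, ISO 31000 or the module itself.
The scales, control reductions, risk criteria and register entries are all
assumptions chosen to illustrate the steps, not values from any standard.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Step 1 (establishing the context): the criteria are fixed before any risk is
# analysed. Likelihood and impact are scored 1..5 (assumed ordinal scales) and
# the risk score is their product. Assumed criteria: accept a score up to 6,
# treat a score up to 15, anything higher is intolerable and is treated first.
ACCEPT_MAX, TREAT_MAX = 6, 15


@dataclass
class Control:
    name: str
    reduces: str        # "likelihood" or "impact"
    points: int         # scale points removed when the control operates (assumed)
    reliable: bool      # outcome of control assurance: does it actually operate?


@dataclass
class Risk:
    ref: str
    description: str
    likelihood: int     # inherent level, ignoring controls
    impact: int         # inherent level, ignoring controls
    controls: List[Control] = field(default_factory=list)


def residual(risk: Risk) -> Tuple[int, int]:
    """Current (residual) level: credit only controls that assurance found to be
    operating. A control that exists on paper but is not reliable is a control
    gap and earns no reduction, which is what makes it a control risk."""
    lik, imp = risk.likelihood, risk.impact
    for ctl in risk.controls:
        if not ctl.reliable:
            continue
        if ctl.reduces == "likelihood":
            lik = max(1, lik - ctl.points)
        else:
            imp = max(1, imp - ctl.points)
    return lik, imp


def score(level: Tuple[int, int]) -> int:
    lik, imp = level
    return lik * imp


def evaluate(level: Tuple[int, int]) -> str:
    """Risk evaluation: compare the analysed level with the criteria that were
    set when the context was established."""
    s = score(level)
    if s <= ACCEPT_MAX:
        return "accept"
    if s <= TREAT_MAX:
        return "treat"
    return "intolerable"


def assess(register: List[Risk]) -> List[dict]:
    """Run analysis and evaluation over an identified register and return the
    risks in treatment priority order (highest residual score first)."""
    rows = []
    for risk in register:
        res = residual(risk)
        rows.append({
            "ref": risk.ref,
            "inherent": score((risk.likelihood, risk.impact)),
            "residual": score(res),
            "decision": evaluate(res),
            "control_gaps": [c.name for c in risk.controls if not c.reliable],
        })
    rows.sort(key=lambda r: r["residual"], reverse=True)
    return rows


def build_register() -> List[Risk]:
    """Constructed sample register (not real data)."""
    return [
        Risk("R1", "Ransomware encrypts file servers", 4, 5, [
            Control("Offline backups", "impact", 2, reliable=True),
            Control("Email filtering", "likelihood", 1, reliable=True),
            # Assurance found the endpoint agent missing on a third of hosts.
            Control("Endpoint detection", "likelihood", 1, reliable=False),
        ]),
        Risk("R2", "Unexpected absence of key personnel", 3, 3, [
            Control("Cross-training", "impact", 1, reliable=True),
        ]),
        Risk("R3", "Fraudulent payment approved", 3, 4, [
            # Dual authorisation is documented, but one user holds both roles.
            Control("Dual authorisation", "likelihood", 2, reliable=False),
        ]),
    ]


if __name__ == "__main__":
    for row in assess(build_register()):
        print(row)
```

Running it puts R3 first: its inherent score of 12 is lower than R1's 20, but R1's reliable controls bring it down to 9 while R3's only control has failed assurance, so its residual stays at 12. Ranking by the inherent level alone would have put the effort in the wrong place, which is why the module stresses deciding up front whether the assessment is at the inherent or the current level.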
How do Risk management standards impact on managing organizational risk?
Risk management standards affect the ways in which risk management processes
are created and implemented. They offer guidance on setting the context of the strategies, as
well as providing ideas about what should and should not be implemented as part of the risk
management strategy. Many standards provide advice on how best to quantify and classify
risk.
What terms are used in Risk management standards?
Standard – a rule or principle which is used as the basis for judgment of the risk
management process, a series of checkpoints which an organization should strive to achieve.
Risk – a potential consequence of an action. In recent developments in risk management, a
risk can now be considered to be a negative or a positive consequence. A risk may or may not
occur.
Management – the strategies which are implemented in an attempt to combat potential risk.
Advantages of ERM
In creating ERM initiatives, companies should focus not only on the downside of risk
but on the upside as well. The traditional approach was to concentrate on negatives—the
losses from currency or interest rate trades in financial markets, for instance, or financial
losses that might be caused by a disruption in a supply chain or a cyber-attack that impairs a
company's information technology.
In thinking about the upside, companies are now expected to consider competitive
opportunities and strategic advantages that might arise out of the deft management of risk.
Such decisions include where to locate a plant or office abroad, based on a risk analysis
of the political environment in the country concerned.
The "upside" also includes focusing on preventive measures that help a company
avoid potential disasters down the road. For example, some of these actions may include
determining when and how physical assets need to be maintained and replaced.
This way, the company can avoid unexpected and costly plant and equipment failure
that might result in shutdowns, explosions or other events that put a company's employees,
communities and public profile at risk. Understanding that their most important and valuable
asset is their image, some companies work proactively when dealing with man-made or
natural disasters.
Example of Enterprise Risk Management
One of the most frequently cited examples of reputation risk management in corporate history
involves Johnson & Johnson. The pharmaceutical giant found its reputation and its stock
price severely bruised in 1982 over revelations that someone had tampered with and poisoned
bottles of its pain reliever Tylenol, resulting in several deaths.
The company reacted quickly, removing and replacing its products at retail outlets,
cooperating fully with law enforcement authorities, and keeping the media (and, hence, the
public) informed throughout. Its decisive actions and honest open communication during the
crisis helped in the recovery of share value within a few months.
Between 2006 and 2008 the push was for companies to prove they were "going green",
hoping that aggressive environmental risk management would position their products, plants,
supply chain, and other operations positively with current and future customers.
To build these capabilities, an ERM advisory engagement (as described in the PwC source listed in the references) typically works with the organization to:
Identify and assess the current risks facing your organization - at an enterprise-wide
level and at business unit or activity levels - using qualitative and quantitative
measurement techniques
Assist you to understand the different stages of evolution and sophistication of ERM
and to determine what attributes you want your risk management program to have
Assess the current state of risk management throughout your organization and make
recommendations for improvement
Design an ERM program - including the desired risk culture, risk appetite and
tolerances, risk management process, structure, methodologies and systems - and
implementation plan -that will achieve the program you envision
Implement ERM pilots and assist with a full organization wide implementation
Help establish Risk Management functions and/or Committee
Design and conduct tailored risk management training and awareness sessions for
directors, management and staff
Automate the risk assessment process
Learning Activities
Part I
Identification:
__________1. set out a specific set of strategic processes which start with the overall
aspirations and objectives of an organization, and intend to help to identify risks and promote
the mitigation of risks through best practice.
__________2. is concerned with preparing for and then conducting risk assessment leading,
as necessary, to risk treatment.
__________3. requires the application of a systematic process to understand what could
happen, how, when, and why.
__________4. the process by which existing controls are improved or new controls are
developed and implemented.
__________5. is a plan-based business strategy that aims to identify, assess, and prepare for
any dangers, hazards, and other potentials for disaster—both physical and figurative—that
may interfere with an organization's operations and objectives.
Part II
Enumeration:
Three (3) types of risk management standards
1.
2.
3.
Three (3) types of Risk Assessment
1.
2.
3.
Six (6) steps to achieve ERM
1.
2.
3.
4.
5.
6.
Part III
Essay:
1. How important is Enterprise Risk Management in business? Elucidate your answer.
2. In your own words, how do Risk management standards impact on managing
organizational risk?
Chapter 2
APPROACHES TO RISK MANAGEMENT
Learning Objectives:
describe the importance of risk assessment as a critically important stage
in the risk management process;
outline the range of risk assessment techniques that are available and the
advantages/disadvantages of each technique;
describe the importance of risk classification systems and describe the
key features of the best-established systems;
provide examples of the use of a risk matrix, including using it to indicate
the dominant risk response in each quadrant;
use a risk matrix to indicate the risk appetite of an organization and
whether the organization is risk averse or risk aggressive;
describe the main components of loss control as loss prevention, damage
limitation and cost containment and provide practical examples;
demonstrate the use of loss-control actions to reduce the impact of an
event that has a large magnitude before mitigation;
DISCUSSION:
Risk assessment considerations
Importance of risk assessment
Risk assessment involves the recognition of risks and the rating of them
to determine the significant risks facing the organization, project or strategy.
Because the risk management input into strategy focuses on improved decision
making, risk assessment is the main risk management input into strategy
formulation. Risks may be attached to corporate objectives, stakeholder
expectations, core processes and key dependencies. Whichever of these features
is selected as the starting point, risk assessment can be undertaken. The purpose
of risk assessment is to identify the significant risks that could impact the
selected feature.
Although risk assessment is vitally important, it is only useful if the
conclusions of the assessment are used to inform decisions and/or to identify the
appropriate risk responses for the type of risk under consideration. It should be
considered as the starting point of the risk management process and it is
certainly not an end in itself.
An important feature of undertaking a risk assessment is to decide
whether the identified risk is going to be evaluated at the inherent level or at the
current (or residual) level. Assessment of inherent risk is undertaken without
taking account of the controls that are currently in place.
There are several approaches that can be taken when planning how to
undertake risk assessment. One of the key decisions will be who to involve in
the risk assessment exercise. Sometimes risk assessments are undertaken by the
board of directors as a top-down exercise. Risk assessments can also be
undertaken by involving individual members of staff and local departmental
management. This bottom-up approach is also valuable.
References:
Hopkin, Paul (2017). Fundamentals of Risk Management: Understanding, Evaluating and Implementing Effective Risk Management, 4th edition.
https://www.skillmaker.edu.au/risk-management-standards
https://www.pwc.com/la/en/risk-assurance/enterprise-risk-management.html
Prepared by:
JOHN REY MERCURIO
Instructor