
Chapter 4 Scope of Risk Management


CHAPTER 4 SCOPE OF RISK MANAGEMENT

Origin of Risk Management

• Risk management has a variety of origins and is practised by a wide range of professionals. One of the early developments in risk management emerged in the United States out of the insurance management function. The practice of risk management became more widespread and better co-ordinated because the cost of insurance in the 1950s had become prohibitive and the extent of coverage limited. Organizations realized that purchasing
• This combined approach to risk financing and risk control developed in Europe during the 1970s and the concept of total cost of risk became important.

Definitions of risk management according to:
• ISO Guide 73 BS 31100: Co-ordinated activities to direct and control an organization with regard to risk
• Institute of Risk Management (IRM): Process which aims to help organizations understand, evaluate and take action on all their risks with a view to increasing the probability of success and reducing the likelihood of failure
• HM Treasury: All the processes involved in identifying, assessing and judging risks, assigning ownership, taking actions to mitigate or anticipate them, and monitoring and reviewing progress
• London School of Economics: Selection of those risks a business should take and those which should be avoided or mitigated, followed by action to avoid or reduce risk
• Author definition: Risk management is the set of activities within an organization undertaken to deliver the most favourable outcome and reduce the volatility or variability of that outcome.

DEVELOPMENT OF RISK MANAGEMENT
• Risk management has been a formalized discipline for over 100 years, with its origins in the specialist activity of insurance. As insurance became more formalized and structured, the need for risk control standards increased, particularly in relation to the insurance of cargo being transported by ships around the world.
• The emergence of risk management standards, such as AS/NZS 4360:1995, led to the emergence of comprehensive risk management approaches across various industries, including the finance sector.
• Corporate risk management in the United States during the 1950s became an extension of insurance purchasing decisions, with contingency planning becoming more important in organizations.
• In the 1980s, treasury departments began developing the financial approach to risk management, with recognition that insurance risk management and financial risk management policies should be better coordinated.
• In the 1990s, risk financing products combining insurance with derivatives emerged, and corporate governance and listing requirements encouraged directors to place greater emphasis on enterprise risk management (ERM).
• In the 2000s, financial services firms were encouraged to develop internal risk management systems and capital models, with the rapid growth of CRO positions in energy companies, banks, and insurance companies.
SPECIALIST AREAS OF RISK MANAGEMENT
• Risk management is a constantly developing and evolving discipline. As well as its origins in the insurance industry and in other branches of hazard management, risk management has strong connections with the credit and treasury functions.
• Perhaps one of the best known and specialist areas of risk management is that of health and safety at work. Another specialist area is that of disaster recovery planning and business continuity planning.

Additionally, other specialist areas of risk management have developed over the past decades, including:
• Project Risk Management: Focuses on identifying, assessing, and mitigating risks specific to projects, emphasizing the management of uncertainty or control risks.
• Clinical/Medical Risk Management: Primarily concerned with patient care, especially during surgical procedures, addressing issues like medical malpractice and patient awareness of risks.
• Energy Risk Management: Focuses on managing risks related to energy prices, exploration, and production, often employing financial techniques like hedging.
• Financial Risk Management: Covers a wide range of financial risks, including operational, credit, and market risks. Financial institutions, heavily regulated by standards like Basel III and Solvency II, heavily utilize risk management tools and techniques.
• IT Risk Management: Addresses risks related to information management and security, with standards like COBIT guiding best practices.

The 8Rs and 4Ts of (Hazard) Risk Management:
1. Recognition: Identify and understand the nature and potential impact of risks.
2. Rating: Evaluate the magnitude and likelihood of risks to create a risk profile.
3. Ranking: Analyze and prioritize risks against established criteria or risk appetite.
4. Responding: Choose appropriate actions for significant risks:
- Tolerate: Accept the risk and its potential consequences.
- Treat: Implement measures to reduce the likelihood or impact of the risk.
- Transfer: Shift the risk to another party (e.g., through insurance).
- Terminate: Eliminate the risk entirely.
5. Resourcing: Ensure adequate resources are allocated to implement and maintain risk control activities.
6. Reaction Planning: Develop plans for responding to specific events or risks, including disaster recovery and business continuity.
7. Reporting and Monitoring: Track risk performance, actions, and events, and communicate risk issues effectively.
8. Reviewing: Regularly review the risk management system, including internal audit procedures and the risk architecture.

Enterprise Risk Management
When an organization considers all of the risks that it faces and how these risks could impact its strategy, projects and operations, then the organization is embarking on an enterprise risk management approach.

Enterprise Risk Management (‘ERM’) is a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.
EXAMPLE OF THE ERM APPROACH
Example: Pharmaceutical Industry
The pharmaceutical industry exemplifies the ERM approach. A core process for pharmaceutical companies is ensuring the constant availability of medications. A pharmaceutical company using ERM would analyze risks across the entire enterprise, including supply chain, manufacturing, and delivery, to identify potential disruptions to the core process.

LEVEL OF RISK MANAGEMENT SOPHISTICATION
This section explores how organizations progress through different levels of sophistication in their approach to risk management, moving from basic awareness to strategic utilization of risk.
Four Stages of Risk Management Sophistication:
• Inform: The organization is initially unaware of its legal, contractual, and risk-related obligations. This stage focuses on informing the organization about these obligations.
• Reform: The organization becomes aware of its obligations and takes steps to address them, often focusing on mitigating hazard risks.
• Conform: The organization moves beyond simple compliance and strives to adhere to appropriate risk control standards, seeking to minimize potential harm.
• Perform: The organization recognizes that managing risks can be beneficial and actively seeks to exploit.

Example: A PUBLISHER
A publisher might realize that it was not fully complying with equal opportunities legislation, because there was no ethnic minority representation within the workforce. The company will identify the actions necessary in order to reform its procedures, so that it conforms to legal requirements. Having achieved compliance, the publisher should become aware that a significant proportion of the workforce comes from ethnically diverse backgrounds. The company should see this diversity in its workforce as a benefit that will enable it to perform better in the marketplace by exploring opportunities to produce and publish new magazines that appeal to a more ethnically diverse readership.

CHAPTER 5
PRINCIPLES AND AIMS OF RISK MANAGEMENT

Principles and aims of risk management
• The main principle of risk management is to deliver value to the organization by achieving optimal outcomes and reducing uncertainty.

A successful risk management initiative and framework should be:
• Proportionate to the level of risk,
• Aligned with business activities,
• Comprehensive, systematic, and structured,
• Embedded in business procedures,
• Dynamic, iterative, and responsive to change.
This forms the acronym PACED, which represents key principles for effective risk management.

TABLE 5.1 Principles of risk management
Principle | Description
Proportionate | Risk management activities must be proportionate to the level of risk faced by the organization.
Aligned | ERM activities need to be aligned with the other activities in the organization.
Comprehensive | In order to be fully effective, the risk management approach must be comprehensive.
Embedded | Risk management activities need to be embedded within the organization.
Dynamic | Risk management activities must be dynamic and responsive to emerging and changing risks.

To maximize risk management benefits, organizations should apply key principles when planning and developing their framework. Risk management objectives, summarized by MADE2 (mandatory, assurance, decision making, efficient core processes), focus on minimizing disruptions, reducing uncertainty, and improving decisions.

TABLE 5.2 Risk management objectives
Principle | Description
Mandatory | The basic objective for any risk management initiative is to ensure conformity with applicable rules, regulations and mandatory obligations.
Assurance | The board and audit committee of an organization will require assurance that risk management and internal control activities comply with PACED.
Decision making | Risk management activities should ensure that appropriate risk-based information is available to support decision making.
Effective and efficient core processes | Risk management considerations will assist with achieving effective and efficient strategy, tactics, operations and compliance to ensure the best outcome with reduced volatility of results.

Risk management considerations will assist with achieving effective and efficient strategy, tactics, operations and compliance to ensure the best outcome with reduced volatility of results.

Importance of Risk Management
Table 5.2 gives a number of examples that illustrate the importance of risk management. Risk management has taken on an increasingly high profile in recent times, because of the global financial crisis and the number of high-profile corporate failures across the world that preceded it.

As well as assisting with better decision making and improved efficiency, risk management can also contribute to the provision of greater assurance to stakeholders. This assurance has two important components.

Risk management activities
Risk management is a multi-stage process represented by various standards like the IRM Risk Management Standard and ISO 31000. These stages are often described using the "8Rs and 4Ts" framework for hazard risk management, focusing on identifying, analyzing, evaluating, treating, monitoring, and reviewing risks.

The 4Ts (Risk Response Options):
1. Tolerate
2. Treat
3. Transfer
4. Terminate

Effective and efficient core processes
Risk management initially aimed to ensure smooth operations by addressing insurable risks but has evolved to enhance project and program management. Effective processes must deliver required results efficiently.

Importance of Compliance
The loss of licences could have an adverse effect on our business and profitability and prevent us from providing gambling services.
Rank’s gaming licences are fundamental to its operation.

Rank has a dedicated compliance function that is independent of operations and a separate internal audit function that is independent of both operations and the compliance function.

Implementing risk management
In risk management, practitioners may clash over differing approaches, but it's important to value both internal control and traditional insurance perspectives.
• compliance management provides risk governance;
• hazard management makes outcomes less negative;
• control management reduces the range of possible outcomes;
• opportunity management makes outcomes more positive.

Achieving Benefits
Reward enhancement options, like bonus schemes, can be discussed in strategy meetings, but they should be balanced to prevent excessive risk-taking, especially after the global financial crisis.

The benefits of risk management can be summarized as follows: it reduces operational disruptions, ensures successful project delivery, and supports better strategic decisions while providing adequate risk assurance.

• financial benefits arising from better allocation of funds, monitoring of expenditure and reduced exposure to fraud;
• infrastructure benefits that have included fewer failures of the IT systems and reduced staff absence rates;
• reputational benefits from ethical sourcing policies and use of organic food in the restaurant, as well as successful niche productions in the theatre;
• market place benefits resulting in 89 per cent occupancy rates, up from 83 per cent three years ago, as well as increased spend in the theatre by patrons.

CHAPTER 6
RISK MANAGEMENT STANDARDS

SCOPE OF RISK MANAGEMENT STANDARDS
• There are a number of established risk management standards and frameworks.
• The standard with highest recognition was Australian Standard AS 4360 (2004); later withdrawn in 2009 in favour of ISO 31000.
• The international standard ISO 31000 (2009), ‘Risk Management: Principles and Guidelines’, was published later in 2009.
• It is important to distinguish between a Risk Management Standard and a Risk Management Framework.

RISK MANAGEMENT STANDARD: Sets out the overall approach to the successful management of risk including a description of the risk management process, together with the suggested framework that supports that process.

Risk Management Framework: Organization-wide plan for managing risks. Builds upon the principles outlined in a standard and applies them to the unique context of the organization.

MOST WIDELY USED RISK MANAGEMENT STANDARDS AND FRAMEWORKS
3 DISTINCT APPROACHES FOLLOWED IN THE STANDARDS
‘Risk management approach’
Followed by ISO 31000, British Standard BS 31100 and the IRM standard.
‘Internal control approach’
Developed by COSO Internal Framework and by the FRC risk guidance.
‘Risk-aware culture’ approach
Developed by CoCo Framework.

RISK MANAGEMENT PROCESS
• The best-established risk management approaches are the IRM standard, ISO 31000, BS 31100, and the COSO ERM framework.
• Several countries have developed their own internal control and risk management standards as part of their requirement.
• Simple representation of the risk management process is provided by the figure.

SIMPLE REPRESENTATION OF RISK MANAGEMENT PROCESS
[Figure: labels recoverable from the diagram, in order: The Organization’s Strategic Objectives; Risk Assessment; Risk Analysis; Risk Identification; Risk Description; Risk Estimation; Risk Evaluation; Risk Recovering; Threats and Opportunities; Decision; Risk Treatment; Residual Risk Reporting; Monitoring]

RISK MANAGEMENT CONTEXT
• Within many risk management standards it is stated that risk management activities should take place within the context of the business environment, the organization and the risks faced by the organization.

COMPONENTS OF RISK MANAGEMENT CONTEXT
• Risk Architecture: Defines roles, responsibilities, communication and risk-reporting structure.
• Risk Strategy: Risk strategy, appetite, attitudes and philosophy defined in the policy.
• Risk Protocols: Includes the rules and procedures, RM methodologies, tools and techniques.

COSO ERM FRAMEWORK
• Enterprise Risk Management (ERM) version of COSO framework.
• In COSO ERM Framework, there is a direct relationship between objectives, which are what an entity strives to achieve, and ERM components, which represent what is needed to achieve them.
• COSO describes the framework: ‘within the context of the established mission or vision of an organization, management establishes strategic objectives, selects strategy and sets aligned objectives.’

• INTERNAL ENVIRONMENT- encompasses the tone of an organization and sets the basis for how risk is viewed and addressed.
• OBJECTIVE SETTING- objectives must exist before management can identify potential events affecting their achievement.
• EVENT IDENTIFICATION- internal and external events affecting achievement of objectives must be identified, distinguishing between risks and opportunities.
• RISK ASSESSMENT- risks are analysed, considering likelihood and impact, as a basis for determining how they should be managed.
• RISK RESPONSE- management selects risk response: avoiding, accepting, reducing or sharing risk.
• CONTROL ACTIVITIES- policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
• INFORMATION AND COMMUNICATION- relevant information is defined, captured and communicated so that people can fulfill their responsibilities.
• MONITORING- the entirety must be monitored and modified if necessary.

RISK MANAGEMENT PROCESS FROM ISO 31000
• ESTABLISHING THE CONTEXT
• RISK IDENTIFICATION
• RISK ANALYSIS
• RISK EVALUATION
• RISK TREATMENT

UPDATING OF EXISTING STANDARDS
• There is a continuing desire to keep risk management standards and corporate governance codes relevant and up-to-date. There is also a developing trend for standards org to develop mgt.
• For COSO, organizations that integrate enterprise risk management into strategic planning can obtain a range of benefits:

BENEFITS
• Increasing range of opportunities by considering both positive and negative aspects of risk.
• Improving performance by identifying and managing risk on an entity-wide basis;
• Reducing negative surprises, increasing gain and profiting from advantageous developments;
• Reducing performance variability by taking actions to minimize disruption.
• Improving resource deployment and achieving enhanced resource allocation.
