By Koralia & Nicos Timotheou

As all organizations operate in a highly uncontrolled environment, i.e. the (global) market, they are exposed to many types of financial and operational risks.  These may present opportunities, but they may also be potentially threatening to the organization.  With the correct preparation and planning, exposure to threatening risks may be decreased and may even be turned to the organization’s advantage. 

Risk management is the ongoing process that addresses exposure to threats and attempts to manage it.  Its purpose is to make sure, to the extent possible, that uncertainty does not derail the business from its mission and its objectives (refer to ISO 31000).

Risk Management refers, in sequence, to the identification, assessment and prioritization of all types of risks and the application of measures to manage them. 

To enable a thorough risk assessment, all possible sources of risk should be considered.  Risk sources include:
  • financial risks including credit risks,
  • actuarial assessments,
  • stock market and currency exchange fluctuations,
  • legal liabilities,
  • security threats,
  • technological risks,
  • production risks,
  • infrastructure risks including key infrastructure failures,
  • market risks (customer related),
  • risks arising from the competition,
  • human capital related risks,
  • occupational safety and health risks including workplace accidents,
  • environmental risks including natural disasters,
  • other operational risks.
[Figure: Risk Identification Map]

For each source of risk, the potential risks that pose a threat to the organization are identified and listed.  Positive risks (opportunities) may be identified and listed as well.

Once the listing is completed, risks are assessed.  There are several risk assessment models available for use: simple and complicated, descriptive and numerical.  The sophistication of the risk assessment method selected depends on the type of organization, the type of product or service and the precision required.  The value of a risk is usually derived from the combination of parameters such as probability of occurrence, severity of impact and frequency of exposure.  Standard tables are usually used to combine the selected risk assessment parameters and interpret the results.  What is important, regardless of the selected model, is that it is applied consistently, so that the organization can compare and prioritize risks according to their rating. 

Once risks are prioritized, the strategies and measures required to manage them are selected.  There are various possible strategies to manage a given risk. 

Risks with a positive impact (opportunities) can be:
  • exploited,
  • enhanced,
  • shared or
  • rejected.

Risks with a negative impact (threats) can be:
  • avoided,
  • reduced,
  • controlled,
  • transferred,
  • shared or
  • accepted (as they are).
The selection of strategies and measures is highly affected by the organization’s risk appetite and risk tolerance.

Risk appetite is the amount and type of risk that an organization is willing to take in order to meet its strategic objectives.

Organizational risk appetite can be:
  • Averse, if avoidance of risk and uncertainty is a key organization objective;
  • Minimal, if there is preference to very safe options that are low risk and have a potential for only limited reward;
  • Cautious, if there is preference for safe options that have a low degree of risk and may only have limited potential for reward;
  • Open, if the organization is willing to consider all potential options and choose the one most likely to result in successful delivery, while also providing an acceptable level of reward and value for money; or
  • Hungry, if there is eagerness to be innovative and to choose options offering potentially higher business rewards, despite greater inherent risk.
Risk tolerance is the specific maximum risk that an organization is willing to take regarding each risk.
[Figure: Enterprise Risk Management]
The strategies and measures selected will form the Risk Management Plan, which will need to include time schedules, the people responsible for acting, budgets, execution plans and supervisors.

A team from top management should be responsible for supervising the realization of the plan.  When a set of measures for a given risk has been implemented, the risk should be re-assessed.  It will then normally be found that its value rating has been reduced.  If the remaining risk, referred to as residual risk, is acceptable to the organization, the risk has been covered.  If not, additional measures should be considered.  “Covered” risks are not forgotten; they are periodically re-assessed, in the light of the measures taken and of any changing circumstances affecting them. 

To quote T.S. Eliot: “Only those who will risk going too far can possibly find out how far one can go.”

Therefore, taking risks is healthy for businesses, as long as it is within their risk appetite and a risk management process covers them. 

In conclusion, the responsibility for risk management should never be shifted onto the shoulders of a single person, the “Risk Manager”, or even a department, but should be recognized as a cultural parameter and as a risk management element to be embedded in each and every business process, as a formal sub-process, with staff at all levels educated accordingly. The “Risk Manager”, if any, should be the organization’s internal Risk Management consultant and auditor, striving to improve the risk management culture and sub-processes. The ultimate responsibility for risk management resides on the shoulders of the Board of Directors and the Executive Management. 

22.1.2016