Risk Management

Introduction

 

Risk Management is an attempt to reach out into the uncertainty of the future and bring it under control, in order to achieve the objectives of an organisation. This can be achieved through a process of identification, assessment, evaluation and treatment of risk.

 

Once undertaken, professional risk management can help an organization achieve its objectives through the awareness and management of risk, thereby creating a climate for entrepreneurship and exploitation of new opportunities in a challenging competitive environment.

 

What is risk?

 

The definition used in ISO Guide 73:2009 Vocabulary for Risk Management is:

 

“…the effect of uncertainty on objectives..”

 

It is important to note that risk is not just uncertainty of future events; it is the uncertainty of the effect of specific events which could have an impact on achieving the objectives of an organisation.

 

It is recognised that the effects caused by uncertain events can have either:

 

  • Beneficial effects (such as share price performing well – this is upside risk)
  • Negative effects (such as interest rates increasing on borrowed money – this is downside risk)

 

 

What is risk management?

 

Risk management includes the identification and analysis of risks (both upside and downside) to which an organisation is exposed, the assessment of potential impacts on the business, and deciding what action can be taken to eliminate or reduce downside risk, or to exploit or enhance upside risk.

 

Risk management is not intended to eliminate all risk. Risk is an intrinsic part of enterprise and, when fully implemented, a comprehensive risk management process can actually encourage increased appetite for risk, because risks have been identified and their impact is being managed.

 

Why have a risk management system?

 

It may seem that the risks to an organisation are obvious, and that other risks are of such a low impact or likelihood that a formalised management system is unnecessary. In the short term this may seem to be a viable cost saving option; however, it is not a good footing to ensure the long-term sustainability of an organisation.

 

Dealing with each risk as and when it arises (a fire-fighting approach) will be more resource intensive in the long run, and promotes an unsystematic approach to dealing with risk, taking up valuable senior management time. An effective risk management system with a comprehensive analysis of all the possible risks allows for a true appreciation of the overall exposure to risk and prepares a business to suffer less potential loss or damage and to seize potential opportunities.

 

Business Case

 

Some of the benefits of having an effective risk management system are set out below. The extent to which these benefits are realised depends on a number of factors such as: the thoroughness of the initial evaluation, the regularity of review and follow up, and the communication and embedding of the risk management process throughout an organisation.

 

Benefits

 

  • A systematic, well-informed and thorough method of decision making
  • Fewer financial surprises with unforeseen costs
  • Faster decision making and taking
  • A greater likelihood of a more predictable, secure, income stream
  • Stakeholders of the organisation are likely to be reassured
  • A reduced likelihood of reputation damage
  • Access to opportunities that an organization may otherwise not have been aware of, and a faster grasp of such opportunities
  • Protects the organisation’s image and reputation
  • A better basis for the allocation of resources
  • Greater likelihood of achieving the organisation’s objectives

 

 

Guidelines for risk management

 

Standards

 

There are a number of different risk management processes and standards, but for the most part, they have the following stages:

 

1. Identify and characterise risks

 

To identify the risks, the objectives of an organization must be clearly outlined – the high level risks can then be identified.

 

Identification of risks should be done either by external consultants or in-house. The latter can be beneficial because, owing to the additional knowledge of internal processes, available resources and business objectives, ownership of the process is likely to be greater. Identification of risks can be done at Board level to identify overall strategic level risks, but the process should also be fed by risks identified by other parts of the organisation, which can show their operational risks.

 

Risks can be identified for the organisation, through methods such as:

 

  • Scenario Analysis
  • Brainstorming
  • Internal Questionnaires
  • Industry Benchmarking
  • Lessons Learnt Feedback

 

The possible types of risk identifiable are specific to the organisation achieving its objectives. Some risks will be industry specific; however, general areas of risk can be divided into two categories.

 

Strategic risk

These risks will affect the achievement of Board level objectives and are generally relatively static in nature:

 

Political – relating to political policy which may affect the marketplace in which the organisation is operating

Economic – relating to economic changes, such as interest rates or foreign exchange rates, or the consequences of investment decisions

Competitive – relating to the ability to deliver a competitive product or service

Environmental – relating to the environmental consequences of progressing the objectives of the organisation (eg energy efficiency, carbon emissions, pollution, recycling, climate change)

 

Operational risk

These are risks likely to be faced on a day-to-day basis by managers:

Financial – relating to financial planning and control, such as the performance of investments and adequacy of insurances

Contractual – relating to contractors delivering services or products to the agreed cost and specification

Technological – relating to the reliance on operational equipment, such as IT systems or machinery

Human Resources – relating to staffing issues, health and safety, skill needs, management structures and disputes

Environmental – relating to weather that might impact the profitability of the business or the capability of the organisation to deliver its service

 

Identification should be approached in a methodical way to ensure all activities of a business have been articulated as well as the risks that result from them. External consultants may be used to assist the process, although in-house expertise and knowledge is essential. Using internal resources also aids the ownership of the risk management process.

 

 

2. Assess risks

 

Once identified, risks need to be assessed according to:

  • Likelihood of occurrence
  • Impact on objectives

 

The estimation of the impact can be in qualitative or quantitative terms. The key issue is for the Board to understand which risks are unacceptable to them and to be able to decide how they are to manage those risks.

 

3. Evaluate risks

 

Once risks have been assessed, they can be prioritised in terms of their impact and likelihood of occurrence. Consideration should be given to more than just the financial impact on an organisation and its objectives. Legal, environmental, social and moral aspects of the risks are also factors; for example, one risk can result in only a minor financial loss but also a very big reputational loss (from any negative media coverage that might follow).

 

Risk evaluation is used to decide what the significance of risks to the organisation is and whether each risk should be accepted or managed.

 

 

4. Manage risks

 

In order to determine how to manage risks, the acceptable level of exposure to risk, or risk appetite, needs to be determined. This risk appetite is subjective and specific to each organisation – factors which can be taken into account in deciding this are:

 

Cost effectiveness – what is the cost relationship between implementing the change and the expected risk reduction benefits?

Compliance – any controls in place must comply with the law

Stakeholders – what risk reduction measures would stakeholders expect?

 

The approach to managing the various risks identified will be dictated by the likelihood and potential impact of the risk, in conjunction with the risk appetite of the organisation. The strategies to manage the identified downside risk include:

 

  • Transferring (eg: insurance cover - paying a third party to take the impact of the risk if it occurs)
  • Avoiding the risk (eg: ceasing an activity in a certain area)
  • Reducing the negative effect of the risk (eg: through internal controls, such as introducing a new procedure to reduce errors)
  • Accepting some or all of the negative impact of the risk (eg: if the cost of reducing risk is too high, then the Board may decide to accept the risk and its possible impact)

 

 

Where the risks identified are upside risks, there are strategies to manage these too:

 

  • Exploit – removing the uncertainty by seeking to make the opportunity definitely happen
  • Share – passing ownership to a third party best able to manage the opportunity and maximise the chance of it happening
  • Enhance – increasing its probability and/or impact to maximise the benefit to the project
  • Accept – adopting a reactive approach without taking explicit actions

 

5. Reporting and Monitoring

To achieve the desired outcomes, the findings of the risk management process need to be communicated effectively. This will enable those in charge of business units to be aware of risks which fall in their area, and understand the impact the possible risks will have on themselves and other areas of the organisation.

 

It will also allow individuals within the organization to understand the wider impact of their actions and understand their accountability for their risk, thereby building risk management into an organisation’s culture.

 

Risk management is most effective when embedded into existing systems which are established and accepted, rather than creating stand-alone systems.

 

Ongoing regular monitoring, usually with a developed risk register, of current and potential risks is also important, as:

 

  • Existing controls need to be examined to determine that they are still effective in controlling the risk, operating in an efficient manner and cost-effective
  • The risk levels in the organisation may have changed
  • New risks may emerge

 

Making it stick

For risk management to be effective, it has to be embedded within the culture of an organisation so that risk management becomes just the way business is done. There is no concrete process for this to occur, but the following are some guidelines:

 

Build on existing foundations

Risk management should be seen to be part of efficient pre-existing processes. For example, the identification of risk (and opportunities) should be part of the business planning process whenever it is formulated or revised.

 

Risk Assessment Workshops

These allow members of the organisation to gain an understanding and appreciation of risk. The objective of the workshop is to gain consensus as to the real risks the organisation faces, and why later control measures are in place.

 

Champions

Particular individuals who may have a risk management element in part of their jobs (eg: health and safety manager/investment manager) could be identified, if they are willing to act as champions for the process. These individuals can help an organisation, through advocacy, to adopt a culture in which risk management is a fully embedded part of daily activities.

 

By communicating with the whole organisation via a number of different mechanisms, risk management should be demonstrated as being able to provide tangible value to individuals within the organisation. Individuals will then understand and realise that early identification of constraints and uncertainties can provide for timely management decisions, reduced costs and increased job security.

 

Conclusion

An effective risk management system will tread the middle ground between (a) being so insufficiently thorough in identifying potential risks that an organisation is vulnerable to volatility through disruption, and (b) being so overly burdensome that an organisation is prevented from operating and seizing new opportunities.

 

When risk management is embedded within an organisation and its culture, it should help anticipate what could go wrong and speculate what could be an opportunity. Examining both of these aspects should improve the probability of business growth, cost savings and profitability.

 

Links for Further Information

Chartered Management Institute

www.managers.org.uk/bestpracticeguides

This leaflet and other professional practice guides covering a range of topics from Diversity to Corporate Responsibility are available for download

 

www.managers.org.uk/researchreports

Provides access to the latest CMI research, including the 2010 Business Continuity Management Report

 

The Institute of Risk Management

www.theirm.org

Professional education and training body. The Institute provides education, training and professional development in risk management at a range of levels

 

Health and Safety Executive

www.hse.gov.uk/risk

Information on Health and Safety risk assessment

 

Business Link

www.businesslink.gov.uk

Practical free advice for SMEs on risk and risk management

 

Standards

BS31100

www.bsi.co.uk

 

ISO Standard 31000

www.iso.org

 

Risk Management Standard

AIRMIC, ALARM, IRM

www.theirm.org/publications/PUstandard.html

This leaflet is available in electronic form at www.managers.org.uk/riskguide

 

For further information on the CMI and its activities visit www.managers.org.uk

 

For information on the Institute of Business Consulting visit www.ibconsulting.org.uk