RISK MANAGEMENT
PRELIM PERIOD
WHAT IS RISK?
Risk is also defined as the probability of something happening that will have an adverse
impact on people, plant, equipment, financials, property or the environment and the
severity of the impact (Australia, Risk Mgt. Standard ASNZA)
The risk is always associated with the loss aspects since the word itself has the
association of DANGER OF LOSS
CLASSIFICATION OF RISKS
If an organization is not prepared then it may go out of existence
Operation is not desired. May result in partial or total cessation of activities
Losses are suffered by one or few more members of the society
Losses are suffered by large section of the society/nation(s)
ICEBERG OF LOSSES
UNINSURED LOSSES
loss of goodwill
loss of market
loss of customers
loss of shareholder value
loss of key employees
loss of costs incurred
Risk Management is defined as the systematic way of ensuring protection of business resources
and income against losses so that the aim, goals and vision of the company can be reached.
Thus Risk Management creates stability and contributes to growth and assures profitability of
the Organization.
Insurance Mgt, focused on protecting companies from natural disasters, theft, fire,
employee injuries, employment practices, etc.
Then in 1980s-1990s, risk mgt. grew into a vital part of company planning and strategy
Thus Risk Management came into existence
ADVANTAGES OF RM
To achieve the objectives of the Organization
To ensure that the goals, short term and long term, are achieved without any disruption
or delay
To optimize the utilization of the resources
To be knowledgeable about insurance arrangements and to take considered decisions on
insurances to be availed
RISK MANAGEMENT PROCESS - describes the steps you need to take to identify, monitor and
control risk.
Loss is caused by the operation of perils which refers to the causes for the losses
Loss or damage is caused by the operation of perils such as fire, explosion, flood, storm
etc
The loss potential (extent of loss) depends on conditions which are favorable for the
incident to assume large proportions. This is known as hazard or potential of the loss.
PERIL (CAUSE) ---------------- LOSS (EFFECT)
HAZARD
CAUSES OF LOSSES
Perils- such as fire, explosion etc
Human factors- such as negligence, carelessness, inadequate training, inadequate
supervision, lack of proper systems and controls
Inadequate maintenance (predictive/routine/annual maintenance)
Failure of Plant/ machinery due to breakdowns (failure of safety devices)
Natural perils such as flood, cyclone, earthquake, landslide, rockslide & subsidence
Extraneous: Accidents involving Gas or chemical in nearby units
TYPES OF LOSSES
Property losses- losses which can happen to the Assets
Pecuniary losses- Financial Loss which can be caused by business interruption due to the
loss to the assets, financial loss due to unfaithful acts of employees, storekeepers and
other employees
Liability losses- Loss to the Third Party property or third party personnel due to activities
of the Organization
Personal injuries- accidents resulting in fatal or non-fatal injuries to the employees
HAZARD
Hazard is defined as conditions existing which are favorable for the loss becoming severe
CLASSIFICATIONS OF HAZARD
Physical hazard- relating to physical properties.
Moral hazard- relating to the moral behavior of the clients
Morale hazard- relating to the morale & working conditions of the employees &
employer-employee relationships
RISK ANALYSIS
Risk analysis is the process of identifying and evaluating risk factors, present or
anticipated, and determining both the probability and the impact of identified risk
factors.
It is a preliminary step in establishing a risk management strategy, which is intended to
increase the possibility that the application development project produces the desired
outcome while minimizing risk factors.
It entails both preventive and corrective actions to each of the identified risk factors,
particularly those with a medium to high rating level.
RISK EVALUATION
Methods available
Study of Organizational charts/ balance sheets, accounting records
Process flow diagrams
Input- output analysis- contribution from various sections
Study of completed checklists
Threat analysis- Denial of access, Loss of services
EVALUATION METHODS
INPUT OUTPUT ANALYSIS To trace the flow of goods and services to identify the
contribution of parts of organization to the total earnings and to analyze exposures.
EVALUATION OF RISKS-THREAT
Analyze the threats to business
Denial of access- chemical leakage, collapse of nearby buildings, strike, picketing,
damage to water/sewer mains, government restrictions
Loss of services- water, power, rains, floods, cyclones
RISK RETENTION
To keep costs under control, the Management may decide, after analyzing the risks,
to retain some of such losses to its own account.
Once that decision is taken, the necessary provision needs to be made so that such a
loss, if it happens, does not eat into the operating budget.
Special contingency funds are therefore to be created for this purpose.
RISK TRANSFER
Risk transfer involves payment by one party (the transferor) to another (the transferee,
or risk bearer).
The transferee agrees to assume a risk that the transferor desires to escape.
MIDTERM PERIOD
Organizations know they must manage strategic risk to create and protect value.
One of the lessons many organizations learned from the global financial crisis is that they need to clearly
link strategy and risk management and be able to identify and manage risk in a highly uncertain
environment. Another is that they must focus risk management on creating value as well as protecting
value.
STRATEGIC RISK MANAGEMENT - is a process for identifying, assessing and managing risks and
uncertainties, affected by internal and external events or scenarios, that could inhibit an organization's
ability to achieve its strategy and strategic objectives with the ultimate goal of creating and protecting
shareholder and stakeholder value.
Strategic risk management is focused on the most consequential and significant risks to
shareholder value, clearly an area deserving the time and attention of executive management
and the board of directors.
Management's view of the most consequential risk the firm faces, their likelihood, and
potential effect; are
1. the frequency and nature of updating the identification of these top risks;
2. the influence of risk sensitivity on liability management and financial decisions; and
3. the role of risk management in strategic decision making.
1. It's a process for identifying, assessing, and managing both internal and external events and
risks that could impede the achievement of strategy and strategic objectives.
2. The ultimate goal is creating and protecting shareholder and stakeholder value.
3. It's a primary component and necessary foundation of the organization's overall enterprise
risk management process.
4. As a component of ERM (Enterprise Risk Management), it is by definition effected by boards
of directors, management, and others.
5. It requires a strategic view of risk and consideration of how external and internal events or
scenarios will affect the ability of the organization to achieve its objectives.
6. It's a continual process that should be embedded in strategy setting, strategy execution, and
strategy management. Organizations can adapt the definition and principles of SRM in
developing their action plans for strengthening ERM and focusing it on strategic risks.
Assess the maturity of the organization's ERM efforts relative to its strategic risks.
Consider whether management and the board feel that they have a good understanding of the
organization's strategic risks and the related risk management processes.
Develop action plans to move to a high level of ERM maturity.
Conduct a strategic risk assessment.
Conduct a separate assessment to understand and prioritize the organization's strategic risks.
Consider both internal and external risks and events.
Review the process for strategy setting, including the identification of related risks.
Review the organization's process for setting and updating its strategies and strategic objectives.
Ensure that the process requires the identification and assessment of the risks embedded in the
strategies.
Review the processes to measure and monitor the organization's performance.
Expand the processes to include the monitoring and reporting of key performance indicators
(KPIs) related to strategic risks.
Embed risk monitoring and reporting into the organization's core processes for budgeting,
business performance monitoring, and performance measurement systems.
Develop an ongoing process to periodically update the assessment of strategic risks.
Make the strategic risk assessment process an ongoing one with periodic updating and
reporting.
Enterprises develop risk management capabilities to deal with these risks and a proper
action plan. Enterprises must note down all the possible risks that may occur and
prepare a set of action plans depending on the nature of risk.
These risks arise due to the execution of the business functions of the enterprises.
Enterprises need to assess these risks and prepare action plans to meet the impact of
risk. At the primary level, operational risk management deals with technical failures and
human errors like: Mistakes in execution; System failures; Policy violations; Legal
infringements; Rule breaches
Financial risk managers also deal with other risks related to foreign exchange, liquidity,
inflation, non-payment of clients and increased rate of interest. These risks affect the
financial position of the enterprise.
8. Bank Risk Management:
It deals with the handling of different types of risks faced by the banks, for example,
market risk, credit risk, liquidity risk, legal risk, operational risk and reputational risk.
Integrated risk management refers to integrating risk data into the strategic decision
making of a company and taking decisions, which take into account the set risk tolerance
degrees of a department. In other words, it is the supervision of market, credit, and
liquidity risk at the same time or on a simultaneous basis.
Deals with different types of risks associated with implementation of new software.
Risk-Adjusted performance measurement can drive improved returns and serve as the key to a
well-structured capital management framework.
The Board and Senior Management challenge is to balance stakeholder expectations
Protect Financial Solvency
What is the Bank's overall risk appetite?
Does the Bank have enough capital to cover its risks?
Can the Bank effectively monitor and control its risks?
Optimize Shareholder Profitability
Is shareholders' capital invested profitably?
Are there ways to redeploy capital to improve overall returns?
Is the financial structure and dividend policy effective?
IMPLEMENTATION CHALLENGES
Choosing the type and sophistication of the metric which is right for your organization
Developing risk measures and models which are healthy enough to support the applications
Determining the level of implementation
Identifying how it will be used and which applications will be developed
Gaining buy-in from business lines
Identifying which business lines and applications to start with
Top Down
1. Set the Bank's risk tolerance in line with its strategic objectives
2. Redeploy capital to activities with the best expected risk adjusted returns
3. Align capital structure with the Bank's risk and solvency
Bottom Up
4. Control risk to within the Bank's risk tolerance
5. Price business so the bank is paid for the risk it is taking
6. Reduce risk by improving diversification
GENERIC PLANNING
The concept of generic planning might be set forth as a way of distinguishing the broader view
of planning from the concept of specific planning that might be used to describe what has
typically gone on in the past.
Finally, the idea of general planning might be taken as the comprehensive name for the
integration of generic and specific planning to form the ultimate total body of knowledge
concerning all planning.
Generic Risk Assessments - highlight commonly identified hazards (i.e. things with the
potential to cause harm) and control measures/precautions (i.e. ways of reducing the likelihood
of the hazard causing harm) associated with general locations, events or activities.
Generic Risk Assessments provide a useful starting point for discussion and consideration, BUT
they must never be regarded as:
Foolproof - accidents can still happen! (but the risk assessments do give written
evidence to help show that leaders have given reasonable prior thought to the risks and
control measures involved!);
Comprehensive - even as generic risk assessments seek to identify and highlight key
hazards and control measures, it should never be assumed that all significant issues have
been recognized and included. It is still up to the leaders to identify and add any other
hazards or control measures that may be appropriate;
Rigid - risk assessment forms are flexible, and must be adapted to each group's own
circumstances by adding further hazards/control measures that may be relevant, or
deleting those hazards/control measures that are not appropriate or acceptable, or
cannot practically be implemented for some reason. Indeed, while the control measures
suggested might all be worthy of consideration, it is understood that they are not all
universally applicable for all groups and situations. However, if an accident were to occur
as a consequence of a control measure not being adopted, a court of law might expect
the leader to justify that decision!
One person's sole responsibility - all risk assessments should be shared and discussed in
advance with all the other leaders (including volunteer helpers) involved. Wherever
possible, the group members should also be involved in discussions - this will help them
to recognize hazards, to identify suitable control measures, and to take more
responsibility for their own safety and welfare;
Complete - the generic risk assessments identify likely hazards and suggest control
measures to consider, but they do not provide a comprehensive list of all options. Users
should delete inappropriate and unacceptable options, and add extra measures in each
section of the form, as necessary. In addition to using relevant generic risk assessments,
a Specific Visit Risk Assessment form should be completed to identify hazards and
control measures that are unique to the precise locations visited, activities undertaken,
and individuals within the group.
- In addition to using relevant generic risk assessments, a Specific Visit
Risk Assessment form should be completed to identify hazards and
control measures that are unique to the precise locations visited,
activities undertaken, and individuals within the group on a particular
visit.
- Furthermore, it must be clearly understood by all leaders that risk
assessment and management is an ongoing process that involves far
more than written documents. Therefore, during a visit, all leaders must
maintain a Dynamic or Ongoing Risk Assessment by remaining alert to,
and responding to, changing circumstances or additional unforeseen
hazards;
It is not mandatory for staff to use this exact format, and it is perfectly acceptable for
leaders to complete their own risk assessments in a different format, if preferred,
provided they are suitable and sufficient.
CONTINGENCY PLANNING
The contingency planning process can basically be broken down into three simple questions:
This guide helps planners think through these questions in a systematic way.
Contingency planning is most often undertaken when there is a specific threat or hazard; exactly
how that threat will actually impact is unknown.
Developing scenarios is a good way of thinking through the possible impacts.
On the basis of sensible scenarios it is possible to develop a plan that sets out the scale of the
response and the resources needed.
2. Conduct the business impact analysis (BIA). The BIA helps identify and prioritize information
systems and components critical to supporting the organization's mission/business functions.
3. Identify preventive controls. Measures taken to reduce the effects of system disruptions can
increase system availability and reduce contingency life cycle costs.
4. Create contingency strategies. Thorough recovery strategies ensure that the system may be
recovered quickly and effectively following a disruption.
5. Develop an information system contingency plan. The contingency plan should contain
detailed guidance and procedures for restoring a damaged system unique to the system's
security impact level and recovery requirements.
6. Ensure plan testing, training, and exercises. Testing validates recovery capabilities, whereas
training prepares recovery personnel for plan activation and exercising the plan identifies
planning gaps; combined, the activities improve plan effectiveness and overall organization
preparedness.
7. Ensure plan maintenance. The plan should be a living document that is updated regularly to
remain current with system enhancements and organizational changes.
TRAINING
Lowering the risk is realized by the decision, the final product of the risk control process.
Based on the problems processed in the decision process, there are the following possibilities
for risk occurrences.
1. First phase - definition and setting of objectives; the risks can be:
decision makers missing verification of collected information, late identification of
problem, high cost of information processing etc.
2. Second phase - analysis of information and documents; the risks can be:
Omitting important information that clearly defines the declared objective and
decision process.
3. Third phase - finding the variants (an event that departs from expectations); the risks can be:
Choosing the wrong solution,
4. Fourth phase - criteria determination; the risks can be:
risk of creating a large set of criteria that complicates making the decision
5. Fifth phase - determining the variant outcomes; the risks can be:
creating duplication or overlapping criteria (redundancy) etc.
6. Sixth phase - variant rating and selection; the risks can be:
wrong variant selection, choosing the optimal variant without the decision maker
considering both sides: the benefits and their risks
7. Seventh phase - realization and control of chosen variant; the risks can be:
wrong communication and cooperation of managers and other workmen, overlooking
whether the problem still exists or has been suppressed, etc.
It is necessary for the decision makers to know what risk the individual decision makers are
willing to take.
Decision making is the cognitive process leading to the selection of a course of action among
variations. There are lots of risks in every phase. The purpose of risk management is to ensure
levels of risk and uncertainty are properly managed.
acquiring risk management skills, e.g. consultants, and developing the skills of staff
through education and training;
Exercise: For each of the three contexts below, identify the cause, uncertain event and impact
based on the following model:
As a result of (definite cause), (an uncertain event/risk) may occur, which would lead to (an
impact on objectives)
Situation A - The plan states a team of 10, but we only have 6 available, so we might not be able
to complete the work in time
Situation B - Use of new / novel hardware, unexpected errors may occur which would lead to
overspending
Situation C - We have to outsource production, we may be able to learn new practices from our
new partner, leading to increased productivity