3.

IDENTIFICATION AND ANALYSIS OF RISK

MANAGEMENT
3.1 Elements of a proper risk management system
Let us now learn about elements of a proper and sound risk management system.

An active Board, and senior management oversight is the first sound risk management system that should
be listed.

The board has the authority and mandate to approve business strategies and policies that are significant to
their organization. They may include those that have a close relation to managing and taking risks and
they should ensure that the management has the ability to manage these activities.

Board of directors has the mandate to ensure that they take steps to identify, monitor and control risks that
may come their way. Directors are supposed to have technical knowledge on how they should handle
risks that come their way. As a director, you should take steps that are needed in developing and
understanding the risks that your institution faces.

You can gather information from auditors and experts on risks and use such knowledge to provide
guidance to the institution. You should then push the senior management to implement those procedures
and policies. It is the responsibility of the management to ensure they are fully involved in activities that
are taking place in the institutions and also to have sufficient knowledge on which appropriate policies,
controls, and risk monitoring system that should be used.

It is the duty of the senior management to establish and communicate the need for effective internal
controls and ethical standards.

Let us now review the second element of which are adequate policies, procedures, and limits.

Senior management and board of directors ought to ensure policies and procedures are tailored to the type
of risk that may arise from the activities going on in the institution. After the identification of risk, the
policies and procedures of that institution should provide guidance on how implementation ought to be
done. What are some of the policies, procedures, and limits an institution should have?

First, it should have adequate and timely way of identifying, measuring, monitoring, controlling and
mitigating the risks that may occur to the institution

Secondly, there should be the consistency of the institution's goals and objectives.

Thirdly, whenever there is a new business or a product, it is always wise to review them by bringing
together all stakeholders to ensure that there are proper management and control of the activity prior to its
initiation. Then, remember to include a process and schedule that can review the policies, procedures, and
limits often.

The next step is effective risk monitoring and management information system. You should note that
adequate risk monitoring needs the institution to identify and measure all relevant risks. Information
systems support risk monitoring activities as they give directors and senior managers timely report on the
performance and risk exposure of the institution.

Let’s now see what should be done for effective measuring and monitoring of risk and management
information system.

First, all the material risk should be addressed and reports given by the institution. Also, data sources, key
assumptions and procedures that are used in measurement and monitoring of risk should be properly
documented.

Next, stress testing should be appropriately and periodically conducted, and appropriate actions plans
ought to be taken in order to mitigate the risks identified. Reports given to the management, and to the
directors should be timely, accurate and give sufficient information that will help decision-makers
evaluate the risks facing the institution.

The fourth step is adequacy of the internal controls. The internal control structure of any institution is
very critical in safeguarding the functioning of the organization. An effective internal control enables
proper operations and liable regulatory reporting safeguards assets and also ensures compliance with the
relevant roles and institutional policies. Testing of the internal controls should be executed by an
independent qualified internal auditor who then reports to the board’s audit committee.

Our next lesson is on how adequacy of internal controls and audit procedures ought to be observed.

First, the internal control should be tailored to the type and level of risk posed to the institution activities.
Clearness of responsibility should be established by the institution to enable monitor policies, procedures,
and limits. The actual operating practices should be reflected in the official organizational structure.

Then there should be reliability and accuracy in the operational, financial and regulatory reports. Also,
there should be adequacy of procedures to ensure they comply with the laws and regulations. More so,
independence and objectivity should be provided by the internal audit. It is important to note that testing
and reviewing of the internal control system is very important as it identifies weak areas that ought to be
given prior attention.

It is the management’s responsibility to address these weaknesses.

Finally, it is the duty of the boards of directors to review the effectiveness of internal control activities
regularly.

3.2 risk impact assessment

Let us now look at the risk impact assessment.

Step 1: Create the context

The purpose of establishing the context for risk assessment is to prepare the risk identification scenario.
Because "risk" is defined as "any problem (positive or negative) that could affect an organization's
capacity. In order to achieve your goals, setting the goals of the organization is a prerequisite for risk
identification.

Now let’s look at the steps to follow

 i. You should identify what goals or objectives the strategic UVM plan in your area may support.
ii. Then, identify the goals of your strategic college, school, or department.
iii. Next is to identify any major initiatives planned or involved in your area, the institution, the
college, school, department or departmental level.
iv. Next is to identify critical activities, functions or services that others trust in your area.
v. Lastly is to identify the external context of your area: legal/regulatory requirements, stakeholder
perception and expectations, and all relevant social, cultural, political, financial, technological,
economic, or competitive factors.

Step number 2: Risk identification

You should note that the purpose of the risk identification step is "to create a comprehensive list of risks
based on the events that can cause, ameliorate, prevent, worsen, accelerate or delay the achievement of set
objectives”

You will have to pay attention to the following,

 Be as inclusive as possible at this stage - identify as much as you can.

 Identify positive events that can achieve strategic (opportunities) and negative objectives
 Events that may make it difficult to achieve these goals (risks).
 Include risks and opportunities regardless of whether they are "under your control" or not.
 Take into account the risks associated with taking no risks.
 Consider related risks and opportunities, as well as cascading or cumulative effects.
 Involve more experienced people.
 Use the most relevant and up-to-date information you have.

Let us now look at the questions about Track Thinking and Discussion

1. What could influence the institution or capacity of your area to achieve or achieve your strategic
objectives? Initiatives or key functions, positive or negative? What uncertainties do you face?

2. What risks or opportunities can your area or institution face? The. Compliance and privacy Finances,
Health, safety or legal liability, Human capital and. Operations reputation Strategic errors

3. What do you see as strengths, weaknesses, threats, and opportunities for your area?

4. Have there been any major changes in your area of responsibility or control function recently (new)?

Regulations, new programs/activities, organizational changes, etc.), new risks or opportunities?

5. Are there specific programs, activities, internal controls or legal/regulatory issues in your area? Are you
worried about, or do you think this could pose a significant risk to your unit or institution?

Let us now ask ourselves which are the steps to follow?

1. First, identify any risks and opportunities that may affect your goals (see questions to chart the thinking
and discussion above).

2. Next is to give everyone a name or short title.

3. Then write a brief "Risk Statement" that describes all the risks or opportunities and offers little more
details on sources and causes. It does not include possible effects or consequences. The purpose of a
Goldilocks risk statement: not too short, not too long; not very vague, not very detailed; useful but not
flammable.

Very vague: "IT infrastructure “Very specific/inflammatory: "The IT network and the hardware are
outdated, which Potential for loss of business continuity, loss of irreplaceable data and Data Violation ".
Simply right: "The IT infrastructure is not maintained and/or upgraded to the required standards

4. You should think about whether every problem is generally a risk or an opportunity.

5. Also, think about what strategic goals and goals the university has or more for each risk or opportunity
closely related to.

6. Consider which areas of the Strategic University Initiative project, if any, for each risk or opportunity
concerns or is more closely related.

7. Then consider other strategic goals or initiatives for your department, college, school, or department
risk or opportunity.

8. More so identify the person who is responsible for any risk or opportunity. This is the individual in
UVM with the responsibility and authority to handle the problem.

Other tools and techniques- Potential Risk Areas for Higher Education, lists common risk areas by
focusing University function.

Other identification techniques or potential sources of risk and opportunity: brainstorming key terms,
questionnaires, studies Industry benchmarking scenario analysis determination, incident Audits or
inspections.

Risk: Any problem (positive or negative) that could affect an organization's ability to do so

Aims; the impact of uncertainty on organizational goals. Often marked impossible events, consequences,
and their probability.

Risk identification: the process of finding, recognizing and describing risks.

Risk statement (description): structured risk statement, which generally contains four elements: Sources,
events, causes, and effects.

Source (risk): Element or circumstance that alone or in combination has the intrinsic Potential to initiate
the risk. It can be material or immaterial.

Event: occurrence or change of certain circumstances. Maybe one or more that can have multiple causes.
(Consequences): The result of an event that affects the goals positively or negative. It can be right or
insecure; can be expressed qualitatively or quantitatively. The event can lead to a number of
consequences, and the initial consequences can grow from the knock-on-Effects.

Owner (Risk Owner): Person or organization that is responsible for managing a risk.

Step 3: Risk analysis

Note that the main purpose of risk analysis is to develop an understanding of risk or opportunity. Inform
your assessment and decision team if a response is required. Here you will judge possible impact and the
likelihood of risks and opportunities. To pay attention to things, the analysis can be qualitative, semi-
qualitative, quantitative or a combination of them.

You should consider causes and sources, their positive and negative consequences, the probability that
they may occur, and other risk or opportunity attributes. Consider the interdependence of the various risks
or opportunities and their sources.

Steps to follow

1. First consider which category of institutional risk best fits all risks or opportunities: compliance and
Privacy, finance, health, legal responsibility, human capital, operations or strategically.

2. Then consider the potential impact of each risk or opportunity, assuming the risk and opportunity
effects. If more than one column of the scale relates to your risk, base your rank on the column that
reflects the greatest impact. This will probably be the column this also corresponds to the risk category.
(For example, if you rated your risk as “Financial," you will probably use the financial scale of the impact
scale to determine your Impact assessment.)

3. Next, consider the probability that some risk or opportunity occurs using probability scales.

4. Then look at the impact and likelihood scores; multiply, to obtain an initial risk score for each risk or
opportunity.

5. If a problem brings risk and opportunity (i.e. it could be positive and negative Impact) assess the
positive/opportunistic aspects of the problem based on the impact of probability scale. Multiply impact
and likelihood ratings to get an opportunity score next, consider the negative/risk aspects of the problem
and evaluate it for the risk and probability scale. Multiply impact and likelihood assessments to create a
risk assessment. Compare your chances and risks: what is greater? Is there more up or down? In the
worksheet, indicate which impacts and probability assessments are the greatest Result.

There are other tools and techniques

 Business Continuity Planning

 Business impact analysis
 Economic, Political, Economic, Social and Technological Analysis

Decisions you need to take under risk and uncertainty entails the following: dependency modeling, Event
tree analysis, Failure mode and effects analysis (FMEA), fault tree analysis, market studies, prospecting,
Measures of central tendency and diversification, Analysis of politics, economy, society, technology, law
and environment (PESTLE), modeling of real options, Research and Development, Statistical inference,
SWOT analysis, Test the marketing, Threat analysis.

key terms

Impact (Consequences): The result of an event that affects the goals positively or negative. It can be right
or insecure; can be expressed qualitatively or quantitatively. The event can lead to a number of
consequences, and the initial consequences can grow from the knock-on-Effects.

Probability: the chance that something happens - defined, measured or determined objectively or
subjectively, qualitatively or quantitatively and using general terms or mathematically

 Probability: measure the probability of occurrence in numbers between 0 and 1

 Risk analysis: a process for understanding the nature of the risk and determining the level of risk;
it provides the basis for risk assessment and risk-response decisions.
 Risk control: Any process, policy, device, exercise or another measure that changes the risk Steps
4 and 5: risk assessment and response

The purpose of risk assessment and response steps is to decide based on the outcome of your risk
Analysis of what risks and opportunities require a response and what your recommended response will be.

Pay attention to these:

 The risk value of each risk or opportunity (the product of the probability of impact X) determines
where it is in the UVM risk and opportunity hot map and at what level of institutional review all
risks or opportunities are obtained.
 Risk management is a cyclical process for assessing the reaction and determining whether there
are residual risks (After the reaction) are acceptable, develop a new reaction, if necessary, and
evaluate the reply again.

There are several standard options for responding to risks, but they are not mutually exclusive. They can
be used in combination. A decision cannot be to react to risk or opportunity, but only to maintain existing
one's management or control activities.

 Consider the expectations of stakeholders in developing a response.

 Consider whether some answers are economically viable (e.g. an expensive answer) by a high and
low risk).
 Response to risks may involve risks. Think about how your response plan will affect your risks.

Let us look at the steps to follow

1. First take into account the general results of your risk analysis, in particular, your risk assessment or the
impact and likelihood of the opportunity and the resulting risk assessment.

2. Next, refer to the "heat map" in Figure 2 to see where your risks and opportunities are sinking. What
level of institutional review will you need for your risk score?
3. Then consider which risk or opportunity response options you use to manage this risk: Accept / Ignore,
Avoid / Explore, Mitigate/improve or Share.

4. Also, think about the steps you will take to respond to all risks or opportunities.

5. Then consider any special feature costs or requirements associated with your response.

6. Also, think about how long it would take to implement your answer

Let us consider the process to change or respond to an opportunity. Opportunity response may include
one or a combination of Improvement, Exploration, Ignore, or share.

First, improvement: the ability to "mitigate" a risk is to increase the risk Opportunity. The improvement is
aimed at improving the likelihood and/or Opportunity to maximize the benefits of the project.

Exploit: Parallel to the "avoid" response where the general approach should be eliminated Uncertainty.
The "exploitation" strategy is trying to seize the opportunity (i.e. increase the probability to 100%).
Aggressive measures are taken to ensure that the benefits of this opportunity are realized through the
project.

Just as the "acceptance" strategy does not take any active action to deal with a waste risk, opportunity can
be ignored by choosing a reactive approach without taking explicit Actions.

Sharing (Transfer), opportunity: The "sharing" strategy for opportunities is looking for a partner able to
manage the opportunity that can maximize the chance of action and/or potential benefits. This involves
the release of each reversal in the same way as the transfer of risk includes the imposition of penalties.

Let us now look at the risk response (treatment): This is the process to change or respond to a risk.

The answer to the risk may include one or a combination of acceptance, avoidance, mitigation or sharing.
In acceptance an informed decision to tolerate or accept a particular one risk

Avoid: It is an informed decision not to get involved or retire an activity so as not to be exposed to any
particular risk.

Then mitigation as a form of risk management with measures to reduce a risk or the risk consequences.

Then risk sharing (Transfer), the risk is a form of risk management in which the contractual risk transfer
takes place other parts, including insurance.

Then there is risk finance: This is a form of risk sharing involving contingent provisions for the provision
of funds to meet or change funding.

3.3: risk impact assessment methods.

Let us now look at the risk impact assessment methods. In order to successfully manage a project, you not
only need to identify the risks that influence successful completion of your project but also need to do
calculations in the decision-making process. You ought to analyze the consequences of occurrence of a
risk and as a result, make an informed decision. In this section, I will review the quantitative,
semiquantitative and the qualitative methods. Let us now begin with

3.3.1 Semi quantitive and quantitive methods

. These methods involve the use of statistical methods and just to mention a few I will include PERT,
MCA, and Monte Carlo methods. I normally prefer the quantitative methods as they are more objective
and accurate as they include the use of numerical data. In order to improve your accuracy when using this
method, you need to rely on correct input parameters. On the other hand, qualitative methods will give
you a descriptive result and will not necessarily give you an accurate determination of risk. These
methods provide a benchmark for further quantitive analysis. To be successful while using the qualitative
methods, you need to be thorough right from the data collection stage. Quantitative methods of risk
assessment are normally considered formal. They are more systematic, favorable for mathematical
analysis as well as provide figures on the impact of risks. Here I will discuss some of the reasons they are
preferred as compared to qualitative methods.

 The first reason is that they are easily understood by policymakers and other users of this
information.
 They also give a perception of ease and you can hence make rapid achievements.
 You will not need to quantitate assessment for evaluation.
 And finally, you don’t necessarily need qualified staff. Even though numeric data is needed, as a
policymaker you can make decisions based on qualitative assessments.

For you to improve the information you need, a quantitative assessment will be of use. Does this imply
that qualitative assessment does not provide sufficient information? Of course, not qualitative information
can also provide data that had been left out previously. I would hence recommend that a quantitative
assessment is followed by a qualitative assessment to clear all uncertainties on the data currently in use.

BRAINSTORMING

Let us now look at brainstorming as another way of encouraging and stimulating free flow of information
among knowledgeable people to point out potential risks, failure modes and criteria to be used in decision
making. The true and deeper meaning of brainstorming is involving certain techniques to ensure that each
member’s ideas and imaginations are triggered by thoughts and statements of others in that group. You
should note that it is highly applicable where issues have been identified and they need high discussions
on how to review them.

The other technique is Delphi technique

This method involves gathering reliable \opinions from experts. This method is applicable at any stage in
the process of risk management.

Next, there are checklists

This procedure entails risks, hazards or control failures which have been developed from experience. This
can be due to previous risk assessment or past failures. With this method, you can be able to assess the
effectiveness of controls as well as identification of risks and hazards. They are applicable at any stage of
a life cycle of a process, product or a system. It is most appropriate when everything has been covered
after a more clear technique has been used to identify new problems that may arise.

Preliminary hazard analysis is our next method to discuss.

This method of analysis is inductive and simple. Its objective is to point out hazards and hazardous events
that cause harm to a given facility, system or even activity.

HAZOP

You may be wondering what is HAZOP but this is an acronym for Hazard and Operability study. It’s a
qualitative method that questions how the design or operating conditions might not be achieved in every
step in the process, design system or procedure. This involves systematic and structures examining of
existing or planned process, product, system or a procedure. This technique identifies risks to equipment,
people, environment or even organizational objectives, Originally HAZOP was developed to analyze
systems that deal with chemical processes but now it has been used in the electronic and mechanical
systems, procedures as well as software systems.

The other technique is scenario analysis (SA)

In this case, descriptive models are developed to show future may turn out to be. Risks can be identified
when future possible developments as well as exploring their implications are considered. Scenarios such
as (worst case, expected case or even best case) can be used to analyze consequences for each scenario.
Scenario analysis can’t be used in predicting probabilities of changes such as consumer preferences,
technology, and social attitudes but can be used in assisting make policy decisions and planning for future
activities.

Next is Root cause analysis (RCA)

This technique involves studying analyzing a major loss to avoid it reoccurring. It goes deep in looking at
the original causes instead of dealing with obvious symptoms. It is very useful as it is used in identifying
where improvements can be done. Let us now look at areas where RCA can be used.

 The safety based RCA can be used to investigate accidents and occupational safety and health.
 Failure analysis is used in systems related to technology to check its reliability as well as
maintenance.
 Process-based RCA is used on business processes.
 Production based RCA is focused on quality control for industrial manufacturing.

Other methods that can be used include; Human reliability assessment, layers of protection analysis, event
tree analysis, structured” what-if” techniques among many.

One of the quantitive methods is multivariate statistical models: it can also be referred to as regression
analysis. The analysis uses this method to build linear or nonlinear statistical models that are based on the
data from past project and then they do a comparison with the project in question. These statistical models
can be used as a benchmark for evaluating cost, schedule, and other factors of a certain project. Owners
who have carried out many projects but have not done many usable historical project databases should
improve their competence by having their own data in the project and program management.

Event trees

The under event trees. We have another method of decision tree analysis, probability trees. This method
shows decision alternatives and outcomes in a manner that is sequential and takes into account outcome
that is uncertain.Majorly a decision tree is very useful in managing project risks and more so helpful in
selecting best action where uncertainty arises. Reasons for decisions can also be communicated by the
graphical display. Probability trees are commonly used in probabilistic risk assessments, reliability
studies as well as failure modes. Every event tree shows a certain event at the top, conditions causing it
and the determination of the likelihood of these events. These methods are mostly applicable to project
schedule, cost, and the performance risk assessments.

System dynamics models

Let us now discuss this method. Some of the conventional methods used in projects may result in
counterproductive decisions, incorrect conclusions as well as project failure. These models are used for
clarification and testing of project assumptions and also designing and testing proposed project
improvements and managerial policies. This method has been used effectively in evaluating, planning and
assessing risk projects.

Sensitivity analysis

In every quantitative analysis requires a sensitivity analysis. A coefficient of sensitivity can also be
referred to as a derivative. This is the change in the outcome as a result of a change in inputs. At times
you find it difficult to determine the probability of a risk, this should not worry you whatsoever as a
sensitivity analysis can be used to determine which variables have the greatest influence on the risk. The
most important function of risk analysis is to break down a problem into essential elements that can be
used by the management in the decision making process. A sensitivity analysis on your part will be of
great help to determine what precautions to take to avoid or mitigate the risk in question. A sensitivity
analysis can be of help also in the absence of reliable data and is very useful in assessing the validity of
risk models.

Our next method of risk assessment projects simulations.

I will start by defining what project simulations are. This is group enactments that a project manager
undertake virtually before the commencement of the actual project. Most of the simulations may or may
not be compatible with computers. You need not emphasize on the computer models but on the effects of
the interactions with particular project outcomes. I would highly recommend project simulations as very
good techniques prior to actual project onset. Project simulations are inexpensive as compared to other
techniques cited here. They can be very cost-effective in the long run as compared to typical approach to
projects with little or no prior preparation of working relationships. Engineering and construction
managers are highly recommended to apply project simulations as pre-preparation planning efforts.

Next, we look at the stochastic as simulation models.

Stochastic simulation models are computer driven probabilistic models and generally, apply random
number generators to draw variations from distributions of probability. This method is also known as
Monte Carlo simulations as the generally are performed on computers and apply the use of random
numbers. The objective here of simulations is normally to find the uncertainties and probability
distributions based on the assumed uncertainties of the dependent variables. They are normally applied to
when the relation between dependent and independent variables are too complex to come up with
analytical solutions. Next, we look at yet another quantitative method of risk impact analysis known as
the Event Chan Methodology (ECM).
Event Chain Methodology
The risk in the risk register can be assigned to different project activities to various probabilities and
different levels of impacts as discussed earlier. An essential probabilistic model ought to include a risk
register, a project schedule and a set of possible mitigation plans. In instances where the number of
activities to be taken into consideration are numerous, the project model can prove to be a bit complex.
We the aid of the Event Chain Method I will help you simplify risk analysis. The following are some
basic points behind an events chain model. You can start by simplifying a project schedule consisting of
uncertainties and risks by visualizing a number of events and relating each of them. Now take into
account the relationships of risk events, timing, and conditions among other factors. This will help you
improve your accuracy of the quantitative analysis. The final step here is to incorporate the actual
performance of the project at hand. Here you will measure the performance of your project at different
phases. The first step of risk analysis is the risk identification. There are several techniques you can apply
to identify a risk and I will shortlist a few which include interviewing, brainstorming, assumptions and
checklist analysis, SWOT techniques, identification of root causes and several other diagrammatic
techniques. When we talk about event chain methodology, we must include the following key points in
the risk identification phase.

 First, identify the resource or activity a project event you will assign.
 Then identify the relationship between the risk triggers and the risk chain.
 The next step is to identify the specific time the risk occurs in an occurrence chain.
 Finally, determine the different states of each activity. Some activities may not, of course, be
identified to specific risks.

Next, in the ECM process, you do a quantitative risk analysis. There are various techniques you can apply
here, they include Monte Carlo analysis (used to approximate duration/cost), decision trees, and a
sensitivity analysis. Here, you randomly pull a sample value, from the probability distribution. You can
do your calculations by the aid of the Critical Path Model. A Monte Carlo analysis has been highly
recommended as it helps incorporate uncertainties in the scheduling of projects. It, however, faces the
following limitations. As a project manager, you apply different recovery options at various phases which
are not taken into account by the Monte Carlo analysis hence you end up being over pessimistic. Monte
Carlo does not hold into account statistical distributions of various costs.

3.3.2 Qualitative methods

To begin with, Let us look at the probability Impact Matrix. A probability matrix is one of the most
preferred methods of qualitative analysis for risk assessment. Risk calculation is very simple. Consider
the likelihood of an impact of an event and now assign it a random basis to the total which could be of a
particular classification. I will show this in a table.

Table 1: A simple model for probability and classification of impact

1 source: own

Probability Score Classification of impact Score

classification
Low 1 Major 3
Medium 2 Medium 2
 High 3 Easy 1
As the risk manager, you assign the total scores for likelihood and impact of risks you identify. You will
then proceed to multiply the two variables. The result will show the degree or extent of risk.

The first step is to define probability of a risk occurring and I will illustrate this in table 2

Table 2: Likelihood risk score

Likelihood level Score

Very low 0-20
Low 21-40
Medium 41-60
High 61-80
Very high 81-100

The second step here you set an impact scale ranging from 1-5 as I will show in table 3
Table 3 Analysis of Impact

Impact magnitude Definition of impact Score Rate

High Very high 5 A

impact/probability These are the biggest risk
that you should pay attention
to
High Impact or High 4 B
medium probability These are the risks with
And medium either high probability they
impact or high occur or will cause a
probability significant impact
Medium Medium 3 C
impact/probability The risk has a medium
impact of occurring.
There will be a noticeable
impact
Medium Impact r a Low 2 D
low probability of Here, the risks can occur in
low impact or certain situations and general
medium probability y have low or medium
impact
 Low impact and Insignificant 1 E
low probability Risk has low probability
occurrence and causes an
insignificant impact.

The third step you determine risk exposure of returning values

Table 4: Exposure risk calculation

No. Risk Likelihood of Impact Degree exposure risk

occurrence

Probability score Probability Score Rating Score

1 No Very low 20 Very high 5 E 12,5

numbers

2 A small no low 40 High 4 D 22

3 Reasonable Medium 60 Medium 3 C 31,5

no

4 Full no High 80 Low 2 B 41

5 More than Very high 100 Very low 1 A 50,5

The last step now will be drawing the probability matrix.

LIKELIHOOD IMPACT

Low Medium High

(insignificant) Here there is Here we
a reasonable have a
impact and significant
need to be impact
monitored
Low E D C
(not likely to
occur)
Medium D C B
(may occur)
 High C B A
(likely to
occur)
Probability Impact Matrix

For example, we can say the probability of not having class is a risk class C hence a medium risk.

From the probability matrix, we can conclude by saying that the risk management process is a cautious
attitude and focuses on the possibility of a specified risk materializing. It hence calls for you a risk
manager to make constructive decisions based precisely on such attitude. Risk management can hence
only be achieved by first understanding the risk in question. This, in fact, is the general purpose of our
study risk management. Risk identification and analysis of impact sizes can at times be termed as risk
assessment. This can also be put in the form of a checklist or a risk checklist to be precise. The probability
matrix forms a benchmark for the risk process. The differences that arise from the implementation may at
times score but this is not guaranteed. This is not an advisable method to use when assessing complex
risk. I would in this step advice to use the semi quantitate and quantitative methods for complex risks. Do
you need to obtain information on the descriptive way about risks? As a manager appeal to qualitative
evaluation that is approved and easily under stable to third parties. The purpose of impact matrix is to
calculate the impact of exposure to a specified risk.

3.4: methods to enhance leadership and organization risk management team

Let us look at the aim of good management. Its aim is to provide services that are efficient, appropriate,
sustainable and equitable to the community. This is achieved when resources for service providers such as
finances, hardware, human resource and process aspects are carefully taken care of. In this lesson, we will
study how leadership and good management helps in risk management.

Managers and leaders

Let us differentiate a manager from a leader. Leadership is all about creating a vision whereas
management is getting things done. You should note that good managers ought to be good leaders and
good leaders require management skills to deliver good services. Leaders are visionary and they have
visions which they communicate to others and come up with strategies for achieving such goals. They
negotiate for resources as well as motivate people in order to achieve their goals. On the other hand, the
duty of a manager is to ensure availability of resources, organizations are well organized and are applied
appropriately to produce good results. Let us now look at attributes of a good leader.

A good leader is one who is charismatic, decisive, has a sense of mission, who influences people to work
together. Who has a creative problem-solving mechanism to promote the better working environment?
Now let us look at the attributes of a manager. A manager is one who has good organization and
delegation skills, who has clarity of tasks and purpose. A manager is one who possesses good
communication skills and the ability to negotiate different regulatory and administrative processes.

What are some of the conditions for good management?

Conditions for good management include first, selection of managers and team members based on merit.
Managers should be respectful of their staff and supervisors. Managers need also to be knowledgeable,
skillful and have the ability to understand the task, roles, and purpose of services that they ought to
deliver. The basic support system functions should be good. E.g. well planning and monitoring of
activities, clear administering of staff roles and regulations.

What are some of the questions to ask yourself as a manager?

 What am I supposed to do as a manager?

 How often am I free to make decisions?
 Will the resources required be here and be on time?
 Where and what tools and equipment do I need to help me do my job well.
 How can I balance my managerial duties and other duties allocated to me?

An effective manager should agree with the staff on the objective they want to achieve and by this, they
can easily make decisions with minimal risks. What are some of the ways you can acquire competencies
and skills as a manager to reduce risks?

1. You should have a continuous learning and educating that includes self-learning programs.
2. As a manager, you should attend peer to peer learning. By this, you will have an opportunity to
interact with other managers, share challenges, experiences, and solutions and also support each
other.
3. Should have regular study tours, attachments, observation and secondments to provide practical
learning of how to handle situations you are likely to incur.
4. You should have coaching and mentoring relationships. By this managers will have the ability to
seek advice, and have various options they can use when faced with difficult situations.
5. Managers ought to involve themselves in learning groups. By this, they will have an opportunity
to learn, discuss issues and help improve management system.

Let us now proceed to an example where you manage finances as part of risk management. The degree of
the fund and financial resource management depends on nature, size, and the organization structure.
When you have a sound financial management team you are assured of providing good service delivery.

Here is a checklist of a good financial management.

 Ensure all accounting journals, registers and ledgers are up to date.

 Financial reports are prepared and submitted in a timely manner.
 Procedures to use petty cash are properly developed.
 Procedure to authorize purchases is strictly followed.
 Security measures to protect assets, books are in place to prevent tampering or theft.
 The physical stocktaking of assets and supplies is done at least once a year.
 Bank statements are monthly reconciled.
 The work plan should be used to develop a realistic annual budget.
 Financial plan/strategy to be in place to enhance improved cost recovery.
 Then items in the budget, chart of accounts and financial reports correspond with each other.
 Lastly but not least, cash flow is monitored and projected for the year to ensure there are no cash
shortages.

It’s important to note the below listed financial management task are very helpful in reducing risks. They
include preparing a budget and cash flow projection, management of cash income expenses and budget
allotment and expenditure.
3.5: expert judgment
Let us discuss expert judgment under different sections, first, we are going to discuss expert judgment in
hazard identification. Under the process of generating, developing and prioritizing risk, there challenges
that come up. This step produces crucial results and recommendations for risk assessment. There are two
normative experts required in hazard identification task. The first one is directing the process and the
other one is checking all required information is recorded. Expert judgment on risk model structure.
Differences in approaches to risk assessment relate to how uncertainties pertain to model structures, risk
model parameter values and completeness are addressed. Uncertainties depend on the understanding and
complexity of the causal relationship of quantities of the real world and their significance in the process
of decision making. Addressing the uncertainties both quantitatively and qualitatively affects the
credibility and completeness of risk assessment. Here are some of the examples of uncertainty and how
they are addressed in risk assessment approaches. The first type of uncertainty is conceptual; this occurs
when qualitative relationships of social or physical phenomena are undefined or unknown. An example of
conceptual uncertainty is the effects of global warming on paths of sea currents. Risk analysis method
can’t be used in addressing this uncertainty instead research and conceptual analysis should first be
carried out. Approaches to risk assessment have different needs on the expert judgment needed.