WHAT IS RISK MANAGEMENT?

DR. ZAINAL ARIFIN

WHY MANAGING RISK IS IMPORTANT?
WHY MANAGING RISK IS IMPORTANT IN ORGANIZATION?

1. Identification of key business risks in a timely

manner,
2. Consideration of the likelihood of risks crystallizing
and the significance of the consequent financial
impact on the business,
3. Establishment of priorities for the allocation of
resources available for control and the setting and
communicating of clear control objectives.
Risk management is the identification, assessment, and prioritization
of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed
by coordinated and economical application of resources to minimize, monitor,
and control the probability and/or impact of unfortunate events or to maximize
the realization of opportunities.
Hubbard, Douglas (2009). The Failure of Risk Management: Why It's Broken and How to Fix It. John Wiley & Sons. p. 46.

Risk management’s objective is to assure uncertainty does not

deflect the endeavor from the business goals.
Antunes, Ricardo; Gonzalez, Vicente (3 March 2015). "A Production Model for Construction: A Theoretical
Framework". Buildings. 5 (1): 209–228.

Risk management is the process of identifying, assessing and controlling

threats to an organization's capital and earnings. These threats, or risks, could
stem from a wide variety of sources, including financial uncertainty, legal
liabilities, strategic management errors, accidents and natural disasters
http://searchcompliance.techtarget.com/definition/risk-management
 RISK MANAGEMENT LEVEL

Figure 1.1 Levels within a corporate organization (Merna 2003)

Risk management should consider not only the threats (possible losses) but
also the opportunities (possible gains). It is important to note that losses or
gains can be made at each level of an organization.
Figure 2.1 The concept of risk (Merna and Smith 1996)
 THE ORIGIN OF RISK

The origin of the word ‘risk’ is thought to be either the Arabic word risq or the
Latin word riscum (Kedar 1970).
The Arabic risq signifies ‘anything that has been given to you [by God] and from
which you draw profit’ and has connotations of a fortuitous and favorable
outcome.
The Latin riscum, however, originally referred to the challenge that a barrier reef
presents to a sailor and clearly has connotations of an equally fortuitous but
unfavorable event.
A common definition of risk – the likelihood of something undesirable happening
in a given time – is conceptually simple but difficult to apply. It provides no clues
to the overall context and how risks might be perceived. Most people think of risk
in terms of three components: something bad happening, the chances of it
happening, and the consequences if it does happen.
Typical risk parameters (Adapted from Allen 1995)
 UNCERTAINTIES
Hetland (2003) believes the following assertions clarify uncertainty:
1. Risk is an implication of a phenomenon being uncertain.
2. Implications of a phenomenon being uncertain may be wanted or unwanted.
3. Uncertainties and their implications need to be understood to be managed properly.

Smith et al. (2006) suggest that risks fall in to three categories: known risks, known
unknowns and unknown unknowns.
 SOURCES OF RISK

Table 2.2 Typical sources of risk to

business from projects (Merna and
Smith, 1996
 TYPICAL RISKS
Project Risks
The International Finance Corporation (IFC) division of the World Bank
1. the implementation stage (pre-completion) – relative to construction risks
2. the operational phase (post-completion) – relative to operational risks, the first few years of operation
having the highest degree of susceptibility

1. Failure to keep within cost estimate

2. Failure to achieve the required completion date
3. Failure to achieve the required quality and operational requirements.
Thompson and Perry (1992)

Many project management practitioners suggest the following influence the risk associated with projects:
1. Project size
2. Technology maturity (the incorporation of novel methods, techniques, materials)
3. Project structural complexity.
Figure 2.3 Financial risk timeline
 Global Risks Elemental Risks
Global risks originate from sources external Elemental risks originate from sources within the project
to the project environment and although environment and are usually “controllable” within the
they are usually predictable their effect on elements of the project. The four main elemental risks are
the outcome may not always be construction/manufacture, operational, financial and
controllable within the elements of the revenue risks (Merna and Smith 1996). These types of risk
project. The four major global risks are are usually considered as controllable risks and are often
political, legal, commercial and related to the different phases of a project and mainly
environmental risks (Merna and Smith assessed at SBU and project levels.
1996). These types of risk are often
referred to as “uncontrollable risks” since
the corporate entity cannot control such
risks even though there is a high probability
of occurrence. Normally these risks are
dealt with at corporate level and often
determine whether a project will be
sanctioned.
 Static Risk Dynamic Risk

This relates only to potential This is concerned with maximizing

losses where people are opportunities. Dynamic risk means that
concerned with minimizing losses there will be potential gains as well as
by risk aversion (Flanagan and potential losses. For example, Marconi tried
Norman 1993). A typical example to gain by changing from a well-established
would be the risk of losing market in the defense industry to new
markets for a particular product or uncertain markets in the telecom industry.
brand of goods by not risking the Dynamic risk is risking the loss of something
introduction of new products or certain for the gain of something uncertain.
goods onto the same market. During a project, losses and gains resulting
from risk can be plotted against each other
and compared (Flanagan and Norman 1993).
 Inherent Risk

The way in which risk is handled depends

on the nature of the business and the way
that business is organized internally. For
example, energy companies are engaged
in an inherently risky business – the threat
of fire and explosion is always present, as
is the risk of environmental impairment.
Financial institutions on the other hand
have an inherently lower risk of fire and
explosion than an oil company, but they
are ex- posed to different sorts of risk.
Contingent Risk

This occurs when an organization is affected directly by an event in an area

beyond its direct control but on which it has a dependency, such as weak
suppliers (International Journal of Project and Business Risk Management 1998).
Normally a percentage of the overall project value is put aside to cover costs of
meeting such risks should they occur.
 Customer Risk Fiscal/Regulatory Risk

Dependency on one client creates Only by keeping abreast of potential

vulnerability because that client can changes in the environment can a
take its business away, or be taken over business expect to manage these
by a rival. The risk can be managed by risks.
creating a larger customer base
(International Journal of Project and
Business Risk Management 1998).
 Purchasing Risk
Purchasing risk is a vital part of
modern commercial reality
 Reputation/Damage Risk

This is not a risk in its own right but rather the

consequence of another risk, such as fraud, a
building destroyed, failure to attend to
complaints, lack of respect for others.
 Organizational Risk Institutional Risks

A poor infrastructure can result in weak

controls and poor communications with a
variety of impacts on the business
Interpretation Risk
Destructive Technology Risk
Perceived and Virtual Risks
1. Perceived through science: cholera, for example, needs a microscope to see it and
scientific training to understand it.
2. Perceived directly: climbing a tree, riding a bike or driving a car are all risks apparent by
the actions and consequences.
3. Virtual risk: these are risks scientists do not fully understand or cannot agree on their
impact. Examples include global warming, low level radiation, pesticide residues, mobile
phones, passive smoking, and eye laser treatment.
Events of Force Majeure

1. Such circumstance is not within the reasonable control of the party affected
2. Such circumstance despite the exercise of reasonable diligence cannot be
prevented, avoided or removed by such party
3. Such event materially adversely affects the contractor to construct or
operate the facility
4. The contractor has taken all reasonable precautions in order to avoid the
effect of such event on the contractor’s ability to construct or operate the
facility
5. Such event is not the direct or indirect result of failure by the contractor to
perform any of his obligations under any of the project documents, and
6. Such party has given the other party prompt notice describing such event,
the effect thereof and the actions being taken in order to comply with this
paragraph.
Instances of Force Majeure
1. Acts of war or the public enemy whether war be declared or not
2. Public disorders, insurrections, rebellion, sabotage, riots, violent demonstrations or
vandalism
3. Explosions, fires, earthquakes, avalanche or other natural calamities
4. Strikes, lockouts, or other industrial action of workers or employees
5. Ionizing radiations or contamination by radio activity from any nu- clear fuel or nuclear
waste
6. Any order, legislation, enactment, judgments, ruling or decision made or taken by
Government or judicial authority
7. Unforeseeable unfavorable climatic or unforeseeable unsuitable ground conditions or
sub-surfaces or latent physical conditions at the site which differ materially from those
indicated in the Site Investigation Report or previously unknown physical conditions at the
site of an unusual nature which differ materially for those ordinarily encountered and
generally recognized as inherent in work of the character provided for in an agreement
8. Delays in obtaining Governmental authorizations
9. Any other event which is not within reasonable control of the party affected.
STAKEHOLDERS
If you can’t manage risk, you can’t control
it. And if you can’t control it you can’t
manage it. That means you’re just
gambling and hoping to get lucky.
(J. Hooten, Managing Partner, Arthur
Andersen & Co., 2000)