RISK MANAGEMENT: ISSUES, CHALLENGES AND OPPORTUNITY

Sijan Bhandari1, Ashish Dutta2, Sachin Manandhar3

Department of Geomatics Engineering, Kathmandu University

Corresponding author:
[email protected],
[email protected],
[email protected]

Keywords: Risk, Risk Management, Project, Project Risk Management

ABSTRACT
In times of increased competition and globalization, project success becomes even more critical to
business performance, and yet many projects still suffer delays, overruns, and even failure. Ironically,
however, risk management tools and techniques, which have been developed to improve project
success, are used too little, and many still wonder how helpful they are. All projects, programmes and
portfolios are inherently risky because they are unique, constrained, based on assumptions, performed
by people and subject to external influences. Risks can affect the achievement of objectives either
positively or negatively. Risk includes both opportunities and threats, and both should be managed
through the risk management process. Risk management involves identifying, analyzing and
responding to risk factors throughout life of a project. It is important since it helps us to handle issues
better and leads towards the success of a project. Hence, anticipating the risks timely and tackling it
effectively will help the organization achieving long term success.

1. INTRODUCTION
Risk management is a process that allows individual risk events and overall risk to be understood and
managed proactively, optimizing success by minimizing threats and maximizing opportunities
(SearchCompliance, 2019). Risk is the uncertain future event or condition that might affect our project
objectives. These uncertain events could lead to positive or negative result. All the organizations
attempt to avoid or reduce the impact of negative risks. However, when it comes to the positive risks,
organizations would like to take maximum advantages of these opportunities. Risk management has
1
become a key organization practice; it is among the issues that have consistently been in the spotlight.
Every organization is striving to develop risk management policies that will enable it to handle issues
better and to develop a competitive advantage in their respective industries . In the risk management,
you identify the potential risks, then you assess them so that which of the identified risks are more
critical and which are less. Based on that assessment, you give more priority to some risks and less to
others (Jastaniyah, 2017).
Each project is different, and involves some degree of uncertainty. Yet, many organizations still tend
to assume that all their projects will succeed, and often fail to consider and analyze their project risks,
and prepare in case some-thing goes wrong. This attitude frequently leads to project failure and
disappointing results, and as many studies have shown, project success rates are less than satisfactory.
Organizations need to be prepared for project risks and be ready to do something about them (Aaron
Shenhar, 2002).

2 AIM AND OBJECTIVES

The aim of this technical paper is to exchange and share experiences and research results on different
aspects of Survey Project Management. It also provides an interdisciplinary platform for us to present
and discuss the most recent innovations, trends, and concerns encountered and solutions adopted in
the fields of Survey Management.
This technical paper aims to:
 To provide a platform to the academic researchers to exchange and share their experience in
Survey Management Process.
 To highlight the issues, challenges, opportunities and solutions for the different project
management, survey management aspects, project planning, project and management principles.

3 METHODOLOGY
We performed desk study and literature review on risk management consulting various books, articles,
slides shared in slide share and YouTube videos. All the findings from this desk study are secondary
information from other materials. Primary research was not carried out by ourselves. All the materials
used for report preparation are listed in the reference section. The methodological flow chart for this
article is given below:

2
3.1 Literature Review
In the literature review section, scientific literature such as journal articles, books and documents are
used for the purpose of this research and are mentioned in reference section.

3.1.1 Historical Overview on the Concepts of Risk

It is a fascinating and uncommonly appreciated fact that our current “modern times,” characterized
by the technological advances that shape and define our daily lives, originate from the introduction of
a Hindu-Arabic numbering system in Italy in the early 1200s. The ability of society to utilize numerals
for arithmetic calculus propelled our understanding of odds, risk, and probability, starting from the
time of the Renaissance in Europe to our current modern age in a global perspective ( Bardi, 2007).
Most readers are likely not aware that almost all significant inventions, innovations, and developments
in science, economics, technology, and health care in the past 200–300 years originated from the
ability to predict future events and to make conscientious, balanced decisions on the risk and
probability of our action ( Bardi, 2007).
3.1.2 Evolution of Risk Management
In an originally french published book in 1916, Henry Fayol identified risk management as a security
function among the six basic functions of a business firm. Risk management has been re-discovered
by multinational firms in the United States after World War II (Krimsky, 1982). The general trend in
the current usage of risk management probably began in the early 1950s. One of the earliest reference
to the concept of risk management in the literature appeared in an article by Russel Callagher in the
Harvard Business Review in 1956 (Frank E. Bird , George L. Germain, Jr. Bird, 1996)
In October 1988 the first world congress on risk management was sponsored by the International
Federation of Risk and Insurance Management Associations (IFRIMA). Today, the Association has
22 members around the world. The latest national association were created at the end of the 1980s in
Singapore, Malaysia and the Philippines..
The risk manager evolved from the insurance manager because risk management is broader than
insurance in that it deals with the choice of the appropriate techniques for dealing with pure risks
including insurance. Felix Kloman argued recently that "organizations have been challenged by newer
and more dynamic risks, risks that have not been addressed effectively by the risk
management that is tied to the insurance industry." (Jacques, 1985).

3
3.1.3 Risk Management System
People have often chosen to adopt various views in the field of risk management. In recent years,
although some sources may have a narrow view, the term “risk management system” may be used to
represent the broadest concept, in particular in the field of human safety and health, the environment
and property protection, and in the chemical and shipping industries. The risk management system is
the overall integrated process consisting of two essential interrelated and overlapping, but
conceptually distinct components – risk assessment and risk management.
Risk management attempts to provide answers to the questions on how best to deal with risks, such
as : What can be done? What options are available and what are their associated tradeoffs? What are
the effects of current decisions on future options? ( Mullai , 2006).
3.1.4 Risk Management Process
The effectiveness of Risk Management strongly depends on the degree to which it succeeds in
becoming a part of an organization's culture, i.e. its philosophy, practices and business processes. In
this way, Risk Management is the responsibility of everyone in the organization.
In practice, any of the Risk Management processes can be used as an entry point to the Risk
Management process or can be performed in isolation. ( Mullai , 2006)
The ideal sequence for the performance of the processes of Risk Management is to start with the
establishment of a Corporate Risk Management Strategy and proceed according to the orange cyclic
arrow as indicated in the figure, whereas mutual interactions between the processes might also be
performed (e.g. performance of Risk Assessment after a Risk Acceptance) ( Mullai , 2006)

4
 Figure 1: Overall cycle of a Risk Management process
Source: ( Mullai , 2006)
Risk Management is considered as consisting of the five main processes shown in the figure above:
Definition of Scope, Risk Assessment, Risk Treatment, Risk Communication and Monitor and
Review. It is worth mentioning, that the two processes Definition of Scope and Risk Communication
are considered to make up the Risk Management Strategy (represented in Figure by the yellow box).
The description of the above mentioned figure on overall risk management processes are given below:

I. The Cooperate Risk Management Strategy

Risk Management Strategy is an integrated business process that incorporates all of the Risk
Management processes, activities, methodologies and policies adopted and carried out in an
organization. The Risk Management strategy sets the parameters for the entire Risk Management and
is usually released by the executive management of an organization. As depicted in Figure 4, Risk
Management Strategy consists of two processes, one setting the framework for the entire Risk

5
Management and the other setting the communication channels in the organization (see yellow box
embracing Definition of Scope and Risk Management 30/06/2006 ENISA 16 Communication). In the
forthcoming sections the components of Risk Management Strategy will be analyzed. It also contained
following aspects:
 Risk Communication, Risk Awareness and Consulting
As mentioned above, it is essential for Risk Management to become part of the organization’s culture.
Therefore communicating and creating awareness of relative issues across the organization at each
step of the Risk Management process are very important. Communication should by all means involve
an open discussion with all stakeholders with efforts focused on consultation and development of
common understanding, rather than on a one way flow of information from the decision maker to the
other stakeholders ( Mullai , 2006).
 Definition of Scope and Framework
By establishing the framework for the management of risks, the basic parameters within which risks
must be managed are defined. Consequently, the scope for the rest of the Risk Management process
is also set. It includes the definition of basic assumptions for the organization’s external and internal
environment and the overall objectives of the Risk Management process and activities. Although the
definition of scope and framework are fundamental for the establishment of Risk Management, they
are independent from 5 It is often the case that “established” practices lead to isolated or narrow
observation of the status quo of the security. External personnel contribute in bringing in “fresh air”
by means of additional viewpoints in the evaluation of risks. Risk Management 30/06/2006 ENISA
17 the particular structure of the management process, methods and tools to be used for the
implementation ( Mullai , 2006).
 Definition of external environment
This step includes the specification of the external environment in which the organization operates
and the definition of the relationship between this environment and the organization itself. The
external environment typically includes: the local market, the business, competitive, financial and
political environment. Also, the law and regulatory environment , social and cultural conditions ,
external stakeholders are included in it .
 Definition of internal environment
As in every significant business process, the most critical prerequisite is to understand the organization
itself. Risk Management 30/06/2006 ENISA 18 Key areas that must be evaluated in order to provide

6
a comprehensive view of the organization’s internal environment include: key business drivers (e.g.
market indicators, competitive advances, product attractiveness, etc.), the organization’s strengths,
weaknesses, opportunities and threats, internal stakeholders, organization structure and culture,
assets in terms of resources (such as people, systems, processes, capital etc), goals and objectives and
the strategies already in place to achieve them ( Mullai , 2006).
 Generating the Risk Management context
In business terms, Risk Management as a process should provide a balance between (all kinds of)
costs, benefits and opportunities. Therefore, it is necessary to draw the appropriate framework and to
correctly set the scope and boundaries of the Risk Management process. Setting the Risk Management
context involves defining the: organization, process, project or activity (to be assessed) and
establishing its goals and objectives. Also, duration of the project, activity or function, full scope of
the Risk Management activities to be carried out specifying any including inclusions and exclusions
are included on generating the risk management context ( Mullai , 2006).
 Formulation of risk criteria
The criteria by which risks will be evaluated have to be decided and agreed. Deciding whether risk
treatment is required, is usually based on operational, technical, financial, regulatory, legal, social, or
environmental, criteria or combinations of them. The criteria should be in line with the scope and
framework defined above. Furthermore, they should be closely related to the organization's internal
policies and procedures and support its goals and objectives ( Mullai , 2006).
II.Risk Assessment
Every organization is continuously exposed to an endless number of new or changing threats and
vulnerabilities that may affect its operation or the fulfillment of its objectives. Identification, analysis
and evaluation of these threats and vulnerabilities are the only way to understand and measure the
impact of the risk involved and hence to decide on the appropriate measures and controls to manage
them. It has to be noted, that Risk Assessment is a process that in many cases is not (at least not
adequately) performed, even if Risk Management is implemented ( Mullai , 2006). Following are the
aspect included on Risk assessment:
 Identification of Risks
This is the phase where threats, vulnerabilities and the associated risks are identified. This process has
to be systematic and comprehensive enough to ensure that no risk is unwittingly excluded. It is very
important that during this stage all risks are identified and recorded, regardless of the fact that some

7
of them may already be known and likely controlled by the organization ( Mullai , 2006).
 Analysis of relevant Risks
Risk analysis is the phase where the level of the risk and its nature are assessed and understood. This
information is the first input to decision makers on whether risks need to be treated or not and what is
the most appropriate and cost-effective risk treatment methodology. Risk analysis involves: thorough
examination of the risk sources, their positive and negative consequences, the likelihood that those
consequences may occur and the factors that affect them ( Mullai , 2006).
 Evaluation of Risks
During the risk evaluation phase decisions have to be made concerning which risks need treatment
and which do not, as well as concerning on the treatment priorities. Analysts need to compare the
level of risk determined during the analysis process with risk criteria established in the Risk
Management context (i.e. in the risk criteria identification stage). It is important to note that in some
cases the risk evaluation may lead to a decision to undertake further analysis ( Mullai , 2006).
III. Risk Treatment
According to its definition, Risk Treatment is the process of selecting and implementing of measures
to modify risk. Risk treatment measures can include avoiding, optimizing, transferring or retaining
risk. The measures (i.e. security measurements) can be selected out of sets of security measurements
that are used within the Information Security Management System (ISMS) of the organization. At this
level, security measurements are verbal descriptions of various security functions that are
implemented technically (e.g. Software or Hardware components) or organizationally (e.g.
established procedures) ( Mullai , 2006).
 Identification of options
Having identified and evaluated the risks, the next step involves the identification of alternative
appropriate actions for managing these risks, the evaluation and assessment of their results or impact
and the specification and implementation of treatment plans. Since identified risks may have varying
impact on the organization, not all risks carry the prospect of loss or damage. Opportunities may also
arise from the risk identification process, as types of risk with positive impact or outcomes are
identified ( Mullai , 2006).
 Development of the action plan
Treatment plans are necessary in order to describe how the chosen options will be implemented. The
treatment plans should be comprehensive and should provide all necessary information about:

8
proposed actions, priorities or time plans; resource requirements; roles and responsibilities of all
parties involved in the proposed actions; performance measures; reporting and monitoring
requirements ( Mullai , 2006).
 Approval of the action plan
As with all relevant management processes, initial approval is not sufficient to ensure the effective
implementation of the process. Top management support is critical throughout the entire life-cycle of
the process. For this reason, it is the responsibility of the Risk Management Process Owner to keep
the organization’s executive management continuously and properly informed and updated, through
comprehensive and regular reporting ( Mullai , 2006).
 Implementation of the action plan
The Risk Management plan should define how Risk Management is to be conducted throughout the
organization. It must be developed in a way that will ensure that Risk Management is embedded in
all the organization’s important practices and business processes so that it will become relevant,
effective and efficient ( Mullai , 2006).
 Identification of residual risks
Residual risk is a risk that remains after Risk Management options have been identified and action
plans have been implemented. It also includes all initially unidentified risks as well as all risks
previously identified and evaluated but not designated for treatment at that time ( Mullai , 2006).
IV.Risk Acceptance
It is the optional process. Acceptance of residual risks that result from with Risk Treatment has to take
place at the level of the executive management of the organization (s. definitions in chapter 4.1). To
this extent, Risk Acceptance concerns the communication of residual risks to the decision makers.
Once accepted, residual risks are considered as risks that the management of the organization
knowingly takes. The level and extent of accepted risks comprise one of the major parameters of the
Risk Management process. In other words, the higher the accepted residual risks, the less the work
involved in managing risks (and inversely). , Risk Acceptance has been included in the assessment of
methods and tools, as it might be a decision criterion for certain kinds of organizations (e.g. in the
financial and insurance sector, in critical infrastructure protection etc.) ( Mullai , 2006).
V. Monitor and Review
One of the most critical factors affecting the efficiency and effectiveness of the organization’s risk
management process is the establishment of an ongoing monitor and review process. This process

9
makes sure that the specified management action plans remain relevant and updated. In today’s
continuously changing business environment, factors affecting the likelihood and consequences of a
risk are very likely to change also. This is even truer for factors affecting the cost of the risk
management options. It is therefore necessary to repeat the risk management cycle regularly. ( Mullai
, 2006).

4 ISSUES, CHALLENGES AND OPPORTUNITIES

There are different issues and challenges involved with this process. Project Managers should
overcome these to effectively layout a plan.
4.1 Mismeasurement of known risks:
Risk managers sometimes make mistakes in assessing the probability or the size of losses ( Stulz,
2008). In many cases, big risk decisions are being made too low in organizations, with people who
aren’t incentivized to make the right decisions for the organization. Mismeasurement of known risk
is a common problem in risk management practice.
4.2 Failure to take known risks into account:
It is very difficult to consider all the risks in a risk measurement system, or it is costly to do so. This
is because nobody can forecast future events perfectly.
4.3 Failure in communicating risks to top management:
Risk managers communicate information about the risk position of the firm to top management and
the board. The management and board use this information to determine the firm’s risk strategy. If a
risk manager is unable to communicate this information effectively, top management may make
decisions that are badly informed, or they may develop an overoptimistic perception of the risk
position of the firm ( Stulz, 2008).
4.4 Failure in monitoring and managing risks:
It is challenging for risk managers to capture all the changes in the risk characteristics of securities
and to adjust their hedges accordingly. As a result, risk managers may fail to adequately monitor risks
simply because the risk characteristics of securities may change too quickly to allow them to assess
them and put on effective solutions.
A good project risk management plan allows managers to look at the entirety of their project through
the lens of what could go wrong. This, in turn, will help them to develop an alternatives for a variety
of budget, timing, or personnel issues ( Stulz, 2008). Here are benefits of developing a project risk

1
0
management plan:
 Effective use of resources
 Fewer shocks and failures
 Raised awareness of significant risks Enhancing communication
 Quick grasp of new opportunities

5 RESULTS AND DISCUSSION

By implementing a risk management plan and considering the various potential risks or events before
they occur, an organization can save money and protect their future. This is because a robust risk
management plan will help a company establish procedures to avoid potential threats, minimize their
impact should they occur and cope with the results. This ability to understand and control risk will
allow organizations to feel more confident about their business decisions. Furthermore, strong
corporate governance principles that focus specifically on risk management can help a company reach
their goals.
In every project there is the chance of occurrence of risk during project duration time. If proper risk
management is not done, then it may hamper in completion of different project work. From this paper
we come up with proper risk management process. And we also discussed about different issues,
challenges and opportunity during the risk management process. And we concluded that risk
management is important for the project to be completed in planned time and budget.

6 CONCLUSION
This paper has discussed the various aspects of risk management in the project. The most important
part of this article is the process of risk management and how can we manage it. Risk management
helps us identify, manage and ultimately control risks. It helps us to reduce the exposure once we
understand what risks exist in the project. Very few risks will remain static, therefore the risk
management process needs to be regularly repeated, so that new risks are captured in the process and
effectively managed. Understanding the risk management is very important in studying and managing
risks. In this article, attempts have been made to provide “state-oft the-art” knowledge and contribute
to enhancing understanding in the field of risk management and methodology
1
1
7 REFERENCES

Bardi, J. (2007). The Calculus Wars: Newton, Leibniz, and the Greatest Mathematical Clash of All Time.
NewYork, USA: Basic Books Ltd.
Mullai , A. (2006). RISK MANAGEMENT SYSTEM – RISK ASSESSMENT FRAMEWORKS AND
TECHNIQUES. 6. (O. L, Ed.) Dagob publication Ltd.
Stulz, R. (2008, October 08). Risk Management Failures: What are They and When do They Happen? Social
Science Network Journal , 25.
Aaron Shenhar, D. D. (2002). Risk Management, Project Success, and Technological Uncertainty. R& D
Management, 101-109.
Frank E. Bird , George L. Germain, Jr. Bird. (1996). Practical Loss Control Leadership. Intl Loss Control
Inst.
Jacques, C. (1985). European Risk Managment. Paris, France.
Jastaniyah, A. A. (2017). Risk Management Problems: Risk Management Challenges in the Financial
Institutions. American Journal of Engineering Research, 34-39.
Krimsky, S. (1982, 9 1). Alternatives to Regulation by Michael S. Baram.
SearchCompliance. (2019, October 16). Retrieved from
https://searchcompliance.techtarget.com/definition/risk-management

1
2