
Risk Management Process

The document outlines the steps in the risk management process according to ISO 31000. It begins by establishing the context, including internal and external contexts. It then assesses the risks through identifying risks, analyzing them by determining impact and likelihood, and evaluating them. The next steps are to treat the risks, monitor and review the risks, and communicate about the risks.

RISK MANAGEMENT PROCESS

(ISO31000 Risk Management Process)


DR. RABIHAH MD.SUM
Enterprise Risk Management Certified Professional (ERMCP), Singapore
Certified Member The Academy of Risk Management Malaysia (ARiMM)
Actuarial Science And Risk Management Program
Faculty Of Science And Technology
Universiti Sains Islam Malaysia

SMR4023 RISK MANAGEMENT


BSc.(Hon.) Financial Mathematics

[email protected] 1
What is the Risk Management process?

The risk management process consists of a series of steps that, when undertaken in sequence, enable continual improvement in decision-making.

Steps of the Risk Management Process

Step 1. Establish the context.


Step 2. Assess Risk
2.1 Identify the risks.
2.2 Analyze the risks.
2.3 Evaluate the risks.
Step 3. Treat the risks.
Step 4. Monitor and review.
Step 5. Communicate and consult

Step 1. Establish the context

Consists of a five-step process to assist with establishing the context within which risk will be identified.
1- Establish the internal context
2- Establish the external context
3- Establish the risk management context
4- Develop risk criteria
5- Define the structure for risk analysis

1- Establish the internal context

• As previously discussed, risk is the chance of something happening that will impact on objectives.
• As such, the objectives and goals of a business, project or activity must first be identified to ensure that all significant risks are understood.
• This ensures that risk decisions always support the broader goals and objectives of the business. This approach encourages long-term and strategic thinking.
In establishing the internal context, the business
owner may also ask themselves the following
questions:
• Is there an internal culture that needs to be considered? For example, are staff resistant to change? Is there a professional culture that might create unnecessary risks for the business?
• What staff groups are present?
• What capabilities does the business have in terms of people, systems, processes, equipment and other resources?

2. Establish the external context

• This step defines the overall environment in which a business operates and includes an understanding of the clients’ or customers’ perceptions of the business.
• An analysis of these factors will identify the strengths, weaknesses, opportunities and threats to the business in the external environment.

A business owner may ask the following questions
when determining the external context:
• What regulations and legislation must the business
comply with?
• Are there any other requirements the business
needs to comply with?
• What is the market within which the business
operates? Who are the competitors?
• Are there any social, cultural or political issues that
need to be considered?

Tips for establishing internal and external contexts

• Determine the significance of the activity in achieving the organization's goals and objectives
• Define the operating environment
• Identify internal and external stakeholders and determine their involvement in the risk management process.

3- Establish the risk management context

- Before beginning a risk identification exercise, it is important to define the limits, objectives and scope of the activity or issue under examination.

- For example, in conducting a risk analysis for a new project, such as the introduction of a new piece of equipment or a new product line, it is important to clearly identify the parameters for this activity to ensure that all significant risks are identified.
• Tips for establishing the risk management context
• Define the objectives of the activity, task or
function
• Identify any legislation, regulations, policies,
standards and operating procedures that need to
be complied with
• Decide on the depth of analysis required and
allocate resources accordingly
• Decide what the output of the process will be, e.g.
a risk assessment, job safety analysis or a board
presentation. The output will determine the most
appropriate structure and type of documentation.
4. Develop risk criteria

• Risk criteria allow a business to clearly define unacceptable levels of risk.
• Risk criteria may include the acceptable level of risk for a specific activity or event.
• In this step the risk criteria may be broadly defined and then further refined later in the risk management process.

• Tips for developing risk criteria

• Decide or define the acceptable level of risk for each activity
• Determine what is unacceptable
• Clearly identify who is responsible for accepting risk and at what level.

5. Define the structure for risk analysis

• Isolate the categories of risk that you want to manage. This will provide greater depth and accuracy in identifying significant risks.
• The chosen structure for risk analysis will depend upon the type of activity or issue, its complexity and the context of the risks.

Step 2. Assess Risk
2.1 Identify the risks

• Risk cannot be managed unless it is first identified.
• Once the context of the business has been defined, the next step is to utilize the information to identify as many risks as possible.

The aim of risk identification is to identify possible
risks that may affect, either negatively or positively,
the objectives of the business and the activity under
analysis. Answering the following questions
identifies the risk:

• There are two main ways to identify risk:
1- Identifying retrospective risks
Retrospective risks are those that have previously
occurred, such as incidents or accidents.
Retrospective risk identification is often the most
common way to identify risk, and the easiest. It’s
easier to believe something if it has happened
before. It is also easier to quantify its impact and
to see the damage it has caused.

• There are many sources of information about retrospective
risk. These include:
• Hazard or incident logs or registers
• Audit reports
• Customer complaints
• Accreditation documents and reports
• Past staff or client surveys
• Newspapers or professional media, such as
journals or websites.

2-Identifying prospective risks

• Prospective risks are often harder to identify.
• These are things that have not yet happened, but might happen some time in the future.
• Identification should include all risks, whether or not they are currently being managed.
• The rationale here is to record all significant risks and monitor or review the effectiveness of their control.
• Methods for identifying prospective risks include:
• Brainstorming with staff or external stakeholders
• Researching the economic, political, legislative
and operating environment
• Conducting interviews with relevant people
and/or organizations
• Undertaking surveys of staff or clients to identify
anticipated issues or problems
• Flow charting a process
• Reviewing system design or preparing system
analysis techniques.

Tips for effective risk identification

• Select a risk identification methodology appropriate to the type of risk and the nature of the activity
• Involve the right people in risk identification activities
• Take a life cycle approach to risk identification and determine how risks change and evolve throughout this cycle.

Step 2. Assess Risks
2.2 Analyze the risks

• During the risk identification step, a business owner may have identified many risks and it is often not possible to try to address all those identified.
• The risk analysis step will assist in determining which risks have a greater consequence or impact than others.

• What is risk analysis?

• Risk analysis involves combining the possible consequences or impact of an event with the likelihood of that event occurring. The result is a ‘level of risk’. That is:

Level of Risk = Impact x Likelihood

• Elements of risk analysis
The elements of risk analysis are as follows:
1. Identify existing risk strategies and risk controls
that act to minimize the risk.
2. Determine the impact of the risk.
3. Determine the likelihood of the risk.
4. Estimate the level of risk by combining impact
and likelihood.
5. Consider and identify any uncertainties in the
estimates.

• Types of analysis
Three categories or types of analysis can be used to
determine level of risk:
• Qualitative
• Semi-quantitative
• Quantitative.
- The most common type of risk analysis is the
qualitative method.
- However, the type of analysis chosen will be based
upon the area of risk being analyzed.
• Tips for effective risk analysis
• Risk analysis is usually done in the context of
existing risk controls – take the time to identify
them.
• The risk analysis methodology selected should, where possible, be comparable to the significance and complexity of the risk being analyzed, i.e. the higher the potential impact or consequence, the more rigorous the methodology.
• Risk analysis tools are designed to help rank or prioritize risks. To do this they must be designed for the specific context and the risk dimension under analysis.
Step 2. Assess Risks
2.3 Evaluate the risks
• Risk evaluation involves comparing
the level of risk found during the
analysis process with previously
established risk criteria, and deciding
whether these risks require treatment.
• The result of a risk evaluation is a
prioritized list of risks that require
further action.
• This step is about deciding whether
risks are acceptable or need
treatment.
• Risk acceptance
A risk may be accepted for the following reasons:
• The cost of treatment far exceeds the benefit, so
that acceptance is the only option (applies
particularly to lower ranked risks)
• The level of the risk is so low that specific
treatment is not appropriate with available
resources
• The opportunities presented outweigh the
threats to such a degree that the risks are justified
• The risk is such that there is no treatment
available, for example the risk that the business
may suffer storm damage.
Step 3. Treat the risks

• Risk treatment is about considering options for treating risks that were not considered acceptable or tolerable.
• Risk treatment involves identifying options for treating or controlling risk, in order to either reduce or eliminate negative consequences, or to reduce the likelihood of an adverse occurrence.
• Risk treatment should also aim to enhance positive outcomes.
• Options for risk treatment:
Identifies the following options that may assist in
the minimization of negative risk or an increase in
the impact of positive risk.
1. Avoid the risk
2. Take the risk
3. Remove risk source
4. Change the likelihood of the occurrence
5. Change the consequences
6. Share the risk
7. Retain the risk
• Tips for implementing risk treatments
• The key to managing risk is in implementing
effective treatment options
• When implementing the risk treatment plan,
ensure that adequate resources are available, and
define a timeframe, responsibilities and a method
for monitoring progress against the plan
• Physically check that the treatment implemented
reduces the residual risk level
• In order of priority, undertake remedial measures
to reduce the risk.
Step 4. Monitor and review

• Monitor and review is an essential and integral step in the risk management process.
• A business owner must monitor risks and review the effectiveness of the treatment plan, strategies and management system that have been set up to effectively manage risk.
• Risks need to be monitored periodically to ensure
changing circumstances do not alter the risk
priorities.
• Very few risks will remain static, therefore the risk
management process needs to be regularly
repeated, so that new risks are captured in the
process and effectively managed.
• A risk management plan at a business level should
be reviewed at least on an annual basis.
• An effective way to ensure that this occurs is to
combine risk planning or risk review with annual
business planning.
Step 5. Communicate and consult

- Communication and consultation aim to identify who should be involved in assessment of risk (including identification, analysis and evaluation) and should engage those who will be involved in the treatment, monitoring and review of risk.

As such, communication and consultation will be
reflected in each step of the process described here.
As an initial step, there are two main aspects that
should be identified in order to establish the
requirements for the remainder of the process.
-These are communication and consultation aimed at:
A. Eliciting risk information
B. Managing stakeholder perceptions for
management of risk.

A- Eliciting risk information

Communication and consultation may occur within the organization or between the organization and its stakeholders.

It is very rare that only one person will hold all the information needed to identify the risks to a business or even to an activity or project.

It is therefore important to identify the range of stakeholders who will assist in making this information complete.

Tips for effective communication and consultation

• Determine at the outset whether a communication strategy and/or plan is required
• Determine the best method or media for communication and consultation
• The significance or complexity of the issue or activity in question can be used as a guide as to how much communication and consultation is required.
• The more complex and significant to the organization, the more detailed and comprehensive the requirement.
Summary of risk management steps
