Risk management class

Session 1: Introduction to risk and risk management

 MINDSET – How is Risk Perceived - what are individual and Organisational approaches to
Risk? Risk Appetite!
o Different from people to people
 SKILLSET – How are techniques most effectively used and applied? Who applies them
and how knowledgeable and competent/confident are the users?
 TOOLSET – What are the models, templates, frameworks and systems that are applied
to Risk Management?
 DATASET – What Data is required to measure Risk and Risk Cause? How is this data
accessed, communicated and displayed?

Risk Cause and Effect

 Cause = what has happened that is the resent for the even
 Effect = consequence of the event
If the cause happens it is not 100% sure that the even happens
e.g. car accident:
 Cause: bad weather or driver not feeling well

Cause of risk
Risks may come from diverse “cause groups”. The popular Six Risk Area model:

1. Strategic risk – Are you headed in the right direction? Can you change direction? (Poor
Strategic Direction) influence from external changes.
 Made bad decision about the risk
2. Compliance risk – Adherence to Legal, Statute, Regulations and Guidelines – Global
(Laissez Faire attitude to compliance)
 E.g. laws are different in different countries
3. Financial risk – Cost and Revenue model changes, currency, cashflow (Poor financial
vision planning and control)
 E.g. exchange risk -> currency fluctuation
4. Operational risk – Risks in day-to-day operations, risks from failed internal processes,
people or systems or external.
5. Reputation risk – Transparency and visibility, public perception (Poor awareness of
market reputation factors). Risk is increasing due to popularity of social media.
 Relates to communication with the public (effect -> ppl unhappy selling costs)
6. Health and safety risk: Identifying the types of hazards that could occur, such as physical,
chemical and biological, assessing the risks and putting the appropriate control
measures in place to make sure that your employees feel safe and taken care of,
physically and mentally.

Risk categories

 Risk categories: Classification of risks by the Causes.

 o Based on the need of the company
 It is also called hazard groups, risk groups, or risk areas.
 Many different ways/models to set up the categories.

Effect of risk

Effect may appear in the following ‘Impact Groups’

1. Economic Performance – Very broad but quantifiable
2. Professional Reputation – Less measurable and quantifiable – ‘Intangible’
3. Health and Safety – Damage to Life and Property
4. Environment – Health and safety impacts EXTERNAL to the organization
5. Society – CSR impacts

Conclusion:
Risk Concept – Impacted Outcomes through incomplete knowledge
Risk Psychology – The determinants of ‘Risk Appetite’
Risk tolerance, Risk exposure, Risk capacity
Risk Pathways – Causal areas (risk categories, hazard groups)
Risk Outcomes – Impact areas
Risks in the management hierarchy

Session 2:

Risk assessment: Identification and register

‘If you can see it, you can measure it (Einstein) And if you can measure it, you can manage
it’
This session deals with the process of ‘Seeing it’.
Risk Identification is the first stage of establishing a Coherent, Measurable and Manageable
Risk Register

Content

 Measuring Risks: Risk Matrix

 Name the Risks
 Differentiating Risk Cause from Risk Event
 Risk Identification
 Risk Identification Process
 Risk Register

Risk matrix

 Is about how to consider the risk qualitatively

 Risk assessment can be a ‘very straightforward process based on judgement requiring no
specialist skills or complicated techniques.’
 This approach is commonly known as qualitative or subjective or narrative risk
assessment.
 Qualitative risk assessment involves making a judgment on the impact and probability of
a risk:
Risk Magnitude = Severity x Likelihood

How to create a Risk matrix

Name a Risk

 We name the risk events in our business and organizational context. • Named Risks can
be discretely measured and observed.
 To be specific
Example of a badly named Risk: ‘Risk to Company Reputation’

This could be:

Under quality product (design, value presentation and utility)
Delivery delay (logistics and distribution)
Unsatisfied clients (Sales and Marketing)
Weak compliance to CSR Guidelines (Procurement and/or Production)

 Do not confuse a Risk Event with its Causes.

 Effective Dashboards allow visibility at APPROPRIATE POINTS for both CAUSE and EVENT
 A risk dashboard shows the risk events!

Questions, is it cause, risk or effect?

Is poor car maintenance a risk?

 Cause
Is bad weather a risk?
 Cause – can lead to an accident
Is traffic jam a risk?
 Cause – lead to being late
Is factory downtime a risk?
 Depends on the context
o Effect: if the owner did not pay for electricity
o Cause: reduction of sales
o Risk: the electricity stops working during the time
We are worried about not having the appropriate documentation for customs clearance. Is
it a risk?
 Cause: night make it complicated to then get passed customs
We’re concerned that we didn’t complete a liabilities check on our agents. Is it a risk?

Risk identification

1. IMPORTANT: Identify objective

2. What is the uncertain event we want to avoid

• Risk identification is a set of activities that detect,

describe and catalog all potential risks to assets and
processes that could have negatively impact on
business outcomes in terms of performance, quality,
damage, loss or reputation.
Mission:
• Identify, name and describe the risks
• Identify the causes and effects of the risks
• It is the first step in the Risk Management cycle
and the creation of Risk Register.

Why must cause be carefully identified and managed?

Cheaper to prevent it than to fix it

The 1-10-100 Theory states that:

‘Moving from prevention of an error to correction increases the cost
by a factor of 10. And, if you move to failure – that factor is 100’

The Risk identification Process

1. Identify Risk Categories (Hazard Groups)

2. Identify detailed Risks
3. NAME and describe the Risk
4. Identify and Qualify the Cause of the Risk
5. Qualify Probability (The Likelihood Narrative)
6. Qualify Impact (The Impact Narrative)
7. Allocate Functional “Risk Owner” within the organization
Risk Identification
STEP 1: identify risk categories

Six risk areas:

• Strategic risk
• Financial risk
• Reputational risk
• Operational risk
• Health and safety risk
• Compliance risk

This stage is not easy and is rarely obvious initially:

Operational risk may be the most urgent for a management solution. For example:
• Maritime Industry is now under scrutiny to reduce emissions through alternative
propulsion systems with significant pressure to enforce legislation.

STEP 2: Identify detailed risk

STEP 3: Quality and NAME the risks

This legislation change may impact many aspects of the business,

for example: legislation change in port entry Qualify the Risk:
Port entry refusal for non-compliant vessels, whereby vessels can still sail but by unilateral
national decision, vessels with emissions over a stated level are not permitted to berth or
enter.
MAME the Risk:
‘Non Emissions-compliant vessel port entry refusal’

STEP 4: Identify cause of risk

This is VITAL as it steers towards prevention (Managing the Cause) or Treatment (Mitigating
the Event).
‘This Risk is apparent due to increased unilateral compliance decision with global Emissions
Protocols and International Maritime Organisation Guideline 68. Currently these are
recommendations to the industry, but significant pressure to transfer to Legislation and/or
Regulation’

STEP 4: Quality impact

 At this stage, clearly identify and define the impact: ‘We can only measure what we
can see’
 At this stage, the impacts might be identified as multiple across several organisation
functions – Multiple Stakeholder inputs and perspectives required.
Remember! The impacts will later require to be measured in Performance Units for the
dashboard! For example:
• Extra costs through transhipments and additional inland haulage (Financial) • Delays to
vessels and client cargoes (Reputational)
• Reduced tonnage (Vessels) on certain routes and legs (Financial/Product)
• Vessel downtime (Financial/Operational)

STEP 6: Quality probability

Narrative probability scenarios.

All event probabilities need to be evaluated and ‘likelihoods’ stated
• Port entry refusal in Northern Europe/WC US within the next three years is highly
probable.
Emmissions Control tests and regulations become standard in Lloyds shipping registry (KOL)
and other vessel inspection and certification within next ten years

Step 7: Quality visibility – The clarity of the probability

Visibility of the risk: to what extent / at what timeframe can the risk be detected before
occurrence?
• Signal and notification
• Time delay in reporting
• Low visibility leads to high risk factor
‘The shipping industry is sensitive politically and vital in terms of international trade. The
IMO are committed to graduated introductions of regulations and unilateral national
decisions will be announced well in advance of implementation – offsets for Automotive
Industry’.
 Visibility is high.

Session 3:

Measuring and Evaluating Risk

Risk is evaluated over three quantified variables:

1. Predictability
2. Impact
3. Visibility

Risk probability

 This is not a ‘Possibility’ analysis.

 Probability evaluation QUANTIFIES the Likelihood of a Risk Event occurrence.
 Probability is established by:
 Mathematical/statistical models
 Historical data: Business records, commercial or governmental databases, academic
publications, etc.
 Subjective evaluation
 ExpertOpinion
 Consultative Analysis Examples:
  • Shipping delays in La Roche port: 34% of shipments were delayed more than 7 days
in 2021. • 90% of business start-ups fail within two years.

The higher the number, the probability is higher, impact is higher and harder to detect

Severity Probability x impact x visibility – Risk Priorisation number (RPN)

Likelihood

Visibility

Assessing risk
Failure mode and Effect Analysis