
Risk Management

Risk management

Uploaded by

Daniel Kiptoo
Copyright
© All Rights Reserved

Risk Management

1.1 Definition of Risk

Risk is often associated with the negative consequences it entails, such as the possibility of losses, injuries, or some other negative events. This connotation has led organizations to consider risk as a barrier to the achievement of their objectives, one that they should simply minimize or avoid altogether. For these organizations, the purpose of risk management becomes to limit their exposure to risk.

Risk can have both positive and negative consequences. Opportunities for organizations to expand, innovate, and improve are almost always accompanied by some form of risk, i.e. uncertainties.

Definition of Risk Management

Risk Management generally refers to the architecture that organizations use (principles, framework and process) for managing risk effectively, and “managing risk” refers to applying that architecture to particular decisions, activities and risk.

Risk Management is therefore an integral component of management that involves coordinated activities concerned with the effect of uncertainty on the objectives of an organization.

Some of the Reasons for Risk Management Failure

• Insufficient capital
• Failure in communicating the risks to the top management
• Risk ignorance
• Failure to mitigate risk
• No concrete plan

Elements of Successful Risk Management

• Understand emerging risk: Gather intelligence on far-off threats.
• Consider extreme events: Consider unexpectedly large deviations (i.e., “fat tails” or “black swans”) that could have a catastrophic impact.
• Define and understand risk appetite: Provide key risk indicators in order to ensure that risk remains within the determined thresholds.
• Assess and aggregate all risks: Assess correlations and more general interactions within the set of an organization’s exposures; implement a “portfolio approach” to the aggregation of risks.
• Ensure sound judgement: While data quantifying tools are important, they also have their limitations. Data reflect past events, and in order to predict future events we must rely on hypothesis and interpretation. Therefore, both sound judgement and quantifying tools should be part of risk management.
• Foster a risk culture in the organization: Have the upper, middle, and lower management manage operational and tactical risks.

Notes:
• Risk appetite: The level of risk that an organization is willing to accept.
• Fat-tailed distribution: A probability distribution that displays a large skewness or kurtosis in comparison to a normal or exponential distribution.
• Black swan: An event which can have a high impact, but whose probability of occurrence is low.

Risk Management Process According to ISO 31000

• Risk management is a management process that stimulates the cost-effective accomplishment of an organization’s objectives; furthermore, the standard also states that the purpose of risk management is the creation and protection of value.
• This leads us toward the question: How does a risk management process, based on ISO 31000, support organizations in the creation and protection of value, and consequently, in the achievement of organizational objectives?

In addition to providing answers to such questions, ISO 31000 also provides a set of principles, a framework and a risk management process that organizations can follow.

The standard proposes 8 principles which organizations should consider when establishing their risk management framework and processes. The purpose of the risk management principles provided by ISO 31000 is to link the framework and practice of risk management to the organization’s strategic goals.

Risk Categories
Some risk types that can be faced by organizations
of any type include:
1. Operational Risk
2. Financial Risk
3. Credit Risk
4. Information Technology Risk
5. Integration Risk
6. Security Risk
7. Legal Risk
8. Strategic Risk

Operational Risk
• The loss resulting from inadequate procedures, policies, and systems within the organization is called Operational Risk.

Financial Risk
• The process of coping with uncertainties that derive from financial markets. The main sources of financial risk include:
  • The organization’s exposure to changes in market prices;
  • Actions and transactions with other organizations;
  • Internal actions and organizational failures.

Credit Risk
• The loss that is generated due to the inability of the counterparty to meet its obligations is called Credit Risk.

Information Technology Risk
• The operational, financial, and project failures due to the usage of new technology.

Integration Risk
• The negative outcomes triggered by the integration of new processes and technology, and/or lack of communication.

Security Risk
• The losses encountered due to information security incidents or physical incidents.

Legal Risk
• The risk that emerges because of the inability to comply with the applicable regulatory obligations.

Strategic Risk
The following are a few types of strategic risk:
• Competitive Risk – The risk that you lose ground to competitors as they improve and innovate
• Change – The risk that change such as new technology will threaten your business model
• Regulatory Risk – The potential for new regulations to disrupt your business
• Political Risk – Political events and conditions can disrupt your business or impact the economics of an industry
• Economic Risk – The potential for economic conditions to affect your strategy

1.2 Risk Management Process

Risk identification:
• Risk identification is about the creation of a comprehensive list of risks (both internal and external) that the organization faces, and can involve input from sources such as historical data, theoretical analysis, expert opinions, and stakeholders’ needs.
• The identification of risks should be a formal, structured process that includes risk sources, events, their causes and their potential consequences.
• The risk identification process enables the organization to identify its assets, risk sources, risk events, existing measures and consequences.

Risk Analysis:
• An organization should analyse each risk that was identified in the previous step.
• Based on the level of risk that is determined after the risk analysis, the organization is able to define whether the risk is acceptable or not.
• If the risk turns out to be unacceptable, the organization can take actions to modify the risk to correspond to the acceptable level of risk.
• An organization should use a formal technique to consider the consequence and likelihood of each risk.

Risk Evaluation:
• This step offers the organization the opportunity to have a mechanism that helps it rank the relative importance of each risk so that a treatment priority can be established.

Risk treatment:
• Proper risk management requires rational and informed decisions about risk treatment.
• Typically, such treatments include: avoidance of the activity from which the risk originates, risk sharing, managing the risk by the application of controls, risk acceptance and taking no further action, or risk taking and risk increasing in order to pursue an opportunity.

Communication and consultation:
• Proper risk management requires structured and ongoing communication and consultation with those affected by the organization’s operations.
• The communication seeks to promote awareness and understanding of risk and the means to respond to it, whereas consultation involves obtaining feedback and information to support decision-making.

Recording and reporting:
• The outcomes of the risk management process are to be documented and reported through appropriate mechanisms.
• Recording and reporting is important for reasons such as communication of the risk management activities and outcomes pertaining to those activities throughout the organization and providing the necessary basis and information for making informed decisions.

Monitor and review:
• Considering that both the external and internal environment are subject to constant change, the purpose of this step is to help organizations assure and improve the quality and effectiveness of the risk management process.
• Monitoring includes actions such as examining the progress of treatment plans, monitoring the established controls and their effectiveness, ensuring that activities which are proscribed are being avoided, and checking that the environment has not changed in a way that affects the risks.

Type of Risks

The risk types that an organization faces depend heavily on the context of that organization, its industry sector, and the environment in which it operates.

Therefore, it is difficult to define a universal list of all risk types, perhaps with the exception of one risk that impacts all organizations.

Operational Risk
• Operational risk involves any event that disrupts the normal operations of the organization. Operational risk can also include employee errors, fraud, or criminal activities.
• These types of risks happen everywhere, not just in a business environment, for example:
  • Injuries sustained from a design weakness in playground equipment
  • Engineering flaws resulting in a mass recall of motor cars
  • Poor labelling on pharmaceutical packaging leading to the wrong dose being administered
  • Swabs or instruments left in a patient after surgery

Opportunity-Based Risk
• An organization faces opportunity-based risks when it takes one opportunity over another, and by doing so, the organization has the risk of:
  • Receiving results it did not expect
  • Missing out on better opportunities
• Examples of opportunity-based risks include relocation, introduction of a new product line, purchase of a new property, etc.

Uncertainty-Based Risk
• An organization faces uncertainty-based risks when it deals with an unexpected or unknown event. These events are hard to predict and it can be difficult to control the damage caused by them.
• Examples include:
  • Unpredicted financial loss due to bankruptcy, an economic downturn, or other reasons
  • Destruction by natural calamities
  • Loss in market share due to new entrants in the market or due to changing customer habits
• Organizations can take several measures to reduce the impact of uncertainty-based risks, for example:
  • Analyse the business environment to identify customer expectation and trends in the market
  • Establish an emergency response plan, a business continuity plan, etc.
  • Check the organization’s financial health
  • Establish a feedback culture

Hazard-Based Risk
• When an organization faces dangerous situations in the workplace, it means that it is prone to hazard-based risks.
• Examples of this type of risk include:
  • Physical hazards (e.g. extreme weather)
  • Chemical hazards (e.g. toxic chemicals)
  • Biological hazards (e.g. bacteria)
  • Ergonomic hazards (e.g. poor workplace design)
  • Psychological hazards (e.g. stress, discrimination, burnout)

Terminologies associated with Risks
• Opportunity
• Threat
• Event
• Consequences
• Residual Risk

End of Lecture
Q&A
