Topic 2-Risk Management Process

The document outlines a comprehensive risk management process applicable to any organization, emphasizing adherence to international standards. Key steps include establishing context, conducting risk assessments, planning and implementing risk treatments, and ensuring effective communication and consultation. It details methods for identifying and analyzing risks, developing risk criteria, and evaluating treatment options to manage and mitigate risks effectively.

Uploaded by Timoth Mbwilo

Risk Management Process

Is a generic guide to risk management for any organization regardless of the type of business, activity or function. The procedures should be in accordance with internationally recognized standards or models.
Key steps of the standard are:
• Establishing context
• Conducting risk assessment (i.e. risk identification, analysis and evaluation)
• Planning and implementing risk treatments
• Communicating and consulting
• Monitoring and reviewing
Risk Management Process
i. Establishing Context
• The organization articulates its objectives, defines the external and internal parameters to be taken into account when managing risk, and sets the scope and risk criteria for the remaining process.

Establishing context cont…
Establish the internal context
• Understand your internal context: goals, objectives and functions, as well as the regulations, policies, manuals, controls etc. of the organization.
• Also any major strengths and weaknesses in the strategic and organizational context in which risk management will take place.
Establishing internal context cont…
• For example, the nature of your business, the risks inherent in your business and your priorities.
• Is there an internal culture that needs to be considered? For example, are staff resistant to change? Is there a professional culture that might create unnecessary risks for the business? What staff groups are present? What capabilities does the business have in terms of people, systems, processes, equipment and other resources?
Risk Management Process Cont…..
• Establish the external context
• This step defines the overall environment in which a business operates and includes an understanding of the clients’ or customers’ perceptions of the business. An analysis of these factors will identify the strengths, weaknesses, opportunities and threats to the business in the external environment.
• What regulations and legislation must the business comply with?
• Are there any other requirements the business needs to comply with?
• What is the market within which the business operates? Who are the competitors?
• Are there any social, cultural or political issues that need to be considered?
Risk Management Process
• Develop risk criteria
• Risk criteria allow a business to clearly define unacceptable levels of risk. Conversely, risk criteria may include the acceptable level of risk for a specific activity or event. In this step the risk criteria may be broadly defined and then further refined later in the risk management process.
o Decide or define the acceptable level of risk for each activity
o Determine what is unacceptable
o Clearly identify who is responsible for accepting risk and at what level.
Risk Mgt process cont….
Define the structure for risk analysis
Isolate the categories of risk that you want to manage. This will provide greater depth and accuracy in identifying significant risks.
The chosen structure for risk analysis will depend upon the type of activity or issue, its complexity and the context of the risks.
Risk Management Process………
• Set your Risk Appetite
• Risk appetite is the amount of risk that your organization is willing to accept in pursuit of the achievement of its objectives; alternatively, risk appetite is the manner in which an organization and its stakeholders collectively perceive, assess and treat risk.
o It is developed at the entity level by top management
o It requires re-evaluation after significant changes: organizational, political, strategies/objectives, stakeholders’ expectations etc.
o Once approved, it is the responsibility of top management to communicate it to all levels of the PSO (Public Sector Organization), including stakeholders
Risk Management Process…….
Determine your risk tolerance, based on the risk appetite and the levels of total risk. Risk tolerance requires a company to consider in quantitative terms exactly how much of its capital it is prepared to put at risk.
ii. Risk Assessment
• Risk assessment relates to the organization’s process of evaluating the impact and likelihood of events, and prioritizing related risks.
• Risk Identification
Risk cannot be managed unless it is first identified. Once the context of the business has been defined, the next step is to use that information to identify as many risks as possible.
Risk Management process cont….
• There are two main ways to identify risk:
• Identifying retrospective risks
• Retrospective risks are those that have previously occurred, such as incidents or accidents. Retrospective risk identification is often the most common way to identify risk, and the easiest. It’s easier to believe something if it has happened before. It is also easier to quantify its impact and to see the damage it has caused.
• There are many sources of information about retrospective risk. These include:
• Audit reports; customer complaints; accreditation documents and reports; past staff or client surveys; newspapers or professional media, such as journals or websites; hazard or incident logs or registers.
Risk Management Process
Identifying Prospective Risks
Prospective risks: these are things that have not yet happened, but might happen sometime in the future. These are often harder to identify.
Identification should include all risks, whether or not they are currently being managed. The rationale here is to record all significant risks and monitor or review the effectiveness of their control.
Risk Management Process cont…
Methods for identifying prospective risks include:
Brainstorming with staff or external stakeholders
Brainstorming is a technique by which a group attempts to generate ideas or find a solution for a specific problem by amassing ideas spontaneously and without judgment.
Risk Mgt process cont….
• Researching the economic, political, legislative and operating environment: SWOT analysis (strengths, weaknesses, opportunities and threats) can also be used during risk identification. Project teams focus on the broad perspectives of potential risks for particular projects or the organization.
Risk Management Process
Conducting interviews with relevant people and/or organizations
Interviewing is a fact-finding technique for collecting information in face-to-face, phone, e-mail or instant-messaging discussions. It is useful to have a prepared set of questions as a guide to the interview. Interviewing people with similar project experience is an important tool for identifying potential risks.
Undertaking surveys of staff or clients to identify anticipated issues or problems
Risk Mgt Process cont ….
• Questionnaires
• Business studies which look at each business process and describe both the internal processes and external factors which can influence those processes
• Incident investigation
• Auditing and inspection
• Risk assessment workshops
Risk Management Process Cont…
• Risk Analysis
• During the risk identification step, a business owner may have identified many risks, and it is often not possible to address all of those identified.
• Risk analysis is a systematic process for understanding the nature of risk and determining the level of risk. Risks are analyzed by considering two factors:
• Risk = Likelihood x Consequence
• Likelihood = frequency of occurrence. This tends to be the more straightforward factor, e.g. never, once in five/ten years, once a year, four times a year, once a month, all the time.
• Impact = consequence/effect of a risk. It can be estimated qualitatively, semi-quantitatively or quantitatively.
Risk Management Process Cont….
• Qualitative method: this is the kind of risk analysis method most often used for decision making in organizations and business projects; entrepreneurs base themselves on their judgment, experience and intuition for decision making.
• These methods can be used when the level of risk is low and does not warrant the time and resources necessary for making a full analysis. They include: brainstorming; questionnaires and structured interviews; evaluation by multidisciplinary groups; judgment of specialists and experts (Delphi technique).
Risk Management process cont….
• Semi-Quantitative Methods
• Word classifications are used, such as high, medium or low, or more detailed descriptions of likelihood and consequences.
• These classifications are shown in relation to an appropriate scale for calculating the level of risk.
• Careful attention must be given to the scale used, in order to avoid misunderstandings or misinterpretations of the results of the calculation.
Risk Management Process cont…
Quantitative Methods: quantitative methods are those that enable us to assign values of occurrence to the various risks identified, that is, to calculate the level of risk of the projects/activities implemented.
Quantitative methods include: analysis of likelihood; analysis of consequences; and computer simulation.

Risk Mgt process cont…
The most relevant sources of information used in analyzing consequences and likelihood may include: past records, practical and relevant experience, relevant published literature, market research, results of public consultation, or expert judgment.
Risk Management Process …..
• Performing Risk Rating
• Risks are rated using various classification band levels, i.e. 5-band level, 4-band level, 3-band level etc.
• 5-band level: Very High, High, Medium, Low, Very Low
• 4-band level: Very High, High, Medium, Low
• 3-band level: High, Medium, Low
• In the case of Tanzania, we use the 5-band level for both Likelihood and Impact. This is because it has already been adopted in the Government’s Risk Management Guideline (to guide all Public Sector Organizations in Tanzania).

Risk Management Process..
• Risk Rating (Impact and Likelihood) / Symbols

Risk Management Process …..
• The rating is then made by multiplying Likelihood and Impact.
• The highest possible product is 25 (i.e. 5 x 5) and the lowest is 1 (i.e. 1 x 1).
• Note: the result (product) is called the total risk.
• Make decisions on the severity of the total risk based on the band levels.
• Best practice has made the following categorization for ranking total risks:
• Risk Escalation (Decision Levels)
Risk Management Process Cont…..
• Risk Evaluation
Risk evaluation involves comparing the level of risk found during the analysis process with the previously established risk criteria, and deciding whether these risks require treatment. The result of a risk evaluation is a prioritized list of risks that require further action.

Risk Evaluation cont..
Risk evaluation is therefore used to make decisions about the significance of risks to the organization and whether each specific risk should be accepted or treated.
Rank the risks according to management priorities, by risk category, and rated by likelihood and possible cost or consequence.
• Determine inherent levels of risk
Risk Management Process..
• Risk Heat Map (Risk Profiling): using the risk matrix, you can now assign each risk a level and score. You do this by plotting the risk’s ‘consequence’ against its ‘likelihood’. For example, if a risk is ‘moderate’ (consequence) and ‘unlikely’ (likelihood), its risk level will be ‘medium’. In addition, it will have a score of 6: 3 (for consequence) x 2 (for likelihood) = 6.
• Remember that an otherwise significant risk may have a ‘low’ risk level and score because effective controls are in place to manage it.
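The rating, evaluation and heat-map steps above (Likelihood x Impact on the 5-band scale, the 1..25 total risk, ranking against the risk appetite, and re-rating once a treatment is in place) can be worked through in code. The following Python is an added example written for this page, not material from the slides or from the Tanzanian Risk Management Guideline. The slides do not reproduce their categorization table for total risk, so the band thresholds in TOTAL_RISK_BANDS are an assumption, chosen so that the page's own example (3 x 2 = 6) lands in 'Medium'; the sample risks in sample_register() are constructed for illustration.

```python
# Added example (not from the slides): five-band Likelihood x Impact rating,
# total-risk banding, prioritisation against appetite and residual re-rating.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Likelihood and Impact are each rated on the 5-band scale the slides describe
# (Very Low .. Very High), mapped here onto the integers 1..5.
SCALE: Dict[str, int] = {"Very Low": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}

# ASSUMED banding of the total risk (the product, 1..25) into severity levels.
# The slides' own categorisation table is not reproduced in the text, so these
# upper bounds are an assumption, chosen so that 3 x 2 = 6 falls in 'Medium'
# as in the heat-map example on the page.
TOTAL_RISK_BANDS: List[Tuple[int, str]] = [(4, "Low"), (9, "Medium"), (15, "High"), (25, "Very High")]
BAND_ORDER: List[str] = [name for _, name in TOTAL_RISK_BANDS]


def rate(likelihood: int, impact: int) -> int:
    """Total risk = Likelihood x Impact. Both inputs must be on the 1..5 scale,
    so the product ranges from 1 (1 x 1) to 25 (5 x 5)."""
    for label, value in (("likelihood", likelihood), ("impact", impact)):
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{label} must be an integer from 1 to 5, got {value!r}")
    return likelihood * impact


def band(total: int) -> str:
    """Map a total-risk score onto the (assumed) severity bands above."""
    for upper, name in TOTAL_RISK_BANDS:
        if total <= upper:
            return name
    raise ValueError(f"total risk {total} is outside the 1..25 range")


@dataclass
class Risk:
    name: str
    category: str
    likelihood: int  # inherent likelihood, 1..5
    impact: int      # inherent impact, 1..5
    residual: Optional[Tuple[int, int]] = None  # (likelihood, impact) with treatment in place

    @property
    def inherent(self) -> int:
        """Level of risk before any treatment is taken into account."""
        return rate(self.likelihood, self.impact)

    @property
    def current(self) -> int:
        """Residual score once a treatment has been re-rated, else the inherent score."""
        return self.inherent if self.residual is None else rate(*self.residual)


def rerate_after_treatment(risk: Risk, likelihood: int, impact: int) -> int:
    """Re-assess and re-rate a risk with the treatment in place. The treatment
    now acts as a control, and the new score is the residual risk."""
    residual = rate(likelihood, impact)  # validates the new ratings
    risk.residual = (likelihood, impact)
    return residual


def prioritize(register: List[Risk], appetite: str = "Medium") -> List[Risk]:
    """Risk evaluation: compare each risk's current band with the appetite and
    return the risks that exceed it, highest score first (ties broken by name)."""
    if appetite not in BAND_ORDER:
        raise ValueError(f"unknown appetite band {appetite!r}")
    limit = BAND_ORDER.index(appetite)
    exceeding = [r for r in register if BAND_ORDER.index(band(r.current)) > limit]
    return sorted(exceeding, key=lambda r: (-r.current, r.name))


def heat_map(register: List[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """Place each risk on the 5 x 5 matrix, keyed by (likelihood, impact),
    using the residual ratings where a treatment has been re-rated."""
    grid: Dict[Tuple[int, int], List[str]] = {}
    for r in register:
        cell = r.residual if r.residual is not None else (r.likelihood, r.impact)
        grid.setdefault(cell, []).append(r.name)
    return grid


def sample_register() -> List[Risk]:
    """Constructed sample risks for illustration only (not from the slides)."""
    return [
        Risk("Unpatched internet-facing server", "Technology", likelihood=4, impact=5),
        Risk("Key supplier insolvency", "Financial", likelihood=3, impact=4),
        Risk("Staff resistant to new controls", "People", likelihood=3, impact=2),
        Risk("Minor office supply shortage", "Operational", likelihood=1, impact=1),
    ]


if __name__ == "__main__":
    register = sample_register()
    for r in register:
        print(f"{r.name:35} inherent={r.inherent:2} ({band(r.inherent)})")
    print("Needs treatment:", [r.name for r in prioritize(register)])
    rerate_after_treatment(register[0], likelihood=2, impact=5)  # e.g. after patching
    print("After treatment:", [(r.name, r.current) for r in prioritize(register)])
```

Running the script rates the constructed register, lists the risks above a 'Medium' appetite, then re-rates the first risk with a treatment in place and shows that it drops from 'Very High' (20) to 'High' (10) but still exceeds the appetite, which is the page's point that a treated risk must be re-rated rather than assumed closed.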
Planning and implementing risk treatments
Risk Treatment: risk treatment involves identifying options for treating or controlling risk, in order either to reduce or eliminate negative consequences, or to reduce the likelihood of an adverse occurrence. Risk treatment should also aim to enhance positive outcomes.
There are four stages:
• Identify risk treatment options
• Select the most suitable risk treatment option(s)
• Develop risk treatment plans
• Implement and review risk treatments
Risk Management Process………………….
• Options for risk treatment:
• Acceptance – tolerating the risk when its likelihood and impact are relatively minor, or when it would be too expensive to mitigate it. Simply accept that this is a risk. Acceptance is the choice to do nothing to protect an information asset and to accept the loss when it occurs.
• Reduction/Treatment – taking action to minimize either the likelihood of the risk developing, or its effects.

Planning and implementing risk treatments ….
• Share – transferring the risk to a third party, for example with an insurance policy. Insurance can be an effective mechanism for transferring large risks to someone else. To be insurable, an adverse event must be important enough to cause economic hardship to the insured if it occurs. Further, there must be a sufficient number of adverse events or potential quality loss to allow a reasonably close calculation of the probable loss.
• Avoid/Terminate – avoiding the risk by not starting or carrying on the activity that gives rise to it, or by changing how the activity is undertaken or implementing an alternative solution.
Planning and Implementing risk treatment
Factors to consider while selecting risk treatment options
1. The financial and other resources required to implement the treatment
2. The feasibility (including timing) of implementing the treatment
3. How effective the treatment is likely to be in reducing or removing the risk
4. The potential impact of the treatment on stakeholders’ values, perceptions and interests – some treatments may be more acceptable to stakeholders than others
5. Whether the treatment will compromise or be in conflict with any legal, regulatory or other obligations your organization has
6. Possible unintended consequences of the treatment – risk treatments themselves may affect other existing risks, or may introduce new risks (known as secondary risks)
• The failure or ineffectiveness of a risk treatment is itself a risk
• Organizations often benefit from adopting a combination of treatment options.
Planning and implementing risk treatments Cont..
Develop Risk Treatment Plan
Risk treatment plans are concerned with how you document the selected treatment option(s) and where they will be implemented. These plans should then be integrated into your organization's processes and activities and discussed with appropriate stakeholders.

Planning and Implementing risk treatment options
The information to include in a risk treatment plan should, at a minimum, comprise the following:
i. The name of the treatment plan
ii. The risk(s) the plan is intended to mitigate
iii. The plan’s objectives
iv. The proposed actions
v. The name(s) of the person(s) accountable for the plan’s development and execution
vi. The risk owner
vii. Resource requirements including time, costs and other inputs
viii. Performance measures and monitoring of progress made (weekly, monthly or quarterly)
ix. Timing and scheduling.
Planning and implementing risk treatments Cont….
• Implement and Review Risk Treatment
• The implementation of a risk treatment may have varying degrees of success.
• It may lessen the risk, remove the risk entirely, or have no effect at all. It may also lead to secondary risks. It’s therefore important to monitor and review treatments.
• Implementing and reviewing risk treatments is a cyclical process of: implementing the risk treatment; assessing its effectiveness; deciding whether any remaining risk (known as residual risk) is at a tolerable level; if it is not tolerable, implementing a new risk treatment; and assessing the effectiveness of that treatment.
• After implementing a risk treatment, you should also re-assess and re-rate the risk, but now with the treatment in place.
• At this point the treatment has, in other words, become a new risk management control.
Communicating and Consulting
In all steps of the Risk Management Process you should ensure that the appropriate stakeholders (external and internal) are consulted and/or informed about what’s going on.
Effective communication (e.g. reports) will ensure that those responsible for implementing the Process, as well as other relevant stakeholders, understand the basis on which decisions are made and the reasons why particular actions are required. It will also support and encourage accountability for ownership of risks.

Communicating and consulting cont…
• Internal stakeholders
• The Board needs to be fully informed of the outcomes of risk assessments and risk reviews. In particular, they must be informed of risks at levels beyond the acceptable or tolerable.
• Staff and managers need to be informed of the outcomes of risk assessments and risk reviews so they can manage risks appropriately and in accordance with the risk management policy.

Communicating and consulting cont…
External stakeholders
There may be certain risk information you are required to communicate to external stakeholders due to statutory and governance obligations. Beyond that, you should think carefully about what you choose to communicate.
Communicating and Consulting cont..
• For example, it is unlikely that you would inform potential suppliers about individual risks or your Risk Register.
• However, you may decide to inform them that you have a Risk Management Policy and Framework to manage risks, because this information may assist in negotiating favorable terms or conditions for the procurement of goods and services.
Communicating and Consulting
Consultation: a consultative approach will yield more successful outcomes by helping to engage managers and staff in the Risk Management Process and to integrate risk management into the organization. For example, it will:
• Help establish the context appropriately
• Ensure the interests of stakeholders are understood and considered
• Help ensure that risk categories and risks are adequately identified
• Bring together different areas of expertise for analyzing risks
• Ensure that different views are considered when defining risk criteria and evaluating risks
• Secure endorsement and support for treatment plans
• Enhance appropriate change management during the Risk Management Process
• Develop an appropriate external and internal communication and consultation plan
Communicating and consulting cont…
Who should be consulted: senior managers or officers are usually involved in identifying, assessing and managing risks, so they should be consulted. In particular, ensure that those responsible for the organizational processes and outcomes in each risk category are consulted. Consultation can be done through one-on-one interviews, group workshops or other methods.
Monitoring and Reviewing
The activities of monitoring and reviewing must be ongoing, and are integral to every step in the Risk Management Process.
• By monitoring risks you control the risk, and you can ensure this is done in accordance with your organization's Risk Management Policy and Framework.
You can also determine the effectiveness (impacts, benefits and costs) of your risk management strategies. Monitoring is therefore part of the continual improvement process and will enhance organizational value.
Monitoring and Reviewing cont…
• As well as conducting ongoing monitoring activities, we recommend you set up formal review and reporting mechanisms.
• These mechanisms are a requirement of good governance, provide the management team with regular and up-to-date information on risks, risk treatment plans and any issues arising, and assure the Board that risks are being managed in line with the Risk Management Policy and Framework.
Monitoring and Reviewing Cont….
Formal review and reporting mechanisms would look something like this:
On an annual basis (typically), review your organization's Risk Management Policy and Framework, the risk assessment criteria that have been set, and the Risk Management Process and its integration and alignment with other organizational processes.
On a monthly or quarterly basis (or whatever the Board meeting cycle is), report to the Board with an update on the Risk Register and risk treatment plans (particularly for ‘extreme’ and ‘high’ risks).
On a monthly basis (or whatever the management/senior staff meeting cycle is), review risks and risk treatment plans.