BBK3253 | Risk Management
Prepared by Khairul Anuar

Lecture 2 & 3 – Risk Management Process

Definitions

• Risk is defined as 'the chance of something happening that will have an impact on objectives'.

It is, therefore, important to understand what the objectives of the company, subsidiary, work unit or your position are, prior to attempting to analyse the risks.

2

Definitions

• Risk Management is defined as "the systematic application of management policies, procedures and practices to the tasks of establishing the context, identifying, analysing, assessing, treating, monitoring and communicating".

3

What is Risk Management?

• A process to
  1. Identify
  2. Assess
  3. Manage and
  4. Control potential events or situations
  to provide reasonable assurance regarding the achievement of organizational objectives.

4

The Risk Management Process

1. It is an iterative process that, with each cycle, can contribute progressively to organisational improvement by providing management with a greater insight into risks and their impact.

2. Risk management can be applied to all levels of an organisation, in both the strategic and operational contexts, and to specific projects, decisions and recognised risk areas.

5

The 8 Step Risk Management Process

6

1. Identify the Risks
2. Identify the Causes
3. Identify the Controls
4. Establish your Likelihood and Consequence Descriptors
5. Establish your Risk Rating Descriptors
6. Add other Controls
7. Make a Decision
8. Monitor and Review

The 8 Step Risk Management Process

7

1. Identify the Risks:

List the things that might inhibit your ability to meet your objectives. You can even look at the things that would actually enhance your ability to meet those objectives, eg. a fund-raising opportunity.

These are the risks that you face, eg.
• loss of a key team member;
• prolonged IT network outage;
• delayed provision of important information by another work unit/individual;
• failure to seize a commercial opportunity etc.

The 8 Step Risk Management Process

1. Identify the Risks:

This involves deriving events/conditions from:

• External Environment
  Economic: price movements, lower barriers
  Natural environment: floods, fire
  Social: changing demographics, life priorities
  Technological

• Internal Environment
  Infrastructure, personnel, process.

8

The 8 Step Risk Management Process

9

2. Identify the Causes:

Identify what might cause these things to occur. Examples:

• the key team member might be disillusioned with his/her position, or might be head-hunted to go elsewhere;
• the person upon whom you are relying for information might be very busy, going on leave, or notoriously slow in supplying such data;
• the supervisor required to approve the commercial undertaking might be risk averse and need extra convincing before taking the risk etc.

3. Identify the Controls:

• Identify all the things (controls) that you have in place that are aimed at reducing the Likelihood of your risks happening in the first place and, if they do happen, what you have in place to reduce their impact (Consequence).

Example:

• providing a friendly work environment for your team;
• multi-skilling across the team to reduce the reliance on one person;
• stressing the need for the required information to be supplied in a timely manner;
• sending a reminder before the deadline;
• providing additional information to the supervisor before he/she asks for it etc.

10

The 8 Step Risk Management Process

11

4. Establish your Likelihood and Consequence Descriptors

• The organisation will be required to determine the likelihood and consequences of a risk occurring in the given environment.

• These ratings might include the likelihood of a catastrophic outcome, or it could be a very unlikely outcome with limited consequences to the function of the organisation.

The 8 Step Risk Management Process

12

4. Establish your Likelihood and Consequence Descriptors

• Remember that these depend upon the context of your analysis, ie. if your analysis relates to your work unit, any financial loss or loss of a key staff member, for example, will have a greater impact on that work unit than it will have on the organisation as a whole.

• Those descriptors used for the whole-of-organisation (strategic) context will generally not be appropriate for departments, other work units or the individual, eg. a loss of $300,000 might be considered insignificant to the organisation, but it could very well be catastrophic to your work unit (subsidiary).

The 8 Step Risk Management Process

13

5. Establish your Risk Rating Descriptors:

What is meant by a Low, Moderate, High or Extreme Risk needs to be decided upon ahead of time. Because these are more generic in terminology, though, you might find that the organisation's strategic risk rating descriptors are applicable.

The 8 Step Risk Management Process

14

6. Add other Controls:

Generally speaking, any risk that is rated as High or Extreme should have additional controls applied to it in order to reduce it to an acceptable level.

What the appropriate additional controls might be, whether they can be afforded, what priority might be placed on them etc. is something for the group to determine in consultation with senior management and the head of the work unit (subsidiary), who, ideally, should be a member of the group doing the analysis in the first place.

The 8 Step Risk Management Process

15

7. Make a Decision:

Once the above process is complete, if there are still some risks that are rated as High or Extreme, a decision has to be made as to whether the activity will go ahead.

There will be occasions when the risks are higher than preferred but there may be nothing more that can be done to mitigate that risk, ie. they are out of the control of the work unit but the activity must still be carried out. In such situations, monitoring the circumstances and regular review is essential.

The 8 Step Risk Management Process

16

8. Monitor and Review:

The monitoring of all risks and regular review of the unit's risk profile is an essential element for a successful risk management program.

The 8 Step Risk Management Process

Risk Assessment

Risk evaluation involves determining the significance of the level and type of risk and making decisions about future activities.

In determining the significance of the risks, normally a risk assessment matrix is used. The figure below shows an example of a Risk Assessment Matrix (RAM).

                              CONSEQUENCES
LIKELIHOOD              Negligible   Minor   Major   Critical
                            1          2       3        4
Almost Certain    4        M4         S8      S12      H16
Likely            3        M3         S6      S9       S12
Unlikely          2        L2         M4      S6       S8
Rare              1        L1         L2      M3       M4

Each cell shows the risk rating letter (L, M, S or H) followed by the product of the likelihood score and the consequence score.

Risk Assessment

• Using the RAM and the rating of consequences and likelihood established earlier, you can then find the risk rating by multiplying the likelihood score by the consequence score for each risk event.

• After the risk rating has been determined, we need to decide on the future action. In determining the action, we can establish a Risk Action Table, as shown in the next table.

• Using the table, the appropriate action can be decided immediately.

18

Risk Assessment

19

Example of Risk Action Table

Treatment of Risk

• Risk treatment involves identifying the range of options for treating risk, assessing those options, preparing risk treatment plans and implementing them.

• The options available for the treatment of risks include:
  (1) Retain/accept the risk
  (2) Reduce the Likelihood of the risk occurring
  (3) Reduce the Consequences of the risk occurring
  (4) Transfer the risk
  (5) Avoid the risk

20

Treatment of Risk

(1) Retain/accept the risk - if, after controls are put in place, the remaining risk is deemed acceptable to the organisation, the risk can be retained. However, plans should be put in place to manage/fund the consequences of the risk should it occur.

21

Treatment of Risk

(2) Reduce the Likelihood of the risk occurring – examples:

• preventative maintenance,
• audit & compliance programs,
• supervision, contract conditions,
• policies & procedures,
• testing,
• investment & portfolio management,
• training of staff,
• technical controls and quality assurance programs etc.

22

Treatment of Risk

(3) Reduce the Consequences of the risk occurring – examples:

• contingency planning,
• contract conditions,
• disaster recovery & business continuity plans,
• off-site back-up,
• public relations,
• emergency procedures and
• staff training etc.

23

Treatment of Risk

(4) Transfer the risk - this involves another party bearing or sharing some part of the risk by the use of
• contracts,
• insurance,
• outsourcing,
• joint ventures or
• partnerships etc.

(5) Avoid the risk - decide not to proceed with the activity likely to generate the risk, where this is practicable.

24
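The following is an added worked example, not part of the lecture material, that ties the Risk Assessment slides (the RAM and the likelihood × consequence rating) to the Treatment of Risk slides. It encodes the 4x4 RAM exactly as the slide shows it, rates a small risk register under the two analysis contexts from slide 12 (work unit versus whole organisation), and then applies treatment options to a risk until its residual rating is acceptable. The register entries, their ratings, the ACCEPTABLE set and the assumed effect of each treatment option (one descriptor level per control) are illustrative assumptions; the slide gives none of them. Note also that the RAM has four likelihood rows while the later descriptor slides list five levels (including "Possible"), so an organisation adopting the five-level scale would need to extend the matrix.

```python
"""Risk Assessment Matrix (RAM) scoring and risk treatment as a small tool.

Scales and cell values follow the 4x4 RAM on the slide. The risk register, the
two analysis contexts and the effect of each treatment option are constructed.
"""
from dataclasses import dataclass, replace

# Scales as in the 4x4 RAM, lowest to highest (scores 1..4). The descriptor
# slides list five likelihood levels ("Possible" included); that scale would
# need a five-row matrix, so it is not used here.
LIKELIHOOD = ["Rare", "Unlikely", "Likely", "Almost Certain"]
CONSEQUENCE = ["Negligible", "Minor", "Major", "Critical"]

def score(likelihood: str, consequence: str) -> int:
    """Risk score = likelihood score x consequence score, as the RAM does."""
    return (LIKELIHOOD.index(likelihood) + 1) * (CONSEQUENCE.index(consequence) + 1)

def rating_letter(s: int) -> str:
    """Letter read off the RAM cells: products 1-2 are L, 3-4 M, 6-12 S, 16 H."""
    return "L" if s <= 2 else "M" if s <= 4 else "S" if s <= 12 else "H"

def rate(likelihood: str, consequence: str) -> str:
    """The RAM cell exactly as written on the slide, e.g. 'S12'."""
    s = score(likelihood, consequence)
    return f"{rating_letter(s)}{s}"

@dataclass(frozen=True)
class Risk:
    event: str
    likelihood: str
    consequence: str  # rated in the context analysed (work unit vs organisation)

def _one_level_down(scale, value):
    """Step one level down a scale; the lowest level stays where it is."""
    return scale[max(scale.index(value) - 1, 0)]

def treat(risk, option):
    """Apply one 'Treatment of Risk' option and return the residual risk.
    Assumed effects: reducing likelihood/consequence lowers that descriptor one
    level; transfer shares the consequence (also one level down); retain changes
    nothing; avoid removes the risk (returns None)."""
    if option == "retain":
        return risk
    if option == "reduce likelihood":
        return replace(risk, likelihood=_one_level_down(LIKELIHOOD, risk.likelihood))
    if option in ("reduce consequence", "transfer"):
        return replace(risk, consequence=_one_level_down(CONSEQUENCE, risk.consequence))
    if option == "avoid":
        return None
    raise ValueError(f"unknown treatment option: {option}")

# Assumption: S and H cells need further controls before the go/no-go decision
# (slide 14 says High/Extreme; the RAM itself uses the letters L/M/S/H).
ACCEPTABLE = {"L", "M"}

def plan(risk, options):
    """Steps 6-7: apply options in order until the residual rating is acceptable;
    returns (option, residual cell) for each step actually taken."""
    steps, current = [], risk
    for option in options:
        current = treat(current, option)
        if current is None:
            steps.append((option, "avoided"))
            break
        cell = rate(current.likelihood, current.consequence)
        steps.append((option, cell))
        if cell[0] in ACCEPTABLE:
            break
    return steps

# Constructed register from the lecture's example risks; the same event carries
# a higher consequence for the work unit than for the organisation (slide 12).
REGISTER = {
    "work unit": [
        Risk("loss of a key team member", "Likely", "Major"),
        Risk("prolonged IT network outage", "Unlikely", "Critical"),
        Risk("delayed provision of important information", "Almost Certain", "Minor"),
    ],
    "organisation": [
        Risk("loss of a key team member", "Likely", "Minor"),
        Risk("prolonged IT network outage", "Unlikely", "Major"),
        Risk("delayed provision of important information", "Almost Certain", "Negligible"),
    ],
}

def assess(context):
    """Rate every register entry for a context, highest score first."""
    rows = [(r.event, rate(r.likelihood, r.consequence)) for r in REGISTER[context]]
    return sorted(rows, key=lambda row: int(row[1][1:]), reverse=True)

if __name__ == "__main__":
    for context in REGISTER:
        print(context, assess(context))
    print(plan(REGISTER["work unit"][1], ["reduce likelihood", "reduce consequence"]))
```

Running the script shows the context effect from slide 12 directly: the same three events rate S9/S8/S8 for the work unit but S6/S6/M4 for the organisation, so the "delayed information" risk needs further controls in one context and is acceptable in the other. The `plan` call shows step 6 in action: one likelihood-reducing control takes the outage from S8 to M4, at which point no further option is applied. Because `rating_letter` is a pure function of the product, changing the banding thresholds in one place is all that is needed if the organisation adopts different rating descriptors (step 5).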

Risk Likelihood Descriptors

• Rating – Description – Likelihood of Occurrence

1. Rare – Highly unlikely, but it may occur in exceptional circumstances. It could happen, but probably never will.

2. Unlikely – Not expected, but there's a slight possibility it may occur at some time.

25

Risk Likelihood Descriptors

3. Possible – The event might occur at some time as there is a history of casual occurrence at the organization and/or similar organizations.

4. Likely – There is a strong possibility the event will occur as there is a history of frequent occurrence at the institution and/or similar institutions.

26

Risk Likelihood Descriptors

5. Almost Certain – Very likely. The event is expected to occur in most circumstances as there is a history of regular occurrence at the company/organisation.

27

Question

What mode do you go into if Risk Management fails?

28