BBK3253 | Risk Management
Definitions
• Risk is defined as 'the chance of something happening that will have an impact on objectives'. It is, therefore, important to understand what the objectives of the company, subsidiary, work unit or your position are before attempting to analyse the risks.
• Risk Management is defined as "the systematic application of management policies, procedures and practices to the tasks of establishing the context, identifying, analysing, assessing, treating, monitoring and communicating".
What is Risk Management?
• A process to
1. Identify
2. Assess
3. Manage and
4. Control potential events or situations
to provide reasonable assurance regarding the achievement of organizational objectives.
The Risk Management Process
1. It is an iterative process that, with each cycle, can contribute progressively to organisational improvement by providing management with greater insight into risks and their impact.
2. Risk management can be applied to all levels of an organisation, in both the strategic and operational contexts, and to specific projects, decisions and recognised risk areas.
The 8 Step Risk Management Process
1. Identify the Risks
2. Identify the Causes
3. Identify the Controls
4. Establish your Likelihood and Consequence Descriptors
5. Establish your Risk Rating Descriptors
6. Add other Controls
7. Make a Decision
8. Monitor and Review
1. Identify the Risks:
List the things that might inhibit your ability to meet your objectives. You can even look at the things that would actually enhance your ability to meet those objectives, e.g. a fund-raising opportunity.
These are the risks that you face, e.g.
loss of a key team member;
prolonged IT network outage;
delayed provision of important information by another work unit/individual;
failure to seize a commercial opportunity etc.
1. Identify the Risks (continued):
This involves identifying events/conditions arising from the:
• External Environment
Economic - price movements, lower barriers
Natural environment - floods, fire
Social - changing demographics, life priorities
Technological
• Internal Environment
Infrastructure, personnel, process.
2. Identify the Causes:
Identify what might cause these things to occur.
Examples:
• the key team member might be disillusioned with his/her position, or might be head-hunted to go elsewhere;
• the person upon whom you are relying for information might be very busy, going on leave, or notoriously slow in supplying such data;
• the supervisor required to approve the commercial undertaking might be risk averse and need extra convincing before taking the risk etc.
3. Identify the Controls:
• Identify all the things (controls) that you have in place that are aimed at reducing the Likelihood of your risks happening in the first place and, if they do happen, what you have in place to reduce their impact (Consequence).
Examples:
• providing a friendly work environment for your team;
• multi-skilling across the team to reduce the reliance on one person;
• stressing the need for the required information to be supplied in a timely manner;
• sending a reminder before the deadline;
• providing additional information to the supervisor before he/she asks for it etc.
4. Establish your Likelihood and Consequence Descriptors:
• The organisation will be required to determine the likelihood and consequences of a risk occurring in the given environment.
• These ratings might range from the likelihood of a catastrophic outcome to a very unlikely outcome with limited consequences for the function of the organisation.
4. Establish your Likelihood and Consequence Descriptors (continued):
• Remember that these depend upon the context of your analysis, i.e. if your analysis relates to your work unit, any financial loss or loss of a key staff member, for example, will have a greater impact on that work unit than it will have on the organisation as a whole.
• The descriptors used for the whole-of-organisation (strategic) context will generally not be appropriate for departments, other work units or individuals, e.g. a loss of $300,000 might be considered insignificant to the organisation, but it could very well be catastrophic to your work unit (subsidiary).
5. Establish your Risk Rating Descriptors:
What is meant by a Low, Moderate, High or Extreme Risk needs to be decided upon ahead of time. Because these are more generic in terminology, though, you might find that the organisation's strategic risk rating descriptors are applicable.
6. Add other Controls:
Generally speaking, any risk that is rated as High or Extreme should have additional controls applied to it in order to reduce it to an acceptable level.
What the appropriate additional controls might be, whether they can be afforded, what priority might be placed on them etc. is something for the group to determine in consultation with senior management and the head of the work unit (subsidiary), who, ideally, should be a member of the group doing the analysis in the first place.
7. Make a Decision:
Once the above process is complete, if there are still some risks that are rated as High or Extreme, a decision has to be made as to whether the activity will go ahead.
There will be occasions when the risks are higher than preferred but there may be nothing more that can be done to mitigate that risk, i.e. they are out of the control of the work unit but the activity must still be carried out. In such situations, monitoring the circumstances and regular review is essential.
8. Monitor and Review:
The monitoring of all risks and regular review of the unit's risk profile is an essential element of a successful risk management program.
Risk Assessment
Risk evaluation involves determining the significance of the level and type of risk and making decisions about future activities. In determining the significance of the risks, normally a risk assessment matrix is used. The table below shows an example of a Risk Assessment Matrix (RAM); each cell gives the rating letter and the score (likelihood scale x consequence scale).

                        CONSEQUENCES
LIKELIHOOD              Negligible (1)   Minor (2)   Major (3)   Critical (4)
Almost Certain (4)      M 4              S 8         S 12        H 16
Likely (3)              M 3              S 6         S 9         S 12
Unlikely (2)            L 2              M 4         S 6         S 8
Rare (1)                L 1              L 2         M 3         M 4
• Using the RAM and the ratings of consequences and likelihood assigned earlier, you can find the risk rating by multiplying the likelihood scale by the consequence scale for each risk event.
• After the risk rating has been determined, we need to decide on the future action. In determining the action, we can establish a Risk Action Table as shown in the next table.
• Using the table, the appropriate action can be decided immediately.
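The multiply-then-band rule of the RAM above, implemented as an added Python example (not part of the slide deck): the scales and cell letters are copied from the printed matrix, the band thresholds are inferred from those cells (an assumption, so a self-check confirms they reproduce every cell), and the sample risk register with its likelihood/consequence ratings is constructed for illustration.

```python
# Scales exactly as printed in the deck's Risk Assessment Matrix (RAM).
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Likely": 3, "Almost Certain": 4}
CONSEQUENCE = {"Negligible": 1, "Minor": 2, "Major": 3, "Critical": 4}

# The matrix as printed: rows = likelihood (high to low), columns = consequence
# (low to high). The letters L, M, S, H are the deck's own; it does not expand them.
RAM = {
    "Almost Certain": ["M", "S", "S", "H"],
    "Likely":         ["M", "S", "S", "S"],
    "Unlikely":       ["L", "M", "S", "S"],
    "Rare":           ["L", "L", "M", "M"],
}

def risk_score(likelihood, consequence):
    """Risk rating = likelihood scale x consequence scale (the deck's rule)."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]

def risk_band(score):
    """Band thresholds inferred (an assumption) from the printed cells:
    products 1-2 -> L, 3-4 -> M, 6-12 -> S, 16 -> H."""
    if score >= 16:
        return "H"
    if score >= 6:
        return "S"
    if score >= 3:
        return "M"
    return "L"

def matrix_is_consistent():
    """True if multiply-then-band reproduces every printed RAM cell; a
    mistyped threshold or scale value shows up here as False."""
    cols = list(CONSEQUENCE)
    return all(risk_band(risk_score(lik, cons)) == cell
               for lik, row in RAM.items() for cons, cell in zip(cols, row))

def assess(register):
    """Rate (risk, likelihood, consequence) entries and sort highest score
    first, so candidates for step 6 ('Add other Controls') lead the list."""
    rated = [(name, risk_score(lik, con), risk_band(risk_score(lik, con)))
             for name, lik, con in register]
    return sorted(rated, key=lambda r: r[1], reverse=True)

# Constructed sample register: the deck's step 1 example risks with assumed ratings.
SAMPLE_REGISTER = [
    ("loss of a key team member", "Likely", "Major"),
    ("prolonged IT network outage", "Unlikely", "Critical"),
    ("delayed information from another work unit", "Almost Certain", "Minor"),
    ("failure to seize a commercial opportunity", "Rare", "Major"),
]
```

Running `assess(SAMPLE_REGISTER)` returns the register ordered 9, 8, 8, 3, with the three S-rated entries first; the four-level scales here follow the matrix, not the five-level likelihood descriptors listed later in the deck.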
Treatment of Risk
• Risk treatment involves identifying the range of options for treating risk, assessing those options, preparing risk treatment plans and implementing them.
• The options available for the treatment of risks include:
(1) Retain/accept the risk
(2) Reduce the Likelihood of the risk occurring
(3) Reduce the Consequences of the risk occurring
(4) Transfer the risk
(5) Avoid the risk
(1) Retain/accept the risk - if, after controls are put in place, the remaining risk is deemed acceptable to the organisation, the risk can be retained. However, plans should be put in place to manage/fund the consequences of the risk should it occur.
(2) Reduce the Likelihood of the risk occurring - for example by
• preventative maintenance,
• audit & compliance programs,
• supervision, contract conditions,
• policies & procedures,
• testing,
• investment & portfolio management,
• training of staff,
• technical controls and quality assurance programs etc.
(3) Reduce the Consequences of the risk occurring - for example through
• contingency planning,
• contract conditions,
• disaster recovery & business continuity plans,
• off-site back-up,
• public relations,
• emergency procedures and
• staff training etc.
(4) Transfer the risk - this involves another party bearing or sharing some part of the risk by the use of
• contracts,
• insurance,
• outsourcing,
• joint ventures or
• partnerships etc.
(5) Avoid the risk - decide not to proceed with the activity likely to generate the risk, where this is practicable.
Risk Likelihood Descriptors
Rating / Description / Likelihood of Occurrence:
1. Rare / Highly unlikely - may occur only in exceptional circumstances. It could happen, but probably never will.
2. Unlikely / Not expected - there is a slight possibility it may occur at some time.
3. Possible - the event might occur at some time as there is a history of casual occurrence at the organization and/or similar organizations.
4. Likely / There is a strong possibility - the event will occur as there is a history of frequent occurrence at the institution and/or similar institutions.
5. Almost Certain / Very likely - the event is expected to occur in most circumstances as there is a history of regular occurrence at the company/organisation.