8/14/2019 Risk Management Processes_The Case of Greek Companies
Risk management processes. The case of Greek companies.
Iordanis Eleftheriadis
University of Macedonia
Department of Business Administration
156 N. Egnatia Str.
54006 Thessaloniki
Greece
Tel. 00302310-891-591
fax. 00302310-891519
Email:[email protected]
Abstract: Whatever business you are in, there will be an almost limitless number of risks that
you must face. To be able to manage these risks you must first identify them. The use of risk
categories helps to provide a framework within which to look for, and latterly, to manage risks.
Thus, in their day-to-day business and in the strategic management of their balance sheet and
capital, companies seek to limit the scope for adverse variations in their earnings and control
exposure to stress events. Excellence in risk management is fundamentally based upon a
management team that makes risk identification and control critical components of its processes
and plans. Failure to identify, manage or control risks, including business risks, may result not
only in financial loss but also in loss of reputation. Although measurement of risk is clearly
important, quantification does not always tell the whole story, because not all risks are
quantifiable. The purpose of this paper is to collect and study observations and experiences from
risk management activities in Greek companies. We use the answers given to a structured questionnaire in order to present some conclusions.
1. Introduction
Risk Management has been described as 'all the things you need to do to manage an uncertain future'.
In most cases risks are taken so as to achieve some advantage, and managing risks is associated with
making decisions. It is used in a wide range of areas including: engineering, business and finance,
health and safety, environmental management, healthcare, emergency management, business
continuity management, sport and recreation etc. In developing a risk management infrastructure, it is
important that companies follow a methodical process to determine the appropriate types of risk measures, processes, policies and controls for their particular company. The purpose of this paper is to
investigate the risk management activities in Greek companies.
2. The Risk Management Process
The risk management process is defined as "the systematic application of management policies,
procedures and practices to the tasks of establishing the context, identifying, analyzing, evaluating,
treating, monitoring and communicating risk". Risk management is also defined as "the culture,
processes and structures, which are directed towards the effective management of potential
opportunities and adverse effects."1
The risk management process is outlined in the diagram below:
Figure 1: The risk management process
The approach to risk management adopted in this paper is consistent with the Australian and New
Zealand Standard on risk management, AS/NZS 4360 (Figure 1). This approach is consistent with
similar approaches adopted by the major risk management professional bodies and government
agencies that have issued risk guidelines. The steps in the process address important questions for the
risk manager (Table 1).
Risk management process step | Management question
Establish the context | What are we trying to achieve?
Identify the risks | What might happen?
Analyze the risks | What might that mean for the project's key criteria?
Evaluate the risks | What are the most important things?
Treat the risks | What are we going to do about them?
Monitor and review | How do we keep them under control?
Communicate and consult | Who should be involved in the process?
Table 1: Questions for the risk manager
1 Standards New Zealand and Standards Australia risk management standard (AS/NZS 4360: 1999 Risk Management).
Establish context: Establishing the context is concerned with developing a structure for the risk
identification and assessment tasks to follow. This step:
- establishes the company and project environment in which the risk assessment is taking place;
- specifies the main objectives and outcomes required;
- identifies a set of success criteria against which the consequences of identified risks can be measured; and
- defines a set of key elements for structuring the risk identification and assessment process.
Context inputs include the execution strategy, the cost and schedule assumptions, scope definitions,
engineering designs and studies, economic analyses, and any other relevant documentation.
The output from this stage is a concise statement of the company objectives and specific criteria for
success, the objectives and scope for the risk assessment itself, and a set of key elements for
structuring the risk identification process in the next stage.
Identify Risks: Risk identification sets out to identify a company's exposure to uncertainty. Every
company faces different risks, based on its business; the economic, social and political factors; the
features of the industry it operates in, like the degree of competition, the strengths and weaknesses of
its competitors and the availability of raw material; factors internal to the company, like the competence and
outlook of the management, the state of industry relations, dependence on foreign markets for inputs,
sales or finances, and the capabilities of its staff; and innumerable other factors. Each company needs to
identify the possible sources of risks and the kinds of risks it faces. This requires an intimate knowledge of the company, the market in which it operates, the legal, social, political and cultural
environment in which it exists, as well as the development of a sound understanding of its strategic
and operational objectives, including factors critical to its success and the threats and opportunities
related to the achievement of these objectives.
The risk identification process must be comprehensive, as risks that have not been identified cannot be
assessed, and their emergence at a later time may threaten the success of the company and cause
unpleasant surprises. Risk identification should be approached in a methodical way to ensure that all
significant activities within the company have been identified and all the risks flowing from these
activities defined. A number of techniques can be used for risk identification, but brainstorming is a
preferred method because of its flexibility and capability, when appropriately structured, of generating a wide and diverse range of risks.
Information used in the risk identification process may include historical data, theoretical analysis,
empirical data and analysis, informed opinions, and the concerns of stakeholders.
The output is a comprehensive list of possible risks, usually in the form of a risk register, with
management responsibilities allocated to them. A list of the most important categories of risks is the
following2:
- Business risk is the risk of failing to achieve business targets due to inappropriate strategies, inadequate resources or changes in the economic or competitive environment.
- Credit risk is the risk that a counterparty may not pay amounts owed when they fall due.
- Sovereign risk is the credit risk associated with lending to the government itself or a party guaranteed by the government.
- Market risk is the risk of loss due to changes in market prices. This includes:
  - interest rate risk
  - foreign exchange risk
  - commodity price risk
  - share price risk
- Liquidity risk is the risk that amounts due for payment cannot be paid due to a lack of available funds.
- Operational risk is the risk of loss due to actions on or by people, processes, infrastructure or technology or similar, which have an operational impact, including fraudulent activities.
- Accounting risk is the risk that financial records do not accurately reflect the financial position of a company.
- Country risk is the risk that a foreign currency will not be available to allow payments due to be paid, because of a lack of foreign currency or the government rationing what is available.
- Political risk is the risk that there will be a change in the political framework of the country.
- Industry risk is the risk associated with operating in a particular industry.
- Environmental risk is the risk that a company may suffer loss as a result of environmental damage caused by itself or others which impacts on its business.
- Legal/regulatory risk is the risk of non-compliance with legal or regulatory requirements.
- Systemic risk is the risk that a small event will produce unexpected consequences in local, regional or global systems not obviously connected with the source of the disturbance.
- Reputational risk is the risk that the reputation of a company will be adversely affected.
2 Carl Olsson, Risk Management in Emerging Markets. How to survive and prosper.
Analyze Risks: During the Risk Analysis step the company transforms risk data into decision making
information. The company has to evaluate impact, probability and timeframe. This means that they
have to classify and prioritize risks. Risk analysis is the systematic use of available information to
determine how often specified events may occur and the magnitude of their consequences. The
analysis stage assigns each risk a priority rating, taking into account existing activities, processes or
plans that operate to reduce or control the risk.
The significance of a risk can be expressed as a combination of its consequences or impacts on the
company's objectives, and the likelihood of those consequences arising. This can be accomplished
with qualitative consequence and likelihood scales and a matrix defining the significance of various
combinations of these. Table 2 shows the structure of a five-by-five matrix.
A matrix like Table 2 can be structured according to the kinds of risks involved in the company's
objectives, criteria and attitudes to risk. For example, Table 2 is not symmetric, indicating
that the company is concerned about most catastrophic events, even if they are rare. This might be
appropriate where human safety is threatened and the company needs to ensure the associated risks are
being managed whatever the likelihood of their occurrence. Where the impacts of potential risks are
purely economic, and particularly where there may be a limit to the potential exposure, catastrophic but
rare events may be viewed as moderate risks and not treated in such detail.
To implement a structure like this, it is important that clear and consistent definitions of the
consequence and likelihood scales are used.3
Likelihood \ Consequences | Insignificant | Minor | Moderate | Major | Catastrophic
Almost certain | Medium | Medium | High | High | High
Likely | Low | Medium | Medium | High | High
Possible | Low | Medium | Medium | Medium | High
Unlikely | Low | Low | Medium | Medium | High
Rare | Low | Low | Low | Medium | Medium
Table 2: Priority setting matrix
3 Steinberg M. Richard, Everson E.A. Miles, Martens J. Frank, Nottingham E. Lucy, Enterprise Risk Management - Integrated Framework. Executive Summary, Committee of Sponsoring Organizations of the Treadway Commission (COSO), September 2004.
Scales like these often generate considerable discussion amongst senior managers and risk managers.
The numerical limits in a financial impacts scale are often linked to the size of the company
undertaking it, or the amount it can afford to lose. There is often a trade-off between risk and
opportunity, the resolution to which must usually take place at managerial levels. Generally, we
should review carefully the consequence scales we intend to use, to ensure they reflect the company's
objectives and criteria for success. If they are not agreed and accepted by senior management the
outcomes from the risk assessment may not be accepted readily.
A consequence scale like Table 3 might be appropriate. It is important to remember that scales are to
be used for assessing priorities, so comparability and consistency are often more important than
absolute numbers.
Rating | Consequence | Description
A | Catastrophic | Extreme event, potential for large financial costs or delays, or damage to the company's reputation
B | Major | Critical event, potential for major costs or delays, or inappropriate products
C | Moderate | Large impact, but can be managed with effort using standard procedures
D | Minor | Impact minor with routine management procedures
E | Insignificant | Impact may be safely ignored
Table 3: Consequence scale for a repetitive procurement
Likelihoods are rated in terms of annual occurrence on a five-point descriptive scale, showing the
likelihoods of specific risks arising and leading to the assessed levels of consequences. Table 4 shows
an example of a scale suitable for a major asset procurement, where the time span of the scale is linked
loosely to the 40-year nominal life of the asset.4
Rating | Likelihood description: the potential for problems to occur and lead to the assessed consequences
A | Almost certain | Very high, may occur at least several times per year | Probability over 0.8 | A similar outcome has arisen several times per year in the same location, operation or activity
B | Likely | High, may arise about once per year | Probability 0.5-0.8 | A similar outcome has arisen several times per year in this company
C | Possible | Possible, may arise at least once in a 1-10-year period | Probability 0.1-0.5 | A similar outcome has arisen at some time previously in this company
D | Unlikely | Not impossible, likely to occur during the next 10 to 40 years | Probability 0.02-0.1 | A similar outcome has arisen at some time previously in a similar company
E | Rare | Very low, very unlikely during the next 40 years | Probability less than 0.02 | A similar outcome has arisen in the world-wide industry, but not in this company
Table 4: Likelihood ratings
4 Dale F. Cooper, Stephen Grey, Geoffrey Raymond and Phil Walker, Project Risk Management Guidelines: Managing Risk in Large Projects and Complex Procurements, John Wiley & Sons Ltd, 2005.
Evaluate Risk Priorities: Risk evaluation is the process of comparing the estimated risk against given
risk criteria to determine the significance of the risk. When the risk analysis process has been
completed, it is necessary to compare the estimated risks against risk criteria which the company has
established. The risk criteria may include associated costs and benefits, legal requirements, socio-economic
and environmental factors, concerns of stakeholders, etc. Any risks that have been accorded
too high or too low a rating are adjusted, with a record of the adjustment being retained for tracking
purposes. The outcome is a list of risks with agreed priority ratings. Adjustments to the initial priorities may be made for several reasons.
- Risks may be moved down. Typically these will be routine, well-anticipated risks that are highly likely to occur, but with few adverse consequences, and for which standard responses exist.
- Risks may be moved up. Typically there will be two categories of risks like this: those risks that are more important than the initial classification indicates; and those risks that are similar to other high-priority risks and hence should be considered jointly with them.
- Some risks may be moved up to provide additional visibility if the project team feels they should be dealt with explicitly.
Risk evaluation, therefore, is used to make decisions about the significance of risks to the company and whether each specific risk should be accepted or treated. For the purpose of risk management, risks
need to be classified as primary risks and secondary risks. Primary risks are those that are an essential
part of the business undertaken. Secondary risks are those that arise out of the business activities, but
are not integrally related to them. For example, the risks arising out of the industry structure are
primary in nature, while foreign currency exposure arising from exports is secondary in nature. To a large
extent, primary risks have to be borne in order to generate cash flows. They can be covered only
partly. Unlike primary risks, secondary risks can be covered to a large extent, and only a part of them
is unavoidable. This distinction becomes very important when deciding on the risks to be covered.
Further, it is generally observed that when a firm faces a high degree of primary risk, it can bear less
secondary risk. A firm having a low degree of primary risk may be able to bear higher secondary risk, depending on the management's risk-bearing capacity.
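The analysis and evaluation steps above, as an added example that is not part of the original paper: it rates a small risk register with the Table 2 matrix and the Table 4 probability bands, records a priority adjustment with its reason, and lists the cells where Table 2 is not symmetric. The register entries, the function names and the treatment of values that fall exactly on a band edge are assumptions made for the example.

```python
from dataclasses import dataclass, field

CONSEQUENCES = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]
LIKELIHOODS = ["Rare", "Unlikely", "Possible", "Likely", "Almost certain"]
PRIORITIES = ["Low", "Medium", "High"]

# Table 2, one row per likelihood; columns follow CONSEQUENCES.
MATRIX = {
    "Almost certain": ["Medium", "Medium", "High", "High", "High"],
    "Likely":         ["Low", "Medium", "Medium", "High", "High"],
    "Possible":       ["Low", "Medium", "Medium", "Medium", "High"],
    "Unlikely":       ["Low", "Low", "Medium", "Medium", "High"],
    "Rare":           ["Low", "Low", "Low", "Medium", "Medium"],
}


def likelihood_from_probability(p):
    """Map an annual probability to a Table 4 likelihood rating.

    Assumption: a value exactly on a band edge goes to the higher band,
    except 0.8, because Table 4 says "over 0.8" for Almost certain.
    """
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"probability out of range: {p}")
    if p > 0.8:
        return "Almost certain"
    if p >= 0.5:
        return "Likely"
    if p >= 0.1:
        return "Possible"
    if p >= 0.02:
        return "Unlikely"
    return "Rare"


def matrix_priority(likelihood, consequence):
    """Look up the Table 2 priority for one likelihood/consequence pair."""
    return MATRIX[likelihood][CONSEQUENCES.index(consequence)]


@dataclass
class Risk:
    name: str
    category: str
    probability: float          # estimated annual probability
    consequence: str            # one of CONSEQUENCES
    likelihood: str = ""
    priority: str = ""
    adjustments: list = field(default_factory=list)  # (old, new, reason)


def analyse(risk):
    """Analysis step: derive the likelihood rating and the initial priority."""
    if risk.consequence not in CONSEQUENCES:
        raise ValueError(f"unknown consequence: {risk.consequence}")
    risk.likelihood = likelihood_from_probability(risk.probability)
    risk.priority = matrix_priority(risk.likelihood, risk.consequence)
    return risk


def adjust(risk, new_priority, reason):
    """Evaluation step: move a risk up or down and keep a record of why."""
    if new_priority not in PRIORITIES:
        raise ValueError(f"unknown priority: {new_priority}")
    if not reason.strip():
        raise ValueError("an adjustment needs a recorded reason")
    risk.adjustments.append((risk.priority, new_priority, reason))
    risk.priority = new_priority
    return risk


def prioritise(register):
    """Order by agreed priority, then consequence, then probability."""
    return sorted(register, key=lambda r: (-PRIORITIES.index(r.priority),
                                           -CONSEQUENCES.index(r.consequence),
                                           -r.probability))


def consequence_weighted_cells():
    """Cells rated higher than their mirror cell (ranks swapped between axes)."""
    found = []
    for l, lik in enumerate(LIKELIHOODS):
        for c in range(l + 1, len(CONSEQUENCES)):
            here = matrix_priority(lik, CONSEQUENCES[c])
            mirror = matrix_priority(LIKELIHOODS[c], CONSEQUENCES[l])
            if PRIORITIES.index(here) > PRIORITIES.index(mirror):
                found.append((lik, CONSEQUENCES[c], here, mirror))
    return found


def sample_register():
    """Constructed sample entries; categories come from the paper's list."""
    rows = [
        ("Key supplier insolvency", "Credit risk", 0.30, "Major"),
        ("Fire at main plant", "Operational risk", 0.05, "Catastrophic"),
        ("Late customer payments", "Liquidity risk", 0.90, "Minor"),
        ("Exchange-rate swing on exports", "Market risk", 0.60, "Moderate"),
        ("Regulatory fine", "Legal/regulatory risk", 0.01, "Major"),
    ]
    register = [analyse(Risk(*row)) for row in rows]
    # Moved down: routine, highly likely, few adverse consequences.
    adjust(register[2], "Low", "routine, well anticipated, standard response exists")
    return register


if __name__ == "__main__":
    for r in prioritise(sample_register()):
        print(f"{r.priority:6} {r.likelihood:14} {r.consequence:13} {r.name} {r.adjustments}")
    print(consequence_weighted_cells())
```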
Treat Risks: The purpose of risk treatment is to determine what will be done in response to the risks
that have been identified, in order to reduce the overall risk exposure. Unless action is taken, the risk
identification and assessment process has been wasted. Risk treatment converts the earlier analyses
into substantive actions to reduce risks. Any controls and plans in place before the risk management
process began are augmented with risk action plans to deal with risks before they arise and
contingency plans with which to recover if a risk comes to pass. At the end of successful risk
treatment planning, detailed ideas will have been developed and documented about the best ways of
dealing with each major risk, and risk action plans will have been formulated for putting the responses
into effect.
Risk treatment might also include alteration of the base plans of the business. Occasionally the best
way to treat a risk might be to adopt an alternative strategy, to avoid a risk or make the company less
vulnerable to its consequences.
During the response identification and assessment process, it is often helpful to think about responses
in terms of broad risk management strategies. The following are the different approaches5:
- Risk Avoidance: An extreme way of managing risk is to avoid it altogether. This can be done by not undertaking the activity that entails risk. Though this approach is relevant under certain circumstances, it is more of an exception than a rule. It is neither prudent nor possible to use it for managing all kinds of risks. The use of risk avoidance for managing all risks would result in no activity taking place, as all activities involve risk, while the level may vary.
- Loss Control: Loss control refers to the attempt to reduce either the possibility of a loss or the quantum of loss. This is done by making adjustments in the day-to-day business activities.
- Combination: Combination refers to the technique of combining more than one business activity in order to reduce the overall risk of the firm. It is also referred to as aggregation or diversification. It entails entering into more than one business, with the different businesses having the least possible correlation with each other.
- Separation: Separation is the technique of reducing risk through separating parts of businesses or assets or liabilities. A firm having two highly risky businesses with a positive correlation may spin off one of them as a separate entity in order to reduce its exposure to risk.
- Risk Transfer: Risk is transferred when the firm originally exposed to a risk transfers it to another party which is willing to bear the risk. This may be done in three ways. The first is to transfer the asset itself. There is a subtle difference between risk avoidance and risk transfer through transfer of the title of the asset. The former is about not making the investment in the first place, while the latter is about disinvesting an existing investment. The second way is to transfer the risk without transferring the title of the asset or liability. This may be done by hedging through various derivative instruments like forwards, futures, swaps and options. The third way is through arranging for a third party to pay for losses if they occur, without transferring the risk itself. This is referred to as risk financing. This may be achieved by buying insurance. A firm may insure itself against certain risks like risk of loss due to fire or earthquake, risk of loss due to theft, etc.
- Risk Retention: Risk is retained when nothing is done to avoid, reduce, or transfer it. Risk may be retained consciously because the other techniques of managing risk are too costly or because it is not possible to employ other techniques. Risk may even be retained unconsciously when the presence of risk is not recognized. It is very important to distinguish between the risks that a firm is ready to retain and the ones it wants to offload using risk management techniques. This decision is essentially dependent upon the firm's capacity to bear the loss.
- Risk Sharing: This technique is a combination of risk retention and risk transfer. Under this technique, a particular risk is managed by retaining a part of it and transferring the rest to a party willing to bear it.
5 Project Management Institute; A Guide to the Project Management Body of Knowledge (PMBoK Guide); 2000 Edition; Algonquin College Bookstore; (Approved by ANSI as American National Standard ANSI-PMI 99-001-2000), 2000
Risk Monitor and Review: Effective risk management requires a reporting and review structure to
ensure that risks are effectively identified and assessed and that appropriate controls and responses are
in place. Regular audits of policy and standards compliance should be carried out and standards
performance reviewed to identify opportunities for improvement. It should be remembered that
companies are dynamic and operate in dynamic environments. Changes in the company and the
environment in which it operates must be identified and appropriate modifications made to systems.
Continuous monitoring and review of risks ensures new risks are detected and managed, and that
action plans are implemented and progressed effectively. The monitoring process should provide
assurance that there are appropriate controls in place for the company's activities and that the
procedures are understood and followed. Any monitoring and review process should also determine
whether:
- the measures adopted resulted in what was intended
- the procedures adopted and information gathered for undertaking the assessment were appropriate
- improved knowledge would have helped to reach better decisions and identify what lessons could be learned for future assessments and management of risks
Review processes are often implemented as part of the regular management meeting cycle,
supplemented by major reviews at significant project phases and milestones. Monitoring and review activities link risk management to other management processes. They also facilitate better risk
management and continuous improvement.
The main input to this step is the risk watch list of the major risks that have been identified for risk
treatment action. The outcomes are in the form of revisions to the risk register, and a list of new action
items for risk treatment. Risk monitor and review involves:
- Choosing alternative response strategies
- Implementing a contingency plan
- Taking corrective actions
- Re-planning
The risk manager reports periodically to the senior managers on the effectiveness of the plan, any unanticipated effects, and any correction that the company must take to mitigate the risk.
Communication and consultation: Communication and consultation may be a critical factor in
undertaking good risk management and achieving outcomes that are broadly accepted. They help
owners, clients and end users understand the risks and trade-offs that must be made. This ensures all
parties are fully informed, and thus avoids unpleasant surprises. Within the risk management team,
they help maintain the consistency and reasonableness of risk assessments and their underlying
assumptions.
In practice, regular reporting is an important component of communication. Managers report on the
current status of risks and risk management as required by sponsors and company policy. Senior
managers need to understand the risks they face, and risk reports provide a complement to other
management reports in developing this understanding.
The risk register and the supporting action plans provide the basis for most risk reporting. Reports
provide a summary of risks, the status of treatment actions and an indication of trends in the incidence
of risks. They are usually submitted on a regular basis or as required, as part of standard management
reporting.
3. Methodology
We carried out the survey between October and December 2005. The purpose of the survey was to
provide an overview of the extent and practice of risk management across Greek companies. The
survey asked them about their understanding of risk management and its importance to their
performance, how they identify and assess risks, and the action they take to deal with them. The
survey used a written questionnaire and was directed to the appropriate manager in each company. The
questionnaire was, therefore, designed to identify the extent to which companies identify, assess,
manage and report on risk across the whole company, covering all aspects of risk linked to the
achievement of the company's objectives.
In order to carry out our survey we used a sample of Greek companies from the commercial,
manufacturing, construction and services sectors. Recipients were followed up by telephone to chase
completion and return of the questionnaire. A number of questionnaire respondents were
interviewed. The interviews gathered qualitative information which gave a more in-depth
understanding of the risk management activities undertaken in these companies. We sent the
questionnaire to 80 companies. No distinction has been made between the types of company or their
size. In the future this survey needs to be done in a way that reflects the nature and size of the
company. A total of 50 responses were received (a 62.5 per cent response). The size of the sample is
not sufficient for a purely quantitative analysis. However, we performed a qualitative analysis, which
led to very important conclusions.
The questionnaire is based predominantly on the requirements of Risk Management Standard AS/NZS 4360:1999 issued by Standards Australia. Generally questions are of three types:
- Questions containing a statement.
- Multiple response questions.
- Text response questions.
4. Findings
We carried out this survey in order to determine how well risk management is understood and
implemented. The purpose of the survey was to provide an overview of the extent and practice of risk
management across Greek companies. Risk management involves a series of well-defined steps that support better decision-making, contributing to a greater insight into risks and their likely impacts. We
focused our examination on the following steps:
STEP 1: Clarity of objectives. This means that their objectives are clearly expressed and
communicated throughout the company. If objectives are unclear then the risks of under-performance
or failing to meet objectives will be unclear also.
Seventy-eight percent of companies responding to our survey agree or strongly agree that they have
set out the priority of the company's business and policy objectives. Only ten percent give a negative
answer to this question (Figure 2).
Eighty-four per cent of companies responding to our survey agree or strongly agree that effective risk management is important in the achievement of the company's objectives (Figure 3).
We asked companies whether they have clear management statements on the importance of risk
management and guidance on how to implement it. Sixteen percent of companies responding to our
survey say that their risk management objectives have been clearly set out. On the other hand sixty
four per cent say they have not (Figure 4).
Figure 2: The relative priority of the company's business and policy objectives are set out (Strongly Disagree 4%, Disagree 6%, Neutral 12%, Agree 62%, Strongly Agree 16%)
Figure 3: Effective risk management is important in the achievement of the company's objectives (Strongly Disagree 0%, Disagree 4%, Neutral 12%, Agree 60%, Strongly Agree 24%)
Figure 4: The company's risk management objectives have been clearly set out (Strongly Disagree 12%, Disagree 52%, Neutral 20%, Agree 16%, Strongly Agree 0%)
Thirty two percent say they use a common definition of risk management throughout the company.
However, forty four percent disagree or strongly disagree with this statement (Figure 5).
Figure 5: There is a common understanding of risk management across the organization (Strongly Disagree 10%, Disagree 34%, Neutral 24%, Agree 30%, Strongly Agree 2%)
Twenty percent of companies say that there are clear management statements on risk management in
the company. However, sixty percent disagree with this statement (Figure 6).
Figure 6: There are clear management statements on risk management in the company (Strongly Disagree 14%, Disagree 46%, Neutral 20%, Agree 20%, Strongly Agree 0%)
Only twenty percent say that the linking of risks to objectives is effective with forty four percent
saying that the link is ineffective and 10 percent saying that the link is not in place. That means that
not enough attention is paid by managers to identifying the main factors that could put the
achievement of key objectives at risk.
STEP 2: Identification of risk. This means recognizing and identifying the key risks for which they are responsible and those risks which are most likely to impact on their performance. Ensuring that risks
are identified and managed requires that responsibility for risk management activities is clearly
allocated to appropriate staff; the frequency with which risk is assessed is determined; the types of
risks most likely to impact on a company's performance are identified; and appropriate techniques are
used to assess risk. Our survey covered these aspects of risk management.
Companies say that they face a range of risks (Figure 8). The most common risk referred to
by companies (100 per cent) is market risk. Eighty-eight percent of companies refer to business
risk, eighty percent to credit risk and seventy four percent to liquidity risk. Very significant reference
was also made to reputational (72 percent), environmental (70 percent) and operational risk (68 percent).
Figure 8: What kind of risks are identified (bar chart, scale 0% to 100%; categories: Business risk, Credit risk, Sovereign risk, Market risk, Liquidity risk, Operational risk, Accounting risk, Country risk, Political risk, Industry risk, Legal/regulatory risk, Systemic risk, Reputational risk, Environmental risk)
Forty two percent of companies told us that responsibility for the identification of risk rests with the
Director of Finance, twenty two percent with the Production Manager, sixteen percent with the Chief
Executive and eight percent say it is the responsibility of the Board or senior management team
(Figure 9). Ten percent of companies say that a mechanical engineer has responsibility for identifying
risks. Only one company (2 percent) indicated the existence of a dedicated risk manager with
responsibility for identifying risk.
Figure 7: Your company carries out a comprehensive and systematic identification of its risks relating to each of its declared aims and objectives. Strongly Disagree 10%, Disagree 44%, Neutral 26%, Agree 20%, Strongly Agree 0%.
Figure 9: Who has responsibility for Risk Identification
We asked the companies about the terms in which they identify risks. The answers show that most of
them use a combination of terms. Seventy four percent say that they identify the source of risk, and fifty
eight percent try to answer the question of what can happen or why and how risk arises. Only eighteen
percent investigate the area of impact (Figure 10).
Figure 10: Does your company identify risks in terms of:
Another important issue that we covered in our survey concerns the tools and techniques that
companies use for risk identification. Seventy percent of companies referred to past company
experience, fifty six percent referred to judgment, forty four percent to brainstorming, thirty percent to
physical inspection and only four percent to surveys. It is important to mention that there is no
reference to the use of a scientific method, such as process analysis, operational modeling or SWOT
analysis.
[Chart] Does your company identify risks in terms of (bar chart, horizontal axis 0% to 80%): what can happen?; how and why risks arise?; area of impact?; the source of the risk?
[Chart] Who has responsibility for Risk Identification: Chief Executive/Director 16%, Board / Management Team 8%, Director of Finance 42%, Internal Audit 0%, Risk manager 2%, Production managers 22%, All staff 0%, Other (please specify) 10%.
Figure 11: What tools and techniques are used by your company for identifying risks:
STEP 3: Assessment of risk. Risk assessment involves an analysis and evaluation of risks to provide
the potential impact of identified risks, and the timescale over which the risks need to be managed.
Analysis should determine the likelihood of risks maturing and the consequences of risk. Consequence and
likelihood may be combined to produce an estimated level of risk, quantified wherever possible, or
qualified in a range of low to high. Evaluation then enables identified risks to be ranked.
Forty percent of companies told us that responsibility for risk assessment rests with the Director of
Finance, twenty four percent with the Chief Executive, twenty percent with the Board or senior
management team and ten percent say it is the responsibility of the Production Manager (Figure 12).
Only one company (2 percent) had a dedicated risk manager who is responsible for risk assessment.
Figure 12: Who has responsibility for Risk Assessment
Over half of companies say that they do not find it difficult to assess the likelihood of risks occurring
(52 per cent). However, 30 percent of them face difficulties when they try to assess the likelihood of risk.
The results concerning the prioritization of main risks are similar. Forty six percent of companies find
no difficulty in assessing the relative priority which they should give to risks. However, thirty eight
percent of companies find difficulties in risk prioritization. On the other hand, forty percent say that they
do not find it difficult to assess the potential impact of risks and forty two percent do find it difficult
(Figure 13); 16-18 percent neither agree nor disagree with these statements.
[Chart] What tools and techniques are used by your company for identifying risks (bar chart, horizontal axis 0% to 70%): audits or physical inspection?; brainstorming?; examination of local/overseas experience?; SWOT analysis?; interview/focus group discussion?; judgemental?; surveys/questionnaires?; scenario analysis?; operational modelling?; past company experience?; process analysis?; other? (please specify below)
[Chart] Who has responsibility for Risk Assessment: Chief Executive/Director 24%, Board / Management Team 20%, Director of Finance 40%, Internal Audit 0%, Risk manager 2%, Production managers 10%, All staff 0%, Other (please specify) 4%.
Figure 13: Risk Prioritization - Assessment of Likelihood - Impact
Sixty four percent also say that the level of risk which they face has increased in the last five years.
Only ten percent of the companies say that they believe that the risk they face has decreased in the
last five years (Figure 14).
Figure 14: In the last five years the level of risk faced by the company has ....
STEP 4: Response to risk. This means determining the level and type of risk that is acceptable,
determining resources needed to manage identified risks, and prioritizing and allocating responsibility
for them.
To determine what companies intend to do about the risks that they have identified, in order to
reduce their overall risk exposure, we asked them: to what extent does your
company use the risk treatment option of:
- transferring the risk
- accepting/retaining the risk
- reducing the risk
- avoiding the risk
Forty four percent say that they prefer risk transfer, thirty eight percent say that they prefer to avoid
the risk, fourteen percent accept/retain the risk, and only four percent try to reduce the risk.
[Chart] Risk Prioritization - Assessment of Likelihood - Impact (bar chart; responses from Strongly Disagree to Strongly Agree, vertical axis 0% to 40%). Series: The company finds it difficult to prioritize its main risks; The company finds it difficult to assess the likelihood of risks occurring; The company finds it difficult to assess the potential impacts of risks materializing.
[Chart] In the last five years the level of risk faced by the company has ....: Increased 64%, Decreased 10%, Not changed 12%, Not sure 14%.
Figure 15: To what extent does your company use the risk treatment option of: accepting/retaining the risk? 14%; avoiding the risk, e.g. not proceeding with activity? 38%; reducing the risk, e.g. controlling the risk? 4%; transferring the risk, e.g. insurance? 44%.
The company's response to risk is the prioritization of risks that need active management. Sixty
percent of the companies agree with this statement. On the other hand, twenty two percent of the
companies say that response to risk includes an evaluation of the effectiveness of the existing controls
and risk management responses. Only twenty six percent of the companies say that response to risk
includes action plans for implementing decisions about identified risks. Finally, only twenty six percent
of the companies say that response to risk includes an assessment of the costs and benefits of
addressing risks.
Figure 16: The company's response to risk includes ..
STEP 5: Monitoring and review. Risk management is a continuous process which should include
monitoring and reviewing identified risks, and being open to new or changed risks and opportunities
resulting from evolving circumstances.
We asked the companies how regularly they review their insurance coverage. Sixty six percent of the
companies say that they review their insurance coverage annually. Fourteen percent of the companies
say that they review their insurance coverage quarterly and four percent of the companies say that they
review their insurance coverage monthly. Only sixteen percent of the companies say that they review
their insurance coverage less frequently than annually.
[Chart] The company's response to risk includes .. (bar chart; responses from Strongly Disagree to Strongly Agree, vertical axis 0% to 60%). Series: An evaluation of the effectiveness of the existing controls and risk management responses; Action plans for implementing decisions about identified risks; An assessment of the costs and benefits of addressing risks; Prioritizing of risks that need active management; Other.
Figure 17: How regularly does the company review its insurance coverage
We asked the companies if they believe that their management procedures have improved, worsened
or not changed at all in the last five years. Most of them (62 percent) believe that nothing has
changed. Twenty four percent say that their management procedures have improved. It is notable
that no company says that its management procedures have worsened.
Figure 18: In the last five years the company's risk management procedures have
In the last part of the questionnaire we examined the companies' culture about risk. The questions tend
to relate the culture of the company and the degree to which policies and procedures support risk and
risk management.
Although in practice companies can be major risk takers they tend to regard themselves as more risk
averse than risk taking. We asked those in our survey to rate their department on a scale of 1 to 5 with
1 representing a more risk taking approach and 5 suggesting a risk averse culture. Forty six percent of
companies told us that they tend to be more risk averse than risk taking, whereas twenty six percent
regarded themselves as more risk taking than risk averse (Figure 19).
[Chart] How regularly does the company review its insurance coverage: monthly? 4%; quarterly? 14%; annually? 66%; less frequently than annually (please specify below)? 16%.
[Chart] In the last five years the company's risk management procedures have: Improved 24%, Worsened 0%, Not changed 62%, Not sure 14%.
Figure 19: The company regards itself as having a risk taking or risk averse culture? From 1: risk taking to 5: risk averse (bar chart; horizontal axis 1 to 5, vertical axis 0 to 14).
Thirty six percent of the companies say that they know how much risk they may take in order to
achieve their objectives. However, thirty two percent of the companies say that they do not know how
much risk they may take in order to achieve their objectives.
Figure 20: The company knows how much risk it may take in the achievement of its objectives
In responding to our survey companies identify the lack of appropriate training in risk management.
Thirty four percent of companies say that they covered training about risk management strategies.
Twenty percent of companies say that they covered training about risk management processes. Only
two percent of companies (one company) say that they covered training about risk taking.
[Chart] The company knows how much risk it may take in the achievement of its objectives: Strongly Disagree 10%, Disagree 22%, Neutral 32%, Agree 32%, Strongly Agree 4%.
Figure 21: Management have received training in ...
5. Conclusions
Risk management is part of any company's strategic management. It is the process whereby
companies methodically address the risks attaching to their activities with the goal of achieving
sustained benefit within each activity and across the portfolio of all activities. The focus of good risk
management is the identification and treatment of these risks. Its objective is to add maximum
sustainable value to all the activities of the company.
Our survey asked companies about:
- their understanding of risk management and its importance to their performance;
- how they identify and assess risks; and
- the action which they take to manage risks.
While our survey found growing recognition of the importance of risk management, companies were
less sure as to how it should be implemented in practice.
The results of the survey indicate that:
- Determination of objectives is the first step in the risk management function. The objective of
  risk management needs to be decided upon by the management, so that the company may
  fulfill its responsibilities in accordance with the set objectives.
- The impact of risk management was seen as too low. With systematic risk management,
  however, this impact can be improved.
- The number of identified but not analyzed risks is quite large. A relatively small proportion of
  identified risks were considered during risk analysis.
- A few companies apply systematic, documented risk management methods; most managers
  rely on intuition and luck instead of managing risks systematically and consistently.
- Companies need effective training on risk and risk management.
There is some inconsistency in companies' approach to risk management in that while many recognize
that it is important to the achievement of their objectives they are less clear on how risks should be
managed and few provide training on how to do so. Risk management will only become standard
practice in companies if there is better understanding of what it involves and the benefits which it can
help to secure in terms of improved service delivery and achieving key objectives.
The findings suggest that a significant amount of work still needs to be done by companies to achieve
best practice.
[Chart] Management have received training in ... (bar chart, horizontal axis 0% to 35%): Risk management strategy; Risk management processes; Risk taking.
This was the first in a series of such surveys, to be produced regularly to provide comparisons over
time, and updates on this rapidly changing business environment.