Notes on Approaches to Defining Risk and Risk Management

RISK AND RETURNS

  • There is a clear and direct relationship between risk and reward. If a company tries to minimize risk, it is likely to minimize its rewards as well. A policy that pursues both risk minimization and reward maximization is therefore internally inconsistent and can produce negative outcomes.

APPROACHES TO RISK MANAGEMENT

  • Risk Avoidance: Under this approach, the company avoids taking on risks as much as possible.
  • Diversification: The company deliberately tries to engage in business activities that are very different from one another.
  • Risk Transfer: An organization or individual shifts the financial consequences of a specific risk to another party.
  • Risk Retention: The company decides to retain the risk on its books. This policy may be the result of the high cost of the transfer or the company’s high confidence in its internal controls.
  • Risk Sharing: The company faces the consequences of risk up to a certain threshold level. Once the threshold level is breached, the risk gets transferred to an external party.
  • Loss Control: Used by organizations that hold a certain amount of liquid assets. They hold on to the assets until a predefined threshold is reached, at which point the position is closed to cap the loss. This threshold is often called the “stop-loss” point.

ORGANIZATION DEFINITION OF RISK

  • ISO Guide 73 defines risk as the effect of uncertainty on objectives. An effect is a deviation from the expected, which may be positive or negative. Risk is often described by reference to an event, a change in circumstances, or a consequence.
  • Risk is the combination of the possibility of an event and its consequences. Consequences can range from positive to negative.
  • Definitions cited: ISO Guide 73; Institute of Risk Management (IRM); Institute of Internal Auditors (IIA).

ORGANIZATION DEFINITIONS OF RISK (CONTINUED)

  • The uncertainty of an event occurring that could have an impact on the achievement of the objectives. Risk is measured in terms of consequences and likelihood.

TYPES OF RISKS

1) Compliance Risk — The risk of legal or regulatory penalties arising from a failure to comply with laws, regulations, or industry standards.
2) Hazard Risk — A source of potential harm that can undermine objectives; its consequences are negative only.
3) Control Risks — Associated with unknown and unexpected events. Difficult to quantify.
4) Opportunity Risks — The potential loss or missed opportunities when a decision is made, particularly in investment or business contexts.
5) Operational Risk — The risk of financial loss due to operational failures, including human errors, system breakdowns, and process failures.
6) Market Risk — The risk of financial loss due to fluctuations in stock prices, bond prices, or other financial instruments.
7) Investment Risk — The risk associated with investing in assets that may not perform as expected, leading to financial loss.
8) Credit Risk — The risk of financial loss due to the default of borrowers or counterparties in repaying loans or fulfilling financial obligations.

BENEFITS OF RISK MANAGEMENT

  • Assurance
  • Mandatory
  • Decision-Making
  • Effective and Efficient Core Processes

FEATURES OF RISK MANAGEMENT

  • Inadequate Risk Recognition
  • Insufficient Analysis of Significant Risk
  • Failure to identify suitable risk response activities

INHERENT LEVEL OF RISK

  • Inherent risk refers to the level of risk that exists naturally or inherently within a particular activity, process, investment, or situation before any risk mitigation measures or controls are implemented. It represents the baseline or starting point for assessing risk.
  • Baseline Risk: The inherent level of risk represents the risk that would exist if no actions were taken to reduce or manage it.
  • Assessment: Assessing the inherent risk involves identifying and evaluating potential risks and their potential impacts.
  • Comparison: After assessing the inherent risk, organizations or individuals can compare it to their risk tolerance to determine whether the level of risk is acceptable or if further risk mitigation measures are necessary.
  • Risk Mitigation: Once the inherent risk is understood, organizations or individuals can implement risk mitigation strategies and controls to reduce the level of risk to an acceptable or manageable level.
  • Dynamic Nature: The inherent level of risk may change over time due to various factors, including changes in the business environment, industry trends, regulatory developments, and external events.
  • Industry-Specific: The inherent level of risk can vary significantly between industries and activities.
  • Risk Assessment Framework: In formal risk management processes, organizations often use a risk assessment framework to categorize and prioritize inherent risks.
  • Understanding the inherent level of risk is a fundamental step in effective risk management.

RISK CLASSIFICATION SYSTEMS

  • Definition: Frameworks or methods used to categorize and organize various types of risks based on common characteristics, attributes, or criteria to help understand, assess, and manage risks.

RISK CLASSIFICATION SYSTEMS: TIMESCALE

  • Short-term risk: Can impact objectives, key dependencies, and core processes immediately; disruption begins as soon as the event happens (short-term → immediate impact).
  • Medium-term risk: Can impact the organization after a short delay following the event; the impact is not immediately apparent but appears within months, or at most 1 year after the event.
  • Long-term risk: Can impact the organization some time after the event; 1–5 years or more after the event.

RISK CLASSIFICATION SYSTEMS: RISK ASSESSMENT

  • High risk: A risk for which protection is required by law, or which, if realized, can lead to a significant impact on the organization’s business, safety, or finances.
  • Moderate risk: A risk which, if realized, can lead to a noticeable (but not significant) impact on the organization’s business, safety, or finances.
  • Low risk: Any risk not classified as high or moderate.

RISK SCORING/SCORING MATRIX

  • Risk scoring typically uses a matrix with Likelihood vs Impact to categorize overall risk level.
  • Likelihood categories (examples): Very Likely, Likely, Possible, Unlikely.
  • Impact categories (examples): Negligible, Minor, Moderate, Significant, Severe.
  • Intersections yield overall risk levels such as Low, Moderate, or High. The matrix can indicate higher risk when both likelihood and impact are high.
  • Example interpretation: A combination of a high likelihood with a high impact generally yields a High risk rating; lower likelihood or lower impact tends toward Moderate or Low risk ratings.

CRITERIA IN EVALUATING RISK

  • Likelihood (Probability): What is the probability that something bad could occur? This attribute quantifies the chance of a risk event occurring. It is often expressed as a percentage or a probability value, such as 10%.
  • Impact (Consequence): If something bad were to occur, what would be the consequences to the organization? Impact measures the severity or magnitude of the potential consequences if a risk event were to occur. It can be expressed in terms of financial losses, operational disruptions, or other relevant metrics.
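The scoring matrix described above (Likelihood vs Impact, banded into Low, Moderate and High) and the inherent-versus-mitigated comparison from the "Inherent Level of Risk" section can be expressed as a small scoring model. The code below is an added example written for these notes; it is not part of the original presentation. It uses the likelihood and impact category names given in the notes, but the numeric ordinal values, the product scoring, the Low/Moderate/High thresholds, the tolerance level and the sample risk register are all assumptions chosen for illustration.

```python
# Added example for the risk-scoring matrix in these notes (not original content).
# Assumptions: categories are treated as ordinal positions, the score is the
# product likelihood x impact, and the banding thresholds below are illustrative.

LIKELIHOOD = ["Unlikely", "Possible", "Likely", "Very Likely"]        # positions 1..4
IMPACT = ["Negligible", "Minor", "Moderate", "Significant", "Severe"]  # positions 1..5
RATINGS = ["Low", "Moderate", "High"]


def ordinal(scale, label):
    """Map a category label to its 1-based position on the ordinal scale."""
    if label not in scale:
        raise ValueError(f"{label!r} is not one of {scale}")
    return scale.index(label) + 1


def risk_score(likelihood, impact):
    """Likelihood x Impact as a product of ordinal positions (range 1..20)."""
    return ordinal(LIKELIHOOD, likelihood) * ordinal(IMPACT, impact)


def risk_rating(likelihood, impact, high_from=12, moderate_from=5):
    """Band the score into Low / Moderate / High. Thresholds are assumed values."""
    score = risk_score(likelihood, impact)
    if score >= high_from:
        return "High"
    if score >= moderate_from:
        return "Moderate"
    return "Low"


def matrix():
    """Full matrix as rating[likelihood][impact], useful for rendering a heat map."""
    return {lk: {im: risk_rating(lk, im) for im in IMPACT} for lk in LIKELIHOOD}


def residual_rating(likelihood, impact, likelihood_steps_reduced=0, impact_steps_reduced=0):
    """Inherent vs residual: a control lowers likelihood and/or impact by whole
    steps on the scale (never below position 1); the rating is recomputed."""
    lk = max(1, ordinal(LIKELIHOOD, likelihood) - likelihood_steps_reduced)
    im = max(1, ordinal(IMPACT, impact) - impact_steps_reduced)
    return risk_rating(LIKELIHOOD[lk - 1], IMPACT[im - 1])


def within_tolerance(rating, tolerance="Moderate"):
    """Compare a rating against the organization's (assumed) risk tolerance."""
    return RATINGS.index(rating) <= RATINGS.index(tolerance)


# Constructed sample register: (name, likelihood, impact,
#                               likelihood steps removed by controls,
#                               impact steps removed by controls)
SAMPLE_REGISTER = [
    ("Key supplier default", "Possible", "Significant", 1, 0),
    ("Data-centre power outage", "Likely", "Severe", 0, 2),
    ("Regulatory non-compliance fine", "Very Likely", "Severe", 1, 0),
]


def assess(register, tolerance="Moderate"):
    """Inherent rating, residual rating after controls, and tolerance check per entry."""
    results = []
    for name, lk, im, d_lk, d_im in register:
        inherent = risk_rating(lk, im)
        residual = residual_rating(lk, im, d_lk, d_im)
        results.append({
            "risk": name,
            "inherent": inherent,
            "residual": residual,
            "acceptable": within_tolerance(residual, tolerance),
        })
    return results


if __name__ == "__main__":
    for lk, row in matrix().items():
        print(f"{lk:>12}: " + "  ".join(f"{im}={r}" for im, r in row.items()))
    for entry in assess(SAMPLE_REGISTER):
        print(entry)
```

Entries whose residual rating still exceeds tolerance (the third sample above stays High after controls) are the ones that need further mitigation, transfer, or explicit acceptance under the "Comparison" step described in the inherent-risk section.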

CLOSING

  • The presentation emphasizes ISO 9001:2015 certification status (certified) and the ongoing importance of risk management in achieving objectives and maintaining process integrity.