Lecture 2 – Risk Management Process www.notes638.wordpress.com BBK3253 | Risk Management Prepared by Khairul Anuar Lecture 2 – Risk Management Process www.notes638.wordpress.com

Definitions Risk is defined as 'the chance of something happening that will have an impact on objectives'. It is, therefore, important to understand what the objectives of the company, subsidiary, work unit or your position, are, prior to attempting to analyse the risks.

Definitions Risk Management is defined "the systematic application of management policies, procedures and practices to the tasks of establishing the context, identifying, analysing, assessing, treating, monitoring and communicating".

What is Risk Management? A process to Identify Assess Manage and Control potential events or situations to provide reasonable assurance regarding the achievement of organizational objectives.

The Risk Management Process It is an iterative process that, with each cycle, can contribute progressively to organisational improvement by providing management with a greater insight into risks and their impact. Risk management can be applied to all levels of an organisation, in both the strategic and operational contexts, to specific projects, decisions and recognised risk areas.

The 8 Step Risk Management Process Identify the Risks 2. Identify the Causes 3. Identify the Controls 4. Establish your Likelihood and Consequence Descriptors 5. Establish your Risk Rating Descriptors 6. Add other Controls 7. Make a Decision 8. Monitor and Review

The 8 Step Risk Management Process Identify the Risks: List the things that might inhibit your ability to meet your objectives. You can even look at the things that would actually enhance your ability to meet those objectives eg. a fund-raising opportunity. These are the risks that you face eg. loss of a key team member; prolonged IT network outage; delayed provision of important information by another work unit/individual; failure to seize a commercial opportunity etc. Look at history and future estimates.

The 8 Step Risk Management Process 1. Identify the Risks: This involves driving events/conditions from: External Environment Economic-price movements, lower barriers Natural environment-floods, fire Social-changing demographics, life priorities Technological Internal Environment Infrastructure, personnel, process.

The 8 Step Risk Management Process 2. Identify the Causes: Try to identify what might cause these things to occur Eg. the key team member might be disillusioned with his/her position, might be head hunted to go elsewhere; the person upon whom you are relying for information might be very busy, going on leave or notoriously slow in supplying such data; the supervisor required to approve the commercial undertaking might be risk averse and need extra convincing before taking the risk etc.

The 8 Step Risk Management Process 3. Identify the Controls: Identify all the things (controls) that you have in place that are aimed at reducing the Likelihood of your risks from happening in the first place and, if they do happen, what you have in place to reduce their impact (consequence) Eg. providing a friendly work environment for your team; multi-skill across the team to reduce the reliance on one person; stress the need for the required information to be supplied in a timely manner; send a reminder before the deadline; provide additional information to the supervisor before he/she asks for it etc.

The 8 Step Risk Management Process 4. Establish your Likelihood and Consequence Descriptors The organisation will be required to determine the likelihood and consequences of a risk occurring in the given environment.   These ratings might include the likelihood of a catastrophic outcome or it could be a very unlikely outcome with limited consequences to the function of the organisation.

The 8- Step Risk Management Process 4. Establish your Likelihood and Consequence Descriptors Remembering that these depend upon the context of your analysis ie. if your analysis relates to your work unit, any financial loss or loss of a key staff member, for example, will have a greater impact on that work unit than it will have on the organisation as a whole Those descriptors used for the whole-of-organisation (strategic) context will generally not be appropriate for the departments, other work unit or the individual eg. a loss of $300,000 might be considered insignificant to the organisation, but it could very well be catastrophic to your work subsidiary.

The 8 Step Risk Management Process 5. Establish your Risk Rating Descriptors: What is meant by a Low, Moderate, High or Extreme Risk needs to be decided upon ahead of time. Because these are more generic in terminology though, you might find that the organisation’s strategic risk rating descriptors are applicable.

The 8 Step Risk Management Process 6. Add other Controls: Generally speaking, any risk that is rated as High or Extreme should have additional controls applied to it in order to reduce it to an acceptable level. What the appropriate additional controls might be, whether they can be afforded, what priority might be placed on them etc is something for the group to determine in consultation with the senior management. Head of the work unit (subsidiary) who, ideally, should be a member of the group doing the analysis in the first place.

The 8 Step Risk Management Process 7. Make a Decision: Once the above process is complete, if there are still some risks that are rated as High or Extreme, a decision has to be made as to whether the activity will go ahead. There will be occasions when the risks are higher than preferred but there may be nothing more that can be done to mitigate that risk ie. they are out of the control of the work unit but the activity must still be carried out. In such situations, monitoring the circumstances and regular review is essential.

The 8 Step Risk Management Process 8. Monitor and Review: The monitoring of all risks and regular review of the unit's risk profile is an essential element for a successful risk management program.

Risk Assessment Risk evaluation involves determining the significance of the level and type of risk and working decisions about future activities. In determining the significance of the risks, normally a risk assessment matrix is used. Figure below shows an example of a Risk Assessment Matrix (RAM). Almost Certain 4 M4 S8 S12 H16 Likely 3 M3 S6 S9 Unlikely 2 L2 Rare 1 L1   Negligible Minor 2 Major 3 Critical 4 L I KE HOOD CONSEQUENCES

Risk Assessment Using the RAM and the rating of consequences and likelihood earlier, you can then find the risk rating by multiplying the scale of likelihood with consequences for each risk event. After the risk rating has been determined, we need to decide on the future action. In determining the action, we can establish a Risk Action Table as shown in the previous table Using the table, the appropriate action can be decided immediately.

Risk Assessment Example of Risk Action Table

Treatment of Risk Risk treatment involves identifying the range of options for treating risk, assessing those options, preparing risk treatment plans and implementing them. The options available for the treatment of risks include: Retain/accept the risk Reduce the Likelihood of the risk occurring Reduce the Consequences of the risk occurring Transfer the risk Avoid the risk

Treatment of Risk Retain/accept the risk - if, after controls are put in place, the remaining risk is deemed acceptable to the organisation, the risk can be retained. However, plans should be put in place to manage/fund the consequences of the risk should it occur. Reduce the Likelihood of the risk occurring - by preventative maintenance, audit & compliance programs, supervision, contract conditions, policies & procedures, testing, investment & portfolio management, training of staff, technical controls and quality assurance programs etc.

Treatment of Risk Reduce the Consequences of the risk occurring - through contingency planning, contract conditions, disaster recovery & business continuity plans, off-site back-up, public relations, emergency procedures and staff training etc. Transfer the risk - this involves another party bearing or sharing some part of the risk by the use of contracts, insurance, outsourcing, joint ventures or partnerships etc.

Treatment of Risk (5) Avoid the risk - decide not to proceed with the activity likely to generate the risk, where this is practicable.

Risk Likelihood Descriptors Rating Description Likelihood of Occurrence 1. Rare/Highly unlikely, but it may occur in exceptional circumstances. It could happen, but probably never will. 2. Unlikely/Not expected, but there's a slight possibility it may occur at some time.

Risk Likelihood Descriptors 3. Possible - The event might occur at some time as there is a history of casual occurrence at the organization &/or similar organizations. 4. Likely/There is a strong possibility - the event will occur as there is a history of frequent occurrence at the institution and/or similar institutions.

Risk Likelihood Descriptors 5. Almost Certain/Very likely -The event is expected to occur in most circumstances as there is a history of regular occurrence at the company/organisation.

What mode do you go into if Risk Management fails Question What mode do you go into if Risk Management fails

Case studies for next week 1. Risk Management in Vodafone plc Refer pages 51, 32 – 37 of 2015 Annual Report 2.. Singapore Airlines Risk Management Framwork