This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
"Risk management has taken a more important role in the existence of businesses today" (Bowden et. al, 2001). In recent years, dynamic market relation has increased the uncertainty of organization's business environment and with the intense existence of market pressure, norms certifications and higher consumer expectations; organization is no longer able to avoid a substantial assessment of the risks within the business processes. Consequently, for any organization to sustain within this competitive business environment, risk analysis and risk management process has start taking the fundamental importance and becoming one of the central parts of any organisations.
Good risk management focus to identify and prevent possible risks that marshals the understanding of 'potential upside and downside' of all factors that possibly affect an organization. Well manage risks will reduces the probability of failure and uncertainty of achieving the organisation's overall objectives; and ultimately able to increase the probability of success. This value need to be integrated into the culture of the organisation together with an effective policy and strategy that is translated-able into tactical and operational objectives of which the responsibility can be assigned throughout the organisation as part of everyone job description.
Repeatedly, the 'human element' and 'human error' has been cited when explaining why risk events or disasters arise. Undeniably, 'human factor' is unavoidable and have an important influence on the organization's strategy but human is also the crucial factor to ensure the success implementation of organization's risk management strategy. Therefore, this essay will discuss on the consideration of implication of human factors for organization's risk management strategies.
the DEFINITIONS - RISK, RISK MANAGEMENT AND RISK ASSESSMENT
There are many different ways of defining risk, depending on the concentration of the business area. However, two possible general definitions of risk are that "risk is a chance or possibility of danger, loss, injury, or other adverse consequences" (The Oxford Encyclopaedic Dictionary) and "risk is the possibility of suffering loss or injury" (Online Merriam Webster Dictionary). Risk and opportunity generally goes hand in hand; when businesses strives to reach something innovative that hasn't been done before the opportunity for advancement cannot be achieved without taking risks. The following citation explains how the concept of risk versus opportunity assimilates and the rationale of continuous risk management:
"Risk in itself is not bad; risk is essential to progress, and failure is often a key part of learning. But we must learn to balance the possible negative consequences of risk against the potential benefits of its associated opportunity" (Scoy and Roger, 1992).
Meanwhile, risk management is a process where organization methodically addresses the risks attaching to the organization's activities with the goal of achieving continuous benefit within each activity. Risk management is considered as a logical, consistent and disciplined approach that prudently manage the future uncertainties (with organized methodology) that includes (i) identifying and measuring the unknowns (ii) learning the lessons from mistake (iii) developing mitigation options (that's includes risk transfer through insurance); selecting, planning, implementing appropriate risk mitigation and tracking as to ensure successful risk reduction and (iv) productively avoiding unnecessary waste of resources.
Subsequently, risk assessment is also another important aspect for business continuity plan development and a fundamental requirement to all organization. This risk process involves a careful examination of diverse factors to determine what type of risks the organization face and the relative importance of these risks, to consider what goes wrong and to decide on suitable control measures of preventing loss, damage or injury in the workplace. There are two words commonly associated with risk assessment: 'Hazard' (anything that can cause harm) and 'Risk' (the chance that somebody will be harmed by the hazard).
Ideally, risks with the highest loss and the greatest probability of occurring need to be handled first, and risks with lower probability of occurrence and lower loss can be handled later. In practice, to observe this ideal prioritization process can be very challenging; and to balance between risk with high probability of occurrence but lower loss and risk with high loss but lower probability of occurrence can also be mishandled. Another concern of risk management is the idea of 'opportunity cost' when instead of allocating resources for risk management, the amount could better off be spent on more profitable activities.
THE 'HUMAN error'
Human are never perfect and always prone to error making. Understanding human behaviour remains as a mystery as these individuals react differently depending on the environment and other physiological factors as well. According to Reason (2000:1) "â€¦human error problem can be viewed in two ways: the person approach and the system approach with each approaches has its own model of error causation and each model gives rise to quite different philosophies of error management." The person approach focus on the unsafe act - errors and procedural violation and these act rise mainly from unpredicted mental process such as carelessness, negligence and recklessness. Conversely, the basis for system approach error is that humans are not perfect and errors are to be expected even in the best organisations.
Arising from the majority loss suffered by the financial services industry in recent years, human factor especially the 'unsafe act' has been recognized as one of the major factor in this global financial crisis. Thus, it is not wrong to conclude that human error is an important contributor to risk for most business processes as this is being evidenced by the number of major accidents that have been attributed to this cause. According to Furst (2010:1) almost all serious accidents in the last 50 years has the initial findings that attributed the failures primarily to human error with several examples as follows:
"In 1984, in Bhopal, India, a Union Carbide plant explosion released cyanide gas, killing 20,000 people.
The 1989, Exxon Valdez oil spill in Alaska was a major environmental disaster;
In 2010, BP Deepwater Horizon oil spill in the Gulf of Mexico killed 11 men and injured 17 others."
These examples cited clearly that large proportion of risk events that happened because of human action. There is also situation where some risk events could be extremely destructive with very high cost implications that could cause the organization to have immediate financial difficulty or can be low in cost liability but at a rate that may be too high that the long term cost implications is also damaging to the financial obligation of the organization. Therefore, before any organization can formulate and implement any model of risk management strategy, the probability and severity of potential risk need to be evaluated. However, this requires the ability to identify and assess the uncertainty events and prioritize them depending on the probability of uncertainties' occurrence and the severity of the effects of risk. The capability to assess risk and to differentiate between acceptable and unacceptable risk is an obligatory characteristic of all employees especially in current century.
the evolution of risk management
Although risks management strategies are generally categorized into risk: avoidance, reduction, retention and allocation; the key to a proactive risk management process lies in the organization's ability to mobilize the knowledge and expertise of its employees as this will ensure the organization to obtain accurate and timely information on any potential harmful incident. This insight has also created a new notion of the integrated knowledge and risk management (KRM) and in fact many has agrees that "an organization can't manage its risk today without managing its knowledge" (Lelic, 2002). This "knowledge management tools, i.e. e-mail, the internet, early alert teams," (Marquardt, 1994:41) together with "communities of practice, capturing and distributing lessons learned can all be applied in a formal process that will help a company to sense and respond to potential risks" (Neef, 2005:115) and making sure business decision are made after due consideration given to all aspect of risks.
However, the above is not sufficient as there is a suggestion proposing that behavioural risk improvement is also a significant and growing area of risk management that plays an important factor in organization's risk. It has been mentioned that some of the largest losses suffered by businesses is from the exposure to derivative products that have been caused by bonus and reward systems that actually encouraged "at risk" behaviours (Mundy, 2004:16). This behavioural issue can practically impact all areas of an organization; internally and externally, and can wreak havoc at many levels. It is always important to balance those risks by having executives who, when confronted with a broad range of risks, and extreme pressure from shareholders, counterparties, government departments or their own peers, can take calculated decisions. This risk decision and behaviours around decision-making, applies to all levels of employee throughout the organization, but with extreme focus is on two sets of decision-makers; the top management and the implementers i.e. persons who have to deal with disasters.
To establish the best risk management strategy require a crucial skill; making knowledge requirement of the involved tools, the 'how and when' they are best deployed is critical especially by those at the 'Board' level. The increase of corporate scandals, coupled with recent legislation like the Sarbanes Oxley Act of 2002, has made businesses start giving more focused on risk management. Almost all organizations' boards will have a requirement for people that are well trained in the disciplines of risk management as the Board Directors; executive or non-executive; is responsible to understand and manage the risks of which their business is exposed.
Therefore, it is not surprise that enterprise risk management (ERM) has now becoming a practice that provides a framework to analyse and confront risks to be accepted by business managers; making ERM as a key component of corporate governance. ERM is a process realized by organization's Board of Directors, Senior Management and other personnel; and is being design to identify potential events that may affect the organization. ERM intend to manage these risks to be within the organization's risk appetite and to provide reasonable assurance regarding the achievement of organization objectives due to the increased expectations from shareholders, regulators, rating agencies and other stakeholders, and if being implemented appropriately, it will not only protect but create the stakeholder value
This risk governance is also offering a solid foundation for an organization to manage its risk profile within an ethical ERM system because as required by various risk management standards, this approach ensures that ethical values, codes, roles and responsibilities are implemented in a clear risk management structure with a defined set of accountabilities. Frigo and Anderson (2011:87) describes how the "keys to success for improving ERM as described in a recent COSO report are very applicable in strategic risk management, which include building ERM in incremental steps and focusing on the top risks of an organization, the strategic risks."
The evolution of this ERM when combined with the disastrous losses has given rise to a focus on 'strategic risk management'; that targeted to manage risks that are significant to the organization's ability to execute its strategies to achieve the business objectives. According to Standard & Poor of 2008, strategic risk management includes: "Management's view of the most consequential risk the firm faces, their likelihood, and potential effect; The frequency and nature of updating the identification of these top risks; The influence of risk sensitivity on liability management and financial decisions; and The role of risk management in strategic decision making." This is clearly an area that merits the time and attention of executive management and the directors.
human factor IMPLICATION for organization's rISK MANAGEMENT StrategY
The 'human factor' exists in practically all organization and through different roles and positions especially at the senior management level. Therefore, risk management professionals need an efficient communication skill and reporting relationships with all key individuals within the organization as it could affect the organization's risk management strategies. Risk management to human factor is a holistic, proactive and systematic consideration of human capabilities and limitations. Human factors are crucial in most functions and activities performed by organizations where it acknowledged the link between the personnel and the performance (financial and operational performance) of the organization. Furthermore, business leaders recognize that personnel-related issues is one of the main agenda of the organization requiring most managers to implement human factor's risk management strategies that support the organization's business objectives as well as increased the accountability and transparency around human factor management and reporting. Human factors are the most significant soft side of an organization with these human resources are one of the important sources of risks. Additionally, human resources manage and control the hard side of corporate management systems and thus making human factors as a leading element that influence organisation's strategic risk management.
This human factor plays dual roles in almost all organization, the source of risk and the manager of risk. As a source of risk, human could become the barrier for an organization to implement its plans or to achieve goals via unqualified person, human failures and errors, disagreement amongst personnel, fraudulent act, judgment mistakes, health and safety, malfeasance, frailty decision making, low performance or unethical behaviours. As a manager of risk, human resource personnel are responsible to position the organization into practice through an establishment of the corporate mission/vision, strategy and objectives. The personnel can play a significant part of the strategy dealing with human factor based risks i.e. dealing with fraud risk, all management and an organization based risks. These roles require a different approach for the fact that human factors are highly dynamic, hardly controllable and have different characteristics.
The effectiveness of an organization's risk management strategy is also affected by the integrity and ethical values of senior management who has the authority to set good values of the organization. In a standard model organization, the chief executive officer (CEO) roles is to provide a critical link to the entity's governing board and offers support for the risk management strategy. Those shouldering the CEO position serve as the key decision maker for numerous activities that is critical to the risk management strategy of an organisation. These CEOs are also regarded as guidance to team of senior managers that are responsible for the development of new business opportunities, mergers and acquisitions.
For a risk management strategy of an organization to excel, the organization's Board of Directors, Senior Management and other personnel, of all types and sizes, need to challenge themselves and their organizations. By developing strategic risk management processes and capabilities, it can be a platform to improve the risk management and risk governance. This can be achieved through the establishment of an audit committee that focus on the challenge of overall risk profile and framework; the internal audit that focus on assurance of effective risk management and maintains its objectivity consistent with its establishment; and a chief risk officer that execute both consulting and executive duties when reporting to the board.
Meanwhile, the other senior management team such as the financial chief officer should have multiple financial risk responsibilities and offer support for valuable information for the risk management strategy and makes appropriate decisions regarding risk-financing activities depending on information provided by the risk management professional. The performance improvement director is responsible to provide an important source of information and assist a risk management professional who lacks training in analysing and interpreting information. Whilst the compliance officer helps the development of policy and staff education efforts related to regulatory and legislative initiatives, the safety holds the responsibility to assist risk management professionals in hazardous materials management, performing fire safety and employee safety activities, and is usually the one who chairs the organization's safety committee. The risk manager must deal with highly sensitive and confidential information that directly affects the organization's financial status and public image.
Therefore, in this commonly existed organization set up, all appointed risk management professional need to have sufficient respect from others, and authority in practice, procedure and policy to fulfil the objective of the risk management strategy because with the roles assumes by everyone, they are held responsible to coordinate the risk management activities with other organization's affiliates and external parties, as well as with employees and managers at all levels of the organization. Thus, the risk management professional's position should always be place high within the organization's hierarchy because of the possible adverse implications it may have to the implementation of risk strategy.
Ideally, a reporting structure of a risk management professional should be directly to the CEO or to other senior management team of the organization. However, in most organization setup, apart than the separation of function handled by different positions, a risk management professional's is also being positioned below the department manager that causes the difficulty to deal with staff and department managers; and creates difficulty in obtaining access to senior management and outside parties. For example, financial risks are being handled by the finance department; reward, remuneration or compensation risks are managed by the human resource department whilst the safety programs are managed by a safety manager.
It is difficult to obtain the wide range of expertise to fulfil their risk management obligations and to stay on top of rapidly changing environments, as complex regulatory and legal developments also affect this field. Every large organization needs an experienced risk management professional and resources, and for any risk management strategy to accomplish its goals, various key components must be in place. Risk management involves strategic planning, branding, and marketing and all risk management activities need to be part of the organization's strategic plan and risk management programs will not be successful unless staff members at all levels understand the systems and purpose.
It is by nature that human are unpredictable. Even though it is not always the case but it is always true that no organization will know what will happen in future thus when considering the human factors implication for organization's risk management strategies, any possible consequence that could arise when working with human need to be considered i.e. sudden resignation or immediate termination of key personnel, disagreement or disharmony among employee, failure to obtain adequate support, that this may cause the whole project to fall apart no matter how well planned it may be.
Because "each individual brings to the workplace a unique background and technical ability, and has different needs and priorities" (COSO, 2004: 5), risk management professional in various organization must maintain sufficient respect and authority in practice, procedure and policies to achieve the objective of the risk management strategy. Ultimately, at each and every step of decision making, the process should involve its stakeholders because they should be aware of even the smallest decision made in the organizations.