Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of UKEssays.com.
This dissertation is based on the journal produced jointly by The Institute of Risk Management (IRM), The Association of Insurance and Risk Managers (AIRMIC) and ALARM (The National Forum for Risk Management). Risk management is a rapidly developing discipline and there are many and varied views and descriptions of what risk management involves, how it should be conducted and what it is for. Some form of standard is needed to ensure that there is agreement on the terminology used, the process by which risk management is carried out, the organisational structure for risk management, and the objectives of risk management.
Risk management covers all the processes involved in identifying, assessing and judging risks, assigning ownership, taking actions to mitigate or anticipate them, and monitoring and reviewing progress. Risk is a major factor to be considered during the management of a project. Project management must control and contain risks if a project is to stand a chance of being successful. Risk can be defined as uncertainty of outcome (whether positive opportunity or negative threat). Some amount of risk taking is inevitable if the project is to achieve its objectives. The task of risk management is to manage a project’s exposure to risk (that is, the probability of specific risks occurring and the potential impact if they did occur). The management of risk is not a linear process; rather it is the balancing of a number of interwoven elements which interact with each other and which have to be in balance with each other. Risk management at the project level focuses on keeping unwanted outcomes to an acceptable minimum. Decisions about risk management at this level form an important part of the Business Case. Where suppliers and/or partners are involved, it is important to gain a shared view of the risks and how they will be managed. The aim is to manage that exposure by taking action to keep it at an acceptable level in a cost-effective way.
Risk management involves having:
Decision-making processes supported by a framework of risk analysis and evaluation
Processes in place to monitor risks
The right balance of control in place to deal with those risks.
According to D.G. Jones and M.R. Endsley risk evaluation is concerned with assessing probability and impact of individual risks, taking into account any interdependencies or other factors outside the immediate scope under investigation:
Probability is the evaluated likelihood of a particular outcome actually happening (including a consideration of the frequency with which the outcome may arise). For example, major damage to a building is relatively unlikely to happen, but would have an enormous impact on business continuity. Conversely, occasional personal computer system failure is fairly likely to happen, but would not usually have a major impact on the business.
Impact is the evaluated effect or result of a particular outcome actually happening
Impact should ideally be considered under the elements of: time, quality, benefit, people/resource.
Importantly, the standard recognizes that risk has both an upside and a downside. Risk management is not just something for corporations or public organizations, but for any activity whether short or long term. The benefits and opportunities should be viewed not just in the context of the activity itself but in relation to the many and varied stakeholders who can be affected. There are many ways of achieving the objectives of risk management and it would be impossible to try to set them all out in a single document. By meeting the various component parts of this standard, although in different ways, organizations will be in a position to report that they are in compliance. The standard represents best practice against which organizations can measure themselves.
Risk can be defined as the combination of the probability of an event and its consequences. In all types of undertaking, there is the potential for events and consequences that comprise opportunities for benefit (upside) or threats to success (downside). Risk management is increasingly recognized as being concerned with both positive and negative aspects of risk. Therefore this standard considers risk from both perspectives. In the safety field, it is generally recognized that consequences are only negative and therefore the management of safety risk is focused on prevention and mitigation of harm. Risk management is a central part of any organization’s strategic management. It is the process whereby organizations methodically address the risks attaching to their activities with the goal of achieving sustained benefit within each activity and across the portfolio of all activities. The focus of good risk management is the identification and treatment of these risks. Its objective is to add maximum sustainable value to all the activities of the organisation. It assembles the understanding of the potential upside and downside of all those factors which can affect the organisation.
It increases the probability of success, and reduces both the probability of failure and the uncertainty of achieving the organization’s overall objectives. Risk management should be a continuous and developing process which runs throughout the organization’s strategy and the implementation of that strategy. It should address methodically all the risks surrounding the organization’s activities past, present and, in particular, future. It must be integrated into the culture of the organisation with an effective policy and a programme led by the most senior management. It must translate the strategy into tactical and operational objectives, assigning responsibility throughout the organisation, with each manager and employee responsible for the management of risk as part of their job description. It supports accountability, performance measurement and reward, thus promoting operational efficiency at all levels.
3. External and Internal Factors
The risks facing an organisation and its operations can result from factors both external and internal to the organisation. They can be categorized further into types of risk such as strategic, financial, operational, hazard, etc. Risk management protects and adds value to the organisation and its stakeholders through supporting the organisation’s objectives by:
providing a framework for an organisation that enables future activity to take place in a consistent and controlled manner
improving decision making, planning and prioritization through a comprehensive and structured understanding of business activity, instability and project opportunity/threat
contributing to more efficient use/allocation of capital and resources within the organisation
reducing volatility in the non-essential areas of the business
protecting and enhancing assets and company image
developing and supporting people and the organization’s knowledge base
optimizing operational efficiency.
A big question that companies have to deal with is, “What is enough security?” This can be restated as, “What is our acceptable risk level?” These two questions have an inverse relationship. You can’t know what constitutes enough security unless you know your necessary baseline risk level. To set an enterprise-wide acceptable risk level for a company, a few things need to be investigated and understood. A company must understand its national and state legal requirements, its regulatory requirements, its business drivers and objectives, and it must carry out a risk and threat analysis. The result of these findings is then used to define the company’s acceptable risk level, which is then outlined in security policies, standards, guidelines and procedures. Although there are different methodologies for enterprise risk management, the core components of any risk analysis are made up of the following:
Identify company assets
Assign a value to each asset
Identify each asset’s vulnerabilities and associated threats
Calculate the risk for the identified assets
Once these steps are finished, then the risk analysis team can identify the necessary countermeasures to mitigate the calculated risks, carry out cost/benefit analysis for these countermeasures and report to senior management their findings.
Senior management can then choose one of the following activities pertaining to each of the identified risks: mitigate the risk by implementing the recommended countermeasure, accept the risk, avoid the risk, or transfer the risk by purchasing insurance. According to Frederick Funston, Stephen Wagner and Henry Ristuccia, many times senior management will follow the advice of the risk analysis team and allocate the necessary funds to implement the suggested countermeasures. Countermeasures can come in many different forms: firewalls, IDS, training, written policies and procedures, and so on. What is important to understand is that no countermeasure can completely eliminate risk; there is always some risk left over. This is called residual risk. The question is whether this residual risk is still too high or whether it is below the organization’s acceptable risk level.
The internal audit function is an integral part of the corporate governance regime of most public companies and a number of larger private companies. The primary goal of internal audit is to evaluate the company’s risk management, internal control and corporate governance processes and ensure that they are adequate and are functioning correctly. King II views the existence of an internal audit function as essential for all affected companies and suggests that where the board of such a company decides not to implement an internal audit function, full reasons for its decision should be advanced in the company’s Annual Report. In addition, the board should consider how, in the absence of internal audit, the effectiveness of the company’s internal processes and systems will be verified.
Internal audit may be carried out by an in-house division or outsourced, although where the function is outsourced to the same firm that performs the company’s external audit, care should be taken to ensure that suitable. The separateness of the external and internal audit functions is essential to proper corporate governance, as the one acts as a system of checks and balances in respect of the other. In practice there is often a high degree of cooperation between the external and internal audit functions of a company, and the external auditors usually affirm in their audit report the extent to which reliance has been placed on the work performed by internal audit. The purpose, authority and responsibility of the internal audit function should be formally defined in a form consistent with the standards of the Institute of Internal Auditors, and a formal Internal Audit Charter should be approved by the board. The charter should define the mission and scope of the internal audit function, its sphere of responsibility, its authority within the company, and its accountability and reporting obligations. The internal audit function should be sufficiently independent of the activities audited to ensure that the fact that internal auditors may be employees of the company does not hamper their independence and their ability to be objective. Internal audit should report at a level within the company that allows it to accomplish its responsibilities without undue interference, preferably to the CEO or the chairman. As previously stated, the head of the company’s internal audit function should have regular, independent access to the chairman of the audit committee. The appointment or dismissal of the head of internal audit should be dealt with in consultation with the audit committee.
Risks are uncertain future events that could influence the achievement of a company’s strategic, operational, financial and compliance objectives.
Risks are an unavoidable part of the business process, but good risk management at least protects an organisation against avoidable losses. Risk management is the process of deciding which risks to avoid, control, transfer or tolerate. The overall responsibility for risk management, which includes internal controls, rests with the board of directors. The board is responsible for ensuring that a formal risk assessment is undertaken at least annually for the purposes of making its public statement on risk management, including internal control. The board should acknowledge, in this statement, its responsibility for the risk management process and for reviewing its effectiveness. Management is accountable to the board for designing, implementing and monitoring the process of risk management, and integrating it into the day-to-day activities of the company. Management is also accountable to the board for providing assurances that it has done so. Risk management is multi-faceted and requires a team-based approach. Boards are encouraged to appoint dedicated committees to oversee the risk management process. Members of a risk committee should be executive directors and senior management who are involved with the operational functions of the organisation, in addition to non-executive directors with relevant skills or experience.
4. Scope of risk management
According to K. Borrington and P. Stimpson (2002), risk management aims to create a disciplined, structured and controlled environment within which risks to the organisation can be anticipated and maintained within predetermined, acceptable limits. Risk assessment is a continuous process requiring regular review as internal and external changes influence the company’s strategies and objectives. Circumstances demanding close attention include substantive changes to the operating environment, new personnel, new or revamped information systems, rapid growth, new technology, products or activities, corporate restructuring, acquisitions and disposals, and foreign operations.
4.1 Control activities
Control activities such as approvals, authorizations, verifications, operating reviews and reporting, and division of duties should be implemented in order to try and avoid risks materializing.
4.2 Information and communication
Relevant information should be communicated in an appropriate and timely way in order to enable employees to properly carry out their responsibilities. The communication system should ensure that all information, positive and negative, reaches senior management without delay.
4.3 Monitoring
The monitoring process assesses the quality of control systems over time. This may be accomplished through ongoing monitoring activities, separate evaluations or by a combination of the two.
4.4 Internal control
The formality and nature of a company’s system of internal control will generally vary with the size of the company and the level of public interest in it. Since profits are in essence the reward for successful risk-taking by a company, the purpose of an internal control system is to help manage and control risk appropriately rather than to eliminate it. Control mechanisms should be incorporated into the business plan and embedded in the day-to-day activities. The environment in which a company operates and the risks it faces are continually evolving; the challenge for the board remains to ensure that the company’s system of internal control remains relevant and is effective in managing the risks confronting the company at any given time. The system of internal control should be capable of responding quickly to the needs of the business arising from factors within the company and changes in the internal and external business environment. It should include procedures for reporting to appropriate levels of management any significant control failings or weaknesses that are identified.
An effective system of internal control should enable the company to:
Identify key objectives and those risks that may impact their delivery
measure performance of staff, policies, systems and processes in managing these risks
manage the process through timely and meaningful communication of relevant information available via workable and effective reporting structures
monitor the effectiveness with which risk is identified, measured and managed
According to G. Johnson, K. Scholes and R. Whittington (Exploring Corporate Strategy), since risk management includes a system of internal control, the internal auditing function should assist the board and management in identifying, evaluating and assessing significant organisational risks, and provide assurance as to the effectiveness of related internal controls.
There is nobody on this planet who has not taken a single risk in his or her life; each and every person journeys through life taking some risk or other. All that varies from person to person is the degree and amount of risk that is taken. Risk management is something that is applicable to one and all, regardless of whether you happen to be a businessman, an entrepreneur, a freelancer, a self-employed individual or a 9 to 5 working employee. For corporate “biggies”, a properly designed risk management process can often prove to be a life-saver. The concept behind a risk management process is extremely simple. It is the process of anticipating and analyzing risks and coming up with effective and efficient ways of managing as well as eradicating them. Here are the different steps that are involved in this process:
Risk Identification: The first step involves identifying risks. Certain risks could be quite obvious whereas a few others may need a certain amount of anticipation. There could be various types of risks such as:
commercial market-related risks
short term risks, long terms risks
personal risks, etc.
Try doing a SWOT (Strengths, Weaknesses, Opportunities and Threats) analysis; it will give you systematic results which will prove beneficial in risk identification. Identifying and anticipating risks is extremely important as it sets the stage for all further action and steps as part of the risk management plan (G.A. Cole).
Risk Analysis: This is the next step as part of the risk management process. Once all the risks have been identified, it is time to analyze and scrutinize each one of them. Risk analysis should be done both qualitatively as well as quantitatively. Determine how big a threat each risk is, what could be its consequence, its impact, etc. Each risk will have a likelihood factor i.e., a probability factor. On the basis of its impact and its likelihood factor, you can prioritize different risks as serious, moderate, mild, etc. Use a color coding system for easy graphical analysis. Once you have all this data laid out in front of you, you will be in a position to rank individual risks.
Risk Evaluation: This basically involves comparing the identified and analyzed risks with your individual goals or your company’s preset goals and objectives. You can then choose to grade risks and decide the future course of action to be taken based on how severely the risk is likely to impact your goals, objectives and targets.
Risk Treatment and Contingency Plan: The next step involves preparing a risk treatment and contingency plan. It is vital from the perspective of enterprise risk management. What will you do if the risk materializes? Can you do something to overcome the risk? Can you take some measures to lessen its impact? You should think about all these questions and come up with a risk treatment and contingency plan for the same. It should include ways in which to control as well as overcome the risk conditions.
Risk Monitoring: This is not the next step as such; rather it is something that should happen on a continuous basis at all stages of the risk management process. Have a RMMM (Risk Mitigation, Monitoring and Management) plan in place for the same. You can also make use of risk management software for this purpose. At the same time, there should be proper communication between the different departments involved in the risk management process. Communication is vital because it can affect the entire process both negatively as well as positively.
Risk identification sets out to identify an organization’s exposure to uncertainty. This requires an intimate knowledge of the organisation, the market in which it operates, the legal, social, political and cultural environment in which it exists, as well as the development of a sound understanding of its strategic and operational objectives, including factors critical to its success and the threats and opportunities related to the achievement of these objectives. Risk identification should be approached in a methodical way to ensure that all significant activities within the organisation have been identified and all the risks flowing from these activities defined. All associated volatility related to these activities should be identified and categorized. Business activities and decisions can be classified in a range of ways, examples of which include:
• Strategic – These concern the long-term strategic objectives of the organisation. They can be affected by such areas as capital availability, sovereign and political risks, legal and regulatory changes, reputation and changes in the physical environment.
• Operational – These concern the day-to-day issues that the organisation is confronted with as it strives to deliver its strategic objectives.
• Financial – These concern the effective management and control of the finances of the organisation and the effects of external factors such as availability of credit, foreign exchange rates, interest rate movement and other market exposures.
• Knowledge management – These concern the effective management and control of the knowledge resources, the production, protection and communication thereof. External factors might include the unauthorized use or abuse of intellectual property, area power failures, and competitive technology. Internal factors might be system malfunction or loss of key staff.
• Compliance – These concern such issues as health & safety, environmental, trade descriptions, consumer protection, data protection, employment practices and regulatory issues.
Whilst risk identification can be carried out by outside consultants, an in-house approach with well communicated, consistent and co-ordinated processes and tools is likely to be more effective. In-house ‘ownership’ of the risk management process is essential. The use of a well designed structure is necessary to ensure a comprehensive risk identification, description and assessment process. According to author Nassim Taleb, once the consequence and probability of each of the risks set out in the table have been considered, it should be possible to prioritize the key risks that need to be analyzed in more detail. Identification of the risks associated with business activities and decision making may be categorized as strategic, project/tactical, or operational. It is important to incorporate risk management at the conceptual stage of projects as well as throughout the life of a specific project.
Table – Risk Description
1. Name of risk
2. Scope of risk: qualitative description of the events, their size, type, number and dependencies
3. Nature of risk: e.g. strategic, operational, financial, knowledge or compliance
4. Stakeholders: stakeholders and their expectations
5. Quantification of risk: significance and probability
6. Risk tolerance/appetite: loss potential and financial impact of risk; value at risk; probability and size of potential losses/gains; objective(s) for control of the risk and desired level of performance
7. Risk treatment & control mechanisms: primary means by which the risk is currently managed; levels of confidence in existing control; identification of protocols for monitoring and review
8. Potential action for improvement: recommendations to reduce risk
9. Strategy and policy developments: identification of function responsible for developing strategy and policy
Risk estimation can be quantitative, semiquantitative or qualitative in terms of the probability of occurrence and the possible consequence.
Table – Consequences: Both Opportunities and Threats
High:
Financial impact on the organisation is likely to exceed X
Significant impact on the organization’s strategy or operational activities
Significant stakeholder concern
Medium:
Financial impact on the organisation likely to be between X and X
Moderate impact on the organization’s strategy or operational activities
Moderate stakeholder concern
Low:
Financial impact on the organisation likely to be less than X
Low impact on the organization’s strategy or operational activities
Low stakeholder concern
A range of techniques can be used to analyze risks. These can be specific to upside or downside risk or be capable of dealing with both. The result of the risk analysis process can be used to produce a risk profile which gives a significance rating to each risk and provides a tool for prioritizing risk treatment efforts; this ranks each identified risk so as to give a view of its relative importance (Blanchard and Thacker 2007). This process allows the risk to be mapped to the business area affected, describes the primary control procedures in place and indicates areas where the level of risk control investment might be increased, decreased or reapportioned. Accountability helps to ensure that ‘ownership’ of the risk is recognized and the appropriate management resource allocated.
An organization’s risk management policy should set out its approach to and appetite for risk and its approach to risk management. The policy should also set out responsibilities for risk management throughout the organisation. Furthermore, it should refer to any legal requirements for policy statements. Attached to the risk management process is an integrated set of tools and techniques for use in the various stages of the business process. In addition to other operational functions they may have, those involved in risk management should have their roles in coordinating risk management policy/strategy clearly defined. The same clear definition is also required for those involved in the audit and review of internal controls and facilitating the risk management process. Risk management should be embedded within the organisation through the strategy and budget processes. It should be highlighted in induction and all other training and development as well as within operational processes, e.g. product/service development projects.
According to Courtland and John (2008), risk treatment is the process of selecting and implementing measures to modify the risk. Risk treatment includes as its major element risk control/mitigation, but extends further to, for example, risk avoidance, risk transfer, risk financing, etc.
The risk analysis process assists the effective and efficient operation of the organisation by identifying those risks which require attention by management. Management will need to prioritize risk control actions in terms of their potential to benefit the organisation. Effectiveness of internal control is the degree to which the risk will either be eliminated or reduced by the proposed control measures. Cost effectiveness of internal control relates to the cost of implementing the control compared to the risk reduction benefits expected. The proposed controls need to be measured in terms of the potential economic effect if no action is taken versus the cost of the proposed actions, and this invariably requires more detailed information and assumptions than are immediately available. One method of obtaining financial protection against the impact of risks is through risk financing, which includes insurance. However, it should be recognized that some losses or elements of a loss will be uninsurable, e.g. the uninsured costs associated with work-related health, safety or environmental incidents, which may include damage to employee morale and the organization’s reputation. The loss to be expected if no action is taken must also be estimated and, by comparing the results, management can decide whether or not to implement the risk control measures. Compliance with laws and regulations is not an option. An organisation must understand the applicable laws and must implement a system of controls to achieve compliance. There is only occasionally some flexibility where the cost of reducing a risk may be totally disproportionate to that risk. Effective risk management requires a reporting and review structure to ensure that risks are effectively identified and assessed and that appropriate controls and responses are in place. Regular audits of policy and standards compliance should be carried out and standards performance reviewed to identify opportunities for improvement.
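The four-step analysis set out earlier (identify assets, assign each a value, identify vulnerabilities and threats, calculate the risk), the countermeasure and residual-risk decision that follows it, and the cost-effectiveness comparison in this section, worked through as an added Python example that is not part of the dissertation or the IRM standard. The expected-loss formula (single loss expectancy times annual probability), the order of the decision checks, the consequence-band thresholds and every figure in the register are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Asset:
    name: str
    value: float                 # step 2: value assigned to the asset (monetary units)


@dataclass
class Threat:
    name: str                    # step 3: the threat ...
    vulnerability: str           # ... and the weakness it exploits
    annual_probability: float    # evaluated likelihood of occurring in a year
    impact_fraction: float       # share of the asset's value lost if it occurs


@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    residual_probability: float  # likelihood that remains once the control is in place


@dataclass
class RiskAppetite:
    max_annual_loss: float       # acceptable risk level, as expected loss per year
    max_single_loss: float       # largest single loss the organisation will bear


def single_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """Impact of one occurrence: asset value times the fraction put at risk."""
    return asset.value * threat.impact_fraction


def annual_loss_expectancy(asset: Asset, threat: Threat,
                           probability: Optional[float] = None) -> float:
    """Step 4: risk = impact x probability, expressed as expected loss per year."""
    p = threat.annual_probability if probability is None else probability
    return single_loss_expectancy(asset, threat) * p


def band(impact: float, high: float, medium: float) -> str:
    """Place a single-loss impact in the High/Medium/Low consequence bands;
    high and medium play the role of the X thresholds in the consequence table."""
    if impact > high:
        return "High"
    if impact > medium:
        return "Medium"
    return "Low"


def treatment(asset: Asset, threat: Threat, appetite: RiskAppetite,
              control: Optional[Countermeasure] = None,
              insurance_premium: Optional[float] = None) -> Tuple[str, float]:
    """Pick one of the four options (accept, mitigate, transfer, avoid) and return
    it with the residual expected annual loss. The check order is this example's rule."""
    inherent = annual_loss_expectancy(asset, threat)
    sle = single_loss_expectancy(asset, threat)
    if inherent <= appetite.max_annual_loss and sle <= appetite.max_single_loss:
        return "Accept", inherent            # already within the acceptable risk level
    if control is not None:
        # No control removes the risk entirely; it lowers the probability, so a
        # residual risk always remains and is compared with the appetite.
        residual = annual_loss_expectancy(asset, threat, control.residual_probability)
        cost_effective = (inherent - residual) > control.annual_cost
        if cost_effective and residual <= appetite.max_annual_loss:
            return "Mitigate", residual
    # Transfer (insure) when one event would exceed what the organisation can bear;
    # the expected loss moves to the insurer and the premium becomes the cost.
    if sle > appetite.max_single_loss and insurance_premium is not None:
        return "Transfer", inherent
    return "Avoid", inherent                 # no affordable way to bring it within appetite


def risk_register(entries, appetite: RiskAppetite, high: float, medium: float):
    """Risk profile: every identified risk ranked by inherent expected loss."""
    rows = []
    for asset, threat, control, premium in entries:
        inherent = annual_loss_expectancy(asset, threat)
        decision, residual = treatment(asset, threat, appetite, control, premium)
        rows.append((asset.name, threat.name, round(inherent),
                     band(single_loss_expectancy(asset, threat), high, medium),
                     decision, round(residual)))
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


# Constructed sample register; all assets, threats and figures are invented.
APPETITE = RiskAppetite(max_annual_loss=25_000, max_single_loss=500_000)
ENTRIES = [
    (Asset("customer database", 500_000), Threat("ransomware", "unpatched VPN", 0.30, 0.60),
     Countermeasure("patching programme + MFA", 20_000, 0.05), None),
    (Asset("head office building", 2_000_000), Threat("major fire", "single site", 0.01, 0.80),
     None, 30_000),
    (Asset("internal wiki", 150_000), Threat("defacement", "weak admin passwords", 0.30, 0.40),
     None, None),
    (Asset("legacy payment system", 800_000), Threat("card data breach", "unsupported software", 0.60, 0.90),
     Countermeasure("full re-platforming", 500_000, 0.30), None),
]

if __name__ == "__main__":
    for row in risk_register(ENTRIES, APPETITE, high=250_000, medium=50_000):
        print(row)
```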
It should be remembered that organizations are dynamic and operate in dynamic environments. Changes in the organisation and the environment in which it operates must be identified and appropriate modifications made to systems. The monitoring process should provide assurance that there are appropriate controls in place for the organization’s activities and that the procedures are understood and followed.