1 | Page

Superior University, Lahore

Risk Management
by: Asif Masood Ahmad

Risk
Management
For MBA/M.Com/BBA Students

By: Prof. Asif Masood Ahmad

MBA, CMA, GCMA
[email protected]
0321-9842495

2 | Page

Superior University, Lahore

Risk Management
by: Asif Masood Ahmad

What is Risk?
Introduction
Every business faces risks that could present threats to its success.
Risk is defined as the probability of an event and its consequences. Risk management is the
practice of using processes, methods and tools for managing these risks.
Risk management focuses on identifying what could go wrong, evaluating which risks should be
dealt with and implementing strategies to deal with those risks. Businesses that have identified the
risks will be better prepared and have a more cost-effective way of dealing with them.
This guide sets out how to identify the risks your business may face. It also looks at how to
implement an effective risk management policy and program which can increase your business'
chances of success and reduce the possibility of failure.

What is Risk Management?

Risk management is the identification, assessment, and prioritization of risks followed by
coordinated and economical application of resources to minimize, monitor, and control the
probability and/or impact of unfortunate events or to maximize the realization of opportunities.
Risks can come from uncertainty in financial markets, threats from project failures (at any phase in
design, development, production, or sustainment life-cycles), legal liabilities, credit risk,
accidents, natural causes and disasters as well as deliberate attack from an adversary, or events
of uncertain or unpredictable root-cause.
In USA several risk management standards have been developed including the Project
Management Institute, the National Institute of Standards and Technology, actuarial societies, and
ISO standards. Methods, definitions and goals vary widely according to whether the risk
management method is in the context of project management, security, engineering, industrial
processes, financial portfolios, actuarial assessments, or public health and safety.

Risk Management Strategies?

The strategies to manage threats (uncertainties with negative consequences) typically include
transferring the threat to another party, avoiding the threat, reducing the negative effect or
probability of the threat, or even accepting some or all of the potential or actual consequences of a
particular threat, and the opposites for opportunities (uncertain future states with benefits).

The types of risk your business faces

The commonly described main categories of risk to consider are:

Strategic, for example a competitor coming on to the market

Compliance, for example responding to the introduction of new health and safety
legislation

3 | Page

Superior University, Lahore

Risk Management
by: Asif Masood Ahmad

Financial, for example non-payment by a customer or increased interest charges on a

business loan

Operational, for example the breakdown or theft of key equipment

Others, for example natural disaster (floods) and others depend upon the nature and scale
of the industry.

These categories are not rigid and some parts of your business may fall into more than one
category. The risks attached to data protection, for example, could be considered when reviewing
both your operations and your business' compliance.

Strategic risks
Strategic risks are those risks associated with operating in a particular industry.
They include risks arising from:

merger and acquisition activity

changes among customers or in demand

industry changes

research and development

For example you might consider the strategic risks of the possibility of a US company buying one
of your European competitors. This could give the US Company a distribution arm in the UK. In
this situation you might want to consider:

whether there are any US companies which have the cash/share price to do this

whether there are any European competitors who could be a takeover target, perhaps because
of financial difficulties

whether the US company would lower prices or invest more in research and development

Where there's a strong possibility of this happening, you should prepare some sort of response.

Compliance risk
Compliance risks are those associated with the need to comply with laws and regulations. They
also apply to the need to act in a manner which investors and customers expect, for example, by
ensuring proper corporate governance.
You may need to consider whether employment or health and safety legislation could add to your
overheads or force changes in your established ways of working. For advice on how to manage
health and safety risks, read our guide on how to set up a health and safety management system.
You may also want to consider legislative risks to your business. You should ask yourself whether
the products or services you offer could be made less marketable by legislation or taxation - as

4 | Page

Superior University, Lahore

Risk Management
by: Asif Masood Ahmad

has happened with tobacco and asbestos products. For example, concerns about the increase in
obesity may prompt tougher food labeling regulations, which may push up costs or reduce the
appeal of certain types of food.

Financial risks
Financial risks are associated with your business' financial structure and systems and the
transactions your business makes.
Identifying financial risk involves examining your daily financial operations, especially cash-flow. If
your business is too dependent on a single customer and they became unable to pay you, this
could have serious implications for your business' viability. See our guide on how to identify
potential cash-flow problems.
You might examine:

how you extend credit to customers

who owes you money

how you can recover it

insurance to cover large or doubtful debts

Financial risk assessment should take into account external factors such as interest rates and
foreign exchange rates.
Rate changes will affect your debt repayments and the competitiveness of your goods and
services compared with those produced abroad.
If you are involved in international trade, you will be exposed to even greater financial risks. It can
be more difficult to assess the creditworthiness of an overseas client and to recoup unpaid debts.
You may also be adversely affected by movements in the currency markets. In addition,
depending on the trading terms you choose, it may take longer to receive payment when
compared with a UK client. For more information on managing the financial implications of
international trade see our guides on getting paid when selling overseas and foreign currency and
exchange risks.

Operational risks
Operational risks are associated with your business' operational and administrative procedures.
These include:

recruitment

supply chain

transportation

accounting controls

IT systems

regulations

5 | Page

Superior University, Lahore

Risk Management
by: Asif Masood Ahmad

board composition

You should examine these operations in turn, prioritize the risks and make necessary provisions.
For example, if you rely on one supplier for a key component you could source other suppliers to
help you minimize the risk.
If your business makes and receives regular deliveries, consider drawing up a continuity plan to
help you maintain operations in the event of a fuel strike or shortage.
IT risk and data protection are increasingly important to business. If hackers break into your IT
systems, they could steal valuable data and even money from your bank account which at best
would be embarrassing and at worst could put you out of business. A secure IT system employing
encryption will safeguard commercial and customer information.

Other risks
Other risks include:

environmental risks, including natural disasters

employee risk management, such as maintaining sufficient staff numbers and cover,
employee safety and up-to-date skills

political and economic instability in any foreign markets you export goods to

health and safety risks

commercial risks, including the failure of key suppliers or customers

Risk Management Process

Businesses face many risks; therefore risk management should be a central part of any business'
strategic management.
Risk management helps you to identify and address the risks facing your business and in doing so
increase the likelihood of successfully achieving your businesses objectives.
A risk management process involves:

methodically identifying the risks surrounding your business activities

assessing the likelihood of an event occurring

understanding how to respond to these events

putting systems in place to deal with the consequences

monitoring the effectiveness of your risk management approaches and controls

As a result, the process of risk management:

improves decision-making, planning and prioritization

helps you allocate capital and resources more efficiently

6 | Page

Superior University, Lahore

Risk Management
by: Asif Masood Ahmad

allows you to anticipate what may go wrong, minimizing the amount of fire-fighting you
have to do or, in a worst-case scenario, preventing a disaster or serious financial loss

significantly improves the probability that you will deliver your business plan on time and to
budget
Risk management becomes even more important if your business decides to try something new,
for example launch a new product or enter new markets. Competitors following you into these
markets, or breakthroughs in technology which make your product redundant, are two risks you
may want to consider in cases such as these.

Risk Management Process Flowchart

1. Risk Identification
1. Introduction
Risk identification is a deliberate and systematic effort to identify and document the Institutions
key risks. The objective of risk identification is to understand what is at risk within the context of
the Institutions explicit and implicit objectives and to generate a comprehensive inventory of risks
based on the threats and events that might prevent, degrade, delay or enhance the achievement
of the objectives. This necessitated the development of risk identification guidelines to ensure that
Institutions manage risk effectively and efficiently.

2. The risk identification process

7 | Page

Superior University, Lahore

Risk Management
by: Asif Masood Ahmad

Comprehensive identification and recording of risks is critical, because a risk that is not identified
at this stage may be excluded from further analysis. In order to manage risks effectively,
Institutions have to know what risks they are faced with. The risk identification process should
cover all risks, regardless of whether or not such risks are within the direct control of the
Institution. Institutions should adopt a rigorous and on-going process of risk identification that also
includes mechanisms to identify new and emerging risks timeously.
Risk identification should be inclusive, not overly rely on the inputs of a few senior officials and
should also draw as much as possible on unbiased independent sources, including the
perspectives of important stakeholders.
2.1 Risk workshops and interviews
Risk workshops and interviews are useful for identifying, filtering and screening risks but it is
important that these judgment based techniques be supplemented by more robust and
sophisticated methods where possible, including quantitative techniques.
Risk identification should be strengthened by supplementing Managements perceptions of risks,
inter alia, with:

review of external and internal audit reports;

review of the reports of the Standing Committee on Public Accounts and the relevant
Parliamentary Committee(s);

financial analyses;

historic data analyses;

actual loss data;

interrogation of trends in key performance indicators;

benchmarking against peer group or quasi peer group;

market and sector information;

scenario analyses; and

Forecasting and stress testing.

2.2 Focus points of risk identification
To ensure comprehensiveness of risk identification the Institution should identify risk factors
through considering both internal and external factors, through appropriate processes of:
2.2.1 Strategic risk identification
Strategic risk identification to identify risks emanating from the strategic choices made by the
Institution, specifically with regard to whether such choices weaken or strengthen the Institution's
ability to execute its Constitutional mandate:

strategic risk identification should precede the finalization of strategic choices to ensure that
potential risk issues are factored into the decision making process for selecting the strategic
options;

risks inherent to the selected strategic choices should be documented, assessed and
managed through the normal functioning of the system of risk management; and

Strategic risks should be formally reviewed concurrently with changes in strategy, or at

8 | Page

Superior University, Lahore

Risk Management
by: Asif Masood Ahmad

least once a year to consider new and emerging risks.

2.2.2 Operational risk identification
Operational risk identification to identify risks concerned with the Institutions operations:

operational risk identification should seek to establish vulnerabilities introduced by

employees, internal processes and systems, contractors, regulatory authorities and external
events;

operational risk identification should be an embedded continuous process to identify new

and emerging risks and consider shifts in known risks through mechanisms such as management
and committee meetings, environmental scanning, process reviews and the like; and

Operational risk identification should be repeated when changes occur, or at least once a
year, to identify new and emerging risks.
2.2.3 Project risk identification
Project risk identification to identify risks inherent to particular projects:

project risks should be identified for all major projects, covering the whole lifecycle; and

for long term projects, the project risk register should be reviewed at least once a year to
identify new and emerging risks.

3. Risk Identification Methods - 12 Types

3.1 Brainstorming is a technique that is best accomplished when the approach is unstructured
(the facilitator encourages random inputs from the group). Group members verbally identify risks
that provide the opportunity to build on others ideas. To achieve the desired outcome, it is
essential to select participants that are familiar with the topics discussed, relevant documentation
is provided and a facilitator that knows the risk process leads the group.
A note-taker should be appointed to capture the ideas that are being discussed. A structured
brainstorming session, where each group member presents an idea in turn, may be used where
not all group members are participating. Structured brainstorming ensures participation by all
group members. Brainstorming can also be used during planning to generate a list of migration
strategies, possible causes for the risk, or other areas of impact. It is not intended for an in-depth
risk analysis of risk.
3.2 Surveys are a technique where lists of questions are developed to seek out risk in a particular
area. A limitation of this method is that people inherently don't like to complete surveys and may
not provide accurate information. The value of the surveys may be difficult to determine due to
subjectivity in the answers or because of the focus of the questions themselves.
3.3 Interviews are an effective way to identify risk areas. Group interviews can assist in
identifying the baseline of risk on a project. The interview process is essentially a questioning
process. It is limited by the effectiveness of the facilitator and the questions that are being asked.
The interview can be conducted before or after the brainstorming session. However if it is
accomplished before the brainstorming session, the results should be shared with the group after

9 | Page

Superior University, Lahore

Risk Management
by: Asif Masood Ahmad

they have provided their input to the risk list. If the interview(s) are completed after the
brainstorming session has been completed, the list of risks should be provided to all participants
for comment before they are added to the risk list.
3.4 Working Groups are great way to analyze a particular area or topic in a discussion process to
identify risks that may not be obvious to the risk identification group. The working group is usually
a separate group of people working a particular area within the project that is conducting the risk
identification.
3.5 Experiential Knowledge is the collection of information that a person has obtained through
their experience. Caution must be used when using any knowledge based information to ensure it
is relevant and applicable to the current situation.
3.6 Documented Knowledge is the collection of information or data that has been documented
about a particular subject. This is a source of information that provides insight into the risks in a
particular area of concern. Caution must be used when using any knowledge based information
to ensure it is relevant and applicable to the current situation
3.7 Risk Lists are usually lists of risks that have been found in similar municipalities and/or similar
situations. Caution must be used when using this type of information to ensure it is relevant and
applicable to the current situation.
3.8 Risk Trigger Questions are lists of situations or events in a particular area of a municipality
that can lead to risk identification. These are situations or areas where risks have been
discovered within the organization. These trigger questions may be grouped by areas such as
performance, cost, schedule, software, etc.
3.9 Lessons Learned is experiential knowledge that has been organized into information that
may be relevant to the different areas within the organization. This source of information may
guide you in identifying risk in your municipality. Caution must be used when using this type of
information to ensure it is relevant and applicable to the current situation.
3.10 Outputs from Risk-Oriented Analysis - There are various types of risk oriented
analysis. Two such techniques are fault tree analysis and event tree analysis. These are top
down analysis approaches that attempt to determine what events, conditions, or faults could lead
to a specific top level undesirable event. This event with the associated consequence could be a
risk for your program.
3.11 Historical Information is basically the same as documented knowledge. The difference is
that historical information is usually widely accepted as fact.
3.12 Engineering Templates are a set of flow charts for various aspects of the development
process. These templates are preliminary in nature and are intended as general guidance to
accomplish a top down assessment of activities.

4. How to perform risk identification

It is crucial to have knowledge of the business before commencing with risk identification process.
It is also important to learn from both past experience and experience of others when considering
the risks to which an Institution may be exposed and the best strategy available for responding to

10 | Page

Superior University, Lahore

Risk Management
by: Asif Masood Ahmad

those risks.
Risk identification starts with understanding the Institutional objectives, both implicit and
explicit. The risk identification process must identify unwanted events, undesirable outcomes,
emerging threats, as well as existing and emerging opportunities. By virtue of an Institution's
existence, risks will always prevail, whether the Institution has controls or not.
When identifying risks, it is also important to bear in mind that "risk" also has an opportunity
component. This means that there should also be a deliberate attention to identifying potential
opportunities that could be exploited to improve Institutional performance. In identifying risks,
consideration should be given to risks associated with not pursuing an opportunity, e.g. failure to
implement an IT system to collect municipal rates.
Risk identification exercise should not get bogged down in conceptual or theoretical detail. It
should also not limit itself to a fixed list of risk categories, although such a list may be helpful.
The following are key steps necessary to effectively identify risks from across the Institution:

Understand what to consider when identifying risks;

Gather information from different sources to identify risks;
Apply risk identification tools and techniques;
Document the risks;
Document the risk identification process; and
Assess the effectiveness of the risk identification process.

4.1 Understand what to consider when identifying risks

In order to develop a comprehensive list of risks, a systematic process should be used that starts
with defining objectives and key success factors for their achievement. This can help provide
confidence that the process of risk identification is complete and major issues have not been
missed.
4.2 Gather information from different sources to identify risks
Good quality information is important in identifying risks. The starting point for risk identification
may be historical information about this or similar Institutions and then discussions with a wide
range of stakeholders about historical, current and evolving issues, data analysis, review of
performance indicators, economic information, loss data, scenario planning and the like can
produce important risk information.
Furthermore, processes used during strategic planning like Strength Weakness Opportunity and
Threat SWOT Analysis, Political Economic Social Technological Environment & Legal. PEST (EL)
Analysis and benchmarking will have revealed important risks and opportunities that should not be
ignored, i.e. they should be included in the risk register.
Certain disciplines like IT, Strategic Management, Health and Safety etc. already have in place
established risk identification methodologies as informed by their professional norms and
standards. The risk identification process should recognize and utilize the outputs of these
techniques in order not to "re-invent the wheel".

11 | Page

Superior University, Lahore

Risk Management
by: Asif Masood Ahmad

4.3 Apply risk identification tools and techniques

An Institution should apply a set of risk identification tools and techniques that are suited to its
objectives and capabilities, and to the risk the Institution faces. Relevant and up-to-date
information is important in identifying risks. This should include suitable background information
where possible. People with appropriate knowledge should be involved in identifying risks.
Approaches used to identify risks could include the use of checklists, judgments based on
experience and records, flow charts, brainstorming, systems analysis, scenario analysis, and
system engineering techniques.

The approach used will depend on the nature of the activities under review, types of risks,
the Institutional context, and the purpose of the risk management exercise.

Team-based brainstorming for example, where facilitated workshops is a preferred

approach as it encourages commitment, considers different perspectives and incorporates
differing experiences.

Structured techniques such as flow charting, system design review, systems analysis,
Hazard and Operability (HAZOP) studies and operational modeling should be used where the
potential consequences are catastrophic and the use of such intensive techniques are cost
effective.

Since risk workshops are useful only for filtering and screening of possible risks, it is
important that the workshops are supplemented by more sophisticated or structured techniques
described above.

For less clearly defined situations, such as the identification of strategic risks, processes
with a more general structure, such as 'what-if' and scenario analysis could be used.

Where resources available for risk identification and analysis are constrained, the structure
and approach may have to be adapted to achieve efficient outcomes within budget limitations. For
example, where less time is available, a smaller number of key elements may be considered at a
higher level, or a checklist may be used.
4.4 Document the risks identified
The risks identified during the risk identification are typically documented in a risk register that,
includes (at this stage):

risk description;
how and why the risk can happen (i.e. causes and consequences); and
the existing internal controls that may reduce the likelihood or consequences of the risks.
It is essential when identifying a risk to consider the following three elements:
description/event - an occurrence or a particular set of circumstances;
causes - the factors that may contribute to a risk occurring or increase;
the likelihood of a risk occurring; and
consequences - the outcome(s) or impact(s) of an event.

It is the combination of these elements that make up a risk and this level of detail will enable an
Institution to better understand its risks.
4.5 Document your risk identification process

12 | Page

Superior University, Lahore

Risk Management
by: Asif Masood Ahmad

In addition to documenting identified risks, it is also necessary to document the risk identification
process to help guide future risk identification exercises and to ensure good practices are
maintained by drawing on lessons learned through previous exercises. Documentation of this
step should include:

the approach or method used for identifying risks;

the scope covered by the identification; and
the participants in the risk identification and the information sources consulted.

Experience has shown that management often disregards well controlled risks when documenting
the risk profile of the Institution. It is stressed that a well-controlled risk must still be recorded in
the risk profile of the Institution. The reason for this logic is that the processes for identifying risks
should ignore at that point any mitigating factors (these will be considered when the risk is being
assessed).

5. The outputs of risk identification

The document in which the risks are recorded is known as the "risk register" and it is the main
output of a risk identification exercise.
A risk register is a comprehensive record of all risks across the Institution or project depending on
the purpose/context of the register. There is no single blueprint for the format of a risk register and
Institutions have a great degree of flexibility regarding how they lay out their documents.
The risk register serves three main purposes

It is a source of information to report the key risks throughout the Institution, as well as to key stakeholders.
Management uses the risk register to focus their priorities risks.
It is to help the auditors to focus their plans on the Institution's top risks.

As a minimum, the risks register records:

the risk;

risk category;

how and why the risk can happen "cause of risk";

how will the risk impact the Institution if it materializes "impact on Institution";

the qualitative and / or quantitative cost should the risk materialize;

the likelihood and consequences of the risk to the Institution;

the existing internal controls that may minimize the likelihood of the risk occurring;

a risk level rating based on pre-established criteria;

framework, including an assessment of whether the risk is acceptable or whether it needs

to be treated;

a clear prioritization of risks (risk profile);

accountability for risk treatment (may be part of the risk treatment plan); and

Timeframe for risk treatment.

Once the risks have been identified and existing control have been assessed and it is has been
established that controls are inadequate, an assessment of whether the risk is acceptable or

13 | Page

Superior University, Lahore

Risk Management
by: Asif Masood Ahmad

whether it needs to be treated needs to be performed.

2. Risk assessment
Businesses face many risks; therefore risk management should be a central part of any business'
strategic management.
Risk management helps you to identify and address the risks facing your business and in doing so
increase the likelihood of successfully achieving your businesses objectives.
A risk management process involves:

methodically identifying the risks surrounding your business activities

assessing the likelihood of an event occurring

understanding how to respond to these events

putting systems in place to deal with the consequences

monitoring the effectiveness of your risk management approaches and controls

As a result, the process of risk management:

improves decision-making, planning and prioritization

helps you allocate capital and resources more efficiently

allows you to anticipate what may go wrong, minimizing the amount of fire-fighting you have to do
or, in a worst-case scenario, preventing a disaster or serious financial loss

significantly improves the probability that you will deliver your business plan on time and to budget
Risk management becomes even more important if your business decides to try something new,
for example launch a new product or enter new markets. Competitors following you into these
markets, or breakthroughs in technology which make your product redundant, are two risks you
may want to consider in cases such as these.

Risk assessment Definition

Risk assessment is the determination of quantitative or qualitative value of risk related to a
concrete situation and a recognized threat (also called hazard). Quantitative risk
assessment requires calculations of two components of risk (R), the magnitude of the potential
loss (L), and the probability (P) that the loss will occur. Acceptable risk is a risk that is
understood and tolerated usually because the cost or difficulty of implementing an effective
countermeasure for the associated vulnerability exceeds the expectation of loss.
In all types of engineering of complex systems sophisticated risk assessments are often made
within Safety engineering and Reliability engineering when it concerns threats to life,
environment or machine functioning. The nuclear, aerospace, oil, rail and military industries have
a long history of dealing with risk assessment. Also, medical, hospital, social service and food

14 | Page

Superior University, Lahore

Risk Management
by: Asif Masood Ahmad

industries control risks and perform risk assessments on a continual basis. Methods for
assessment of risk may differ between industries and whether it pertains to general financial
decisions or environmental, ecological, or public health risk assessment.

Explanation
Risk assessment consists of an objective evaluation of risk in which assumptions and
uncertainties are clearly considered and presented. Part of the difficulty in risk management is that
measurement of both of the quantities in which risk assessment is concerned potential loss and
probability of occurrence can be very difficult to measure. The chance of error in measuring
these two concepts is high. Risk with a large potential loss and a low probability of occurrence, is
often treated differently from one with a low potential loss and a high likelihood of occurrence. In
theory, both are of near equal priority, but in practice it can be very difficult to manage when faced
with the scarcity of resources, especially time, in which to conduct the risk management process.
Expressed mathematically,

Risk assessment from a financial point of view.

Financial decisions, such as insurance, express loss in terms of dollar amounts. When risk
assessment is used for public health or environmental decisions, loss can be quantified in a
common metric such as a country's currency or some numerical measure of a location's quality of
life. For public health and environmental decisions, loss is simply a verbal description of the
outcome, such as increased cancer incidence or incidence of birth defects. In that case, the "risk"
is expressed as

If the risk estimate takes into account information on the number of individuals exposed, it is
termed a "population risk" and is in units of expected increased cases per a time period. If the risk

15 | Page

Superior University, Lahore

Risk Management
by: Asif Masood Ahmad

estimate does not take into account the number of individuals exposed, it is termed an "individual
risk" and is in units of incidence rate per a time period. Population risks are of more use for
cost/benefit analysis; individual risks are of more use for evaluating whether risks to individuals
are "acceptable".

Risk Assessment?
Essential steps for performing a risk assessment

How to evaluate risks?

Risk evaluation allows you to determine the significance of risks to the business and decide to
accept the specific risk or take action to prevent or minimize it.
To evaluate risks, it is worthwhile ranking these risks once you have identified them.
This can be done by considering the consequence and probability of each risk. Many
businesses find that assessing consequence and probability as high, medium or low is adequate
for their needs.
These can then be compared with your business plan - to determine which risks may affect your
objectives - and evaluated in the light of legal requirements, costs and investor concerns. In some
cases, the cost of mitigating a potential risk may be so high that doing nothing makes more
business sense.
There are some tools you can use to help evaluate risks. You can plot on a risk map the
significance and likelihood of the risk occurring. Each risk is rated on a scale of one to ten. If a risk
is rated ten this means it is of major importance to the company. One is the least significant. The
map allows you to visualize risks in relation to each other, gauge their extent and plan what type
of controls should be implemented to mitigate the risks.
Prioritizing risks, however you do this, allows you to direct time and money toward the most
important risks. You can put systems and controls in place to deal with the consequences of an
event. This could involve defining a decision process and escalation procedures that your
company would follow if an event occurred.

Types of Risk assessment

Risk assessment can therefore be conducted at various levels of the organization. The objectives
and events under consideration determine the scope of the risk assessment to be undertaken.
Examples of frequently performed risk assessments include:
Strategic risk assessment. Evaluation of risks relating to the organizations mission and
strategic objectives, typically performed by senior management teams in strategic planning
meetings, with varying degrees of formality.

16 | Page

Superior University, Lahore

Risk Management
by: Asif Masood Ahmad

Operational risk assessment. Evaluation of the risk of loss (including risks to financial
performance and condition) resulting from inadequate or failed internal processes, people, and
systems, or from external events. In certain industries, regulators have imposed the requirement
that companies regularly identify and quantify their exposure to such risks. While responsibility for
managing the risk lies with the business, an independent function often acts in an advisory
capacity to help assess these risks.
Compliance risk assessment. Evaluation of risk factors relative to the organizations
compliance obligations, considering laws and regulations, policies and procedures, ethics and
business conduct standards, and contracts, as well as strategic voluntary standards and best
practices to which the organization has committed. This type of assessment is typically performed
by the compliance function with input from business areas.
Internal audit risk assessment. Evaluation of risks related to the value drivers of the
organization, covering strategic, financial, operational, and compliance objectives. The
assessment considers the impact of risks to shareholder value as a basis to define the audit plan
and monitor key risks. This top-down approach enables the coverage of internal audit activities to
be driven by issues that directly impact shareholder and customer value, with clear and explicit
linkage to strategic drivers for the organization.
Financial statement risk assessment. Evaluation of risks related to a material misstatement of
the organizations financial statements through input from various parties such as the controller,
internal audit, and operations. This evaluation, typically performed by the finance function,
considers the characteristics of the financial reporting elements (e.g., materiality and susceptibility
of the underlying accounts, transactions, or related support to material misstatement) and the
effectiveness of the key controls (e.g., likelihood that a control might fail to operate as intended,
and the resultant impact).
Fraud risk assessment. Evaluation of potential instances of fraud that could impact the
organizations ethics and compliance standards, business practice requirements, financial
reporting integrity, and other objectives. This is typically performed as part of Sarbanes-Oxley
compliance or during a broader organization-wide risk assessment, and involves subject matter
experts from key business functions where fraud could occur (e.g., procurement, accounting, and
sales) as well as forensic specialists.
Market risk assessment. Evaluation of market movements that could affect the organizations
performance or risk exposure, considering interest rate risk, currency risk, option risk, and
commodity risk. This is typically performed by market risk specialists.
Credit risk assessment. Evaluation of the potential that a borrower or counterparty will fail to
meet its obligations in accordance with agreed terms. This considers credit risk inherent to the
entire portfolio as well as the risk in individual credits or transactions, and is typically performed by
credit risk specialists.
Customer risk assessment. Evaluation of the risk profile of customers that could potentially
impact the organizations reputation and financial position. This assessment weighs the
customers intent, creditworthiness, affiliations, and other relevant factors. This is typically
performed by account managers, using a common set of criteria and a central repository for the
assessment data.

17 | Page

Superior University, Lahore

Risk Management
by: Asif Masood Ahmad

Supply chain risk assessment. Evaluation of the risks associated with identifying the inputs
and logistics needed to support the creation of products and services, including selection and
management of suppliers (e.g., up-front due diligence to qualify the supplier, and ongoing quality
assurance reviews to assess any changes that could impact the achievement of the organizations
business objectives).

How risk is determined

In the estimation of risks, three or more steps are involved that require the inputs of different
disciplines:
1. Hazard Identification aims to determine the qualitative nature of the potential adverse
consequences of the contaminant (chemical, radiation, noise, etc.) and the strength of the
evidence it can have that effect. This is done, for chemical hazards, by drawing from the
results of the sciences of toxicology and epidemiology. For other kinds of hazard,
engineering or other disciplines are involved.
2. Dose-Response Analysis is determining the relationship between dose and the probability
or the incidence of effect (dose-response assessment). The complexity of this step in many
contexts derives mainly from the need to extrapolate results from experimental animals
(e.g. mouse, rat) to humans, and/or from high to lower doses. In addition, the differences
between individuals due to genetics or other factors mean that the hazard may be higher
for particular groups, called susceptible populations. An alternative to dose-response
estimation is to determine a concentration unlikely to yield observable effects, that is, a no
effect concentration. In developing such a dose, to account for the largely unknown effects
of animal to human extrapolations, increased variability in humans, or missing data, a
prudent approach is often adopted by including safety factors in the estimate of the "safe"
dose, typically a factor of 10 for each unknown step.
3. Exposure Quantification aims to determine the amount of a contaminant (dose) that
individuals and populations will receive. This is done by examining the results of the
discipline of exposure assessment. As different location, lifestyles and other factors likely
influence the amount of contaminant that is received, a range or distribution of possible
values is generated in this step. Particular care is taken to determine the exposure of the
susceptible population(s).
Finally, the results of the three steps above are then combined to produce an estimate of risk.
Because of the different susceptibilities and exposures, this risk will vary within a population.

Small sub-populations
When risks apply mainly to small sub-populations, there is uncertainty at which point intervention
is necessary. For example, there may be a risk that is very low for everyone, other than 0.1% of
the population. It is necessary to determine whether this 0.1% is represented by:

all infants younger than X days or

recreational users of a particular product.

18 | Page

Superior University, Lahore

Risk Management
by: Asif Masood Ahmad

If the risk is higher for a particular sub-population because of abnormal exposure rather than
susceptibility, strategies to further reduce the exposure of that subgroup are considered. If an
identifiable sub-population is more susceptible due to inherent genetic or other factors, public
policy choices must be made. The choices are:

to set policies for protecting the general population that are protective of such groups, e.g. for
children when data exists, the Clean Air Act for populations such as asthmatics or
not to set policies, because the group is too small, or the costs too high.

Acceptable risk criteria

The idea of not increasing lifetime risk by more than one in a million has become commonplace in
public health discourse and policy. It is a heuristic measure. It provides a numerical basis for
establishing a negligible increase in risk.
Environmental decision making allows some discretion for deeming individual risks potentially
"acceptable" if less than one in ten thousand chance of increased lifetime risk. Low risk criteria
such as these provide some protection for a case where individuals may be exposed to multiple
chemicals e.g. pollutants, food additives or other chemicals.
In practice, a true zero-risk is possible only with the suppression of the risk-causing activity.
Stringent requirements of 1 in a million may not be technologically feasible or may be so
prohibitively expensive as to render the risk-causing activity unsustainable, resulting in the optimal
degree of intervention being a balance between risks vs. benefit. For example, emissions from
hospital incinerators result in a certain number of deaths per year. However, this risk must be
balanced against the alternatives. There are public health risks, as well as economic costs,
associated with all options. The risk associated with no incineration is potential spread of
infectious diseases, or even no hospitals. Further investigation identifies options such as
separating noninfectious from infectious wastes, or air pollution controls on a medical incinerator.
Intelligent thought about a reasonably full set of options is essential. Thus, it is not unusual for
there to be an iterative process between analyses, consideration of options, and follow up
analysis.

Risk Assessment in Various Sectors

In public health
In the context of public health, risk assessment is the process of quantifying the probability of a
harmful effect to individuals or populations from certain human activities. In most countries the use
of specific chemicals or the operations of specific facilities (e.g. power plants, manufacturing
plants) is not allowed unless it can be shown that they do not increase the risk of death or illness
above a specific threshold. For example, the American Food and Drug Administration (FDA)
regulate food safety through risk assessment. The FDA required in 1973 that cancer-causing
compounds must not be present in meat at concentrations that would cause a cancer risk greater

19 | Page

Superior University, Lahore

Risk Management
by: Asif Masood Ahmad

than 1 in a million over a lifetime. The US Environmental Protection Agency provides basic
information about environmental risk assessments for the public via its risk assessment
portal. The Stockholm Convention on persistent organic pollutants (POPs) supports a qualitative
risk framework for public health protection from chemicals that display environmental and
biological persistence, bioaccumulation, toxicity (PBT) and long range transport; most global
chemicals that meet this criteria have been previously assessed quantitatively by national and
international health agencies.

In auditing
For audits performed by an outside audit firm, risk assessment is a very crucial stage before
accepting an audit engagement. According to ISA315 Understanding the Entity and its
Environment and Assessing the Risks of Material Misstatement, "the auditor should perform risk
assessment procedures to obtain an understanding of the entity and its environment, including its
internal control. Evidence relating to the auditors risk assessment of a material misstatement in
the clients financial statements. Then, the auditor obtains initial evidence regarding the classes of
transactions at the client and the operating effectiveness of the clients internal controls. In
auditing, audit risk is defined as the risk that the auditor will issue a clean unmodified opinion
regarding the financial statements, when in fact the financial statements are materially misstated,
and therefor do not qualify for a clean unmodified opinion. As a formula, audit risk is the product of
two other risks: Risk of Material Misstatement and Detection risk. This formula can be further
broken down as follows: (inherent risk X control risk X detection risk).

Human health
There are many resources that provide health risk information.
The National Library of Medicine provides risk assessment and regulation information tools for a
varied audience. These include:

TOXNET (databases on hazardous chemicals, environmental health, and toxic releases)

the Household Products Database (potential health effects of chemicals in over 10,000
common household products).
TOXMAP (maps of the U.S. Environmental Protection Agency Superfund and Toxics Release
Inventory data).

The United States Environmental Protection Agency provides basic information about
environmental risk assessments for the public.

In information security
IT risk assessment can be performed by a qualitative or quantitative approach, following different
methodologies.

20 | Page

Superior University, Lahore

Risk Management
by: Asif Masood Ahmad

In project management
In project management, risk assessment is an integral part of the risk management plan, studying
the probability, the impact, and the effect of every known risk on the project, as well as the
corrective action to take should that risk occur. Of special consideration in this area is the relevant
codes of practice that are enforce in the specific jurisdiction. Understanding the regime of
regulations that risk management must abide by is integral to formulating safe and compliant risk
assessment practices.

For megaprojects
Megaprojects (sometimes also called "major programs") are extremely large-scale investment
projects, typically costing more than US$1 billion per project. Megaprojects include bridges,
tunnels, highways, railways, airports, seaports, power plants, dams, wastewater projects, coastal
flood protection, oil and natural gas extraction projects, public buildings, information technology
systems, aerospace projects, and defence systems. Megaprojects have been shown to be
particularly risky in terms of finance, safety, and social and environmental impacts.

Quantitative risk assessment

Quantitative risk assessments include a calculation of the single loss expectancy (SLE) of an
asset. The single loss expectancy can be defined as the loss of value to asset based on a single
security incident. The team then calculates the Annualized Rate of Occurrence (ARO) of the threat
to the asset. The ARO is an estimate based on the data of how often a threat would be successful
in exploiting vulnerability. From this information, the Annualized Loss Expectancy (ALE) can be
calculated. The annualized loss expectancy is a calculation of the single loss expectancy
multiplied by the annual rate of occurrence, or how much an organization could estimate to lose
from an asset based on the risks, threats, and vulnerabilities. It then becomes possible from a
financial perspective to justify expenditures to implement countermeasures to protect the asset.

In software evolution
Studies have shown that early parts of the system development cycle such as requirements and
design specifications are especially prone to error. This effect is particularly notorious in projects
involving multiple stakeholders with different points of view. Evolutionary software processes offer
an iterative approach to requirement engineering to alleviate the problems of uncertainty,
ambiguity and inconsistency inherent in software developments.

In shipping industry
In July 2010, shipping companies agreed to use standardized procedures in order to assess risk
in key shipboard operations. These procedures were implemented as part of the amended ISM
code.

3. Risk Prioritization

21 | Page

Superior University, Lahore

Risk Management
by: Asif Masood Ahmad

Risk analysis and evaluation criteria to prioritize risk

The next step is to evaluate the risk arising from each hazard. This can be done by considering:

how likely it is that a hazard will cause harm (e.g. whether it is improbable, possible but not
very likely, probable, or inevitable over time)

how serious that harm is likely to be (e.g. resulting in minor damage, a non-injury incident,
a minor injury (bruise, laceration), a serious injury (fracture, amputation, chronic ill-health), a
fatality, or a multiple-fatality)

How often (and how many) workers are exposed.

A straightforward process based on judgment and requiring no specialist skills or complicated

techniques could be sufficient for many workplace hazards or activities. These include activities
with hazards of low concern, or workplaces where risks are well known or readily identified and
where a means of control is readily available. This is probably the case for most businesses
(mainly small and medium-sized enterprises SMEs).
In some other cases it may not be possible to identify the hazards and evaluate risks without
professional knowledge, support and advice. This may arise in respect of the more complex
processes and technologies in the workplace, or hazards, such as those related to health, which
may not be readily or easily identifiable, and may require analysis and measurements.

Evaluate Risk
In the risk analysis stage, each risk has been assigned a level based on likelihood and
consequences. The purpose of evaluation is to compare the levels of risk and decide whether the
level of each risk is acceptable or not. There may also be a number of risks that fall into the same
level where each of them would not be treated equally.
In determining whether a risk is acceptable or not, the evaluation would take into account a
number of factors:

How does the level of each risk (from the analysis step in 'Analyse risks') stand up
against the level of acceptable risk in 'About establishing the context'?

Is the level of the risk so low that treatment is not appropriate? (As Low As
Reasonably Practicable - ALARP)

Do the opportunities outweigh the threats to such a degree that the risk is justified?

Is the cost excessive compared to the benefit?

Is there no treatment available?

If risk criteria were established when setting the context, the level of risk would now be compared
against this criteria in order to determine whether the risk is acceptable. If acceptable, there would
be no further action taken. The justification for this would be documented and the risk monitored to
ensure that no factors arise that would require assessment of the risk to be reviewed.

22 | Page

Superior University, Lahore

Risk Management
by: Asif Masood Ahmad

If the risk is not acceptable, then the risk assessment process would continue to determine
appropriate treatment options in order that the risk is reduced to As Low as Reasonably
Practicable (ALARP).
Level of risk

Sample response expectations

Severe risk

must be managed by senior management with a detailed plan

High risk

detailed research and management planning required at senior levels

Major risk

senior management attention is needed

Significant risk management responsibility must be specified

Moderate risk

manage by specific monitoring or response procedures

Low risk

manage by routine procedures

Trivial risk

unlikely to need specific application of resources

As Low As Reasonably Practicable (ALARP)

In general two criteria can be defined using the ALARP concept:

risk is negligible and can be accepted without specific treatment other than
monitoring

risk is intolerable and the activity must cease, unless risk can be reduced.
Between these levels is a region where costs and benefits are taken into account. When risk is
close to the intolerable level the expectation is that risk will be reduced unless the cost of reducing
the risk is grossly disproportionate to the benefits gained. Where risks are close to the negligible
level then action may only be taken to reduce risk where benefits exceed the costs of reduction.

23 | Page

Superior University, Lahore

Risk Management
by: Asif Masood Ahmad

Prioritizing Risk
Once the level of risk has been determined for each risk, this information can be entered onto a
risk register showing the level of risks. The evaluation will decide the risk priority, showing which
risk must be managed first in order to reduce the exposure of the organisation to serious loss. Of
course, small or insignificant risks might be treated immediately where it would be quick and / or
low cost to do so.
Once the priority is determined and risks are to be treated, those will then be included on a risk
treatment schedule where they can be tracked until the risks are treated.

Risk Register
Risk Register Definition
A Risk Register, also referred to as a Risk Log, is a master document which is created during the early
stages of your project. It is a tool that plays an important part in your Risk Management Plan, helping
you to track issues and address problems as they arise.
The Risk Register will generally be shared between project stakeholders, allowing those involved in
the project to be kept aware of issues and providing a means of tracking the response to issues. It can
be used to flag new project risks and to make suggestions on what course of action to take to resolve
any issues.
All corporate and organizational projects face risk at one time or another. Having a Risk Register in
place simply provides a better means of responding to problems as they arise. The Risk Register is
there to help with the decisions making process and enables managers and project stakeholders to
handle risk in the most appropriate way. A risk needn't be a threat to your project, it is simply an issue
that can arise during the project; if effectively managed, it shouldn't prevent your project from attaining
its goals and objectives. The Risk Register is a document that contains information about identified
project risks, analysis of risk severity and evaluations of the possible solutions to be applied.

24 | Page

Superior University, Lahore

Risk Management
by: Asif Masood Ahmad

Presenting this in a spreadsheet if often the easiest way to manage things, so that key information can
be found and applied quickly and easily.

How Risk Register is created?

If you're going to create a Risk Register and the following is a brief guide on how to get started in just a
few steps:
1. Create the Risk Register - this step will be undertaken when the project plan is approved and
the Risk Section of the project plan should serve as the basis for the document.
2. Record active risks - keep track of active risks by recording them in the Risk Register along
with the date identified, date updated, target date and closure date. Other useful information to
include is the risk identification number, a description of the risk, type and severity of risk, its
impact, possible response action and the current status of risk.
3. Assign a unique number to each risk element - this will help to identify each unique risk, so that
you know if that risk eventuates during the project and what the status of the risk is at any given
time. Keeping this number consistent throughout the project will make it easy to see how this
risk links in to the Project Status Report, Risk Identification and Risk Impact Form.
4. The risk register addresses risk management in four key steps:
(1) identifying the risk,
(2) evaluating the severity of any identified risks,

25 | Page

Risk Management
by: Asif Masood Ahmad

Superior University, Lahore

(3) applying possible solutions to those risks and

(4) monitoring and analysing the effectiveness of any subsequent steps taken.
5. By learning how to create a Risk Register, you can be proactive about managing your projects
and handling any risks associated with them. Any issues that are likely to impact upon the
success of your project and the speedy completion of the project is categorised as risk.
Implementing strategies to handle this, such as a risk register, will help to prevent risk from
becoming an issue that may cause significant delays or even lead to the project failing.

RISK REGISTER TEMPLATE

Risk Identification

Qualitative Rating

Risk Risk
Category

Probability Impact Risk

Score

Risk Response
Risk
Ranking

Risk
Response

Trigger Risk
Owner

Example of a risk register

The risk: what can happen and Injury caused by falling
how it can happen tree branch
Consequences of an event
happening
Likelihood of an event
happening
Adequacy of current controls
Consequence rating
Likelihood rating
Level of risk

Serious injury

Rare, trees are not in

immediate vicinity
Adequate
3
D
M
Moderate risk
Risk priority Accept and monitor
Not possible within
context to treat the trees.

River could be polluted by waste from

festival grounds
Non-toxic waste, cost of clean-up
Likely to be some rubbish blown in by wind
Adequate
1
C
L
Low risk
Manage
Easy and cheap to control. Low cost
placement of bins and staff to pick up
rubbish.

Risk Matrix
A Risk Matrix is a matrix that is used during Risk Assessment to define the various levels of risk
as the product of the harm probability categories and harm severity categories. This is a simple
mechanism to increase visibility of risks and assist management decision making.
Although many standard risk matrices exist in different contexts (US DoD, NASA, ISO), individual
projects and organizations may need to create their own or tailor an existing risk matrix.

26 | Page

Superior University, Lahore

Risk Management
by: Asif Masood Ahmad

The matrix below is adapted from the Risk Management Standard. It can be used to record a
priority rating for each risk identified in the risk audit. Each risk identified must be evaluated in
terms of:

The probability of occurrence (the likelihood).

The severity of the consequence should the risk actually occur.

A risk exposure that has both a high likelihood and a high severity of consequence should be
given the greatest consideration for elimination or control. A risk that is both low in likelihood and
low in severity can easily be retained and self-funded.
If an evaluation of a risk gives rise to a rating of "Extreme", it must be dealt with straight away.

Legend

Extreme Risk

Immediate action required

High Risk

Senior management attention needed

Moderate Risk

Management responsibility must be specified

Low Risk

Manage by routine procedures

Here are few other of the examples of Risk Matrix:

27 | Page

Superior University, Lahore

Risk Management
by: Asif Masood Ahmad

4. Risk Mitigation Planning and Implementation

Definition: Risk mitigation planning is the process of developing options and actions to enhance
opportunities and reduce threats to project objectives. Risk mitigation implementation is the
process of executing risk mitigation actions. Risk mitigation progress monitoring includes tracking

28 | Page

Superior University, Lahore

Risk Management
by: Asif Masood Ahmad

identified risks, identifying new risks, and evaluating risk process effectiveness throughout the
project.

Background
Risk mitigation planning, implementation, and progress monitoring are depicted in Figure 1. As
part of an iterative process, the risk tracking tool is used to record the results of risk prioritization
analysis (step 3) that provides input to both risk mitigation (step 4) and risk impact assessment
(step 2).

Figure 1. Risk Management: Fundamental Steps [3]

The risk mitigation step involves development of mitigation plans designed to manage, eliminate,
or reduce risk to an acceptable level. Once a plan is implemented, it is continually monitored to
assess its efficacy with the intent of revising the course-of-action if needed.
Risk Mitigation Strategies
General guidelines for applying risk mitigation handling options are shown in Figure 2. These
options are based on the assessed combination of the probability of occurrence and severity of
the consequence for an identified risk. These guidelines are appropriate for many, but not all,
projects and programs.

29 | Page

Superior University, Lahore

Risk Management
by: Asif Masood Ahmad

Figure 2. Risk Mitigation Handling Options [3]

Risk mitigation handling options include:

Assume/Accept: Acknowledge the existence of a particular risk, and make a

deliberate decision to accept it without engaging in special efforts to control it. Approval of
project or program leaders is required.

Avoid: Adjust program requirements or constraints to eliminate or reduce the risk.

This adjustment could be accommodated by a change in funding, schedule, or technical
requirements.

Control: Implement actions to minimize the impact or likelihood of the risk.

Transfer: Reassign organizational accountability, responsibility, and authority to

another stakeholder willing to accept the risk.

Watch/Monitor: Monitor the environment for changes that affect the nature and/or
the impact of the risk.
Each of these options requires developing a plan that is implemented and monitored for
effectiveness. More information on handling options is discussed under best practices and lessons
learned below.
From a systems engineering perspective, common methods of risk reduction or mitigation with
identified program risks include the following, listed in order of increasing seriousness of the risk:
1.
2.
3.
4.
5.
6.

Intensified technical and management reviews of the engineering process

Special oversight of designated component engineering
Special analysis and testing of critical design items
Rapid prototyping and test feedback
Consideration of relieving critical design requirements
Initiation of fallback parallel developments

30 | Page

Superior University, Lahore

Risk Management
by: Asif Masood Ahmad

When determining the method for risk mitigation, the MITRE SE can help the customer assess the
performance, schedule, and cost impacts of one mitigation strategy over another. For something
like "parallel" development mitigation, MITRE SEs could help the government determine whether
the cost could more than double, while time might not be extended by much (e.g., double the cost
for parallel effort, but also added cost for additional program office and user engagement). For
conducting rapid prototyping or changing operational requirements, MITRE SEs can use
knowledge in creating prototypes and using prototyping and experimenting (see SE Guide article
on Special Considerations for Conditions of Uncertainty: Prototyping and Experimentation and
the Requirements Engineering topic) for projecting the cost and time to conduct a prototype to
help mitigate particular risks (e.g., requirements). Implementing more engineering reviews and
special oversight and testing may require changes to contractual agreements. MITRE systems
engineers can help the government assess these (schedule and cost) by helping determine the
basis of estimates for additional contractor efforts and providing a reality check for these
estimates. MITRE's CASA [Center for Acquisition and Systems Analysis] and the CCG [Center for
Connected Government] Investment Management practice department have experience and a
knowledge base in many development activities across a wide spectrum of methods and can help
with realistic assessments of mitigation alternatives.
For related information, refer to the other articles in this Risk Management topic area of the SE
Guide.
Best Practices and Lessons Learned
What actions are needed?
When must actions be completed?

Handling Options
o
Assume/Accept. Collaborate with the operational users to create a collective
understanding of risks and their implications. Risks can be characterized as
impacting traditional cost, schedule, and performance parameters. Risks should also
be characterized as impact to mission performance resulting from reduced technical
performance or capability. Develop an understanding of all these impacts. Bringing
users into the mission impact characterization is particularly important to selecting
which "assume/accept" option is ultimately chosen. Users will decide whether
accepting the consequences of a risk is acceptable. Provide the users with the
vulnerabilities affecting a risk, countermeasures that can be performed, and residual
risk that may occur. Help the users understand the costs in terms of time and
money.
o
Avoid. Again, work with users to achieve a collective understanding of the
implications of risks. Provide users with projections of schedule adjustments needed
to reduce risk associated with technology maturity or additional development to
improve performance. Identify capabilities that will be delayed and any impacts
resulting from dependencies on other efforts. This information better enables users
to interpret the operational implications of an "avoid" option.
o
Control. Help control risks by performing analyses of various mitigation
options. For example, one option is to use a commercially available capability
instead of a contractor developed one. In developing options for controlling risk in

31 | Page

Superior University, Lahore

Risk Management
by: Asif Masood Ahmad

your program, seek out potential solutions from similar risk situations of other MITRE
customers, industry, and academia. When considering a solution from another
organization, take special care in assessing any architectural changes needed and
their implications.
o
Transfer. Reassigning accountability, responsibility, or authority for a risk area
to another organization can be a double-edged sword. It may make sense when the
risk involves a narrow specialized area of expertise not normally found in program
offices. But, transferring a risk to another organization can result in dependencies
and loss of control that may have their own complications. Position yourself and your
customer to consider a transfer option by acquiring and maintaining awareness of
organizations within your customer space that focus on specialized needs and their
solutions. Acquire this awareness as early in the program acquisition cycle as
possible, when transfer options are more easily implemented.
o
Watch/Monitor. Once a risk has been identified and a plan put in place to
manage it, there can be a tendency to adopt a "heads down" attitude, particularly if
the execution of the mitigation appears to be operating on "cruise control." Resist
that inclination. Periodically revisit the basic assumptions and premises of the risk.
Scan the environment to see whether the situation has changed in a way that affects
the nature or impact of the risk. The risk may have changed sufficiently so that the
current mitigation is ineffective and needs to be scrapped in favor of a different one.
On the other hand, the risk may have diminished in a way that allows resources
devoted to it to be redirected.
Determining Mitigation Plans
o
Understand the users and their needs. The users/operational decision makers
will be the decision authority for accepting and avoiding risks. Maintain a close
relationship with the user community throughout the system engineering life cycle.
Realize that mission accomplishment is paramount to the user community and
acceptance of residual risk should be firmly rooted in a mission decision.
o
Seek out the experts and use them. Seek out the experts within and outside
MITRE. MITRE's technical centers exist to provide support in their specialty areas.
They understand what's feasible, what's worked and been implemented, what's
easy, and what's hard. They have the knowledge and experience essential to risk
assessment in their area of expertise. Know our internal centers of excellence,
cultivate relationships with them, and know when and how to use them.
o
Recognize risks that recur. Identify and maintain awareness of the risks that
are "always there" interfaces, dependencies, changes in needs, environment and
requirements, information security, and gaps or holes in contractor and program
office skill sets. Help create an acceptance by the government that these risks will
occur and recur and that plans for mitigation are needed up front. Recommend
various mitigation approaches including adoption of an evolution strategy,
prototyping, experimentation, engagement with broader stakeholder community, and
the like.
o
Encourage risk taking. Given all that has been said in this article and its
companions, this may appear to be an odd piece of advice. The point is that there
are consequences of not taking risks, some of which may be negative. Help the
customer and users understand that reality and the potential consequences of being

32 | Page

Superior University, Lahore

Risk Management
by: Asif Masood Ahmad

overly timid and not taking certain risks in your program. An example of a negative
consequence for not taking a risk when delivering a full capability is that an
adversary might realize a gain against our operational users. Risks are not defeats,
but simply bumps in the road that need to be anticipated and dealt with.
o
Recognize opportunities. Help the government understand and see
opportunities that may arise from a risk. When considering alternatives for managing
a particular risk, be sure to assess whether they provide an opportunistic advantage
by improving performance, capacity, flexibility, or desirable attributes in other areas
not directly associated with the risk.
o
Encourage deliberate consideration of mitigation options. This piece of advice
is good anytime, but particularly when supporting a fast-paced, quick reaction
government program that is juggling many competing priorities. Carefully analyze
mitigation options and encourage thorough discussion by the program team. This is
the form of the wisdom "go slow to go fast."
o
Not all risks require mitigation plans. Risk events assessed as medium or
high criticality should go into risk mitigation planning and implementation. On the
other hand, consider whether some low criticality risks might just be tracked and
monitored on a watch list. Husband your risk-related resources.
Mitigation Plan Content
o
Determine the appropriate risk manager. The risk manager is responsible for
identifying and implementing the risk mitigation plan. He or she must have the
knowledge, authority, and resources to implement the plan. Risk mitigation activities
will not be effective without an engaged risk manager. It may be necessary to
engage higher levels in the customer organization to ensure the need for the risk
manager is addressed. This can be difficult and usually involves engaging more
senior levels of the MITRE team as well.
o
Develop a high-level mitigation strategy. This is an overall approach to reduce
the risk impact severity and/or probability of occurrence. It could affect a number of
risks and include, for example, increasing staffing or reducing scope.
o
Identify actions and steps needed to implement the mitigation strategy. Ask
these key questions:
What actions are needed?
o
Make sure you have the right exit criteria for each. For example, appropriate
decisions, agreements, and actions resulting from a meeting would be required for
exit, not merely the fact that the meeting was held.
o
Look for evaluation, proof, and validation of met criteria. Consider, for
example, metrics or test events.
o
Include only and all stakeholders relevant to the step, action, or decisions.
When must actions be completed?
o
Backward Planning: Evaluate the risk impact and schedule of need for the
successful completion of the program and evaluate test events, design
considerations, and more.
o
Forward Planning: Determine the time needed to complete each action step
and when the expected completion date should be.
o
Evaluate key decision points and determine when a move to a contingency
plan should be taken.

33 | Page

Superior University, Lahore

Risk Management
by: Asif Masood Ahmad

Who is the responsible action owner?

What resources are required? Consider, for example, additional funding or
collaboration.
How will this action reduce the probability or severity of impact?

Develop a contingency plan ("fall back, plan B") for any high risk.
o
Are cues and triggers identified to activate contingency plans and risk
reviews?
o
Include decision point dates to move to fallback plans. The date to move must
allow time to
execute the contingency plan.

Evaluate the status of each action. Determine when each action is expected to be
completed successfully.

Integrate plans into IMS and program management baselines. Risk plans are
integral to the program, not something apart from it.

5.

Risk Monitoring, Review & Reporting

Risk Monitoring Definition

The ongoing and systematic tracking and evaluating of risk management decisions and actions
against strategies, risk appetite, policies, limits and key risk indicators. Risk monitoring
incorporates a feedback loop into the other components of the risk management process, namely
risk identification, measurement/assessment, management and/or reporting.

34 | Page

Superior University, Lahore

Risk Management
by: Asif Masood Ahmad

Monitoring and review should be a planned part of the risk management process and involve
regular checking or surveillance. The results should be recorded and reported externally and
internally, as appropriate. The results should also be an input to the review and continuous
improvement of the firm's risk management framework.
Responsibilities for monitoring and review should be clearly defined. The firm's monitoring and
review processes should encompass all aspects of the risk management process for the purposes
of:

Ensuring that controls are effective and efficient in both design and operation
Obtaining further information to improve risk assessment
Analysing and learning lessons from risk events, including near-misses, changes, trends,
successes and failures

Detecting changes in the external and internal context, including changes to risk criteria
and to the risks, which may require revision of risk treatments and priorities

Identifying emerging risks.

As part of the monitoring process, the thresholds for the risk criteria should be reviewed at the
commencement of each risk assessment cycle to identify the processes that may be subject to
increased risks and, as such, would derive the greatest value from the risk assessment.
Step I Monitor & Review
Regularly review risks identified in the firms risk register. Document any actions or events that
change the status of a risk, for example:

Changes to a risk evaluation as a result of improvements in controls

A control breach and near miss should be logged at the time of the event
A new risk that has been identified.
Partners should review the risk register on a regular basis, such as at a monthly partners
meeting, to determine if any remedial action needs to be taken immediately.
Step II Continuous Improvement
The effectiveness of the risk management framework implemented needs to be periodically
reviewed to ensure continuous improvement of risk management in the firm.
The purpose of the framework is to embed a risk aware culture within the firm. This can be
evaluated in light of breaches and near misses, the effectiveness of communication, and
assessing what lessons have been learned and remedial actions taken.
The framework is only effective if the context remains relevant to the firm, as this sets the scope
for risk management. Ensure the practice objectives and the internal and external context for risk
management are current and accurate.
The assessment criteria used in the risk framework also need to be reviewed to ensure they
remain relevant to the size and complexity of the practice.
Example of Risk Monitoring & Review
The key output from the monitor and review stage of the risk management process is ongoing. An
example of how this can be documented in a risk register is shown:
RISK IDENTIFICATION

RISK MONITORING & REVIEW

35 | Page

Risk Management
by: Asif Masood Ahmad

Superior University, Lahore

Event

Method

Progress and Compliance

Reporting

Status

OPEN

Failure to meet compliance

obligations

Monthly review at
Practitioner/Partner meeting

1. Compliance review incomplete

2. Research delayed on potential
system/tool

Loss of Practitioner

Quarterly review of succession

plan

1. Power of attorney in place

2. Documentation of key processes in OPEN
progress

Failure to collect receivables in a

timely manner

Report fortnightly on receivables 1. Receivables tracking under review

OPEN

Risk Reporting
The communication of risk information in all phases of the risk management process, namely
identification, measurement, management and monitoring. Risk reporting includes at least the
reporting of: aggregate exposures against targets/strategies; key issues for the key issues control
log; compliance with limit system; key risk indicators; and review findings.
Detailed information about the risk at individual level and at portfolio level are required to manage
effectively. It is also the task of risk reporting, an independent unit of the market division, to
consolidate and process the information related to risk controlling and to aggregate it into a risk
report covering the following four areas:
1. The report has to show the development of the total portfolio and sub-portfolios in terms of risk;
furthermore, important individual positions have to be elaborated on.
2. The report must foster the need for action, that is mainly risk mitigation measures, resulting from
the assessment of future market trends, the coordination with risk-bearing capacity and risk
strategy, as well as findings from analyzing the competition
3. The risk report has to explain how the measures will affect the institutions risk situation and
what the deadline for the implementation of the measures is.
4. The risk report must summarize the efficiency of risk identification, assessment and control, by
disclosing weak/problematic points to be processed in the future and a short term guideline for
concerns to be under the internal audit attention.
The risk department/sector prepares the risk report and submits it to the risk committee. The
reports level of detail has to be adapted to the information required by the recipient in each case.
This would require an analysis as to the needs of the respective decision-making levels, resulting
in the preparation of reports in accordance with those needs. In its final version, the credit risk
report should contain all levels of detail to ensure that the data communicated within the bank are
consistently available for all levels of detail should those data be required in the decision-making
process.

Enterprise Risk Management [ERM] Framework

36 | Page

Superior University, Lahore

Risk Management
by: Asif Masood Ahmad

ERM frameworks defined

There are various important ERM frameworks, each of which describes an approach for
identifying, analyzing, responding to, and monitoring risks and opportunities, within the internal
and external environment facing the enterprise. Management selects a risk response strategy for
specific risks identified and analyzed, which may include:
1. Avoidance: exiting the activities giving rise to risk
2. Reduction: taking action to reduce the likelihood or impact related to the risk
3. Alternative Actions: deciding and considering other feasible steps to minimize risks.
4. Share or Insure: transferring or sharing a portion of the risk, to finance it
5. Accept: no action is taken, due to a cost/benefit decision
Monitoring is typically performed by management as part of its internal control activities, such as
review of analytical reports or management committee meetings with relevant experts, to
understand how the risk response strategy is working and whether the objectives are being
achieved.

Casualty Actuarial Society framework

In 2003, the Casualty Actuarial Society (CAS) defined ERM as the discipline by which an
organization in any industry assesses, controls, exploits, finances, and monitors risks from all
sources for the purpose of increasing the organization's short- and long-term value to its
stakeholders." The CAS conceptualized ERM as proceeding across the two dimensions of risk
type and risk management processes. The risk types and examples include:
Strategic risks
Competition, Social trend, Capital availability
Financial risk
Pricing risk, Asset risk, Currency risk, Liquidity risk
Operational risk
Customer satisfaction, Product failure, Integrity, Reputational risk

Hazard risk (Compliance risks + Other risks)

Liability torts, Property damage, Natural catastrophe

The risk management process involves:

1. Establishing Context: This includes an understanding of the current conditions in which
the organization operates on an internal, external and risk management context.

37 | Page

Superior University, Lahore

Risk Management
by: Asif Masood Ahmad

2. Identifying Risks: This includes the documentation of the material threats to the
organizations achievement of its objectives and the representation of areas that the
organization may exploit for competitive advantage.
3. Analyzing/Quantifying Risks: This includes the calibration and, if possible, creation of
probability distributions of outcomes for each material risk.
4. Integrating Risks: This includes the aggregation of all risk distributions, reflecting
correlations and portfolio effects, and the formulation of the results in terms of impact on the
organizations key performance metrics.
5. Assessing/Prioritizing Risks: This includes the determination of the contribution of each
risk to the aggregate risk profile, and appropriate prioritization.
6. Treating/Exploiting Risks: This includes the development of strategies for controlling and
exploiting the various risks.
7. Monitoring and Reviewing: This includes the continual measurement and monitoring of
the risk environment and the performance of the risk management strategies.

RIMS Risk Maturity Model

The RIMS Risk Maturity Model (RMM) for Enterprise Risk Management, published in 2008, is an
umbrella framework of content and methodology that detail the requirements for sustainable and
effective enterprise risk management. The RMM model consists of twenty-five competency drivers
for seven attributes that create ERMs value and utility in an organization. The 7 attributes are:

ERM based approach

ERM process management
Risk appetite management
Root cause discipline
Uncovering risks
Performance management
Business resiliency and sustainability

The model was published by the Risk and Insurance Management society and developed with the
support of co-developer Steven Minsky, CEO of Logic Manager. The Risk Maturity Model is based
on the Capability Maturity Model, a methodology founded by the Carnegie Mellon University
Software Engineering Institute (SEI) in the 1980s.

COSO (Committee of Sponsoring Organizations)

ERM framework
The COSO "Enterprise Risk Management-Integrated Framework" published in 2004 defines ERM
as a "process, effected by an entity's board of directors, management, and other personnel,

38 | Page

Superior University, Lahore

Risk Management
by: Asif Masood Ahmad

applied in strategy setting and across the enterprise, designed to identify potential events that may
affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance
regarding the achievement of entity objectives."
The COSO ERM Framework has eight Components and four objectives categories. It is an
expansion of the COSO Internal Control-Integrated Framework published in 1992 and amended in
1994. The eight components are:

Internal Environment

Objective Setting

Event Identification

Risk Assessment

Risk Response

Control Activities

Information and Communication

Monitoring

The four objectives categories are:

Strategy - high-level goals, aligned with and supporting the organization's mission

Operations - effective and efficient use of resources

Financial Reporting - reliability of operational and financial reporting

Compliance - compliance with applicable laws and regulations

COCO (Criteria of Control)

When the CICA's Criteria of Control Board issued Guidance on Control in November 1995, its aim
was to provide a modern framework that stakeholders could use to develop, assess and change
control.1While there are elements to praise in that and subsequent documents issued by the
board, Guidance on Control largely fails to recognize that issues of power are crucial for
understanding and designing control systems. Accountants need a more complete view of control.
Guidance on Control can be seen as a response from the profession in Canada to recent
management trends. First, there are increasing calls for public reporting about the effectiveness of
an organization's control systems. Second, control systems in many organizations have changed
significantly due to downsizing and increasing global competition. Many organizations have
decided to put greater emphasis on informal controls, such as shared values and open
communication. These developments led the Criteria of Control Board to conceive control broadly,

39 | Page

Superior University, Lahore

Risk Management
by: Asif Masood Ahmad

to go beyond financial controls, and to consider control within the context of both the public and
private sectors. The outcome of those considerations, Guidance on Control, identifies 20 criteria of
control (CoCo) to help accountants and auditors make judgments about the effectiveness of
control.
Power is traditionally viewed in terms of getting one's way, despite resistance. Control is then
conceived of in terms of organizations realizing their objectives. While there is merit in this twopronged view, it neglects two important features of power. First, by ignoring how authority is
achieved, the view of control as the authorized power to achieve objectives fails to examine the
legitimacy of those in authority and how their power is sustained. The traditional view of power
confuses power, control and authority, thereby failing to ask why those in authority should have
the ability to determine the objectives of the organization. Second, by emphasizing overt
resistance (often in a form where those resisting authority are typically seen as uninformed or
mistaken), it fails to recognize that power is often most effective when it shapes people's interests
and there is no resistance. For example, the power of language (including the language of
accounting) rests in influencing the way people think, and what they see as problems and possible
solutions.
Guidance on Control classifies the criteria of control under four headings: (1) purpose, (2)
commitment, (3) capability, and (4) monitoring and learning. For each of those headings, we offer
a comparison of CoCo's basic assumptions to research findings, particularly those related to the
interrelation between power and control.