
FIMA 40053 – RISK MANAGEMENT

MODULE 3: RISK MANAGEMENT PROCESS

The risk management process should be an integral part of management and decision-making,
and integrated into the structure, operations and processes of the organization. It
can be applied at strategic, operational, program or project levels.

There can be many applications of the risk management process within an organization,
customized to achieve objectives and to suit the external and internal context in which they
are applied.

The dynamic and variable nature of human behavior and culture should be considered
throughout the risk management process.

Communication and Consultation

The purpose of communication and consultation is to assist relevant stakeholders in
understanding risk, the basis on which decisions are made and the reasons why particular
actions are required. Communication seeks to promote awareness and understanding of
risk, whereas consultation involves obtaining feedback and information to support
decision-making. Close coordination between the two should facilitate factual, timely,
relevant, accurate and understandable exchange of information, taking into account the
confidentiality and integrity of information as well as the privacy rights of individuals.

Communication and consultation with appropriate external and internal stakeholders
should take place within and throughout all steps of the risk management process.

Communication and consultation aim to:

▪ bring different areas of expertise together for each step of the risk management process;
▪ ensure that different views are appropriately considered when defining risk
criteria and when evaluating risks;
▪ provide sufficient information to facilitate risk oversight and decision-making;
▪ build a sense of inclusiveness and ownership among those affected by risk.

Establishing the Scope, Context and Criteria

The purpose of establishing the scope, the context and criteria is to customize the risk
management process, enabling effective risk assessment and appropriate risk treatment.
This involves defining the scope of the process, understanding the external and internal
context, and defining the risk criteria against which risks will be evaluated.
Defining the scope

The organization should define the scope of its risk management activities. As the risk
management process may be applied at different levels (e.g. strategic, operational,
program, project, or other activities), it is important to be clear about the scope under
consideration, the relevant objectives to be considered and their alignment with
organizational objectives.

When planning the approach, considerations include:

▪ objectives and decisions that need to be made;
▪ outcomes expected from the steps to be taken in the process;
▪ time, location, specific inclusions and exclusions;
▪ appropriate risk assessment tools and techniques;
▪ resources required, responsibilities and records to be kept;
▪ relationships with other projects, processes and activities.

External and Internal Context

The external and internal context is the environment in which the organization seeks to
define and achieve its objectives.

The context of the risk management process should be established from an
understanding of the external and internal environment in which the organization operates
and should reflect the specific environment of the activity to which the risk management
process is to be applied.

An organization’s external context includes all of the external environmental parameters
and factors that influence how it manages risk and how it tries to achieve its objectives. It
includes its external stakeholders, its local, national, and international environment, as
well as key drivers and important trends that influence its objectives. It also includes
stakeholder values, perceptions, and relationships, as well as its social, cultural, political,
legal, regulatory, technological, economic, natural, and competitive environment.

An organization’s internal context includes all of the internal environmental parameters
and factors that influence how it manages risk and tries to achieve objectives. It includes
its internal stakeholders, its approach to governance, its contractual relationships, and its
capabilities, culture, and standards.

Governance includes the organization’s structure, policies, objectives, roles,
accountabilities, and decision-making process, and capabilities include its knowledge and
human, technological, capital, and systemic resources.
Understanding the context is important because:

▪ risk management takes place in the context of the objectives and activities
of the organization;
▪ organizational factors can be a source of risk;
▪ the purpose and scope of the risk management process may be interrelated
with the objectives of the organization as a whole.

Defining Risk Criteria

Risk criteria are terms of reference and are used to evaluate the significance or
importance of your organization’s risks. They are used to determine whether a specified
level of risk is acceptable or tolerable. Risk criteria should reflect your organization’s
values, policies, and objectives, should be based on its external and internal context,
should consider the views of stakeholders, and should be derived from standards, laws,
policies, and other requirements.

The organization should specify the amount and type of risk that it may or may not take,
relative to its objectives. It should also define criteria to evaluate the significance of risk and
to support decision-making processes. Risk criteria should be aligned with the risk
management framework and customized to the specific purpose and scope of the activity
under consideration.

While risk criteria should be established at the beginning of the risk assessment process,
they are dynamic and should be continually reviewed and amended, if necessary.

To set risk criteria, the following should be considered:

▪ the nature and type of uncertainties that can affect outcomes and objectives
(both tangible and intangible);
▪ how consequences (both positive and negative) and likelihood will be
defined and measured;
▪ time-related factors;
▪ consistency in the use of measurements;
▪ how the level of risk is to be determined;
▪ how combinations and sequences of multiple risks will be taken into account;
▪ the organization’s capacity.

Risk Assessment

▪ the overall process of risk identification, risk analysis and risk evaluation.

Risk assessment should be conducted systematically, iteratively and collaboratively,
drawing on the knowledge and views of stakeholders. It should use the best available
information, supplemented by further enquiry as necessary.

Risk Identification

Risk cannot be managed unless it is first identified.

The aim of risk identification is to identify possible risks that may affect, either negatively
or positively, the objectives of the business and the activity under analysis.

The organization should identify risks, whether or not their sources are under its control.
Consideration should be given that there may be more than one type of outcome, which
may result in a variety of tangible or intangible consequences.

What information should we collect during the risk identification step? Identifying risks
involves considering what, when, why, where and how things can happen. More
specifically:

What are the sources of risk or threat?
– the things which have the inherent potential to harm or facilitate harm.

What could happen?
– events or incidents that could occur whereby the source of risk or threat has an
impact on the achievement of objectives.

Where?
– the physical locations/assets where the event could occur or where the direct or
indirect consequences may be experienced.

When?
– specific times or time periods when the event is likely to occur
and/or the consequences realized.

How?
– the manner or method in which the risk event or incident could occur.

Causes
– what are the direct and indirect factors that create the source of risk or threat?

Business consequences
– what would be the impact on objectives if the risk was realized?

Business areas/stakeholders affected
– what parts of the organization and what stakeholders might be involved or impacted?

Existing controls
– a preliminary review of existing controls should be undertaken to identify what
controls currently exist to minimize the likelihood and consequences of each risk.

There are two main ways to identify risk:

Identifying Retrospective Risks

Retrospective risks are those that have previously occurred, such as incidents or
accidents. Retrospective risk identification is often the most common way to identify risk,
and the easiest. It’s easier to believe something if it has happened before. It is also easier
to quantify its impact and to see the damage it has caused.

Sources of information about retrospective risk

▪ Hazard or incident logs or registers
▪ Audit reports
▪ Customer complaints
▪ Accreditation documents and reports
▪ Past staff or client surveys
▪ Newspapers or professional media, such as journals or websites.

Identifying Prospective Risks

Prospective risks are often harder to identify. These are things that have not yet happened,
but might happen sometime in the future.

Identification should include all risks, whether or not they are currently being managed.
The rationale here is to record all significant risks and monitor or review the effectiveness
of their control.

Methods for identifying prospective risks include:

▪ Brainstorming with staff or external stakeholders
▪ Researching the economic, political, legislative and operating environment
▪ Conducting interviews with relevant people and/or organizations
▪ Undertaking surveys of staff or clients to identify anticipated issues or problems
▪ Flow charting a process
▪ Reviewing system design or preparing system analysis techniques.
8 Ways to Identify Risks in an Organization (by Clear Risk)

Break down the big picture

When beginning the risk management process, identifying risks can be overwhelming.
Begin with a high-level analysis. What are the most obvious things that could go wrong in
your company or industry? These can be based on your business strategy and daily
activities.

Risk is multi-faceted. There are many categories: competitive, financial, safety,
operational, technological, legal, political, reputational, and so on. Break down your
organization into each of these areas, and consider the individual weaknesses of each
department.

Asking yourself insightful questions can reveal weaknesses in your organization that you
may not have considered. For example, is your manufacturing process fully safe? Are all
your employees properly trained? What would happen if you lost your biggest customer? If
a serious incident occurred, would you know how to handle it and who was responsible?
If you think of a question like this that you cannot answer, it represents a risk that needs to
be better managed.

Be pessimistic

What is the worst thing that could happen to your organization? If there was a day where
everything went wrong, what would that sequence of events look like? While being overly
pessimistic may not be the best way to run a business, it’s incredibly helpful when
identifying risks.

At this stage, it’s important to avoid overconfidence and thinking something “can’t” or
“won’t” happen. Challenge all of your assumptions about potential risks, and be prepared
for any or all of them to occur.

Consult an expert

You likely already have relationships with multiple people that could help you identify risks,
such as your insurance broker, accountant, or financial advisor. Insurance brokers know
your claim history, which means they can provide insight on trends. If you experience the
same type of losses multiple times, it suggests there’s a risk that is improperly managed.
Brokers can also play a role in helping you to assess your business risks and recommending
insurance coverage to help protect you against them in case they occur. If they do not
provide this assessment service, they are probably able to recommend a good consultant
who can. Similarly, accountants and financial advisors will have insight on the types of
payments you are repeatedly making. They can also advise on and identify financial risk
throughout the organization.
Conduct internal research

If you manage your own claims and losses or have employees that work closely with them,
you can perform internal research to identify risks across the organization. With simple
observation, you may be able to recognize areas where things are not being done
correctly. Abnormally high costs in one department may also suggest an unmitigated risk.

With data and trend analysis, you can identify the root causes of occurrences. Incidents
and near-misses are key indicators of problem areas that need to be addressed by the
risk management team.

Conduct external research

Every industry has its own unique trends and common occurrences. Unless you are an
organization in a brand-new industry, you can learn a lot about identifying risks from those
who have gone before you.

Professional organizations may be able to provide expert insight on the risks typically
found in organizations similar to yours. They could access industry research or trend
reports that will highlight common risks.
You can also pay attention to your competitors or companies similar to yours. Any losses,
risk management successes, news releases, or even legal precedents can help you
identify the same types of risks in your organization.

Seek employee feedback regularly

Everyone from the frontline staff to the CEO will have a different perspective of the
organization and the risks they come across while performing their job. As such,
employees are one of the most valuable resources in identifying risks.

All employees, especially key stakeholders, may have some insight on risks that they
encounter in day-to-day business practices that you would not have otherwise
considered.

You can seek employee feedback anonymously, in one-on-one interviews, or in a group
setting. Allowing anonymous incident reporting may increase the likelihood of response
from employees who are worried about repercussions from speaking up, while group
discussions may increase the amount of brainstorming and lead to a higher number of
identified risks.
Analyze customer complaints

Just as asking employees can be valuable, customers may help in risk identification as
well. What do customers most often complain about, or what types of issues do they
report? If there are multiple people complaining about the same process, it’s likely that
there is an associated risk.

This strategy is most useful for organizations where customers visit a physical location,
such as a storefront. However, even solely digital customers may provide valuable
feedback that can help identify and mitigate against reputational risks.

Use models or software

There are many business and technological strategies that help identify and classify risks.
Simulations, scenario role-playing, SWOT analysis, flowcharts, and risk mapping are just
some of them.


Other considerations:

Risks relating to multiple objectives


▪ A risk may be related to more than one of the department’s objectives and/or its
potential impact may vary in relation to different objectives, and the best way of
addressing the risk may be different in relation to different objectives. Risk
identification may therefore require different levels of analysis.

Risk statements
▪ It is important to express the identified risks as specifically as possible in relation to
the objective. Otherwise, the ability to assess and manage the risk will be less than
effective.

In stating risks, avoid:

▪ stating impacts which may arise as being the risks themselves


▪ including risks which do not impact on objectives
▪ including risks which are simply the converse of the objectives.

To avoid poor expressions of the risk, the risk statement should encompass the uncertain
event (or uncertainty), the cause or event that triggers the risk, and its consequence/impact.
Risk Ownership
▪ Once risks are identified, they should be assigned a risk owner who has
responsibility for ensuring that the risk is being managed and monitored.

Risk Categories
▪ Risks during this initial phase of the process should also be allocated a risk category.

It’s important to remember that the risk environment is always changing, so this step should
be revisited regularly.

You and your team uncover, recognize and describe risks that might affect your project or
its outcomes. During this step you start to prepare your Risk Register.

Risk Analysis

▪ involves a detailed consideration of uncertainties, risk sources, consequences,
likelihood, events, scenarios, controls and their effectiveness

The purpose of risk analysis is to comprehend the nature of risk and its characteristics
including, where appropriate, the level of risk. An event can have multiple causes and
consequences and can affect multiple objectives.

Risk analysis can be undertaken with varying degrees of detail and complexity, depending
on the purpose of the analysis, the availability and reliability of information, and the
resources available. Analysis techniques can be qualitative, quantitative or a combination
of these, depending on the circumstances and intended use.

The risk analysis may be influenced by any divergence of opinions, biases, perceptions of
risk and judgements. Additional influences are the quality of the information used, the
assumptions and exclusions made, any limitations of the techniques and how they are
executed. These influences should be considered, documented and communicated to
decision makers.

Highly uncertain events can be difficult to quantify. This can be an issue when analyzing
events with severe consequences. In such cases, using a combination of techniques
generally provides greater insight.

Tools such as SWOT Analysis and Failure Mode and Effects Analysis can also help uncover threats, while
Scenario Analysis helps explore possible future threats.

The risk analysis should answer the following questions:

• What is the likelihood of these risks occurring?
• What will be the consequences of these risks to the organization?

One way of doing this is to make your best estimate of the probability of the event
occurring, and then to multiply this by the amount it will cost you to set things right if it
happens. This gives you a value for the risk (its expected loss):

Risk Value = Probability of Event x Cost of Event

As a simple example, imagine that you've identified a risk that your rent may increase
substantially. You think that there's an 80 percent chance of this happening within the
next year, because your landlord has recently increased rents for other businesses. If this
happens, it will cost your business an extra P500,000 over the next year.

So, the risk value of the rent increase is:

0.80 (Probability of Event) x P500,000 (Cost of Event) =P400,000 (Risk Value)

You can also use a Risk Impact/Probability Chart to assess risk. This will help you to identify
which risks you need to focus on.

The Risk Impact/Probability Chart is based on the principle that a risk has two primary
dimensions:

Probability – A risk is an event that "may" occur. The probability of it occurring can
range anywhere from just above 0 percent to just below 100 percent. (Note: It can't
be exactly 100 percent, because then it would be a certainty, not a risk. And it can't
be exactly 0 percent, or it wouldn't be a risk.)

Impact – In this chart a risk is treated as having a negative impact, and the
size of the impact varies in terms of cost and impact on health, human life, or some
other critical factor. (Note that the definitions used earlier in this module allow
consequences to be positive as well as negative; the chart maps only the downside.)

Risk analysis provides an input to risk evaluation, to decisions on whether risk needs to
be treated and how, and on the most appropriate risk treatment strategy and methods. The
results provide insight for decisions, where choices are being made, and the options
involve different types and levels of risk.

Risk Evaluation

▪ is the process used to compare the estimated risk against the given risk criteria so
as to determine the significance of the risk.

The result of a risk evaluation is a prioritized list of risks that require further
action. This step is about deciding whether risks are acceptable or need treatment.
A risk may be accepted for the following reasons:

▪ The cost of treatment far exceeds the benefit, so that acceptance is the only
option (this applies particularly to lower ranked risks)
▪ The level of the risk is so low that specific treatment is not appropriate with the
available resources
▪ The opportunities presented outweigh the threats to such a degree that the
risk is justified
▪ The risk is such that there is no treatment available, for example the risk
that the business may suffer storm damage.

You evaluate or rank the risk by determining the risk magnitude, which is the combination
of likelihood and consequence. You make decisions about whether the risk is acceptable
or whether it is serious enough to warrant treatment. These risk rankings are also added
to the Risk Register.

Evaluation of risks can be done in various ways, using all sorts of tools and methods. One
of the most efficient ways is to sort the risks by scoring and prioritizing them.

Scoring the Risks

Scoring (or ranking) is usually mapped with parameters on impact (or consequence) and
probability of each risk.

Impact
Every risk is assessed on the impact it would have if it materialized and what kind of
consequence it presents for the company. Low impact risks have no significant
effect on business processes or the organization at large. High impact risks can alter the course
of the business; they bear on the company’s success or even its failure.

Probability/Likelihood
In this scoring process risks also get an assessment from low to high. Low probability
risks are those considered (almost) never to happen. High probability means
they are likely to happen and must be planned for in any case.

Prioritizing Risks
After scoring all the risks, it’s time to cross-match impact and probability. Not every
highly probable risk has a big impact on the company, and not every rarely occurring risk
has only a small impact. That’s why it’s useful to develop a grid map with impact level on one
axis and probability level on the other (risk grid map).
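The quantitative risk value (probability x cost) from the Risk Analysis section and the impact/probability scoring, grid map and acceptance decision described here fit naturally into one small risk register. The Python below is an added example written for this page; it is not part of the original module. The band edges for the 1..5 probability and impact scores, the tolerance thresholds that stand in for the organization's risk criteria, and the three sample register entries are all constructed assumptions (the rent-increase entry reuses the figures from the worked example above; the other two are made up for illustration).

```python
"""
Risk register scoring and evaluation. Added illustration for this module, not
the module's own material. Combines the two approaches described in the text:
  * quantitative: risk value = probability x cost (expected loss);
  * qualitative: impact/probability grid (risk map) compared against assumed
    risk criteria (tolerance) to decide accept / treat / escalate.
All band edges, thresholds and sample risks below are constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Risk:
    """One register entry written as cause -> event -> consequence, with owner and category."""
    id: str
    cause: str
    event: str
    consequence: str
    owner: str
    category: str
    probability: float          # strictly between 0 and 1: certainties/impossibilities are not risks
    cost: float                 # cost to set things right if the event occurs
    existing_controls: list = field(default_factory=list)

    def __post_init__(self):
        if not 0.0 < self.probability < 1.0:
            raise ValueError(f"{self.id}: probability must be strictly between 0 and 1")
        if self.cost < 0:
            raise ValueError(f"{self.id}: cost must be non-negative")

    def risk_value(self) -> float:
        """Risk Value = Probability of Event x Cost of Event."""
        return self.probability * self.cost

    def statement(self) -> str:
        """Risk statement in the cause / event / consequence form recommended in the text."""
        return f"Because of {self.cause}, {self.event} may occur, resulting in {self.consequence}."


# Assumed qualitative bands: (inclusive upper edge, score 1..5).
PROB_BANDS = [(0.05, 1), (0.20, 2), (0.50, 3), (0.80, 4), (1.0, 5)]
COST_BANDS = [(10_000, 1), (100_000, 2), (1_000_000, 3), (10_000_000, 4), (float("inf"), 5)]


def band(value, bands):
    """Map a raw value onto a 1..5 score using inclusive upper edges."""
    for upper, score in bands:
        if value <= upper:
            return score
    return bands[-1][1]


def probability_score(r: Risk) -> int:
    return band(r.probability, PROB_BANDS)


def impact_score(r: Risk) -> int:
    return band(r.cost, COST_BANDS)


def risk_magnitude(r: Risk) -> int:
    """Grid position as a single number: combination of likelihood and consequence (1..25)."""
    return probability_score(r) * impact_score(r)


# Assumed risk criteria (tolerance): below 6 accept, 6..14 treat, 15 and above escalate.
TOLERANCE = {"treat_at_or_above": 6, "escalate_at_or_above": 15}


def evaluate(r: Risk) -> str:
    """Risk evaluation: compare the estimated risk against the criteria."""
    m = risk_magnitude(r)
    if m >= TOLERANCE["escalate_at_or_above"]:
        return "escalate"
    if m >= TOLERANCE["treat_at_or_above"]:
        return "treat"
    return "accept"


def prioritize(register):
    """Prioritized list, highest first: by magnitude, then by expected loss as tie-break."""
    return sorted(register, key=lambda r: (risk_magnitude(r), r.risk_value()), reverse=True)


def risk_grid(register):
    """Risk grid map: grid[impact_score][probability_score] -> list of risk ids in that cell."""
    grid = {i: {p: [] for p in range(1, 6)} for i in range(1, 6)}
    for r in register:
        grid[impact_score(r)][probability_score(r)].append(r.id)
    return grid


# Constructed sample register (illustrative values, not real data).
REGISTER = [
    Risk("R1", "the landlord raising rents for neighbouring tenants", "a substantial rent increase",
         "P500,000 of extra cost next year", "CFO", "financial", 0.80, 500_000),
    Risk("R2", "an unpatched internet-facing VPN appliance", "ransomware deployment",
         "a multi-day outage and recovery costs", "CISO", "technological", 0.55, 8_000_000,
         ["offline backups", "MFA on VPN"]),
    Risk("R3", "paper records stored in a basement", "storm flooding",
         "loss of archived contracts", "Facilities", "operational", 0.05, 50_000),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.id} P={probability_score(r)} I={impact_score(r)} magnitude={risk_magnitude(r)} "
              f"value={r.risk_value():,.0f} -> {evaluate(r)}  [{r.owner}/{r.category}]")
        print("   " + r.statement())
```

Running it ranks R2 (escalate) above R1 (treat) above R3 (accept); R1 reproduces the P400,000 risk value from the rent example. The tie-break on expected loss matters because the grid alone cannot separate two risks that land in the same cell, which is exactly the situation the text warns about when a rare risk carries a large impact.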
