Risk Management: its Assessment and Types
Subject: Risk Management
Submitted to: Prof. Itrat Naz
6th Semester
By
Rai Jaffar (MBAP-F13-18)
Fezan Akhter (MBAP-F13-19)
M. Adnan (MBAP-F13-20)
MBAP-F13-23
Introduction:
Risk management is the process of identification, analysis and either acceptance or justification of
uncertainty in investment decision-making. Essentially, risk management occurs anytime an investor or
fund manager analyzes and attempts to quantify the potential for losses in an investment and then takes
the appropriate action (or inaction) given their investment objectives and risk tolerance. Inadequate risk
management can result in severe consequences for companies as well as individuals. For example, the
recession that began in 2008 was largely caused by the loose credit risk management of financial firms.
Definition:
A risk is defined as
An uncertainty that is affiliated with a particular circumstance that could render a business
inoperable or cause financial insecurities for the company.
A business risk assessment is defined as
The process of determining whether a particular uncertain circumstance has the potential to
threaten your business operations.
Features:
According to PCMAG.com, a website that provides information on technology, a risk assessment exhibits
a business's vulnerabilities, the strategies and costs that the business will need to recover from damages
and losses, and explains what actions the business will take to defend the enterprise so risks can be
avoided or minimized. Risk assessments may also contain useful features, such as risk scoring systems.
Types of Risk:
Risks come in many forms, and it's important to know the different types of risks that are out there so you
can properly assess the ones that are applicable to your business. Creating a list of identified threats can
help you organize your risk assessment. If you are assessing your business's internal environment,
consider:
Financial risks
Marketing risks
Operational risks
Strategic risks
External business environments include risks, such as the changing economy, new market competitors
and natural disasters. Some threats are not as easily noticeable, so performing the identification process as
a team can help to make sure nothing gets overlooked.
Definition
Operational risk is defined as a continual cyclic process which includes risk
assessment, risk decision making, and implementation of risk controls, which results in
acceptance, mitigation, or avoidance of risk.
Objective:
Few now doubt the advantages of having a documented operational risk policy. It allows senior
management to communicate to all staff the approach of the firm to operational risk
management. As such, the policy should be approved by the Board of Directors. Alternatively,
in some firms, the Executive or Management Committee may wish to approve the policy
document or at a minimum, review and comment on it prior to Board approval.
a. Performing an assessment
There are a variety of views on how to perform an operational risk assessment. Options include:
A third party review, which uses a central understanding of critical objectives and processes
together with an independent validation of assessments.
Facilitated assessments (conducted by an outside consultancy, risk management and business
managers), which uses the central understanding to identify and agree the business risks with the
business. The effectiveness of internal controls is also documented and action plans are agreed
where necessary.
Self assessment (conducted by the business managers), which uses the detailed knowledge of
people in the business to identify the business risks and to agree on their monitoring. As with
facilitated sessions, control effectiveness is also assessed and action plans put in place to enhance
ineffective controls.
The three methods of operational risk assessment above have an increasing level of business benefit
although these are balanced by an increasing level of process sophistication. In particular, a self
assessment (being conducted by the business itself) gives the best platform for cultural change. (It should
be recognized that most firms will, necessarily, go through a period of cultural change whilst embedding
operational risk management into the structure and decision making of the firm).
Any of the methods above can be used for risk assessment, control assessment or risk and control
assessment. Commonly, firms start with an assessment of risk (initially evaluating the risk after allowing
for the mitigating effect of the controls). Both stand-alone assessment methods give some value although
neither gives the value that can be derived from a combined risk and control assessment.
For example:
There is generally very little shared assessment in control self assessments, even when the business
reviews the process for the assessment of control effectiveness. By contrast, in risk and control
assessments carried out by the business there is usually a natural element of co-assessment in order to
ensure consistency.
b. Possible methodologies:
There are a variety of practices that can be used to carry out any of the three methods of assessments.
These include:
Workshops: This can be very effective and efficient in a firm that is open to discussion and
challenge. However, the drawback is that a first risk and control assessment generally takes a full
working day to complete and it is therefore necessary for all workshop attendees to be absent
from their desks for the day.
Interviews: which work very well in a firm that is used to one-to-one discussion of issues.
Interviews are relatively inefficient as a certain amount of iteration is necessary in order to obtain
agreement on the risks and controls. They are nevertheless effective when an entire cadre of staff
cannot be spared or is not available for a full day workshop.
Questionnaires: which can be easy and quick although these generally need strong management
and significant communication skills in order to achieve cohesiveness to the wide ranging results
that can be a consequence. Good design of the questions is fundamental to obtaining an outcome
that has business benefits. This is often harder than it may appear as risks, control failures and
indicators can easily become confused in the mind of the person answering the questionnaire.
1. Cultural Issues
The lack of support from senior management for the risk and control assessment process. This is often
characterized by a lack of attendance by senior management at risk and control assessment workshops or
by sudden departures after 30 minutes or 1 hour. Alternatively, the firm's appraisal or review mechanisms
may not take into account good (or bad) risk management by the employee being evaluated.
Another typical cultural issue is the use of operational risk management to reduce risk rather than
managing it appropriately to the organization. Some firms aim for a perceived level of best practice,
whereas operational risk management should be focused on managing risk at a level suitable to the firm's
size and substance.
2. Administrative Hurdles
Risk and control assessments are often unnecessarily paper intensive. The implementation of this type of
assessment is very difficult across regions of the world and particularly across different cultures. It is also
burdensome to maintain and can be orientated towards a policing role, looking for a fault and assigning
blame rather than forward looking and proactive.
3. Value Perception
Sufficient thought must be given to the reporting of risks and controls so that they can be monitored. This
will be addressed further in later articles although it should be clear that inadequate reporting provides
limited business value. Additionally, if the results from the risk and control assessment are not linked to
other users of the information there will be limited leverage possible. There is also a much greater
perception of the value from a risk and control assessment when the action plans generated (either to
enhance controls or add new controls) can be seen to be followed up and implemented. The greatest value
to be obtained from operational risk and control assessments is from linking them to losses, key indicators
and mathematical models. These links will be addressed in later articles.
Risk and control assessments can be carried out using two different assessment approaches which can
also be combined. The most common starting point is to assess the risk after the controls (i.e. after taking
into account the mitigating effect of the controls). This is known as net or residual risk assessment.
However, losses generally occur after controls have failed and therefore net risk assessment by definition
does not give any values for the likely loss that the firm will suffer when the risk event occurs.
3. Enhanced Approaches
As a firm progresses along the risk and control assessment path, it sometimes combines the above two
approaches by assessing risks at a gross and net level as well as assessing the mitigating controls. Often
an assessment of the risk at a target level (i.e. after any remedial action) is also made. In any of the
approaches, the action plans for enhancing the perceived defective controls are also identified.
4. Scoring
Following the identification of the risks and their owners, the risks are usually scored. Five years ago, a
risk would have been scored for its severity, a one-dimensional value. Today, almost all firms use two
dimensions: likelihood and impact. Controls are also today often scored in two dimensions (typically,
design and performance) rather than simply the effectiveness of the control. The scores of the risks and
of the controls are usually arranged on a scale. Some firms use 1, 2 and 3 or low, medium and high.
Others use up to ten levels. It is useful to use an even number of levels so that there can be no sitting on
the fence by using the middle level for most risks and controls. Probably the most common number of
levels is four or six with four levels being high, medium high, medium low and low.
5. Cause, event and effect
Another consideration when carrying out a risk and control assessment is to isolate the risk events (i.e.
what you want to capture) from the risk causes, the risk effects and the control failures. Most
methodologies for risk assessment (see the previous article) will produce a combination of all four risk
types unless some guidance is given. It is the risk event that is required in a risk and control assessment
as the risk event is immutable whereas risk causes and effects change over time. If controls are applied to
changing circumstances, the controls may become less effective because of the shifting conditions rather
than the efficiency of the control itself.
6. Control assessment
The assessment of the controls can be carried out either on the cluster of controls that mitigate a risk or on
each control within the cluster. The greatest business benefit is derived from assessing each control as a
control may operate on several risks and its varying effects can therefore be judged. Additionally, controls
are often identified as either preventative or detective controls to aid the design of action plans over the
further mitigation of a risk.
An uncertain event or condition that has a positive or negative effect on a project's objectives.
Basically, risk is any unexpected event that can affect your project for better or for worse. Risk can affect
anything: people, processes, technology, and resources.
Most important is that risks are not the same as issues. Issues are things you know you'll have to deal
with. You may even have an idea of when they'll pop up. Conversely, risks are events that might happen,
and you may not be able to tell when. Like "A key product component is on backorder and will arrive a
week late." They're slippery, and it takes some serious preparation to manage them.
Step 1
Identify events that could happen throughout the life of the project that would adversely impact it. An adverse effect is
one that would cause the project to come in over budget, miss the deadlines or fail altogether. These
project risks can come from a broad range of factors, including human, operational, reputational,
procedural, natural, financial, technical, political and others. An operational risk, for example, could be
how a disruption in supplies would impact the project, while a natural risk could stem from a natural
disaster.
Step 2
Transfer risks to external stakeholders where possible. If you have identified supply chain issues as a potential risk, you might consider
transferring that to a company procurement or operations specialist.
Step 3
Prioritize the risks that you have identified. Rank each risk in terms of impact, how likely or unlikely it is that it will
actually happen and how well you can control the event if it does happen. When assessing a risk's impact,
consider how it could affect the project's scope, budget and timeline. Where appropriate, determine how
much each risk would cost the company if it did occur.
Step 4
Calculate risk exposure based on impact, probability and controllability. Rate each on a scale that you determine, such as
insignificant to critical or high to low. While it is human nature to put more emphasis on risks that could
cause more damage to the project, if it is an insignificant risk with a small probability of actually
occurring, you should focus on other risks instead.
Step 5
Put risk avoidance and mitigation strategies into place. Start by reviewing your project's scope and eliminating any pieces that are not essential to a
successful completion. As you narrow the scope, you may find that many of the identified risks are no
longer relevant. For risks that have a high level of controllability, make plans for how you can reduce the
risk of them occurring and minimize their impact if they do occur.
Step 6
Create contingency strategies, sometimes called "Plan B." Assign each risk to one team member who will watch for indicators or
symptoms of the risk throughout the project. This will help you to recognize developing risks early on,
giving you the opportunity to put contingencies in place before they become critical. Identify what those
contingencies are, or how you will counteract the risk's impact as it happens.
The initial step in the assessment process is to gain a deep understanding of the key business strategies
and objectives of the organization. Some organizations have well developed strategic plans and
objectives, while others may be much more informal in their articulation and documentation of strategy.
The next step is to gather information and views on the organization's strategic risks. This can be
accomplished through interviews of key executives and directors, surveys, and the analysis of information
(e.g., financial reports and investor presentations). This data gathering should also include both internal
and external auditors and other personnel who would have views on risks, such as compliance or safety
personnel. Information gathered in Step 1 may be helpful to frame discussions or surveys and relate them
back to core strategies. This is also an opportunity to ask what these key individuals view as potential
emerging risks that should also be considered.
and directors. It is critical, however, to gain sufficient validation to prevent major disagreements on the
final risk profile.
6. Communicate the strategic risk profile and strategic risk management action plan:
Building or enhancing the organization's risk culture is a communications effort with two primary
focuses. The first focus is the communication of the organization's top risks and the strategic risk
management action plan to help build an understanding of the risks and how they are being managed.
This helps focus personnel on what those key risks are and potentially how significant they might be.
Conclusion:
Risk is about uncertainty. If you put a framework around that uncertainty, then you effectively de-risk
your project. And that means you can move much more confidently to achieve your project goals. By
identifying and managing a comprehensive list of project risks, unpleasant surprises and barriers can be
reduced and golden opportunities discovered. The risk management process also helps to resolve
problems when they occur, because those problems have been envisaged, and plans to treat them have
already been developed and agreed. You avoid impulsive reactions and going into fire-fighting mode to
rectify problems that could have been anticipated. This makes for happier, less stressed project teams and
stakeholders. The end result is that you minimize the impacts of project threats and capture the
opportunities that occur.