Introduction to Risk Management

https://preteshbiswas.com/wp-content/uploads/2024/10/Understanding-Enterprise-Risk-Management_-Concepts-and-Frameworks.wav

We all encounter risks in our daily lives. These can come from personal activities, like travelling or making financial decisions. There are also significant risks at home, such as fire hazards or the financial challenges of owning a house. Beyond that, risks can arise from relationships, work, and business activities. Evaluating these risks and figuring out how to handle them is something we do every day, both at work and in our personal lives. Recent world events, like terrorism, severe weather, and the global financial crisis, have made people more aware of risks. These major risks add to the more common ones we deal with regularly. Evaluating different ways to handle risks and choosing the best option is a key part of risk management. Dealing with risks can bring benefits to both individuals and the organizations they work for.

In our personal lives, many risk responses are automatic. For example, avoiding fires or car accidents comes naturally through learned behaviour. These types of risks, like fire and accidents, are seen as purely negative and are often called “hazard risks.” Legal compliance, such as adhering to data protection laws like the GDPR, is called a “compliance risk.” Some view compliance risks as a kind of hazard risk, since failing to comply leads to negative consequences; others believe that following regulations can also bring benefits, showing the “upside of risk.”

Some risks come with mandatory responses, such as the legal requirement to have car insurance. While house insurance isn’t always required by law, it is still considered smart risk management. Maintaining your car reduces the risk of breaking down, but it doesn’t guarantee you won’t experience a breakdown at all. These kinds of risks, where there’s uncertainty even with precautions, are often called “control risks.”

There are also risks people take hoping for a positive outcome, like investing money in the stock market or placing a bet on a sports event. These are examples of “opportunity risks,” where the goal is to gain something, even if it’s not always financial—like pride or respect, as seen in activities like motorsports or other risky hobbies.

Organizations face many different types of risks that can affect their operations. These risks can either prevent them from reaching their goals (hazard risks), help them achieve their goals (opportunity risks), or cause uncertainty about the results (control risks). Risk management involves evaluating, controlling, and monitoring all three types of risks in a coordinated way.

Risk management plays a key role in the success of non-profit organizations like charities, clubs, and other membership groups. While the risk management process is widely understood, it is presented differently depending on the organization and its terminology. Risk management cannot work in isolation; it needs to be supported by a framework within the organization. This framework is often explained differently in various standards and guides, but its main components are the communication and reporting structure (architecture), the organization’s risk management plan (strategy), and the guidelines and procedures (protocols) in place. Together, the risk management processes and supporting framework form what is known as a risk management standard. There are several standards available, such as the IRM Standard, the British Standard BS 31100:2021, and the American COSO ERM framework. One of the most well-known international standards is ISO 31000.

Organizations engage in risk management for several reasons, which can be grouped into four main categories: mandatory, assurance, decision-making, and improving core processes (MADE2). “Mandatory” refers to risk management actions taken to ensure the organization meets legal and regulatory requirements, as well as the expectations of customers or clients. The board of an organization needs to be confident that major risks have been identified and properly controlled. To make sure the right business decisions are made, the organization should carry out risk management activities that provide clear and structured information to support decision-making. One of the key benefits of risk management is improving the effectiveness and efficiency of the organization’s operations. It also helps ensure that business processes, including any improvements or changes, work smoothly. Lastly, the chosen strategy must also be effective and efficient, delivering exactly what is needed.
Risk management is important for making strategic decisions, successfully delivering projects and programs, and ensuring smooth daily operations. The benefits of risk management apply to all three areas: strategy, tactics, and operations. By using risk management, organizations can achieve more effective and efficient results in each of these areas. These processes—strategic, tactical, operational, and compliance (STOC)—cover all of an organization’s core functions. Analyzing these core processes offers a complete approach to risk management. For risk management to be successful, the expected benefits must be clearly identified. Without knowing the intended outcomes, it’s impossible to measure whether the risk management effort has worked. Therefore, effective risk management must have clear goals and desired benefits. It’s also essential to focus on every step of the process, including the design, implementation, and monitoring of the framework that supports risk management activities.

Failure to properly manage an organization’s risks can happen for several reasons: not recognizing risks well enough, not analyzing important risks properly, or failing to identify effective responses. Additionally, if a clear risk management strategy is not established and communicated, it can lead to poor risk management. Sometimes, the procedures themselves may be flawed and unable to achieve the intended results. The impact of not managing risks well can be severe. It can lead to inefficient operations, delayed projects, and ineffective or misguided strategies. Successful risk management needs to be PACED: proportionate, aligned, comprehensive, embedded, and dynamic.

  • Proportionate: The effort in risk management should match the level of risk the organization faces.
  • Aligned: Risk management activities should be in sync with other organizational activities.
  • Comprehensive: It must cover all areas of the organization and all possible risks.
  • Embedded: Risk management should be integrated into the organization’s processes.
  • Dynamic: It should be flexible and adapt to changing environments.

Like other management activities, risk management needs to fit with the organization’s core processes and culture. First, it must meet any legal and regulatory requirements. After that, the best approach is whatever works for the organization and delivers the needed results and benefits.

Risk management is evolving quickly, both in the tools and techniques used and in the governance structures that ensure risks are managed successfully. Organizations are becoming more focused on reducing costs, which has led to approaches like Governance, Risk, and Compliance (GRC). GRC aims to be both effective and cost-efficient in managing risks. With many organizations facing cost-cutting measures and tough market conditions, emerging risks are more critical than ever. It’s a challenge for organizations to keep their risk exposure within acceptable limits. Unexpected events can have severe consequences, so it’s essential to analyze what could trigger significant risks and have plans in place to handle potential crises. Organizations should take several steps:

  1. Use common processes, terminology, and practices for managing all types of risks.
  2. Clearly understand, communicate, and monitor risk tolerance levels throughout the organization.
  3. Integrate risk management into all important business processes and decisions.
  4. Make risk-related decisions using high-quality, specific risk information.

Risk definition

  • The Oxford English Dictionary definition of risk is as follows: ‘a chance or possibility of danger, loss, injury or other adverse consequences’, and the definition of ‘at risk’ is ‘exposed to danger’.
  • The Institute of Risk Management (IRM) defines risk as the combination of the probability of an event and its consequences. Consequences can range from positive to negative.
  • ISO Guide 73 defines risk as the ‘effect of uncertainty on objectives’. It also notes that an effect may be positive, negative, or a deviation from the expected. The guide notes that risk is often described by an event, a change in circumstances, a consequence, or a combination of these and how they may affect the achievement of objectives.
  • The Institute of Internal Auditors (IIA) defines risk as the uncertainty of an event occurring that could have an impact on the achievement of objectives. The IIA adds that risk is measured in terms of consequences and likelihood.
  • The definition used by health and safety professionals is that risk is a combination of likelihood and magnitude.

From Fundamentals of Risk Management by Paul Hopkin

Risk is generally understood as an event, as explained in definitions like ISO 31000 and by the Institute of Internal Auditors. For a risk to happen, an event must take place, so risks can be thought of as “an unplanned event with unexpected results.” Focusing on events helps clarify the risk management process. Since there are many ways to define risk, each organization should choose a definition that best fits its needs, whether it’s broad or specific.

Types of risks

Risk can have positive or negative outcomes, or simply cause uncertainty. Risks can be linked to opportunities, potential losses, or unpredictability for an organization. Risks are generally categorized into four types:

  • Compliance (mandatory) risks
  • Hazard (pure) risks
  • Control (uncertainty) risks
  • Opportunity (speculative) risks

Organizations typically aim to reduce compliance risks, minimize hazard risks, manage control risks, and embrace opportunity risks. However, there is no single “correct” way to classify risks. Some texts might use different categories, such as dividing risks into pure or speculative. What’s important is that the organization adopts a system that fits its needs.

Hazard risks, also known as pure risks, usually lead to negative outcomes. These are operational or insurable risks, like theft, which organizations manage within acceptable limits. Control risks are linked to uncertainty, especially in project management. Organizations often avoid control risks because they can create uncertainty around project outcomes, timelines, and budgets. The goal is to keep actual results as close as possible to expected outcomes.

Opportunity risks, on the other hand, are risks organizations take to gain a positive return. These involve making decisions that carry risk but offer the chance for rewards, such as investments. Managing hazard risks is one of the oldest forms of risk management, and this text focuses on that. Hazard risks are linked to potential harm, and managing them involves reducing negative impacts, such as in health and safety programs.

Control risks involve unpredictable events and are common in project management. These risks are known to occur, but their outcomes are hard to predict, so the focus is on managing the uncertainty around them.

Opportunity risks come with both the risk of taking action and the risk of missing out on potential gains. These risks are often financial and might not be obvious, but they offer a chance for positive outcomes, though they aren’t guaranteed. For small businesses, opportunity risks can include moving to a new location, acquiring property, expanding, or launching new products.

Risk Description

To fully understand a risk, it’s important to describe it in detail. This ensures that everyone has a shared understanding and knows who is responsible for managing the risk. To gather the right information about each risk, it’s important to clearly differentiate between compliance, hazard, control, and opportunity risks. A risk description might include the following details:

  • Name or title of the risk
  • A statement explaining the risk, its scope, possible events, and dependencies
  • Type of risk, including its classification and when it might have an impact
  • The people or groups affected by the risk, both inside and outside the organization
  • Attitude towards the risk, including the organization’s risk appetite, tolerance, and limits
  • The likelihood of the risk happening, and the size of the impact if it does
  • The standard of control needed and the target level of risk
  • History of incidents or losses related to the risk
  • Existing control measures in place
  • Who is responsible for developing the risk strategy and policy
  • Potential for improving how the risk is managed and confidence in current controls
  • Recommendations for improving risk management and deadlines for action
  • Who is responsible for putting improvements into effect
  • Who is responsible for checking that risk compliance is being followed

Inherent level of risk

It’s important to understand the original level of all identified risks before any actions are taken to reduce them. This is known as the inherent level of risk, which shows how risky something is without any controls in place. Knowing this helps highlight how important the control measures are. According to the Institute of Internal Auditors (IIA), risk assessment looks at the inherent risks first, before considering any controls. Although there’s some debate about whether to assess risks at the inherent level or the current level, the goal is always the same: to figure out the current risk level and identify the key controls in place to achieve that level. A risk matrix is often used to show the inherent risk in terms of how likely it is and how big the impact might be. After controls are applied, the reduced or current level of risk can then be identified. The effort to bring the risk down from its inherent level to the current level can be clearly shown on the matrix. Different terms are sometimes used: the inherent level of risk can also be called the absolute or gross risk, while the current level can be referred to as the residual, net, or managed risk level.

Example

Scenario: Data Breach in a Company

Inherent Risk (Before any controls are in place):

Let’s say a company stores sensitive customer data (personal information, credit card details) online.

  • Risk event: A potential data breach where hackers could steal customer information.
  • Likelihood: High (because cyberattacks are common).
  • Impact/Magnitude: Very high (since a breach would harm the company’s reputation, result in legal penalties, and lead to financial losses).

Inherent Risk Level: High likelihood + high impact = Severe Risk (This is the risk before any protective measures like firewalls, encryption, or employee training are put in place).


Current Risk (After controls are in place):

Now, the company implements several controls:

  • Strong firewalls and encryption for the data.
  • Multi-factor authentication for accessing sensitive data.
  • Regular staff training on cybersecurity practices.
  • A dedicated team that monitors and responds to any suspicious activity.

With these controls in place, the risk is reassessed:

  • Likelihood: Reduced to Medium (because controls reduce the chance of a breach but don’t eliminate it entirely).
  • Impact/Magnitude: Still high (a breach would be very damaging, but the chance is lower).

Current Risk Level (Residual Risk): Medium likelihood + high impact = Moderate Risk (This is the remaining risk after controls are applied).

Risk likelihood and impact

A risk matrix is a great way to show the likelihood and impact of risks. It can come in different formats, but no matter the style, it’s a helpful tool for those managing risks. A basic risk matrix compares the chance of an event happening with how big the impact would be if it does happen. This makes it easier for organizations to see if a risk is acceptable and if it fits within their ability to handle it or their comfort level with taking risks.

  • The top-right quadrant (High Likelihood, High Magnitude) is marked as very high risk (red).
  • The bottom-right quadrant (High Likelihood, Low Magnitude) is high risk (dark red).
  • The top-left quadrant (Low Likelihood, High Magnitude) is medium risk (yellow-orange).
  • The bottom-left quadrant (Low Likelihood, Low Magnitude) is low risk (green).

This visualization makes it easy to identify and prioritize risks based on their likelihood and potential impact. The figure above shows a basic risk matrix, sometimes called a risk map or heat map. It’s a common way to display the likelihood of a risk happening and the size or seriousness of the event if it does occur. A risk matrix helps organizations visualize individual risks to decide if they are acceptable and within their risk tolerance or capacity. In this figure, the vertical axis represents the magnitude of the risk. The term “magnitude” is used instead of “severity” so the matrix can be applied to different types of risks, like compliance, hazard, control, and opportunity risks. “Severity” often suggests a negative event, which applies more to compliance and hazard risks, while “magnitude” can refer to the inherent risk before any controls are applied. This risk matrix plots the likelihood of an event against its magnitude. However, risk managers are usually more concerned with the event’s impact and the resulting consequences. For example, a large fire may destroy a warehouse, but if the company has good insurance and backup plans, the financial impact could be minimal. The magnitude of an event can be seen as the inherent risk level, while the impact can be considered the managed or controlled risk level. The matrix can also indicate potential control measures for different risks, showing inherent, current (or residual), and target levels of risk. Colour-coding is often used to visually represent the importance of each risk. As risks move toward the top-right corner of the matrix, they become more likely and have a larger impact, meaning they require immediate and strong control measures.
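As an added illustration, not part of the original article or of the Hopkin text it draws on, the following Python risk register ties together the inherent-versus-current assessment from the data breach example above and the matrix rating described in this section. The level scale and rating table are my assumptions: the article’s matrix is 2×2 (low/high), and I extend it to low/medium/high so that the breach scenario’s residual likelihood of “medium” can be expressed; the four corner cells reproduce the article’s quadrants, and the remaining cells are assumed. The register entries, controls, and tolerance values are constructed sample data, not a real assessment.

```python
"""Risk register scored on a likelihood x magnitude matrix (added example, not from the article)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Ordinal scale for both axes. The article's matrix is 2x2 (low/high);
# the "medium" step is my assumption so the data-breach scenario's
# residual likelihood ("medium") can be expressed.
LEVELS = ("low", "medium", "high")

# Rating per (likelihood, magnitude) cell. The four corners reproduce the
# article's quadrants: (high, high) = very high, (high, low) = high,
# (low, high) = medium, (low, low) = low. The five cells involving
# "medium" are assumptions, not taken from the article.
MATRIX = {
    ("high", "high"): "very high",
    ("high", "medium"): "high",
    ("high", "low"): "high",
    ("medium", "high"): "medium",    # the article's "moderate risk" cell
    ("medium", "medium"): "medium",
    ("medium", "low"): "low",
    ("low", "high"): "medium",
    ("low", "medium"): "low",
    ("low", "low"): "low",
}
RATING_ORDER = ("low", "medium", "high", "very high")  # ascending severity


def rate(likelihood: str, magnitude: str) -> str:
    """Look up the matrix cell; unknown levels are rejected, not guessed."""
    if likelihood not in LEVELS or magnitude not in LEVELS:
        raise ValueError(f"levels must be one of {LEVELS}")
    return MATRIX[(likelihood, magnitude)]


@dataclass
class Risk:
    """A subset of the article's risk-description fields plus both assessments."""
    title: str
    category: str                                   # compliance / hazard / control / opportunity
    inherent: Tuple[str, str]                       # (likelihood, magnitude) before controls
    controls: List[str] = field(default_factory=list)
    current: Optional[Tuple[str, str]] = None       # after controls; None = not yet assessed
    tolerance: str = "medium"                       # highest rating the organization will accept

    def inherent_rating(self) -> str:
        return rate(*self.inherent)

    def current_rating(self) -> str:
        # Until controls have been assessed, the current level is the inherent level.
        return rate(*(self.current or self.inherent))

    def within_tolerance(self) -> bool:
        return RATING_ORDER.index(self.current_rating()) <= RATING_ORDER.index(self.tolerance)


def prioritize(register: List[Risk]) -> List[str]:
    """Titles ordered by current rating, highest first; ties broken by inherent rating."""
    def key(r: Risk):
        return (RATING_ORDER.index(r.current_rating()),
                RATING_ORDER.index(r.inherent_rating()))
    return [r.title for r in sorted(register, key=key, reverse=True)]


def report(register: List[Risk]) -> List[str]:
    """One line per risk showing the inherent-to-current movement on the matrix."""
    lines = []
    for r in register:
        flag = "ok" if r.within_tolerance() else "ABOVE TOLERANCE"
        lines.append(f"{r.title} ({r.category}): inherent={r.inherent_rating()}, "
                     f"current={r.current_rating()} [{flag}]")
    return lines


# Constructed sample register; the breach entry mirrors the article's scenario.
REGISTER = [
    Risk("Customer data breach", "hazard", inherent=("high", "high"),
         controls=["firewalls and encryption", "multi-factor authentication",
                   "staff training", "monitoring and response team"],
         current=("medium", "high")),
    Risk("Warehouse fire", "hazard", inherent=("low", "high"),
         controls=["insurance", "backup plans"], current=("low", "medium")),
    Risk("GDPR non-compliance", "compliance", inherent=("high", "medium")),  # not yet controlled
]

if __name__ == "__main__":
    for line in report(REGISTER):
        print(line)
    print("priority:", prioritize(REGISTER))
```

Running the module prints one line per risk with its inherent and current rating and whether it sits within the stated tolerance, followed by the prioritized list. A risk whose controls have not yet been assessed is reported at its inherent level, which is the conservative default: it stays flagged above tolerance until someone records the current level, rather than silently dropping off the priority list.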

Risk classification

Risks can be grouped based on different characteristics, like how quickly they will have an impact, the type of impact they cause, or how big the risk might be. They can also be classified by how long it takes for the effects to be felt after the event happens. Risks can be categorized by their source, such as credit risk or risks from a counterparty. Another way to classify risks is by looking at the type of impact they have. Some risks may affect a company’s finances, while others could disrupt operations or infrastructure. There are also risks that could harm the organization’s reputation or its public image. Risks can also be grouped based on which part of the business they affect, like people, buildings, processes, or products. When deciding how to classify risks, organizations need to think about whether to base the system on the source of the risk, the area affected, or the consequences of the risk. Each organization will choose a risk classification system that works best for its specific activities. Many risk management standards provide a classification system, and if an organization follows one of these standards, it will likely use the recommended system. There’s no single classification system that works for all organizations, so the system chosen should be relevant to the specific needs of the organization. It’s also common for a risk to be classified in multiple ways to fully understand its potential impact.
