
RISK MANAGEMENT STRATEGIES

Risk management process

The risk management cycle

Risk management involves three key elements: risk identification, risk analysis and risk
mitigation. ISO 31000 notes that: Organizations manage risk by anticipating, understanding and
trying to control it. Through this process they communicate and consult with stakeholders and
monitor and review the risk and the controls that are modifying the risk.

The ‘risk cycle’ (or ‘risk management cycle’) is an expression of the continuous process of risk
monitoring and management, portrayed as a cycle.

[Figure: the risk management cycle. Stages shown: Identify (sources of risk); Assess (probability and impact of potential risk); Formulate (risk management strategies); Allocate (accountabilities and resources for managing identified risks); Implement (risk management); Monitor, report, review.]

• Risk identification: the process of seeking to identify potential problems or areas of
uncertainty.
• Risk assessment: the appraisal of the probability and significance of identified potential
risk events, i.e. how likely is it and how bad could it be? This is often quantified using the
basic formula: Risk = likelihood (probability) × impact (adverse consequence)

Risk Management and Mitigation strategies

Risk mitigation means lessening the adverse impact of risk events. The objective of risk
mitigation is to reduce inherent risk to a level at which the assessed residual risk is acceptable to
the organization.

Identifying and quantifying vulnerability allows an organization to prioritize planning and
resources to meet the most severe risks, and to set defined risk thresholds at which management
action on an issue will be triggered.

Risk management strategies are often classified as the four Ts:

• Tolerate (accept) the risk: if the assessed likelihood or impact of the risk is negligible (or
there is no viable way to reduce the risk), no further action may, for the moment, be
required or justified (on a cost-benefit or business case basis). The risk may simply be
acknowledged and registered, or it may be flagged for monitoring and periodic
re-evaluation, in case the likelihood or impact of the risk escalates to the defined threshold
for acceptable exposure. In either case, the rationale for risk acceptance should be clearly
documented. Tolerance may be an adequate response for low-level risk, given competing
demands for resources.
• Transfer (or spread) the risk: e.g. by taking out insurance cover, or not putting all supply
eggs in one basket (in other words, avoiding dual or multi-sourcing), or using
contractual terms to ensure that the costs of risk events will be borne by (or shared with)
supply chain partners (e.g. by clarifying liability for risks at all stages of the contract,
using liquidated damages clauses, insisting on supplier insurances, or sharing
responsibility for risk monitoring as part of the contract management process). Risk
transfer reduces the organization’s exposure, but at the cost of insurance, possible loss of
economies of scale (from disaggregation), and possible damage to supply chain
relationships.
• Terminate (avoid) the risk: if the risk associated with a particular project or decision
is too great and cannot be reduced, the organization may consider not investing or
engaging in the activity or opportunity. So, for example, the decision to outsource a core
function or to enter a politically unstable foreign market may be ‘shelved’ as too risky.
Termination avoids unacceptable risk, but is not always possible. In addition, there may
be a loss of opportunities and portfolio synergies.
• Treat (mitigate, minimize or control) the risk: take active steps to manage the risk in
such a way as to reduce or minimize its likelihood or potential impact, or both. In
relation to supply risk, this may involve measures such as: supplier monitoring and
performance management; codes of conduct; supplier certification; contingency and
recovery planning etc. Risk mitigation is designed to create an acceptable level of residual
risk, although it also incurs the cost of mitigation measures, and may raise the possibility
of secondary risk (arising from mitigation measures).

Treating or mitigating risk is often explained in terms of the application of controls:

• Preventive controls are designed to limit the possibility of a negative outcome being
realized. Examples could include separation of duties, supervision, the requirement for
approval and authorizations, or proactive issues management in the field of reputation
management.
• Directive controls are designed to ensure that the desired outcome is achieved, e.g.
health and safety regulations, supplier ethical policies and monitoring, staff training, the
provision of protective equipment, the use of e-procurement procedures.
• Detective controls are designed to identify when an undesired risk event has
occurred. They will usually be part of monitoring, project review, audit or reporting
processes, such as vendor rating, project reviews, accident reporting, customer and
supplier attitude surveys etc.
• Corrective controls are designed to mitigate the effect of undesirable outcomes once
they have occurred. Examples include legal or contractual remedies for breach of
contract, liquidated damages clauses, insurances, crisis management and disaster
recovery plans etc. Insurance and damages are basically designed to restore the
organization to the same financial position it would have been in had the loss not
occurred.

MONITORING, REPORTING AND REVIEW OF RISK.

A risk owner should be appointed for each identified risk, with a view to monitoring the risk
situation, updating the risk register, and briefing the risk management team on a regular basis.

Monitoring, reporting and review is an important part of risk management, in order to:

• ascertain whether the organization’s risk profile or exposure is changing, and identify
newly emerging or escalating contractual or relationship-related risks
• give assurance that the organization’s risk management processes are effective, by
demonstrating effective avoidance or mitigation of risks
• indicate where contract risk management processes need improvement, or where lessons
can be learned from critical incidents and contract problems.

The review process should:

• ensure that all aspects of the risk management process are reviewed at least once a year
• ensure that the risks themselves are subjected to review with appropriate frequency (with
appropriate provision for management’s own review of risks and for independent review
or audit)
• make provision for alerting the appropriate level of management to new risks or to
changes in already identified risks, so that the change can be appropriately addressed.

Review can use a number of tools and techniques:

• The role of individuals, work groups and project teams should include self-assessment on
an ongoing basis and via regular reviews, audits and reports, including SWOT analysis,
supplier appraisals, staff performance appraisals, quality assurance systems etc.
• Risk self-assessment (RSA) or control and risk-assessment (CRSA) are internal controls
through which each area of the organization reviews its own activities using a
documented framework or structured workshop approach. RSA allows risk owners to
demonstrate and develop their involvement in the risk process, and their understanding of
risk management issues.
• Departmental reporting or stewardship reporting requires that managers report upwards
on the current status of risk in their areas and on the work they have done in keeping risk
and control procedures up to date in their respective areas.
• The internal audit function provides an important, quasi-independent and objective report
about the adequacy of risk management.

RISK MANAGEMENT STRATEGY

The phrase risk management strategy may be used in two different ways, to refer to:

• The formulation of a chosen approach or plan to deal with identified risks. In this sense,
risk managers and teams at all levels will formulate risk management strategies, using the
risk management cycle and selecting the most appropriate of the various risk mitigation
options (4 Ts).
• The formulation of a corporate (organization-wide), long-term, proactive strategic
framework to manage risk in the organization and its supply chain, including
accountabilities and governance structures; risk policies and tolerance; risk management
processes and procedures; and plans to reinforce these arrangements through the creation
of a risk-aware culture, in line with organizational risk appetite.

An integrated strategic-level approach to risk management involves the following elements:

• integrated management of an organization’s full spectrum of risk
• dealing with risk as a strategic issue, from a high-level corporate perspective
• recognizing that strategic success usually depends upon taking risks
• engaging all functions and line management levels in the process
• bridging the traditional ‘silos’ or risk disciplines (e.g. financial, strategic, supply, health
and safety, technology, information and reputational risk)

The risk management strategy comprises the process that will be put in place to identify, assess,
manage, review and report on organizational risk. However, the strategy should go further than
the mechanics of risk management: it should aim to embed the principles and values of risk
awareness and risk management throughout the organization and organizational culture.

Generic risk strategy process

1. Risk appetite
2. Strategic intent
3. Risk policy
4. Risk management strategy
5. Organizational framework

1. Risk appetite: involves shareholders’ and stakeholders’ expectations; culture
(entrepreneurial? safety seeking?); past experience (successful? damaging?); industry
(competition, innovation, opportunities)
2. Strategic intent: vision or mission; key values and principles (innovation?
accountability?); key stakeholders
3. Risk policy: identifying how potential threats can be reduced to a level compatible with
the organization’s risk appetite; market demands and strategic objectives; and relevant
guidance and legal requirements
4. Risk management strategy: the risk management mix (4 Ts), i.e. terminate, transfer, tolerate
and treat
5. Organizational framework: accountabilities (risk ownership, championing); forums for
discussion and information sharing; risk documentation; risk event reporting, review and
learning; monitoring and review of risk management systems

Governance structure for Risk Management

Strategic leadership is crucial to effective risk management. In particular, there should be a clear allocation
of responsibility for risk management (expressed in a governance structure), in order to avoid
exposure to the further risk of unmanaged risks causing damage or loss that could otherwise be
avoided, anticipated or mitigated.

The development of a coherent risk management strategy, with the board of directors taking
ultimate responsibility for governance structure and internal controls, ensures that strategic
support will be maintained. The board has a fundamental role in the management of risk,
including:

• receipt of an annual opinion from the external auditors and/or internal audit committee,
including a review of the process of risk management and internal control
• consideration of risk issues as they affect strategy planning, policy making and
board-level decisions
• periodically reviewing risks as part of the monitoring of annual operating plans

An accounting officer may be appointed by the board as the person ultimately responsible for the
management of risk.

• developing up-to-date awareness and understanding of risks which could prevent the
delivery of corporate objectives
• ensuring that the organization has effective risk management processes and controls in
place
• seeking assurance that risk processes and controls are being effectively managed and
implemented

RISK MANAGEMENT CULTURE

AS/NZS 4360 defines risk management as the culture, processes and structures that are directed
towards realizing potential opportunities whilst managing adverse consequences. This definition
embeds risk awareness and appropriate risk appetite throughout an organization, not just in
terms of policies and procedures, but at the level of core values, attitudes and behavioral norms.

Cranfield School of Management identifies 4 key variables that foster success in supply chain
vulnerability management, continuity management and resilience:

• risk awareness among top management
• risk awareness as an integral part of supply chain management
• an understanding by each employee of his or her role in risk awareness
• an understanding that changes in business strategies change supply chain profiles

Creating the desired risk culture

Cultures which are dysfunctionally risk-averse (perhaps because the culture has failed to adapt to
the changing risk profile of the organization) can be changed. The key tools of cultural change
include the following:

• consistent expression and modeling of new values by senior management leaders and
influencers
• changing underlying values and beliefs, through communication, education and
involvement of employees in discussing the need for new ideas and behaviors: spreading
new values and beliefs and encouraging employees to own them, and reinforcing the
change through rewards and recognition
• embedding desired attitudes and behaviors in policies, procedures, rules, systems,
employee communications, management styles etc. so that they become business as usual
and are supported by all necessary information, resources and controls
• using human resource management mechanisms to reinforce the changes: making the
new values and behaviors criteria for recruitment and selection, employee appraisal and
rewards

Resources for Risk Management

The resources allocated for risk management will reflect the business sector the organization
operates in, the nature of its vulnerabilities, and the extent of its exposure. Operations such as
airlines, manufacturing, extraction and health care may have a high risk management budget, for
example because of the need to comply with health and safety regulations. Organizations which have
invested time and money in establishing high profile corporate brands will similarly allocate
resources to the management of reputational risk. Organizations which are highly dependent on
ICT and knowledge systems will recognize the need to invest in information assurance etc.

Resources

• Information resources: risk judgment must be based on sound information, and this
requires robust internal and external management information systems (MIS) that can
supply appropriate and timely data in appropriate formats. Environmental scanning,
supply chain and industry networking and benchmarking may need to be set up. A risk
database and register may need to be developed to start building robust, accessible risk
information and knowledge sharing. Information resources include: internal records and
databases; MIS; DSS etc.
• Human resources: the implementation of risk management requires the allocation of
managerial and staff time to risk identification, assessment and mitigation activities. This
may simply be embedded in day-to-day workloads (e.g. team briefings), but it may also
require additional responsibilities, additional risk-focused
activities or added layers of management. People resources for risk management include:
managerial input, trained and aware staff, and risk committee and audit teams.
• Infrastructure development: may be required for new risk management initiatives,
including the development of management and risk information systems, templates,
committee and governance structures.
• Technology resources: to support risk management, these may include risk management
information systems, automated risk monitoring and reporting systems, and
technology-based risk mitigation measures.
• Time resources: include the adequate allowance of managerial and staff time for risk
management activities, and also effective scheduling and time management.
• Physical resources: include safe and well-maintained premises, plant, machinery and
vehicles; protective and safety equipment; safe and secure storage facilities for
hazardous substances and general inventory; demand-managed inventory levels, etc.
• Financial resources: for risk management, these include adequate budgetary provision for costs
of information, managerial and staff time, mitigation measures, and costs of pursuing
opportunities (investments, innovation, product development etc.).
