Risk Management Strategies, Risk Management Process and the Risk Management Cycle
Risk management involves three key elements: risk identification, risk analysis and risk mitigation. ISO 31000 notes that organizations manage risk by anticipating, understanding and trying to control it. Through this process they communicate and consult with stakeholders, and monitor and review the risk and the controls that are modifying the risk.
The 'risk cycle' (or 'risk management cycle') is an expression of the continuous process of risk monitoring and management, portrayed as a cycle.
[Figure: the risk management cycle. Stages shown: Identify source of risk; Assess probability and impact of potential risk; Formulate risk management strategies; Allocate (remainder of label not legible); Implement risk management strategies; Monitor, report, review, feeding back into identification.]
Risk mitigation means lessening the adverse impact of risk events. The objective of risk mitigation is to reduce inherent risk to a level at which the assessed residual risk is acceptable to the organization.
Tolerate (accept) the risk: if the assessed likelihood or impact of the risk is negligible (or there is no viable way to reduce the risk), no further action may, for the moment, be required or justified (on a cost-benefit or business case basis). The risk may simply be acknowledged and registered, or it may be flagged for monitoring and periodic re-evaluation, in case the likelihood or impact of the risk escalates to the defined threshold for acceptable exposure. In either case, the rationale for risk acceptance should be clearly documented. Tolerance may be an adequate response for low-level risk, given competing demands for resources.
Transfer (or spread) the risk: e.g. by taking out insurance cover, by not putting all supply eggs in one basket (in other words, dual or multi-sourcing), or by using contractual terms to ensure that the costs of risk events will be borne by (or shared with) supply chain partners (e.g. by clarifying liability for risks at all stages of the contract, using liquidated damages clauses, insisting on supplier insurances, or sharing responsibility for risk monitoring as part of the contract management process). Risk transfer reduces the organization's exposure, but at the cost of insurance premiums, possible loss of economies of scale (from disaggregation), and possible damage to supply chain relationships.
Terminate (avoid) the risk: if the risk associated with a particular project or decision is too great and cannot be reduced, the organization may consider not investing or engaging in the activity or opportunity. So, for example, the decision to outsource a core function or to enter a politically unstable foreign market may be 'shelved' as too risky. Termination avoids unacceptable risk, but is not always possible. In addition, there may be loss of opportunities and portfolio synergies.
Treat (mitigate, minimize or control) the risk: take active steps to manage the risk in such a way as to reduce or minimize its likelihood or potential impact, or both. In relation to supply risk, this may involve measures such as supplier monitoring and performance management, codes of conduct, supplier certification, and contingency and recovery planning. Risk mitigation is designed to create an acceptable level of residual risk, although it also incurs the cost of the mitigation measures, and may raise the possibility of secondary risk (risk arising from the mitigation measures themselves).
Preventive controls are designed to limit the possibility of a negative outcome being realized. Examples include separation of duties, supervision, the requirement for approvals and authorizations, or proactive issues management in the field of reputation management.
Directive controls are designed to ensure that the desired outcome is achieved, e.g. health and safety regulations, supplier ethical policies and monitoring, staff training, the provision of protective equipment, and the use of e-procurement procedures.
Detective controls are designed to identify when an undesired risk event has occurred. They will usually be part of monitoring, project review, audit or reporting processes, such as vendor rating, project reviews, accident reporting, and customer and supplier attitude surveys.
Corrective controls are designed to mitigate the effect of undesirable outcomes once they have occurred. Examples include legal or contractual remedies for breach of contract, liquidated damages clauses, insurances, and crisis management and disaster recovery plans. Insurance and damages are basically designed to restore the organization to the same financial position it would have been in had the loss not occurred.
A risk owner should be appointed for each identified risk, with a view to monitoring the risk situation, updating the risk register, and briefing the risk management team on a regular basis.
Monitoring, reporting and review is an important part of risk management, in order to:
ascertain whether the organization's risk profile or exposure is changing, and identify newly emerging or escalating contractual or relationship-related risks
give assurance that the organization's risk management processes are effective, by demonstrating effective avoidance or mitigation of risks
indicate where contract risk management processes need improvement, or where lessons can be learned from critical incidents and contract problems
ensure that all aspects of the risk management process are reviewed at least once a year
ensure that the risks themselves are subjected to review with appropriate frequency (with appropriate provision for management's own review of risks and for independent review or audit)
make provision for alerting the appropriate level of management to new risks or to changes in already identified risks, so that the change can be appropriately addressed.
The role of individuals, work groups and project teams should include self-assessment on an ongoing basis and via regular reviews, audits and reports, including SWOT analysis, supplier appraisals, staff performance appraisals, quality assurance systems etc.
Risk self-assessment (RSA) or control and risk self-assessment (CRSA) are internal controls through which each area of the organization reviews its own activities using a documented framework or structured workshop approach. RSA allows risk owners to demonstrate and develop their involvement in the risk process, and their understanding of risk management issues.
Departmental reporting or stewardship reporting requires that managers report upwards on the current status of risk in their areas and on the work they have done in keeping risk and control procedures up to date in their respective areas.
The internal audit function provides an important, quasi-independent and objective report about the adequacy of risk management.
The phrase 'risk management strategy' may be used in two different ways, to refer to:
the formulation of a chosen approach or plan to deal with identified risks. In this sense, risk managers and teams at all levels will formulate risk management strategies, using the risk management cycle and selecting the most appropriate of the various risk mitigation options (the 4 Ts)
the formulation of a corporate (organization-wide), long-term, proactive strategic framework to manage risk in the organization and its supply chain, including accountabilities and governance structures; risk policies and tolerance; risk management processes and procedures; and plans to reinforce these arrangements through the creation of a risk-aware culture, in line with organizational risk appetite.
An integrated, strategic-level approach to risk management involves the following elements.
The risk management strategy comprises the processes that will be put in place to identify, assess, manage, review and report on organizational risk. However, the strategy should go further than the mechanics of risk management: it should aim to embed the principles and values of risk awareness and risk management throughout the organization and its culture.
Generic risk strategy process
1. risk appetite
2. strategic intent
3. risk policy
4. risk management strategy
5. organizational framework
1. Risk appetite: this involves shareholders' and stakeholders' expectations; culture (entrepreneurial? safety seeking?); past experience (successful? damaging?); and the industry (competition, innovation, opportunities).
2. Strategic intent: vision or mission; key values and principles (innovation? accountability?); key stakeholders.
3. Risk policy: identifying how potential threats can be reduced to a level compatible with the organization's risk appetite, market demands and strategic objectives, and relevant guidance and legal requirements.
4. Risk management strategy: the risk management mix of the 4 Ts, i.e. terminate, transfer, tolerate and treat.
5. Organizational framework: accountabilities (risk ownership, championing); forums for discussion and information sharing; risk documentation; risk event reporting, review and learning; monitoring and review of risk management systems.
Strategic leadership is crucial to effective risk management. In particular, there must be clear allocation of responsibility for risk management (expressed in a governance structure), in order to avoid exposure to the further risk of unmanaged risks causing damage or loss that could otherwise have been avoided, anticipated or mitigated.
The development of a coherent risk management strategy, with the board of directors taking ultimate responsibility for the governance structure and internal controls, ensures that strategic support will be maintained. The board has a fundamental role in the management of risk, including:
receipt of an annual opinion from the external auditors and/or the internal audit committee, including a review of the process of risk management and internal control
consideration of risk issues as they affect strategy planning, policy making and board-level decisions
periodically reviewing risks as part of the monitoring of annual operating plans.
An accounting officer may be appointed by the board as the person ultimately responsible for the management of risk, with responsibilities including:
developing up-to-date awareness and understanding of risks which could prevent the delivery of corporate objectives
ensuring that the organization has effective risk management processes and controls in place
seeking assurance that risk processes and controls are being effectively managed and implemented.
AS/NZS 4360 defines risk management as the culture, processes and structures that are directed towards realizing potential opportunities whilst managing adverse consequences. This definition embeds risk awareness and an appropriate risk appetite throughout an organization, not just in terms of policies and procedures, but at the level of core values, attitudes and behavioral norms.
Cranfield School of Management identifies four key variables that foster success in supply chain vulnerability management, continuity management and resilience.
Cultures which are dysfunctionally risk-averse (perhaps because the culture has failed to adapt to the changing risk profile of the organization) can be changed. The key tools of cultural change include the following:
consistent expression and modeling of new values by senior management, leaders and influencers
changing underlying values and beliefs through communication, education and the involvement of employees in discussing the need for new ideas and behaviors; spreading new values and beliefs and encouraging employees to own them; and reinforcing the change through rewards and recognition
embedding desired attitudes and behaviors in policies, procedures, rules, systems, employee communications, management styles etc., so that they become business as usual and are supported by all necessary information, resources and controls
using human resource management mechanisms to reinforce the changes: making the new values and behaviors criteria for recruitment and selection, employee appraisal and rewards.
The resources allocated for risk management will reflect the business sector the organization operates in, the nature of its vulnerabilities, and the extent of its exposure. Operations such as airlines, manufacturing, extraction and health care may have a high risk management budget, for example because of the need to comply with health and safety regulations. Organizations which have invested time and money in establishing high-profile corporate brands will similarly allocate resources to the management of reputational risk. Organizations which are highly dependent on ICT and knowledge systems will recognize the need to invest in information assurance.
Resources
Information resources: risk judgment must be based on sound information, and this requires robust internal and external management information systems (MIS) that can supply appropriate and timely data in appropriate formats. Environmental scanning, supply chain and industry networking, and benchmarking may need to be set up. A risk database and register may need to be developed to start building a robust, accessible base of risk information and knowledge sharing. Information resources include internal records and databases, MIS, DSS etc.
Human resources: the implementation of risk management requires the allocation of managerial and staff time to risk identification, assessment and mitigation activities. This may simply be embedded in day-to-day workloads (e.g. team briefings), but it may also require additional responsibilities, additional risk-focused activities or added layers of management. People resources for risk management include managerial input, trained and aware staff, and risk committee and audit teams.
Infrastructure development: may be required for new risk management initiatives, including the development of management and risk information systems, templates, and committee and governance structures.
Technology resources: to support risk management, these may include risk management information systems, automated risk monitoring and reporting systems, and technology-based risk mitigation measures.
Time resources: include adequate allowance of managerial and staff time for risk management activities, and also effective scheduling and time management.
Physical resources: include safe and well-maintained premises, plant, machinery and vehicles; protective and safety equipment; safe and secure storage facilities for hazardous substances and general inventory; demand-managed inventory levels, etc.
Financial resources: for risk management, these include adequate budgetary provision for the costs of information, managerial and staff time, mitigation measures, and the costs of pursuing opportunities (investments, innovation, product development etc.).