TMHM 2 – Risk Management as Applied to Safety, Security, Hygiene and Sanitation with Seminar on Hazard

Analysis and Critical Control Point (HACCP)

UNIT 1 - INTRODUCTION TO RISK

MANAGEMENT

Learning Outcomes

At the end of the unit, the student will be able to:

1. explain the basic concepts of risk management;

2. identify and explain risk management, its classifications, and principles;
3. enumerate and explain the steps of risk assessment as the core of risk management; and
4. develop good reasoning ability in answering and delivering a case study.

In life, we all face risks. These risks could be physical, mental, social, psychological,
spiritual, and emotional which have an impact on our lives. So as with any organization, risks
are also common. The point is these risks should be properly managed for the organization to
survive and succeed. Risk management has become a popular strategy for an organization.

To do these, an organization must include effective risk management strategies in the

preparation of their risk management plans and later on their operational management systems.
Thus, a basic understanding of risk management is a vital foundation for the manager as he
performs his duties and responsibilities towards the realization of the company’s goals and
objectives.

Lesson 1 – Risk and Management Definitions

Before getting into details of risk management, we will first define risk. The word “risk” in
English derives from its Latin root word risicare, which means “to dare”, which implies the
possibility to choose a course of action (Bernstein, 1998). Literature defined the word “risk” with
many different meanings. Risk is the chance or possibility of danger/threat, loss, and injury
(Oxford English Dictionary); the probability, consequences /impacts of the actual outcome, or
likelihood of the event (Agosto, 2014).
TMHM 2 – Risk Management as Applied to Safety, Security, Hygiene and Sanitation with Seminar on Hazard
Analysis and Critical Control Point (HACCP)

DEFINITIONS PERSPECTIVE SOURCE

Effect of uncertainty objectives Enterprise Risk (ISO, 2009)
Management
The frequency and magnitude of loss Information Security (The Open Group 2009)
that arises from a threat.
Risk is a combination of the likelihood of Occupational Health & ( OHSAS, 2007)
an occurrence of hazardous event or Safety Assessment
exposure(s) and the severity of an injury
or ill health that can be caused by the
event or exposure(s)
The exposure to uncertainty Financial ( Lhabitant&Tinguely, 2001)
Variance of return. Financial (Markowitz, 1952)
Project risk is an uncertain event or Project Management (PMI, 2000)
condition that, if it occurs, has a positive
or a negative effect on a project
objective.
The possibility that an event will occur Enterprise Risk (COSO, 2004)
and adversely affect the achievement of Management
objectives.
Possibility of process objective not being Business Process (Cope et al., 2010)
met. Management
The potential variation of outcomes that Supply Chain Management Bogataj&Bogataj, 2007
influence the decrease of value-added
at any activity cell in a chain, in which
the outcome is described by the volume
and quality of goods in any location and
time in the supply chain flow .
An adverse event which is uncertain, William, (1995)
either randomly or epistemologically Project Management
Table 1. Risk definitions

The International Organization for Standardization (ISO) defines risk as to the “effect of
uncertainty on objectives”. Other definitions of risks are presented in Table 1. It should be noted
that risks affecting organizations can have consequences in terms of economic performance
and professional reputation, as well as environmental, safety, and societal outcomes. Therefore,
managing risk effectively helps organizations to perform well in an environment full of
uncertainty.

We’ve already defined the word risk, now it’s time for us to have a basic understanding
of the definition of management. Many kinds of literature defined management as the act of
getting people to work together to accomplish an organization’s goals and objectives using
available resources efficiently and effectively. If we look at the organization as a system, the
term management can be defined as human action as it requires to design and it facilitates the
production of useful outcomes within that or from a system. With this view, it encourages the
opens the opportunity to manage oneself, a pre-requisite to attempting to manage others.

As mentioned above, the attainment of the organization’s goals and objectives also lies
in the efficient and effective deployment and manipulation of several different resource types
TMHM 2 – Risk Management as Applied to Safety, Security, Hygiene and Sanitation with Seminar on Hazard
Analysis and Critical Control Point (HACCP)

available with management. These resources include natural, human, financial, and technical
resources.

Type of Management Styles Literature tells us the different types of management styles
that are of practical use to any organization. However, in recent years, the management
process has changed. Work teams and servant leadership came into the context of
management, which changed what is expected from managers, and at the same time what
managers expect from their employees.

1. Traditional Management.
This type of management is restricted to the hierarchy of employees. Managers deals
with low level, mid-level management, and senior management. Managers expect their
employees to meet the organization's goals, but the manager receives the recognition/
reward of meeting those goals. For the details of traditional management styles, please
refer to this link https://www.managementstudyguide.com/management-style.htm.
2. Team Management.
The manager guides its team members in solving the organization’s problems but
doesn’t dictate policy. The entire team receives the reward of meeting the organization’s
goals.
3. Servant Management.
The manager helps employees in supplying resources needed to the realization of
organizational goals. The good thing about servant leadership is that the organization
recognizes employees as experts in their respective fields of specialization and that the
organization is supporting employees to work efficiently.

Note that no matter which type of management style is used by an organization, let us
not forget that the main objective of managers is to help employees reach company goals and
maintain company standards and policies.

On the other hand, management has six functions namely planning, organizing, staffing,
leading or directing, and controlling an organization (a group of one or more people or entities)
or effort to accomplish a goal. Planning means defining performance goals for the organization
and determining what actions and resources are needed to achieve the goals. The organizing
function involves deciding how the organization will be structured (by departments, matrix
teams, job responsibilities, etc.). Staffing is the management function devoted to acquiring,
training, appraising, and compensating employees. Leading as a management function is a
practice by communicating goals throughout the organization, by building commitment to a
common vision, by creating shared values and culture, and by encouraging high performance.
Controlling is the process of monitoring activities, measuring performance, comparing results to
objectives, and making modifications and corrections when needed. For an indepth discussion
of these functions, please refer to this link
https://courses.lumenlearning.com/sunyprinciplesmanagement/chapter/primaryfunctions-of-
management

Lesson 2 – Risk Management

TMHM 2 – Risk Management as Applied to Safety, Security, Hygiene and Sanitation with Seminar on Hazard
Analysis and Critical Control Point (HACCP)

Agosto (2014) defines risk management as the culture, processes, and structures by
which an organization conducts effective management of risk. Risk management is also defined
by Food and Agriculture Organization (FAO) within Codex as the process of weighing policy
alternatives in the light of the results of risk assessment and, if required, selecting and
implementing appropriate control options, including regulatory measures.

Classifications of Risk Management

1. Financial Risk Management.

Financial risk management is the "optimization of risk exposure by becoming aware of the
risks, measuring the risks, using accounting information, future cash flow projections, and
levels of a contingent or economical exposure, and adjusting the risk" (Lhabitant&Tinguely,
2001).
The classification of risks are as follows:
• Market Risk: risks that potentiate loss due to adverse changes in some financial market
variables;
• Credit Risk: risks that potentiate loss due to a counterpart failing to make payment;
• Operational Risk: risks that potentiate loss originated by human errors, system failures or
inadequate procedures or controls;
• Liquidity risk: risks related to the ease with which a corporation can convert an asset into
a cash amount equal to its current market value.

Through the use of financial instruments, financial risk management deals with the time and
form of hedging risk exposures. As a financial instrument, derivates play an important role in
financial risk management. The main types of derivates are forward contracts, futures
contracts, options, and swaps.

Business process risk management Karduck et al. (2007) refer to risk management as a
support process for process management. Risk management of business processes
focuses on the integration of risk management within business process management.
Types of business process risks are as follows.
 Build time risks: related to the design phase of a business process;
 Goal risks: the risk that threatens the possibility of the business process achieving the
expected objectives;
 Structural risks: related to the design phase of a business process structure;
 Run time risks: related to process disruption, these risks threaten internal components of
the business process structure preventing them from performing as designed.
TMHM 2 – Risk Management as Applied to Safety, Security, Hygiene and Sanitation with Seminar on Hazard
Analysis and Critical Control Point (HACCP)

Enterprise risk management

According to the ISO 31000 standards, risk management refers to the "coordinated
activities to direct and control an organization with regards to risk". The enterprise risk
management intends to give an enterprise-wide approach to risk to have risk management
integrated within the practices and policies of the organization, becoming an effective support
tool for management (ISO, 2009). There are two main types of enterprise risks: core and non-
core business risks (Grey and Shi (2005):

1. Core business risks: risks that impact the company's core business activities;
 Operational risk - related to the way a company operates the business. It
includes factors as human error, fraud or technical failures
 Value chain risk - related to the goods and services delivered to the costumers. It
is caused by key business drivers like fluctuations in the price of goods or quantity
changes

2. Non-core business risks: risks that affect the support activities of the company,
depending on the frequency of the risk event. Can be divided into:
 Event risks -include legal risk, natural hazard, political risk, regulatory risk,
economic and reputational risk;
 Market risk -originated by market prices fluctuation;
 Credit risk - uncertainty caused by debtors failing to fulfill their obligations;
 Tax risk: Is originated from the tax position of a company.

Supply Chain Risk Management.

Supply chain risk management can be defined as "the process of risk mitigation
achieved through the collaboration, coordination, and application of risk management tools
among the partners to ensure continuity, coupled with long term profitability of the supply chain"
(Faisal, Banwet, & Shankar, 2007).

There are two types of uncertainty sources (Cucchiella and Gastaldi (2006):

1. Internal sources or available capacity - relates to the networks financial, productive and
structural availability for a project;
 Customs regulations - reflects the risk of exposure to regulations;
TMHM 2 – Risk Management as Applied to Safety, Security, Hygiene and Sanitation with Seminar on Hazard
Analysis and Critical Control Point (HACCP)

 Information delays - reflects the risk of not having the information available at the
moment in time that it is needed;
 Internal organization - the risk of non-cooperation in the supply chain or inability
to adopt new technology.
2. External sources
 Competitor action - risks that derive from the loss of competitive advantage;
 Political environment - the risk that results from contextual change and
unforeseeable regulatory action;
 Price fluctuations - the risk of not being able to cover the costs of the network
due to price fluctuations;
 Stochastic cost - the risk that results from the product becoming obsolete;
 Supplier quality - the risk of inability to supply specific skills.

Project Management Risk

According to the Project Management Institute (PMI), risk management is "the

systematic process of identifying, analyzing, and responding to project risk. Project
management risks can be divided into four categories;

 Technical, Quality or Performance Risk - risk related to the choice of technology, the
technological reliance and the setting of unrealistic performance goals;
 Project Management Risk - the risk that results from poor use of project management
tools and variables;
 Organizational Risk - related to the allocation of the project by the organization, with
the necessary conditions to succeed;
 External Risk - risks that have external origins to the project in which are included
natural hazards, regulatory changes, or labor issues.

Information Systems Risk Management

According to Elky (2006), information systems risk management is "the process of

understanding and responding to factors that may lead to a failure in the confidentiality, integrity
or availability of an information system". The Symantec Group (2008) classifies the risks as:

 Security risks: risks that result from internal or external unauthorized access to
information;
 Availability risks: risks that information might not be accessible due to unplanned system
failures;
 Performance risks: risks related to inaccessible information as a result of scalability
limitations or throughput bottlenecks;
 Compliance risks: risks of failure to meet regulatory requirements or failure to meet
internal policy requirements.
TMHM 2 – Risk Management as Applied to Safety, Security, Hygiene and Sanitation with Seminar on Hazard
Analysis and Critical Control Point (HACCP)

Information systems risk management is not just a technical issue. Enterprises must
understand the growing number of IT risks in an environment that results from the combination
of users, new technologies, and the spread of sensitive data.

Insurance Risk management

The Insurance Risk Management Institute (IRMI) defines insurance risk management as
"the practice of identifying and analyzing loss exposure and taking steps to minimize the
financial impact of the risk they impose". Insurance risk management focuses primarily on pure
risks, i.e., those risks that only involve potential loss. Types of insurance risk management
(Rejda, 2006).

 Property risks: related to the damage of physical property, loss or theft resulting from
various hazards;
 Liability risks: risk of hurting the third party and being held liable for bodily injury or other
damages;
 Loss of potential income risk: potential income loss by a company whose operations
have been interrupted;
 Other risks: Additional risks include crime exposure, human resources exposure, foreign
loss exposure, intangible property exposure, and government exposure Insurance risk
management focused on protecting companies from natural disasters and exposures,
such as fire, theft, or employee injuries.

Lesson 3 Risk Assessment

Risk assessment is an art that requires skill and imagination. It is the heart of the risk
management process, and a critical component of an operational risk management system.

Business companies are fortunate because of the availability of numerous established

tools helpful in identifying hazards and assessing risk. Selecting the method best suited to the
situation may require modification of existing tools or multiple methods to best assess and
control risks.

Assessing risk is art. Risk assessment requires certain skills, knowledge, and
experience that are rooted in system safety. But the authors believe that it also requires
imagination and creativity to successfully anticipate, recognize, assess, and treat potential risks.
Merriam-Webster’s dictionary defines art as “something that is created with imagination and skill
and that is beautiful or that expresses important ideas or feelings; a skill acquired by
experience, study or observation.” The art of risk assessment lies partially in the ability to modify
appropriate methods to the application and express the information in a way that effectively
communicates risk. The ultimate purpose of assessing risk is to gain an understanding of a
TMHM 2 – Risk Management as Applied to Safety, Security, Hygiene and Sanitation with Seminar on Hazard
Analysis and Critical Control Point (HACCP)

risk’s nature, its causes, potential impacts and likelihood, and to determine whether additional
controls are necessary so that it is acceptable to the organization and society.

The risk assessment process is used by safety professionals to systematically assess an

organization’s operational risks. It is considered the foundation of risk management and the
basis for safety practice. Literature tells us that organizations that incorporate effective risk
assessment strategies within their risk management plans and operational risk management
systems tend to be highly successful.

The process of risk assessment includes identifying, analyzing, and evaluating risks.
Understanding these processes and its result provides a valuable reference in making business
decisions, whether the identified risk is acceptable, and what control measures are most
appropriate.

Ultimately, the output of risk assessment is an input to the decisionmaking processes.

The cyclical risk assessment process steps are: establish risk criteria; establish context;
assemble team; identify hazards; analyze risks; evaluate risks; treat risks; document;
monitor/review.

As a general rule, when selecting a risk assessment method, the simplest tool or tools
that provide sufficient information to make an appropriate risk management decision is advised.

Hazard/Risk Identification Methods

Risk identification deals with finding, recognizing, and recording hazards. Usually, almost
all risk assessment efforts begin with some form of brainstorming or checklist method to identify
potential hazards. Such efforts can incorporate structured interviews, document reviews, formal
brainstorming sessions, or simply a quick review of an application checklist. The options are
many, however, the Occupational Safety and Health (OSH) professional should strive to select
the most effective and efficient methods for the circumstances.

Risk Analysis

Once hazards and risks are identified, methods for analyzing consequences, their
causes, severity levels, probability or likelihood of occurrence, and existing controls are needed.
For example, an Failure Mode and Effects Analysis (FMEA) method allow each hazard (failure)
to be analyzed in terms of the aforementioned aspects resulting in risk levels or scores. PHA
provides a pre-control and post-control view of the risk, however, it may not be as detailed in the
information. Bow tie analysis has advantages of displaying risk pathways and barriers or
controls if risk communication is of high importance to senior management. Again, many options
exist and should be leveraged to increase the understanding of the risk.

Risk Evaluation

Upon analyses of the risks and their controls, and evaluation of the existing risk levels is
performed to determine the acceptability of risks and where certain risks require further
treatment. A risk assessment matrix is generally used based on the organization’s defined risk
TMHM 2 – Risk Management as Applied to Safety, Security, Hygiene and Sanitation with Seminar on Hazard
Analysis and Critical Control Point (HACCP)

criteria. A cost/benefit analysis or business impact analysis can be useful in providing financial
and non-financial benefits of proposed control measures, or in highlighting the need for further
study.