SMQR5103: Enterprise Risk Management
INTRODUCTION
SMQR5103 Enterprise Risk Management is one of the courses offered at Open
University Malaysia (OUM). This course is worth 3 credit hours and should be
covered over 8 to 15 weeks.
COURSE AUDIENCE
This is a core course for all learners undertaking the Master of Quality
Management programme.
STUDY SCHEDULE
It is a standard OUM practice that learners accumulate 40 study hours for every
credit hour. As such, for a three-credit hour course, you are expected to spend
120 study hours. Table 1 gives an estimation of how the 120 study hours could be
accumulated.
Study Activities                                                              Study Hours
Briefly go through the course content and participate in initial discussions    3
Study the module                                                               60
Attend 3 to 5 tutorial sessions                                                10
Online participation                                                           12
Revision                                                                       15
Assignment(s), test(s) and examination(s)                                      20
TOTAL STUDY HOURS ACCUMULATED                                                 120
COURSE LEARNING OUTCOMES
1. Explain the principles, process, tools and techniques of risk management and
its relation to corporate governance and business sustainability;
3. Analyse different categories of risks and their application for effective risk
assessment and risk management.
COURSE SYNOPSIS
This course is divided into 10 topics. The synopsis for each topic can be listed as
follows:
Topic 2 explains the requirements for risk management under the Malaysian Code
on Corporate Governance and under several international standards such as
ISO 9001:2015.
Topic 4 elaborates the process of risk identification: identifying the external
and internal factors that have the potential to prevent the organisation from
achieving its objectives, using strategic management tools (such as SWOT
analysis), together with the different categories of risk and examples of each.
Topic 5 further elaborates the process of risk analysis using a likelihood and
consequence criteria table, risk evaluation using a risk assessment matrix and
action tables, and risk treatment through the terminate, reduce, accept, pass
(TRAP) concept.
Topic 7 discusses the meaning and application of risk appetite, risk tolerance and
the importance of risk culture in an organisation. Risk culture begins at the top.
The success of risk management in an organisation is reflected in the risk attitude
and risk behaviour of every employee. In other words, the risk culture is
embedded in the organisation.
Topic 8 covers the different types of risk assessment techniques currently
available. It elaborates in detail on two very commonly used techniques:
environmental aspects and impacts assessment, and hazard identification, risk
assessment and determining control (HIRADC). Other critical success factors in
risk assessment are also discussed in this topic.
Topic 9 introduces the current global risks that all countries may face. These
global risks may become enterprise risks. To stay competitive in the global
market, organisations should be alert and responsive to these risks through the
systematic use of risk management processes. The role of the board of directors
(BOD) and senior management in the success of risk management initiatives and in
ensuring business sustainability, as well as the barriers to implementing risk
management, are also covered in this topic.
Topic 10 analyses three case studies that will enable learners to relate the
knowledge gained to real-life situations.
Learning Outcomes: This section refers to what you should achieve after you have
completely covered a topic. As you go through each topic, you should frequently
refer to these learning outcomes. By doing this, you can continuously gauge your
understanding of the topic.
Summary: You will find this component at the end of each topic. This component
helps you to recap the whole topic. By going through the summary, you should be
able to gauge your knowledge retention level. Should you find points in the
summary that you do not fully understand, it would be a good idea for you to
revisit the details in the module.
Key Terms: This component can be found at the end of each topic. You should go
through this component to remind yourself of important terms or jargon used
throughout the module. Should you find terms here that you are not able to
explain, you should look for the terms in the module.
References: The References section is where a list of relevant and useful textbooks,
journals, articles, electronic content or sources can be found. The list can appear
in a few locations such as in the Course Guide (at the References section), at the
end of every topic or at the back of the module. You are encouraged to read or
refer to the suggested sources to obtain the additional information needed and to
enhance your overall understanding of the course.
PRIOR KNOWLEDGE
No prior knowledge required.
ASSESSMENT METHOD
Please refer to myINSPIRE.
REFERENCES
Department of Standards Malaysia. (2010). Risk management - Principles and
guidelines (ISO 31000:2009, IDT). Cyberjaya, Malaysia: Author.
INTRODUCTION
What is risk? Many of us think of risk as something complicated and technical
that only occurs in the workplace. Actually, without realising it, we face many
types of risk every day, even when we take a bath at home (see Figure 1.1).
Figure 1.1: Can you identify the potential risk(s) in this picture?
We also make plans and efforts to reduce these risks. Why? Because we have an
objective and a target to achieve. So what is risk? Generally, anything that
prevents us from achieving our objective is a risk.
To understand this further, let us imagine a scenario. Every morning, our target
is to arrive at the workplace before 9.00 am. However, there is a risk that we
will reach the office late. What is the possible cause of this risk? In other
words, what factor or factors could contribute to the risk of us not reaching the
office before 9.00 am? In this scenario, traffic congestion is clearly one of the
factors contributing to the identified risk.
Therefore, to mitigate this risk we should plan to wake up at a certain time, say
6.00 am, and be on the road before the traffic becomes heavy. If we do not get on
the road on time, there is a high possibility that we will not arrive at the
workplace on time because of traffic congestion. Figure 1.2 illustrates this
situation and the relationship between the risk, the source of the risk and the
risk-mitigation plan.
The source of the risk is traffic congestion. The mitigation plan is to wake up
at 6.00 am. Is the risk high, moderate or low? To answer this, we need to go
through the process of risk assessment.
Based on the scenario, we can understand that the risk management concept
encompasses:
So let us further understand the risk management concept in the next subtopics.
Happy reading!
Let us imagine that our organisation is like a ship on the ocean (see Figure 1.4).
Imagine we are on a ship sailing from Port B to Port D. Inevitably, we will face
many challenges during the voyage to Port D. Therefore, we need to stay alive and
keep the ship on course to complete the journey.
The challenges come not only from external factors such as the wind, the weather
and the ocean waves but also from internal factors such as the condition of the
ship, the equipment, the crew, the ports and the captain.
Therefore, to stay afloat and reach Port D, the captain, as the leader, has to
play a major role in ensuring that the ship reaches its destination safely. All
crew (as followers) must work with the captain to ensure that we do not sink on
the journey to Port D. Hence, the crew must consider all the challenges and make
the right choices to keep the ship on course until it reaches the destination.
Now, let us apply the scenario to our organisation. Our organisation, too, is
moving from a starting point towards an ultimate destination. What is that
ultimate destination? It is the vision of our organisation. We plan to achieve
the vision through missions and strategic goals, together with many objectives.
Along the way, however, we need to consider the challenges from external and
internal factors that could prevent us from achieving our objectives; these are
known as risks. We can use our past experience and knowledge to analyse those
risks and find the best solutions or controls to prevent them from occurring.
These processes are called risk management.
So, why must we manage risks? We must manage risk because the organisation faces
external and internal factors that make it uncertain whether the objectives will
be achieved. The effect of this uncertainty on objectives is known as "risk" and
the process of managing these risks is known as "risk management".
SELF-CHECK 1.1
ACTIVITY 1.1
Think of one activity that you went through today. What was the
objective and target of your activity? What was the risk, for example, the
event that prevented you from achieving the objective of your activity?
Discuss your experience in the myINSPIRE forum.
(b) Thinking of ways to take preventive action as part of our routine, because
"prevention is better than cure".
(e) Being able to integrate risks and opportunities into the overall process of
the quality management system.
Example: Titanic
Titanic was a British passenger ship that sank in the North Atlantic Ocean in the
early morning of 15 April 1912 after colliding with an iceberg during her maiden
voyage from Southampton, England, to New York City in the US (see Figure 1.6).
The sinking of the Titanic caused the deaths of more than 1,500 people in one of
the deadliest peacetime maritime disasters in modern history.

Example: Challenger
The space shuttle Challenger (see Figure 1.7) broke apart shortly after launch on
28 January 1986, killing all seven crew members. Hot gas leaked through failed
O-ring seals, which were not designed to handle the unusually cold conditions at
the time of the launch. The failed seals allowed the flame to reach the external
fuel tank, which ignited and tore the shuttle apart.

Example: Ford Pinto
Some 27 people were determined to have been killed in rear-end-crash explosions
involving Pintos (see Figure 1.8). It was revealed that many people were burned
to death when the car burst into flames after being hit from behind. In one of
the few cases brought to trial, a California jury awarded a boy who had been
severely burned and disfigured a total of USD126 million; the driver of the car
had died from her injuries a few days after the 1972 accident.

Example: Macondo well (Deepwater Horizon drilling rig)
On 20 April 2010, the Deepwater Horizon semi-submersible drilling rig exploded
while drilling BP's Macondo well (see Figure 1.9). High-pressure methane gas from
the well expanded into the drilling riser and rose into the rig, where it ignited
and exploded. Of the 126 crew members on board, 11 died. The explosion also
caused a massive oil spill.

Example: Mary McClinton
Mary McClinton (see Figure 1.10) checked into Virginia Mason Medical Center in
Seattle on 4 November 2004 for treatment of a brain aneurysm. Doctors planned to
inject her with a contrast dye to help them guide a stent into her brain via a
catheter in her leg. Instead, they injected her with an antiseptic (a topical
cleaning agent) that had been stored in an unlabelled container on the same tray
as the dye. The antiseptic blocked the flow of blood in her leg, which swelled to
twice its normal size. Within hours, McClinton's blood pressure dropped, her
kidneys failed and she suffered a stroke. As the toxin coursed through her
system, her other organs began to fail as well. Nineteen agonising days later,
Mary McClinton died.
SELF-CHECK 1.2
ACTIVITY 1.2
Based on the examples in Table 1.1, identify the possible causes of the
problems and the impacts on organisations. Discuss your answer in the
myINSPIRE forum.
(b) Improving the identification of the threats and opportunities that could
arise from those external and internal factors.
SELF-CHECK 1.3
Risk in general means anything that prevents you from achieving your objective.
In other words, it is the effect of uncertainty on the achievement of your
objective.
There are potential causes and impacts related to the identified risk.
Other reasons are to allocate resources effectively for risk treatment, protect
our assets and valuable resources, and assure consistency of quality of goods
and services.
Chapman, R. J. (2011). Simple tools and techniques for enterprise risk management
(2nd ed.). Hoboken, NJ: Wiley.
INTRODUCTION
In today's volatile business environment, it is becoming more difficult and
challenging for organisations to stay competitive and sustainable. We need to
keep abreast of evolving changes and new developments in all aspects of our
business activities, not forgetting compliance with the statutory, legal and
regulatory requirements that are part and parcel of business activity.
What awaits you in this topic? In this topic, we will discuss one of the
requirements in the Malaysian business environment, the Malaysian Code on
Corporate Governance (MCCG). Later, we will discuss the international standards
and their requirements. So are you ready to discover more? Let us continue with
the "sailing". All aboard!
On 26 April 2017, the Securities Commission Malaysia (SC) issued the fourth
edition of the code, MCCG 2017, which took immediate effect and superseded the
previous issuance. The review had to consider the following:
MCCG 2017 sets out best practices to strengthen corporate culture based on
accountability and transparency. It has 33 guidelines to facilitate 36 practices
(including four step-ups) with 12 intended outcomes to support three core
principles as shown in Figure 2.1.
The MCCG is compulsory for companies listed on Bursa Malaysia. However, other
organisations are encouraged to adopt the principles and recommendations of the
MCCG, to help them achieve their desired targets (revenue, profit, market share)
and remain sustainable.
Risk management is addressed under Principle B (the second principle), Effective
Audit and Risk Management. The following is extracted directly from MCCG 2017 on
risk management.
The board of directors is responsible for the company's risk management and
internal control systems. It should set appropriate policies on internal control
and seek assurance that the systems are functioning effectively. The board must
also ensure that the system of internal control manages risks and forms part of
its corporate culture.
Intended Outcome
9.0 Companies make informed decisions about the level of risk they want
to take and implement necessary controls to pursue their objectives.
Practice
9.1 The board should establish an effective risk management and internal
control framework.
9.2 The board should disclose the features of its risk management and
internal control framework, and the adequacy and effectiveness of this
framework.
Step Up
Guidance
9.1 The board should determine the company's level of risk tolerance and
actively identify, assess and monitor key business risks to safeguard
shareholders' investments and the company's assets. Internal controls
are important for risk management and the board should be committed
to articulating, implementing and reviewing the company's internal
control framework.
9.2 The board should, in its disclosure include a discussion on how key risk
areas such as finance, operations, regulatory compliance, reputation,
cyber security and sustainability were evaluated and the controls in
place to mitigate or manage those risks. In addition, it should state if the
risk management framework adopted by the company is based on an
internationally recognised risk management framework.
Intended Outcome
Practice
10.1 The Audit Committee should ensure that the internal audit function is
effective and able to function independently.
10.2 The board should disclose whether internal audit personnel are free
from any relationships or conflicts of interest, which could impair their
objectivity and independence; the number of resources in the internal
audit department; name and qualification of the person responsible for
internal audit; and whether the internal audit function is carried out in
accordance with a recognised framework.
Guidance
(a) Satisfy itself that the person responsible for internal audit has
relevant experience;
It is expected that the role of internal auditors will evolve and expand
to include providing advisory support on strategy. This requires
internal auditors to go beyond the execution of the internal audit plan
and undertake root-cause analysis to provide proactive strategic advice
and suggest meaningful business improvements. As such, internal
auditors should continuously keep abreast with developments in the
profession, relevant industry and regulations.
Figure 2.2: The interrelation between corporate governance and enterprise risk
management (ERM)
Source: Chapman (2011)
ACTIVITY 2.1
Assuming you are one of the board members, discuss in the myINSPIRE forum the
terms of reference of the Board Risk Committee and its responsibilities.
In addition, it provides the latest tools, techniques, methods and best practices that
can be applied by all types of organisations.
Being the world's largest developer of international standards, ISO has developed
over 18,500 standards with the support of its central secretariat based in
Geneva, Switzerland. Malaysia is a participating member of ISO through the
Department of Standards Malaysia (DSM).
The simplified stages involved in the development of an ISO standard are shown
in Figure 2.3.
Based on Figure 2.3, after a proposal for the development of a standard (new
work item proposal) is approved by the relevant technical committee (TC) or
subcommittee (SC), the TC or SC sets up a working group (WG) to prepare a
working draft (WD). The working group revises the working draft until it is
confident that the content is stable.
When the working draft is stable enough, and the working group is satisfied that
it meets the purpose originally proposed for the standard, the working draft
becomes a committee draft (CD). It is then sent to the participating members
(P-members) of the TC or SC for ballot.
Once enough positive votes have been received, the CD becomes a final committee
draft (FCD). When consensus is reached on the content, it is finalised for
submission as a draft international standard (DIS).
The DIS is then submitted to the national bodies for voting and comments within
a period of five months. If a two-thirds majority of the P-members of the TC or
SC is in favour of the standard (and, under the ISO/IEC Directives, not more
than one-quarter of the votes cast are negative), it is approved as a final draft
international standard (FDIS). ISO then holds another ballot of the national
bodies, this time within a period of two months, and if a two-thirds majority of
the P-members of the TC or SC is again in favour, it is approved as an
international standard (IS).
The ISO central secretariat then publishes the international standard for
dissemination. Developing an international standard is a systematic and arduous
process, designed to ensure the standard's acceptance and applicability in all
countries worldwide.
To date, the technical committee responsible for risk management has developed
four international standards in the field, as listed in Table 2.1.
ISO Guide 73:2009
The use of a uniform risk management terminology in the risk management process
and framework is very important to eliminate inconsistencies and
misunderstandings. This guide provides the definitions of key terms related to
risk management. It provides a consistent understanding of the terminology used
in risk management as well as in other management system standards.

ISO 31000:2018
This standard provides principles and generic guidelines on risk management. Any
organisation, public or private, association, group or individual can use this
standard as a guideline for establishing and maintaining its risk management. It
can be applied throughout the organisation to a wide range of projects,
processes, operations and activities.

ISO/TR 31004:2013
This technical report provides guidance for organisations on managing risk
effectively in accordance with ISO 31000, and explains the underlying concepts of
that standard. Note that it was written against the 2009 edition of ISO 31000
and predates the 2018 revision.

IEC 31010:2019
This standard supports ISO 31000:2018 by providing guidance on the selection and
application of systematic techniques for risk assessment. It introduces a range
of risk assessment techniques and describes each technique's concept and
application in detail.
SELF-CHECK 2.1
ACTIVITY 2.2
Based on ISO GUIDE 73:2009, identify which terms and definitions are
very important in the field of risk management. Discuss your answer in
the myINSPIRE forum.
Figure 2.4: Relationship between the risk management principles, framework and process
proposed by ISO 31000:2018
Source: ISO (2018)
The roles and responsibilities of the board of directors, chief executive, directors
and managers as well as steering committees, internal auditors and other relevant
key personnel with respect to risk management should be clearly defined. In line
with the roles and responsibilities, a risk management organisational structure
should also be developed.
SELF-CHECK 2.2
ACTIVITY 2.3
In the earlier version, risk-based thinking was addressed only implicitly
(through the preventive action requirement). The 2015 version explicitly
addresses risk throughout the management system. Clause 4 of ISO 9001:2015
requires the organisation to determine the internal and external issues that
could affect its ability to achieve the intended results of its quality
management system.
Moreover, the standard also requires the organisation to determine the relevant
interested parties and their requirements that could affect the organisation's
ability to consistently provide products and services that meet those
requirements. The standard also requires the organisation to comply with
applicable statutory and regulatory requirements, so breaching the law can
itself be considered a risk.
These factors are then considered in identifying risks and opportunities, as
required in Clause 6.1.1 of the standard. An appropriate action plan needs to be
established after analysing and evaluating the risks and opportunities, as stated
in Clause 6.1.2. Under the same clause, the standard requires the organisation to
evaluate the effectiveness of the actions taken, which means they need to be
monitored. Monitoring and review are explicitly addressed in Clause 9 of the
standard, which specifically mentions:
In addition, Clause 5.1.2 requires top management to demonstrate leadership and
commitment with respect to customer focus by ensuring that the risks and
opportunities that can affect the conformity of products and services and the
ability to enhance customer satisfaction are determined and addressed.
Let us look at Table 2.3 which shows you a prominent correspondence between
ISO 9001:2015 and ISO 31000:2018.
Table 2.3: Prominent Correspondence between ISO 9001:2015 and ISO 31000:2018
Apart from ISO 9001:2015, there are other management system standards that adopt
the same risk-based thinking. A common format has been developed for use in
management system standards; it includes the following:
ACTIVITY 2.4
• The Malaysian Code on Corporate Governance (MCCG) sets out best practices to
strengthen corporate culture, pillared on accountability and transparency. It
has 33 guidelines to facilitate 36 practices (including four step-ups) with
12 intended outcomes to support three core principles, one of which is effective
audit and risk management.
Chapman, R. J. (2011). Simple tools and techniques for enterprise risk management
(2nd ed.). Hoboken, NJ: Wiley.
INTRODUCTION
In Topic 2, you were introduced to the Malaysian Code on Corporate Governance
(MCCG), which states that the board should establish an effective risk
management and internal control framework and a risk management committee to
oversee the company's risk management framework and policy. Proper risk
management and internal control are important aspects of a company's
governance, management and operations.
The ISO 31000:2018 standard is widely used as a guide to establishing the risk
management process, while the supporting IEC 31010:2019 provides a range of
techniques for carrying out the risk assessment step.
Keep in mind that the ISO 31000:2018 can also be applied to a wide range of
activities, operations, processes, projects, products and services besides the overall
organisation.
Therefore, in this topic, we will learn in depth about the risk management
process and procedures. Let us continue with the lesson.
In this topic, we will further our understanding of the risk management
principles and framework. First, let us explore the risk management principles.
The ISO standard outlines eight principles as the foundation for effective and
efficient risk management (see Figure 3.1).
Integrated: An integral part of all organisational activities.
Structured and comprehensive: Contributes to consistent and comparable results.
Customised: The framework and process are customised and proportionate to the
organisation's external and internal context related to its objectives.
Inclusive: Appropriate and timely involvement of stakeholders enables their
knowledge, views and perceptions to be considered.
Dynamic: Risks can emerge, change or disappear as an organisation's internal
and external context changes.
Best available information: The inputs to risk management are based on
historical and current information, as well as future expectations.
Human and cultural factors: Human behaviour and culture significantly influence
all aspects of risk management at each level and stage.
Continual improvement: Continually improved through learning and experience.
The standard also sets out a risk management framework. What is the purpose of
the framework? Its purpose is to assist the organisation in integrating risk
management into its significant activities and functions. The effectiveness of
risk management depends on its integration into the governance of the
organisation, including decision-making. This requires support from
stakeholders, particularly top management.
(c) Assessing;
(d) Treating;
As stated earlier, the involvement of top management and an oversight body is
important. They need to demonstrate leadership commitment to risk management so
that it is aligned with the company's objectives, strategy and culture.
SELF-CHECK 3.1
1. What is the purpose of risk management?
2. State the eight principles of risk management as proposed by ISO
31000:2018.
3. Name the five processes in the ISO 31000:2018 framework.
Based on Figure 3.3, we can see that it starts from understanding the scope, context
and criteria. Then, the next process is risk assessment which involves the
following:
After that, the subsequent process is called the risk treatment along with other
considerations namely:
Similarly, let us recall Figure 1.2 (see Topic 1). We identified traffic
congestion as one of the external factors that may cause you to be late for
work. However, the factors can be extended to include:
(b) Poor road conditions such as uneven roads, flooded roads or roads under
construction; and
That is why we need to establish the context of risk management. What does
establishing the context mean? It means:
(a) Defining the external and internal parameters to be taken into account when
managing risk; and
(b) Setting the scope and risk criteria for the risk management policy.
Similarly, the organisation should define the scope of its risk management
activities. It is important to be clear about the scope under consideration, the
relevant objectives to be considered and their alignment with organisational
objectives.
(b) The key drivers and trends having impact on the objectives of the
organisation; and
(b) Policies, objectives and the strategies that are in place to achieve them;
Laws and regulation: Laws and regulations can affect the capability of an
organisation to achieve its objectives and targets. For example, some laws and
regulations may prevent the organisation from doing certain things that it
normally does. On the other hand, some laws and regulations can benefit the
organisation.

Economy: This is another important element of the risk environment. Some
countries have very volatile economies, which can affect the market, while
others have a mature economic environment.

Corporate governance requirements: In Malaysia, the Securities Commission
Malaysia has released the Malaysian Code on Corporate Governance (MCCG), to be
implemented by companies listed on Bursa Malaysia to foster a strong culture of
corporate governance. All organisations listed on Bursa Malaysia are required to
comply with the MCCG.

Stakeholders' expectations: Most organisations have a number of
interdependencies which impact the organisation's risk management. Together,
these interdependencies are called the extended enterprise. Examples include
government bodies, partner organisations, customers, contractors, suppliers,
employees and others.
Once we are familiar with the external factors, we need to assess the internal
factors which involves understanding of the following:
Establishing the context is the first stage of the risk management process. Put
simply, it means putting the risk under consideration into perspective, in a way
that even someone who knows nothing about it can follow.
Thus, this stage provides a general understanding of all the factors that
contribute to the business. It is done by identifying the internal and external
parameters that affect the likelihood of success in achieving the pre-set
objectives (see Table 3.3).
By contrast, the internal context consists of the internal environmental
parameters, issues and factors faced by the organisation, such as its
governance, culture, values, capabilities and the expectations of employees.
Who is a stakeholder?
Stakeholders also include those who have the perception that a decision or an
activity can affect them. Thus, it is essential to be able to distinguish between
external and internal stakeholders as their influences vary.
The success in establishing the context depends on the availability of relevant data
and information, and the depth of the evaluation. Since the evaluation provides a
basic foundation to the overall risk management process, it would be helpful to
include the following information:
The output of this process, the findings, should be recorded and included in a
report. The report should include an appendix listing all reference documents.
SELF-CHECK 3.2
1. Define external and internal contexts. Give three examples for each
of them.
2. Who is a stakeholder?
Risk identification: We have learnt that risk is the effect of uncertainty on
objectives. When a risk is identified, care should be taken to avoid defining the
risk with statements that are simply the opposite of the objectives. A statement
of risk should include the cause of the risk and the impact on the objective
(cause and consequence) that might arise. The process of risk identification
includes:
SELF-CHECK 3.3
At a later stage, effective communication and consultation should take place so
that the stakeholders understand, agree with and are accountable for the actions
and decisions made on the particular risks.
The review also needs to include the effectiveness of control being put in place and
the ability of the organisation to achieve its pre-set objectives.
Now you can see that the risk management concept covers a very wide area: establishing
the context, assessing the risks, evaluating the risks after considering the existing
controls, mitigation plans, communication and consultation, monitoring and review,
and lastly recording and reporting the risks.
We have learnt that risk assessment is one of the activities involved in risk
management. This can be simplified as shown in Figure 3.5.
SELF-CHECK 3.4
ACTIVITY 3.1
In your work setting, select an activity or process and apply the risk
assessment and risk treatment concept. Share your answer for discussion
in the myINSPIRE forum.
The ISO 31000:2018 standard is widely used as a guide to establishing the risk
management process.
There are eight principles outlined under the standard for effective and efficient
risk management:
Integrated;
Structured and comprehensive;
Customised;
Inclusive;
Dynamic;
Best available information;
Human and cultural factors;
Continual improvement.
Establishing the scope, context and criteria (external and internal factors);
Risk treatment;
There are four strategies of risk treatment which are terminating the risk,
reducing the risk, accepting the risk and passing the risk to another party.
Accept
Best available information
Communication and consultation
Continual improvement
Customised
Design
Dynamic
Evaluate
External
Human and cultural factors
Implement
Improve
Inclusive
Integrate
Internal
Monitoring and review
Pass
Recording and reporting
Reduce
Risk analysis
Risk assessment
Risk evaluation
Risk identification
Risk management
Risk treatment
Scope, context and criteria
Structured and comprehensive
Terminate
INTRODUCTION
In Topic 3, we talked about the overall risk management process. Now, let us
move on to a more detailed aspect of the risk management processes, that is
risk identification.
Take note that the risk management process is initiated by understanding the
background of the business as a whole and identifying the external and internal
factors to be taken into account in managing the risk. Some organisations use the
following tools to facilitate this exercise:
(c) PESTLE (political, economic, social, technological, legal and environmental)
analysis.
Risks should be identified in relation to objectives. The objectives can range from
personal objectives to organisational objectives. An appropriate and effective
methodology should be adopted in order to identify risks, as risks that are not
identified will not be managed.
Let us learn more on risk identification in the next subtopics. Happy reading!
Both terms mean grouping the issues relating to the risks into their own particular
classes. The classes or categories of risk applied in one organisation may differ from
another depending on:
(a) Location;
Apart from these external influences, there are also internal influences that could
give rise to risks in your organisation. Unlike the former, the organisation
leadership has control over the internal factors.
Thus, managing these influences is the key to business success. More often than not,
the organisation provides a formal structure by establishing clear mission and
vision statements to address them. Generally, the categories of risk reflect the
categories of influence. Let us look at Table 4.1, which shows the typical categories
of risk.
Table 4.1: Typical Categories of Risk
External influences: Environmental; Economic; Political; Technological; Social; Market.
Internal influences: Financial; Operational; Legal; Strategic; Reputational.
SELF-CHECK 4.1
Chapman (2011) in his book entitled Simple Tools and Techniques for Enterprise
Risk Management has addressed several issues related to political, economic,
social and technological aspects to be considered by organisations as external
influences. These issues are shown in Figure 4.1.
How do these issues affect organisations? The following are examples of how
issues related to political, economic, social and technological risks can negatively
affect an organisation (Philips, 2013):
(a) Negative economic growth impacting the global liquidity markets could
affect the ability of the organisation to raise or refinance debt in the capital
markets or could lead to significant increases in the cost of such borrowing
in the future.
(d) Fluctuations in energy and raw material prices. Commodities such as oil are
subject to volatile market forces and significant price increases from time to
time. If the organisation is not able to compensate for or pass on its increased
costs to customers (such as through price increases), this could have an
adverse impact on its financial condition and operating results.
(e) Interest rate risk, particularly in relation to its long-term debt position; this
risk can take the form of either fair value or cash-flow risk. Failure to
effectively hedge this risk can affect an organisation's financial condition and
operating results.
(f) Different fiscal and tax uncertainties, such as double taxation, penalties and
interest payments, which may have a significant impact on local tax results and
in turn adversely affect the organisation's financial condition and operating
results.
(h) Restriction, scrutiny and inspection by the authorities and regulatory bodies.
(i) Changes in regional and local regulatory rules, which may affect the
realisation of business opportunities and investments in those countries.
These risks are further explained in the next subtopics. Bear in mind that the
examples given in the subtopics are only a guide to you. In reality, they depend on
the type of business, geographical location and other contributing factors. This is
because the same risks identified in one category by one organisation may be put
in a different category by another.
Financial risk is defined as the risks associated with the organisation's financial
and accounting policies, cash management, rules and regulations, as well as
potential losses from business transactions.
Some examples of financial risks adapted from Philips (2013) and the Early
Childhood Learning & Knowledge Center (ECLKC) (2018) are illustrated in
Figure 4.3.
These five common types of financial risk are further explained in Table 4.2.
Table 4.2: Types of Financial Risk
Fraud: What is fraud? Fraud is a wrongful or criminal deception intended to result in
financial or personal loss. It is the generic term for the fraudulent taking of
property, or any act of stealing or type of theft, including burglary, swindling,
forgery and embezzlement.
Investments: Investments need to be controlled and monitored regardless of the size
of the investment funds. Poor investment decisions, such as the purchase of junk
bonds or investing in "politically incorrect" companies, can result in the
organisation losing money, a loan crisis and, ultimately, bankruptcy.
Misuse of funds: Misuse of funds occurs when funds are inappropriately expended. As
pressures continue to mount for non-profit organisations to meet social needs, it is
often easy to lose sight of the organisation's mission.
Physical assets: Physical assets such as office furniture, fixtures and equipment are
also subject to risk. A fire or flood can damage or destroy an office. Meanwhile, an
employee, volunteer, computer hacker or other person wanting to harm the
organisation can steal or damage its assets.
Market risk: Market risk is the probability of loss a business owner faces from the
banking industry as a whole. Banks that continually engage in risky lending
practices, such as buying and selling toxic loans, can increase the market risk
relating to business financing.
(a) Diversification
What is diversification?
You can manage your financial risk by diversifying your investments in a deliberate
way, for example 25 per cent in fixed deposits, 55 per cent in physical assets and
20 per cent in insurance schemes.
Operational risk is the potential for loss due to failures of people, processes
and technology and external dependencies.
Peccia (2001)
Legal risk is generally defined as the risk of an organisation failing to meet its
legal obligations. It also describes the potential for loss arising from the
uncertainty of legal proceedings, such as bankruptcy.
Non-contractual right: This is also known as intellectual property risk. It is the risk
that the business fails to assert its non-contractual rights, for example through
poor management of trademarks, patents, trade secrets and channel knowledge.
Non-contractual obligation: The risk that the business fails to keep to the spirit as
well as the letter of the law. It includes infringement of third-party intellectual
property rights and inappropriate use of social media.
Dispute: The risk that the business makes operational or strategic errors when it
manages disputes. The risk emerges when the organisation fails to adhere to dispute
resolution timelines or otherwise mismanages the dispute process.
Strategic risks are the potential loss arising from a poor strategic business
decision resulting in the organisation failing to achieve its objectives.
In other words, these risks are determined by the board based on the objectives
and direction of the organisation.
Do you have any idea of your organisation's strategic risks? Try an Internet search
for them and you will find an almost endless list of answers. The following are some
simplified examples of strategic risks listed by Marr (2013):
(a) Corporate governance risk is the risk that insiders (employees) will not act in
the best interests of the stockholders.
(b) Strategy execution risk occurs when the execution of a business strategy fails.
(c) Strategy forecast risk emerges when the organisation's business strategy is off
the mark, for example because of an invalid sales forecast.
(f) Intellectual property risk is the risk of intellectual property loss and liability.
(g) Merger and acquisition risk, which almost always arises when integrating firms.
In fact, reputation problems have the biggest impact on revenue and brand value and
may lead to bankruptcy in extreme cases.
Among the risks typically associated with reputation are (Deloitte Global Survey,
2014):
(b) Security risks, including both physical and cyber breaches, followed closely by
product and service risks, such as those related to safety, health and the
environment; and
ACTIVITY 4.1
Out of the categories of risks stated, identify the risks that may be
associated with your organisation. Then, explain in detail the risks,
source of these risks and the risk treatment. Post your answer for
discussion on the myINSPIRE forum.
SELF-CHECK 4.2
State the meaning of financial risk, operational risk, legal risk, strategic
risk and reputational risk. Give four types of risk related to each of them.
If you still remember, risk has been defined as the effect of uncertainty on
objectives. Therefore, the information in both the weaknesses and threats
quadrants represents the influences that could contribute to your organisation's
risks and needs to be well managed.
ACTIVITY 4.2
Risk categories vary from one organisation to another, depending on the type
of business, geographical location and other contributing factors.
Legal risk is the potential for loss arising from failure to meet legal obligations
and from the uncertainty of legal proceedings, such as bankruptcy.
Strategic risk is the potential loss arising from a poor strategic business
decision resulting in the organisation failing to achieve its objectives.
Chapman, R. J. (2011). Simple tools and techniques for enterprise risk management (2nd ed.). Hoboken, NJ: Wiley.
Early Childhood Learning & Knowledge Center (ECLKC). (2018). The most common financial, management risks facing nonprofits. Retrieved from https://eclkc.ohs.acf.hhs.gov/fiscal-management/article/most-common-financial-management-risks-facing-nonprofits
Philips. (2013). Philips annual report 2013: Delivering innovations that matter to you. Retrieved from http://www.annualreport2013.philips.com/content/en/risk_management/risk_categories_and_factors.html
INTRODUCTION
You have learnt in Topic 3 that risk identification, risk analysis and risk evaluation
are parts of risk assessment. We have discussed in detail the risk identification
process in Topic 4. Now, let us further understand the next processes namely risk
analysis, risk evaluation and risk treatment.
After the risk analysis, the next step is risk evaluation. Risk evaluation is the
process to determine the significance or level of a particular risk. This process
includes the decision that needs to be made on whether the risk needs treatment,
prioritising for treatment and whether the activity should be undertaken or not.
Based on the result of the risk evaluation, the next process is risk treatment. In
risk treatment the organisation has to determine the next course of action for the
prioritised or high-impact risks in order to mitigate them, so that the organisation
can achieve its objectives. Let us learn more about these three processes in the
next subtopics. Happy reading!
As stated earlier, this process can be conducted using quantitative analysis,
qualitative analysis, or both together. It can also be conducted manually or by
using software applications.
What is the main difference between qualitative and quantitative risk analysis?
The main difference is that qualitative analysis uses a relative or descriptive scale
to measure the probability of occurrence, whereas quantitative analysis uses a
numerical scale. Further explanation of these two methods is given in Table 5.1.
What are the other differences between qualitative and quantitative analysis? In
general, the differences between qualitative and quantitative analysis are shown
in Table 5.2.
Table 5.2: The Differences between Qualitative Analysis and Quantitative Analysis
Qualitative: Organisational-level; subjective evaluation of probability and impact;
quick and easy to perform; no special software or tools required.
Quantitative: Project-level; probabilistic estimates of time and cost; time
consuming; may require specialised tools.
(b) The consequences of the risk and the effects on objectives and stakeholders;
and
Likelihood level, likelihood of occurrence and criteria:
Almost certain: Event is expected to occur in most circumstances; a common or
repeated occurrence. Criteria: happens most of the time within the fiscal year at
the department/centre or in other similar activities.
Likely: Event will probably occur in most circumstances; known to occur and has
happened several times before. Criteria: occurred several times before at the
department/centre or in other similar groups.
Unlikely: Event could occur at some point in time; not likely to occur but could
occur. Criteria: never happened among the group of companies or other similar
groups in the past 10 years.
Rare: Event may occur only in exceptional circumstances or is practically
impossible. Criteria: never happened in the industry, for example a natural disaster.
Impact criteria for the risk category "Stakeholders":
Critical: Loss of confidence resulting in withdrawal of financial support by
stakeholders.
Major: Changes in stakeholders' policies resulting in loss of opportunities.
Minor: Demand by stakeholders for more options resulting in increased competition.
Negligible: Comments made by stakeholders cause the organisation to review its
services.
SELF-CHECK 5.1
Risk evaluation involves determining the significance of the level and type of
risk and making decisions about future activities.
Using the RAM and the ratings of consequence and likelihood established earlier, you
can find the risk rating by multiplying the likelihood scale by the consequence scale
for each risk event. Once the risk rating has been determined, we need to decide on
the future action. In determining the action, we can establish a risk action table as
shown in Table 5.5. Using the table, the appropriate action can be decided
immediately.
SELF-CHECK 5.2
Residual risk is the risk left over after you have implemented a risk treatment
option.
In other words, it is the risk that remains after you have reduced the risk,
removed the source of the risk, transferred the risk or retained the risk.
Residual risk by control effectiveness (row) against gross risk (columns: Low,
Moderate, Significant, High):
Ineffective: Moderate | Significant | High | High
Take note that it is important that the risk treatment applied is able to reduce
the risk or the residual risk to an acceptable level.
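The rating, banding, action-table and residual-risk steps described above can be mechanised as a small risk-register calculator. The following is an added example, not code from this module or from ISO 31000. It uses the module's four-level likelihood and impact scales, its rule that L and M are within appetite while S and H are not, and its "Ineffective" residual-risk row; the rating thresholds for the L/M/S/H bands, the action per band, the other two control-effectiveness rows and the sample register are assumptions made for illustration.

```python
"""Risk assessment matrix (RAM), risk action table and residual-risk lookup.

Added example, not from the OUM module. Scales follow the module's likelihood
and impact tables; thresholds, actions, the two non-"ineffective" residual rows
and the sample register are assumptions.
"""
from dataclasses import dataclass

# Four-level scales from the module's likelihood and impact tables.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "likely": 3, "almost certain": 4}
IMPACT = {"negligible": 1, "minor": 2, "major": 3, "critical": 4}


def band(rating: int) -> str:
    """Assumed banding of the product L x C (1..16) into the RAM levels L/M/S/H."""
    if rating <= 2:
        return "L"
    if rating <= 6:
        return "M"
    if rating <= 9:
        return "S"
    return "H"


# Assumed risk action table (the module's Table 5.5 is not reproduced here).
ACTION = {
    "L": "Accept; monitor through routine review",
    "M": "Reduce; risk owner to treat within an agreed timeline",
    "S": "Treat as a priority; report to senior management",
    "H": "Immediate action; escalate to the board; consider terminating the activity",
}

# Appetite from the module's worked example: L and M acceptable, S and H not.
ACCEPTABLE = {"L", "M"}

# Residual-risk lookup: control effectiveness -> gross band -> residual band.
# The "ineffective" row is the module's; the other two rows are assumptions.
RESIDUAL = {
    "ineffective": {"L": "M", "M": "S", "S": "H", "H": "H"},
    "partially effective": {"L": "L", "M": "M", "S": "S", "H": "H"},
    "effective": {"L": "L", "M": "L", "S": "M", "H": "S"},
}


def rate(likelihood: str, impact: str) -> int:
    """Risk rating = likelihood scale x consequence scale."""
    return LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()]


@dataclass
class Risk:
    ident: str
    statement: str            # cause and consequence, not the inverted objective
    likelihood: str
    impact: str
    control_effectiveness: str = "ineffective"


def assess(risk: Risk) -> dict:
    """Gross rating and band, the action the table prescribes, and the residual band."""
    rating = rate(risk.likelihood, risk.impact)
    gross = band(rating)
    residual = RESIDUAL[risk.control_effectiveness.lower()][gross]
    return {
        "id": risk.ident,
        "rating": rating,
        "gross": gross,
        "action": ACTION[gross],
        "residual": residual,
        "within_appetite": residual in ACCEPTABLE,
    }


def needs_treatment(register: list) -> list:
    """IDs of risks whose residual level is outside appetite, highest rating first."""
    out = [a for a in map(assess, register) if not a["within_appetite"]]
    out.sort(key=lambda a: a["rating"], reverse=True)
    return [a["id"] for a in out]


# Constructed sample register (illustrative only).
SAMPLE_REGISTER = [
    Risk("R1", "Unpatched internet-facing server leads to a data breach and a regulatory fine",
         "likely", "critical", "partially effective"),
    Risk("R2", "Key supplier insolvency delays delivery and triggers contract penalties",
         "unlikely", "major", "effective"),
    Risk("R3", "Staff turnover leaves the testing laboratory unable to meet its monthly sample target",
         "almost certain", "minor", "ineffective"),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(assess(r))
    print("Treat first:", needs_treatment(SAMPLE_REGISTER))
```

In the sample register, R1 rates 12 (H) and stays H even with partially effective controls, R3 rates 8 (S) and rises to H because its control is ineffective, while R2 rates 6 (M) and drops to L under an effective control, so only R1 and R3 fall outside appetite and are listed for treatment.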
SELF-CHECK 5.3
ACTIVITY 5.1
Risk analysis and risk evaluation are parts of the risk assessment.
Risk evaluation involves determining the significance of the level and type of
risk and making decisions about future activities.
Two tools that can be used to evaluate risk are risk assessment matrix (RAM)
and risk action table.
There are four strategies of risk treatment or risk response. It can be simplified
into TRAP which stands for termination of risk, reduction of risk, accepting the
risk and passing the risk.
INTRODUCTION
Apart from risk identification, risk analysis, risk evaluation and risk treatment,
there are other processes, which are important that make up an effective risk
management. These other processes are as shown in Figure 6.1.
Figure 6.1: Three other processes of risk management based on ISO 31000:2018
Source: ISO (2018)
All the processes should be embedded in the risk management and to be applied
in organisational practices. Let us learn more on these three processes in the next
subtopics. Happy reading!
In other words, the roles and responsibilities of the board of directors, chief
executive, directors, managers, steering committee, task force, internal auditors
and other relevant key personnel who are involved in the risk management
process of the organisation should be clearly defined. As a result, the process of
communication and consultation could be effectively implemented.
SELF-CHECK 6.1
These processes are therefore important because the context of the risk may
change: for example, introducing a new control could create new risks in the
system, existing results might change, a treatment may turn out not to be
effective, a risk may be overlooked, and so on.
(a) Objective;
What is the purpose of monitoring and review? The purpose of monitoring and
review is to assure and improve the quality and effectiveness of process, design,
implementation and outcomes. Ongoing monitoring and periodic review of the
risk management process and its outcomes should be a planned part of the risk
management process, with responsibilities clearly defined as what we discussed
in communication and consultation processes.
Monitoring and review should take place at all stages of the process. It includes
planning, gathering and analysing information, recording results and providing
feedback. The results of monitoring and review should be incorporated throughout
the organisation's performance management, measurement and reporting
activities. Table 6.2 shows an example of reporting on the performance and
effectiveness of the controls in risk management.
Table 6.2: An Example of Reporting on the Performance and Effectiveness of the Controls
in Risk Management
Very good: Management is aware of and manages risks well. Mitigations are strong
and sufficiently robust to manage risks adequately. Compliance is in place.
Good: No major issues with controls and compliance. Mitigations are adequate and
sufficiently robust.
Satisfactory: Mitigations and compliance are generally in place. Minimal mitigation
issues.
Unsatisfactory: Mitigations are inadequate and not sufficiently robust to manage
risks. A large number of mitigation lapses and/or non-compliance issues.
Poor: Absence of mitigations. Non-compliance with policies and procedures. General
lack of compliance culture.
Take note that to monitor means to determine the current status and to assess
whether the expected performance levels are actually being achieved. Reports on
the effectiveness of the risk responses implemented, and management's decisions on
those reports, are part of the documents that need to be established.
(a) Risks;
(d) Controls;
Output from the monitoring and review process provides an updated risk register.
The updated risk response adapts to the current external factors and internal
factors contributing to the uncertainties in achieving the business objectives.
SELF-CHECK 6.2
The standard states that "The risk management process and its outcomes should
be documented and reported through appropriate mechanisms. Recording and
reporting aims to:
(a) Communicate risk management activities and outcomes across the
organisation;
The standard further states that "Reporting is an integral part of the organisation's
governance and should enhance the quality of dialogue with stakeholders and
support top management and oversight bodies in meeting their responsibilities.
Factors to consider for reporting include, but are not limited to, the following:
(a) Differing stakeholders and their specific information needs and requirements;
(b) Cost, frequency and timeliness of reporting;
(c) Method of reporting; and
(d) Relevance of information to meet organisational objectives and decision-
making."
Level of stakeholder and description:
Top management: The reporting system allows them to understand and identify
actual and evolving risks, leading to effective decision-making.
Senior level: The reporting system allows them to propose recommendations for
improvement from the analysis and evaluation.
Management level: The reporting system allows management to present areas of
concern, changes, threats and opportunities, as well as the strengths and
weaknesses in the system.
Support level: The reporting system allows them to understand the importance of
reporting the risks they are facing and to provide feedback on the probability and
impacts if those risks are not properly managed.
(d) Key roles and responsibilities in ensuring the effective implementation of the
risk management; and
A typical table of content in a typical risk management manual in line with ISO
31000:2018 is displayed in Figure 6.3.
6.3.2 Records
Records reflect the evidence that an activity or process has been conducted. Thus,
in the process of managing risks, the risk register is a form of record that needs to
be kept for future reference, as it is a document for recording:
Apart from the risk register, a risk profile (which records the overall identity or
profile of the risk), management review minutes and the risk report for the board of
directors' deliberations are also considered essential records to be retained.
SELF-CHECK 6.3
ACTIVITY 6.1
The purpose of monitoring and review is to assure and improve the quality
and effectiveness of process, design, implementation and outcomes.
Communication
Consultation
Monitor
Procedure
Record
Recording
Reporting
Review
Risk management manual
INTRODUCTION
Did you know that risk appetite, risk tolerance and risk culture are three terms
that are commonly used by risk practitioners in establishing and maintaining
the risk management process? Nevertheless, not many of us are able to apply them
appropriately in making the risk management process effective.
In this topic, we will elaborate on the meaning of the three terms at length and the
interrelation between them. Indeed, there is a relationship between risk appetite,
risk tolerance and risk culture.
Risk appetite is the amount and type of risk that an organisation is willing to
pursue or retain.
ISO GUIDE 73:2009
Factors such as external environment, people, business systems and policies can
all influence an organisationÊs risk appetite. Put simply, this means that the
amount of impact from risk that an organisation is prepared to accept will vary
from one organisation to another.
Take note that developing risk appetite is not a one-off process. It has to be
communicated to those involved in the decision-making process. There should be
a process of monitoring and updating risk appetite in responding to external and
internal changes.
Thus, developing risk appetite is a continuous process. What are the steps required
in developing a risk appetite? Let us look at Figure 7.1, which shows you the three
steps involved in developing a risk appetite.
You have seen an example of a risk matrix in the previous Figure 5.1.
As stated before, the risk matrix is based on the likelihood and consequences
criteria. The likelihood and consequence criteria contribute to the level of risks
where the risk appetite is developed.
The board and senior management will decide the appropriate risk appetite for the
organisation. For example, a company may decide that any risk that falls under
the L (lower) and M (moderate) boxes are acceptable, while those labelled as S
(significant) and H (high) are unacceptable (refer back to Figure 5.1).
On the other hand, a real estate agency could adopt a higher appetite on employee
turnover rate, but a low appetite on interest rate fluctuations and financing risk.
A higher or larger risk appetite range contributes to a lower impact on achieving
business objectives because the greater the range, the wider the buffer for the
organisation to strategise its plans. For instance, an agency is able to accept the
risk resulting from high turnover, most probably because there are plenty of real
estate agents in the market. Therefore, the impact on achieving the business
objective is low or insignificant.
Meanwhile, a lower appetite does not provide much room for the organisation to
respond and thus contributes to a greater impact on business objectives. Hence, a
slight fluctuation in interest rates will affect the organisation tremendously,
because the real estate market is influenced by price and demand. Higher prices will
obviously reduce demand for real estate, ultimately affecting the achievement of the
organisation's business objective. Figure 7.2 shows the relationship between
appetite and impact on business objectives.
Figure 7.2: Relationship between risk appetite and impact to business objectives
However, there are instances where the organisation would take a high appetite
for a high return. Consider the following scenarios:
(a) A Malaysian oil and gas company, PPP has decided to sign a joint venture
agreement with a company in Sudan for an exploration job. Due to the
political instability there, the potential risks identified have exceeded their
tolerance level.
However, the decision was to proceed with the joint venture agreement,
considering that the organisation can gain high returns if the exploration is
successful. PPP is now at a critical stage, as its oil reserves will be depleted in
a couple of years.
(b) A chemical testing laboratory has the capacity to conduct tests and produce
reports for 10 cooking oil samples. They are given the target of 360 samples
to be tested per year in order to achieve their income target. After a long
deliberation between the head of the laboratory and the technicians, they
have set an upper and lower range of acceptable number of samples that can
be tested for each month as follows (see Figure 7.3):
The upper level is set after considering the quality and timely delivery
factors, while the lower level is set in consideration of the targeted income. In
this case, the appetite for the acceptance of test samples is between
25 to 40 samples per month.
In this case, the risk of failing to meet customer satisfaction because of late
delivery of test reports can be avoided or reduced by setting an appropriate risk
appetite. There are instances where testing laboratories have sacrificed their
customers' satisfaction (low-quality test reports, late test results) for short-term
returns (income) by accepting as many test samples as possible. They are actually
putting their business at risk.
In real life, what is the acceptable range or is there any rule of thumb that you can
use in setting a risk appetite? The answer can be influenced by the:
Thus, the risk appetite may vary between different subsidiaries within a
conglomerate despite having similar types of risk.
SELF-CHECK 7.1
1. Define risk appetite.
ACTIVITY 7.1
In the myINSPIRE forum, discuss this case study with your coursemates:
(a) Objective;
(b) Risk;
You can add some assumptions in order to present your justification for
your suggestions.
This can be done by creating a general risk appetite statement which provides a
high-level overview of the organisation's risk appetite by:
A concise and precise statement contains a definition, a timeline, a confidence level
and monitoring segments. The following are two examples of risk appetite
statements to increase your understanding.
(d) Earning/Profitability
The bank will strive to maximise its profitability.
For example, a monthly KPI performance report or internal audit review exercise
can support your organisation to monitor the consistency of risk appetite
application in its day-to-day operations. Any variation or discrepancies detected
will be reported to the board and top management for deliberation and review. As
a result, this permits a timely enterprise-wide view of risk and changes in risk as
well as ultimately contributes to the building of a good risk culture.
ACTIVITY 7.2
Risk appetite and risk tolerance seem similar at a glance and are often used
interchangeably.
However, they are not the same, and their use depends on the application. Some
organisations prefer to have both a risk appetite scale and a risk tolerance.
Consider the example illustrated in Figure 7.4.
Figure 7.4 shows that, after considering its financial forecasting, the company's
risk appetite is between 2,000 and 5,000 customers per month.
However, it can still tolerate up to 6,000 customers at the upper limit. If it
accepts more than this limit, it will face other emerging risks that could affect its
profitability.
At the lower limit, it can tolerate a customer count down to 1,500. If it goes lower
than this, the business will not break even and will be operating at a loss.
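The nested appetite and tolerance bands of Figure 7.4 translate directly into the kind of check a monthly KPI report would run to monitor consistent application of the risk appetite. The following is an added example, not from this module: the bands are the figure's (2,000 to 5,000 within appetite, 1,500 to 6,000 within tolerance), while the escalation rule (outside appetite goes to management, outside tolerance goes to the board) and the monthly customer counts are constructed assumptions.

```python
"""Monthly KPI check against a risk appetite band and a wider tolerance band.

Added example, not from the OUM module. Bands follow the module's Figure 7.4;
the escalation rule and the sample monthly counts are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Band:
    """Inclusive range of acceptable values for a monitored metric."""
    low: int
    high: int

    def contains(self, value: int) -> bool:
        return self.low <= value <= self.high


@dataclass(frozen=True)
class AppetiteStatement:
    metric: str
    appetite: Band   # level of risk the board is willing to pursue
    tolerance: Band  # wider band that is still survivable before other risks emerge

    def __post_init__(self) -> None:
        # A tolerance band that does not enclose the appetite band is internally
        # inconsistent, so reject it when the statement is built.
        if not (self.tolerance.low <= self.appetite.low
                and self.appetite.high <= self.tolerance.high):
            raise ValueError("tolerance band must enclose the appetite band")


def classify(stmt: AppetiteStatement, value: int) -> str:
    """Three outcomes: within appetite, within tolerance only, or beyond tolerance."""
    if stmt.appetite.contains(value):
        return "within appetite"
    if stmt.tolerance.contains(value):
        return "outside appetite, within tolerance"
    return "outside tolerance"


# Assumed escalation rule (not from the module): tolerance breaches go to the
# board, appetite breaches to management, and values within appetite to no one.
ESCALATE_TO = {
    "within appetite": None,
    "outside appetite, within tolerance": "management",
    "outside tolerance": "board",
}


def monthly_report(stmt: AppetiteStatement, series: dict) -> list:
    """One row per month with its status and who must deliberate on it."""
    rows = []
    for month, value in series.items():
        status = classify(stmt, value)
        rows.append({"month": month, "value": value,
                     "status": status, "escalate_to": ESCALATE_TO[status]})
    return rows


def board_items(stmt: AppetiteStatement, series: dict) -> list:
    """Months whose value went beyond tolerance, i.e. board-level breaches."""
    return [r["month"] for r in monthly_report(stmt, series)
            if r["escalate_to"] == "board"]


# The module's Figure 7.4 example: appetite 2,000-5,000, tolerance 1,500-6,000.
CUSTOMERS = AppetiteStatement("customers per month", Band(2000, 5000), Band(1500, 6000))

# Constructed monthly counts for illustration.
SAMPLE_MONTHS = {"Jan": 2400, "Feb": 1800, "Mar": 5600, "Apr": 1200,
                 "May": 4900, "Jun": 6300}

if __name__ == "__main__":
    for row in monthly_report(CUSTOMERS, SAMPLE_MONTHS):
        print(row)
    print("Board items:", board_items(CUSTOMERS, SAMPLE_MONTHS))
```

The boundary values are inclusive on both bands, so 2,000 and 5,000 count as within appetite and 1,500 and 6,000 as within tolerance; in the constructed series February and March exceed appetite but stay within tolerance, while April and June breach tolerance and are the board items.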
SELF-CHECK 7.2
ACTIVITY 7.3
Table 7.2: Examples of Differences between Risk Appetite and Risk Tolerance
All types of organisations have to take risks in order to make a profit or to meet
stakeholders' expectations. The level of risk they are willing to pursue is their risk
appetite. In the first example of Table 7.2, the kindergarten is willing to accept an
additional 10 children in order to meet the demand from parents.
However, should demand grow beyond that, it can take a further 10 children provided
all of them are aged five and above. It should stop taking more children beyond this
tolerance limit, as doing so would create a risk to its operations. This shows how
risk appetite and risk tolerance help the kindergarten balance its performance from
the financial and operational perspectives.
ACTIVITY 7.4
(a) Direction and action from the top management who recognise it as a core
competency and not merely an academic exercise;
(f) Clear risk policy and process to achieve the desired attitude and behaviour;
(g) Manage, develop and reward employees to encourage the right attitude and
behaviour; and
(h) Encourage and support risk management culture through technical training
or professional qualification.
Thus, the project will not be able to deliver its objectives in terms of quality, cost
and delivery. The backlash from this could result in the company not being able to
get future projects or be blacklisted altogether.
Although risk culture is a relatively new term to some organisations, the impact of
an inappropriate risk culture cannot be overstated. Normally, when an organisation
is in crisis or on the verge of collapse, one of the root causes may be an
inappropriate risk culture.
Building a risk culture should begin from the top, that involves the board and
senior management. As leaders of organisations, they are the drivers of change.
The middle management also plays a vital role in setting the attitude and
influencing the behaviour of their subordinates.
Thus, the board and senior management need to determine and communicate the
risk culture throughout the organisation in order to create the expected employees'
attitudes and behaviour towards risk. Figure 7.5 summarises the correlation
between attitude, behaviour and culture in an organisation.
Figure 7.5 shows the relationship between employees' attitudes towards risk and
the creation of the right behaviour in dealing with risks while executing their job.
The establishment of the risk culture throughout the organisation happens once all
employees behave correctly towards risks. Therefore, the employees' attitude
towards risk and their behaviour determine the level of risk culture in an
organisation.
As such, senior management must ensure that they lead the programmes for
creating awareness among all employees of:
(b) The set objectives and the top 10 risks the organisation is facing;
In addition, management at all levels should also ensure that they apply risk-based
thinking in all decision-making processes.
SELF-CHECK 7.3
ACTIVITY 7.5
All types of organisations have to take risks in order to make profit, or to meet
stakeholder's expectations. The level of risk they are willing to pursue is their
risk appetite.
The risk appetite and risk tolerance help the organisations balance their
performance with respect to financial and operational perspectives.
Risk culture is a term describing the values, beliefs, knowledge, attitudes and
understanding about risk shared by a group of people with a common
purpose. This applies to all organisations, including private companies, public
bodies, governments and not-for-profit organisations.
In developing risk culture, the board and senior management play the most
important role. Their attitude and behaviour towards risk reflects the level of
risk culture in the organisation.
INTRODUCTION
There are many methodologies or techniques that we may apply in risk
management. Some of the popular techniques used are:
(a) Hazard identification, risk assessment and determining control (HIRADC);
(b) Hazard and operability study (HAZOP);
(c) Hazard analysis critical control points (HACCP);
(d) Aspect and impact ISO 14001:2015 Environmental Management Systems -
Requirements with Guidance for Use;
(e) Hazard analysis OHSAS 18001:2007 Occupational Health and Safety
Management Certification;
(f) Fault tree analysis (FTA); and
(g) Failure mode and effect analysis (FMEA).
You may have come across many types of risk assessment techniques. They range
from techniques as simple as brainstorming which can be applied broadly to any
type of organisation to very complex and complicated techniques specifically
applied to certain types of processes or services.
But bear in mind, it does not necessarily mean that the more complicated and
complex the technique, the better it is for an organisation. There is no one
technique that can suit all.
Generally, but not always, the more hazardous the industry, the more complex the
risk assessment technique to be applied. For example, if the organisation is
classified as a major hazard installation (those industries that can pose major risk
to the employees, neighbours and the environment such as petrochemical,
chemical as well as oil and gas industries), more complex techniques such as
HAZOP, bowtie, fault tree or event tree analysis are normally applied.
No matter how simple or complex the techniques, the basic elements in a risk
assessment exercise which are identify, analyse and evaluate should not be left out.
The dilemma facing most organisations is always in choosing the most suitable
technique to apply for their risk assessment. A simple but practical technique
should always be the preferred choice but organisations should also take into
consideration the competency and capability of human resources, finances and the
culture of the organisation in the selection process. This is because some
techniques need to rely on costly software and require fully-trained personnel to
administer them. In this topic, you will learn more about risk assessment
techniques. Happy reading!
Do not worry, we do not expect you to master all of these techniques! However,
the more exposure you get to these techniques, the better, as it will help you in the
selection process. As a risk executive, familiarisation with two or three techniques
is adequate as they are all quite similar to one another.
Table 8.1 summarises the applicability of the tools and techniques to the three
elements of the risk assessment process, which are risk identification, risk analysis
and risk evaluation.

                                           Risk            Risk Analysis                                 Risk
Tool and Technique                         Identification  Consequence  Probability  Level of Risk  Evaluation
Brainstorming                              SA              NA           NA           NA             NA
Structured or semi-structured interviews   SA              NA           NA           NA             NA
Delphi                                     SA              NA           NA           NA             NA
Checklists                                 SA              NA           NA           NA             NA
Primary hazard analysis                    SA              NA           NA           NA             NA
Hazard and operability studies (HAZOP)     SA              SA           A            A              A
Hazard analysis and critical control       SA              SA           NA           NA             SA
points (HACCP)
Environmental risk assessment              SA              SA           SA           SA             SA
Structured "what if?" (SWIFT)              SA              SA           SA           SA             SA
Scenario analysis                          SA              SA           A            A              A
Business impact analysis                   A               SA           A            A              A
Root cause analysis                        NA              SA           SA           SA             SA
Failure mode effect analysis               SA              SA           SA           SA             SA
Risk indices                               A               SA           SA           A              SA
Consequence/probability matrix             SA              SA           SA           SA             A
Cost/benefit analysis                      A               SA           A            A              A
Multi-criteria decision analysis (MCDA)    A               SA           A            SA             A
Let us now examine in detail how the risk assessment technique is applied in an
organisation. In doing so, we will be focusing on two commonly used techniques:
These two techniques are commonly used as they are applied to comply with the
requirements stated in the ISO 14001:2015 Environmental Management Systems -
Requirements with Guidance for Use and ISO 45001:2018 Occupational Health and
Safety Management Systems - Requirements with Guidance for Use. These two
standards are specifically developed to manage risks related to the environment
and occupational safety and health.
SELF-CHECK 8.1
In order to understand this, we need to study the requirements under ISO
14001:2015 carefully. Firstly, you must realise that the environmental management
system is a risk-based standard. This means that the system is based on the
concept of risk management. Secondly, the risk management process begins with
establishing the context and then conducting the risk assessment, followed by risk
treatment. These processes are explicitly specified in ISO 14001:2015. Figure 8.1
displays the four basic steps in the assessment of aspect and impact.
The information on each activity being assessed and its corresponding aspects and
impacts need to be recorded as shown in Table 8.3.
SELF-CHECK 8.2
Significance Rating
Criterion                 Rating   Question
Frequency (F)             1-5      How often can the impact occur?
Severity (S)              1-5      To what degree can the impact affect the environment?
Regulatory (R)            1-5      What kind of regulation is required?
Controllability (C)       1-5      To what extent can the impact be controlled or influenced?
Accumulated Ratings (AR)           Total from each column.
Accumulated ratings:
<11: Not significant
>11: Significant
In this exercise, information such as the maintenance report, permits and licences
from regulatory bodies, specific acts and regulations applicable to the
organisation, environmental monitoring report and the previous incident report
should be made available for reference.
Normally, ratings are given to each criterion and analysed to determine the
significance as shown in the previous Table 8.4. The team has to decide on the
rating for each criterion using a score of 1 to 5. Table 8.5 is a guide to the assessor in
determining the rating for each criterion.
Then, the ratings for all criteria are added into one sum, which is the
accumulated rating for the environmental aspect. The higher the number, the more
significant the aspect.
Once you have determined the overall rating for the environmental aspect, you
need to evaluate its significance and determine what action needs to be taken. In
the evaluation, a risk action table is used. An example of a risk action table is
shown in Table 8.6.
The output from the environmental aspect and impact assessment can be recorded
in a register as shown in Figure 8.2.
ACTIVITY 8.1
The activities of the industry may pose safety and health hazards as well as risks
to the employees and, thus, they must be eliminated or minimised. The HIRADC
is conducted normally to comply with the requirements in the ISO 45001:2018
Occupational Health and Safety Management Systems - Requirements with
Guidance for Use.
(a) To secure the safety, health and welfare of persons at work against risks to
safety or health arising out of the activities of persons at work; and
(b) To protect persons at a place of work other than persons at work against risks
to safety or health arising out of the activities of persons at work.
As shown in Figure 8.3, a HIRADC assessment starts with identifying the
activity, then conducting the risk assessment and determining the control. It is
worth noting that, in conducting HIRADC, the participation of all employees is
critical. This is specifically addressed in the ISO 45001:2018 standard.
As you can see in Table 8.7, these hazards can be classified into several groups
such as physical, chemical, biological and psychosocial.
After the hazards have been identified, the associated risks should be determined.
Let us refer to Table 8.8 for an example of the relationship between activity, hazard
and risks.
Table 8.8: Example of the Relationship between Activity, Hazards and Risks
(c) Resources.
Let us look at Table 8.9 which shows you a general comparison between
quantitative and qualitative risk analysis.
As for qualitative risk analysis, it can be conducted using the likelihood and
consequence tables as shown in Table 8.10 and Table 8.11.
Practically impossible 1
Description                                                                      Rating
Negligible injuries or ill health without medical leave (MC) (for example,         1
slight cuts, bruised skin, dizziness due to fume inhalation)
(a) Injuries (for example, open wounds, sprains or strains) or                     2
(b) Ill health (for example, headaches due to fume inhalation) or
(c) Injuries or ill health with medical leave (MC) four days.
(a) Serious injuries (for example, tears of muscles, fractures, amputations) or    3
(b) Serious ill health (for example, poisoning, fainting due to fume
inhalation) or
(c) Serious injuries or ill health with medical leave (MC) five days.
Fatality, permanent disability, occupational illnesses or other severe life        4
shortening diseases.
Please bear in mind that different organisations may have different descriptions
on the likelihood and consequence levels. The risk level is obtained by multiplying
the likelihood with consequence. The risk level can be determined by using the
risk rating matrix as shown in Table 8.12.
                                   Likelihood
Consequence        L4 (4)          L3 (3)          L2 (2)          L1 (1)
C4 (4)             High 16         High 12         High 8          Medium 4
C3 (3)             High 12         High 9          Medium 6        Medium 3
C2 (2)             High 8          Medium 6        Medium 4        Low 2
C1 (1)             Medium 4        Medium 3        Low 2           Low 1
We have just completed the risk analysis process. The next stage is risk evaluation.
Risk Ranking          Risk Level   Control Measure and Timeline
LOW                   1-2          Maintain existing control.
MEDIUM (tolerable)    3-4          Maintain existing control. Consideration may be given to a
                                   cost-effective solution or improvement. Monitoring is
                                   required to ensure that the controls are maintained.
MEDIUM (moderate)     6            Efforts should be made to reduce the risk. Recommended
                                   control measures shall be implemented as low as
                                   reasonably practicable and preventive measures shall be
                                   planned for the future.
HIGH (substantial)    8-12         Recommended corrective action shall need to be
                                   implemented immediately until the risk ranking is reduced
                                   to six and preventive actions need to be identified for the
                                   future.
HIGH (intolerable)    16           Work shall not be continued until the risk ranking is
                                   reduced to six.
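The scoring rules behind Table 8.4 (accumulated rating and the significance threshold) and Tables 8.12 and 8.13 (risk level as likelihood times consequence, mapped to a risk ranking and action) can be carried out mechanically. The following is an added worked example, not code from the module: the table values are transcribed from the module, while the function names, the sample register entries, the control type labels and the treatment of an accumulated rating of exactly 11 (which the module does not specify) are this example's own assumptions.

```python
"""Added worked example, not code from the module: scoring helpers for the two
assessment schemes in Topic 8. Table values are transcribed from the module
(Table 8.4 significance rating; Tables 8.12 and 8.13 HIRADC risk rating matrix
and risk action table; the hierarchy of control in Figure 8.4). Function names,
the sample register entries and the treatment of an accumulated rating of
exactly 11 are this example's own assumptions."""

# ---- Environmental aspect and impact: significance rating (Table 8.4) ----

ASPECT_CRITERIA = ("frequency", "severity", "regulatory", "controllability")


def accumulated_rating(frequency, severity, regulatory, controllability):
    """Accumulated rating (AR): the sum of the four criteria, each rated 1 to 5."""
    ratings = (frequency, severity, regulatory, controllability)
    for name, value in zip(ASPECT_CRITERIA, ratings):
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return sum(ratings)


def is_significant(ar):
    """Table 8.4: AR < 11 is not significant, AR > 11 is significant. The module
    gives no rule for exactly 11; this example assumes significance only above 11."""
    return ar > 11


# ---- HIRADC: risk rating matrix (Table 8.12) and risk action table (Table 8.13) ----

RISK_ACTION_TABLE = (
    # (lowest level, highest level, risk ranking, control measure and timeline)
    (1, 2, "LOW", "Maintain existing control."),
    (3, 4, "MEDIUM (tolerable)",
     "Maintain existing control; consider a cost-effective improvement; monitor."),
    (6, 6, "MEDIUM (moderate)",
     "Reduce the risk; implement recommended controls as low as reasonably "
     "practicable; plan preventive measures."),
    (8, 12, "HIGH (substantial)",
     "Implement corrective action immediately until the ranking is reduced to six."),
    (16, 16, "HIGH (intolerable)",
     "Work shall not be continued until the ranking is reduced to six."),
)


def risk_level(likelihood, consequence):
    """Risk level = likelihood x consequence, each rated 1 (L1/C1) to 4 (L4/C4)."""
    for name, value in (("likelihood", likelihood), ("consequence", consequence)):
        if not isinstance(value, int) or not 1 <= value <= 4:
            raise ValueError(f"{name} must be an integer from 1 to 4, got {value!r}")
    return likelihood * consequence


def risk_ranking(level):
    """Map a risk level to its ranking and required action from Table 8.13."""
    for low, high, ranking, action in RISK_ACTION_TABLE:
        if low <= level <= high:
            return ranking, action
    # 5, 7, 13, 14 and 15 cannot be a product of two ratings from 1 to 4
    raise ValueError(f"risk level {level} is not a cell of the 4x4 rating matrix")


# ---- Hierarchy of control (Figure 8.4), most effective first ----

HIERARCHY_OF_CONTROL = ("eliminate", "substitute", "engineering", "administrative", "ppe")


def order_controls(controls):
    """Sort proposed (control type, description) pairs so that the highest level of
    the hierarchy is considered first, as the module prescribes."""
    rank = {control: position for position, control in enumerate(HIERARCHY_OF_CONTROL)}
    for control_type, _ in controls:
        if control_type not in rank:
            raise ValueError(f"unknown control type {control_type!r}")
    return sorted(controls, key=lambda pair: rank[pair[0]])


def hiradc_register(entries):
    """Build HIRADC register rows from (activity, hazard, risk, likelihood,
    consequence) tuples, highest risk level first."""
    rows = []
    for activity, hazard, risk, likelihood, consequence in entries:
        level = risk_level(likelihood, consequence)
        ranking, action = risk_ranking(level)
        rows.append({"activity": activity, "hazard": hazard, "risk": risk,
                     "likelihood": likelihood, "consequence": consequence,
                     "risk_level": level, "risk_ranking": ranking, "action": action})
    return sorted(rows, key=lambda row: row["risk_level"], reverse=True)


# Constructed sample entries (not taken from the module's Table 8.15)
SAMPLE_ENTRIES = (
    ("Grass cutting", "Flying debris from the cutter", "Eye injury", 3, 2),
    ("Solvent cleaning in a closed room", "Fume inhalation", "Dizziness", 4, 1),
    ("Working on a mezzanine floor", "Fall from height", "Fracture or fatality", 2, 4),
)

if __name__ == "__main__":
    for row in hiradc_register(SAMPLE_ENTRIES):
        print(f"{row['activity']:<34} L{row['likelihood']} x C{row['consequence']}"
              f" = {row['risk_level']:>2}  {row['risk_ranking']}")
    ar = accumulated_rating(4, 3, 3, 2)
    print(f"Aspect AR = {ar}, significant: {is_significant(ar)}")
```

Running the module prints the three constructed register rows ranked HIGH (substantial), MEDIUM (moderate) and MEDIUM (tolerable), followed by an aspect with AR = 12 flagged as significant.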
In determining the necessary control measures, you can refer to the hierarchy of
control as a basis. The determination of controls should always begin with
identifying the highest level of the hierarchy, which is eliminate, followed by substitute,
engineering controls, administrative controls and lastly, personal protective
equipment (PPE) (see Figure 8.4 and Table 8.14).
Source: The National Institute for Occupational Safety and Health (NIOSH) (2015)
Now that we have completed the HIRADC process, the information gathered
from the HIRADC assessment will be recorded in a HIRADC register. A sample of
a HIRADC register is shown in Table 8.15.
SELF-CHECK 8.3
ACTIVITY 8.2
(a) Experience;
(c) Training.
In order to control it, specific reporting methods need to be established and a focal
point (person) needs to be appointed.
The focal point must be clear on which reporting template is to be used and also
what other related documentation needs to be supplied for the assessment. This
ensures that the risk assessment process can be conducted smoothly.
ACTIVITY 8.3
Can you think of other critical success factors that can contribute to the
success in implementing risk assessment? Discuss the answer in the
myINSPIRE forum.
There are a number of risk assessment techniques available and the IEC
31010:2019 has explained a total of 31 techniques for reference.
Some of the popular techniques used are hazard identification, risk assessment
and determining control (HIRADC), and hazard analysis critical control points
(HACCP).
There are four basic steps in the assessment of aspect and impact:
After the risk rating has been determined, the level of significance of the risk
and the action to be taken can be identified using risk action table.
The National Institute for Occupational Safety and Health (NIOSH). (2015).
Hierarchy of control. Retrieved from
https://www.cdc.gov/niosh/topics/hierarchy/default.html
INTRODUCTION
Businesses must compete, innovate, enter new markets and launch new products
in order to stay competitive. By doing so, they are exposed to higher risks. Those
who succeed seem to have better risk management capabilities. Unfortunately, for
some organisations, good governance, risk management and internal controls exist
only in name, not in spirit nor in practice.
Besides, their risk management processes and internal controls have become static
and obsolete. As these organisations continue to evolve, they will face more and
more issues and problems until "the fire becomes out of control" and all they can
do is to be in a constant "fire-fighting" stage.
Global risks and their relationship with enterprise risks, and the current scenario on
risk management are the focus of this topic. These aspects are important in order
for us to be more alert to the emerging risks that may be faced by an organisation
and to know how to respond to these risks effectively. Happy reading!
Based on this definition, a total of 30 global risks were identified. These risks were
then grouped into five categories:
Type of Global Risk: Economic vulnerability

Example                                          Description
Asset bubbles in a major economy                 Unsustainably overpriced assets such as commodities, housing,
                                                 shares in a major economy or region.
Deflation in a major economy                     Prolonged near-zero inflation or deflation in a major economy
                                                 or region.
Failure of a major financial mechanism or        Collapse of a financial institution and/or malfunctioning of a
institution                                      financial system that impacts the global economy.
Failure/shortfall of critical infrastructure     Failure to adequately invest in, upgrade and/or secure
                                                 infrastructure networks (such as energy, transportation and
                                                 communications), leading to pressure or a breakdown with
                                                 system-wide implications.
Fiscal crises in key economies                   Excessive debt burdens that generate sovereign debt crises
                                                 and/or liquidity crises.
High structural unemployment or                  A sustained high level of unemployment or underutilisation of
underemployment                                  the productive capacity of the employed population.
Illicit trade (such as illicit financial flows,  Large-scale activities outside the legal framework such as
tax evasion, human trafficking, organised        illicit financial flows, tax evasion, human trafficking,
crime)                                           counterfeiting and/or organised crime that undermine social
                                                 interactions, regional or international collaboration, and
                                                 global growth.
Severe energy price shock (increase or           Significant energy price increases or decreases that place
decrease)                                        further economic pressures on highly energy-dependent
                                                 industries and consumers.
Unmanageable inflation                           Unmanageable increases in the general price levels of goods
                                                 and services in key economies.
Consequently, more urgent and drastic effort and initiatives should be put in place
to reduce these global risks.
Being alert and updated on these issues and integrating them in the risk
management, strategic planning and internal control activities are the key factors
for businesses to grow and be sustainable. They have to determine the factors that
can affect their business and identify the risks and manage them in a systematic
and effective manner.
Risk: Existing operations and legacy IT systems may not be able to meet
performance expectations related to quality, time to market, cost and innovation,
as well as competitors, especially "born digital" and/or low-cost-base competitors
or established competitors with superior operations.
Description: This risk is a composite of several significant uncertainties: the
company's digital readiness, its lack of resiliency and agility in staying ahead of or
keeping pace with changing market realities, the restrictive burden of significant
technical debt, the lack of out-of-the-box thinking about the business model,
fundamental assumptions underlying the strategy and the existence or threat of
more nimble competitors. With the reduction of entry barriers, established
incumbents are leery of new competitors that can grow quickly by leveraging
hyper-scalable digital capabilities that enable them to operate more efficiently,
digitise new products and services, enhance the customer experience and/or
transform the business model.

Risk: Succession challenges and the ability to attract and retain top talent in a
tightening talent market may limit the ability to achieve operational targets.
Description: Labour markets continue to tighten as unemployment declines to
levels at which economists debate the theoretical point where full employment is
reached. Vital specialised knowledge and subject matter expertise are becoming
harder to acquire and retain on a cost-effective basis. What is at stake is sustaining
the workforce with the requisite talent and skills needed to think out of the box in
a rapidly changing digital marketplace, execute high-performance business models
and implement increasingly demanding growth strategies.

Risk: Regulatory changes and scrutiny may heighten, noticeably affecting the way
products or services will be produced or delivered.
Description: For the past years, regulatory risk has been a top five risk. The
increase in comparison to last year is likely due to increased scrutiny at federal,
state and local levels on a variety of regulatory fronts, particularly in Europe. For
example, uncertainty over the results of the forthcoming US midterm elections may
have also weighed on the minds of respondents from the US (survey conducted in
September-October 2018).

Risk: Lack of preparedness to manage cyberthreats that have the potential to
significantly disrupt core operations and/or damage the brand.
Description: This risk is no surprise. There are two categories of companies: those
that have been breached and know it, and those that have been breached but do
not know it yet. Cybersecurity is a moving target, as innovative digital
transformation initiatives, cloud computing adoption, mobile device usage,
machine learning and other applications delivering exponential increases in
computing power continue to outpace the security protections companies have in
place. Increasingly sophisticated attacks on the human perimeter by perpetrators
of cybercrime add to the uncertainty. As advanced persistent threats (APTs)
spread, public disclosure requirements tighten and reputation hits from significant
breaches increase in severity, the stakes for effective cybersecurity spiral upward.

Risk: Resistance to change may restrict the ability to make necessary adjustments
to the business model and core operations.
Description: Enabling change continues to be a significant priority for just about
every organisation on the planet, for change is becoming a way of life for most
companies. Whether covert or overt, resistance to necessary change spawned by
disruptive innovations that alter business fundamentals can be lethal. Strategic
error in the digital economy can result in the ultimate price if a company continues
to play a losing hand in the marketplace, ultimately suffering what a well-known
CEO refers to as "stasis, followed by irrelevance, followed by excruciating, painful
decline, followed by death." Board members and C-suite executives recognise the
importance of positioning their organisation as early movers in exploiting market
opportunities and responding to emerging risks.

Risk: Rapid speed of disruptive innovations and/or new technologies within the
industry may outpace the ability to compete and/or manage the risk appropriately,
without making significant changes to the business model.
Description: The top risk in 2018, this strategic risk remains important. With the
onslaught of advances in digital technologies and rapidly changing business
models, organisations must be agile and resilient in elevating their customers'
experiences, digitising new products and services, increasing the velocity of
quality decision-making and sustaining operational excellence. The big challenge
with disruptive change is that even when executives are aware of emerging
technologies that obviously have disruptive potential, it is not easy deciding how
to respond. This risk is especially a concern for board members and CEOs, with
both groups of respondents rating it as a top five risk concern.

Risk: Privacy/identity management and information security risks may not be
addressed with enough resources.
Description: This risk is likely to remain a top 10 risk for a long time. The
proliferation of legislation to protect the privacy of personal information has
created enormous complexities for businesses, with potential fines, penalties and
reputation loss that cannot be ignored. As the expanding digital economy enables
businesses and third-party organisations to house sensitive information obtained
in many ways, fresh exposures to sensitive customer and personal information
and identity theft present themselves.

Risk: Inability to utilise data analytics and "big data" to achieve market
intelligence and increase productivity and efficiency may significantly affect core
operations and strategic plans.
Description: Respondents continue to be concerned with their ability to harness
the power of data and advanced analytics to achieve competitive advantage and
manage operations more effectively. The prevailing view is that knowledge
differentiates in the digital marketplace, as the winners will be those companies
that capture and analyse the insightful, clarifying intelligence that positions them
to be nimbler and more responsive to market shifts and changing customer
preferences than competitors.

Risk: The organisation's culture may not sufficiently encourage timely
identification and escalation of significant risk issues that have the potential to
significantly affect core operations and achievement of strategic objectives.
Description: The effectiveness of formal and ad hoc upward communication
processes is of vital importance to keeping an organisation's leaders in touch with
business realities. Coupled with concerns over resistance to change, the presence of
this risk reflects on the strength of the organisation's culture, including its tone at
the top, mood in the middle and buzz at the bottom.

Risk: Sustaining customer loyalty and retention may be increasingly difficult due
to evolving customer preferences and/or demographic shifts in the existing
customer base.
Description: Companies with high churn rates incur significant costs in replacing
lost customers. Sustaining customer loyalty and retention is about increasing
profitability through superior top-line performance and reduced marketing costs
and other costs associated with educating new customers. Customer preferences
can shift rapidly in the digital age, but companies must keep pace with such shifts
and retain customers in an environment where growth rates are modest in certain
sectors.
SELF-CHECK 9.1
ACTIVITY 9.1
For each of the risks identified in Table 9.2, apply the risks to the activities
or projects undertaken in your organisation. Decide on the appropriate
mitigation plan. Share your answer for discussion on the myINSPIRE
forum.
However, many approaches to risk oversight fail to link risks to strategic business
objectives. Figure 9.1 shows an example of an effective risk oversight structure.
The elements that contribute to effective BOD oversight with regard to enterprise
risk management are:
(a) Understanding the risk philosophy of the organisation and concurring with
its risk appetite (the amount of risk, on a broad level, an organisation is
willing to accept in pursuit of stakeholder value). Constant discussion
between the management and the BOD is needed to establish the
understanding of the organisation's overall appetite for risks;
(c) Reviewing the overall portfolio of risk and considering it against the entity's
risk appetite. Effective BOD oversight of risks is dependent on the ability
of the board to understand and assess an organisation's strategies against its risk
exposures; and
(d) Assessing the most significant risks and deciding whether management is
responding appropriately. Management needs to regularly update the BOD
on the key risk indicators.
(a) Most executives perceive that uncertainties in the business environment are
leading to more complex risks. Most respondents (59 per cent) believe the
volume and complexity of risks is increasing extensively over time. They are
particularly concerned about risks related to talent, innovation, the economy,
and their reputation and brand. In addition, 68 per cent of organisations
indicate they have recently experienced an operational surprise due to a risk
they did not adequately anticipate.
(b) Despite concerns about a number of potential risk issues on the horizon,
few executives describe their organisation's approach to risk management
as mature. Twenty-three per cent of respondents describe their risk
management as "mature" or "robust", with the perceived level of maturity
declining over the past two years. Thirty-one per cent of organisations (54 per
cent of the largest organisations) report that they have complete ERM
processes in place.
(d) Boards are focused on risk oversight, but they tend to delegate
responsibilities to a committee rather than retain that for the full board. Just
under two-thirds (61 per cent) of boards of the full sample (83 per cent of
public companies) have delegated risk oversight to a board committee, with
most delegating to an audit committee unless they are a financial services
organisation with a board-level risk committee.
(g) About half of the organisations engage in formal risk identification and risk
assessment processes. About one-half (46 per cent) of the organisations have
a risk management policy statement, with 49 per cent maintaining risk
inventories at an enterprise level. Just over 40 per cent have guidelines for
assessing risk probabilities and impact. Most (77 per cent), update risk
inventories at least annually.
(h) While boards receive written reports about top risk exposures, there is some
question as to whether the process used to generate the reports is systematic
or robust. Most boards of large organisations (84 per cent) or public
companies (87 per cent) discuss formal reports about top risks at least
annually; however, less than 60 per cent of those describe the underlying risk
management process as systematic or repeatable. Forty-one per cent of the
respondents admit they are "not at all" or only "minimally" satisfied with
the nature and extent of internal reporting of key risk indicators.
(i) Organisations are not building in explicit accountabilities for risk management
with few organisations embedding risk oversight responsibilities as
components of compensation plans. The lack of risk management maturity
may be tied to the challenges of providing sufficient incentives for them to
engage in risk management activities. Most (64 per cent), have not included
explicit components of risk management activities in compensation plans.
The internal audit function is important. It carries out the task of monitoring, both
on an ongoing basis and in relation to specific needs, the operation and the
adequacy of the internal control and risk management process, through an audit
plan approved by the BOD, based on a structured analysis and prioritisation of
key risks. Detailed roles of internal audit are shown in Figure 9.2.
SELF-CHECK 9.2
Element                      Description
Governance                   A clear communication approach on risk, understood by all levels of
                             staff in the organisation.
Tone from the top            Employees are shaped through directions from the top. Communication
                             on decision-making is important to avoid misleading the employees.
Accountability               Levels of authority and accountability need to be clear and enforced.
Incidents and escalation     Open discussion should focus on digging into what actually went
                             wrong, what can be learned and whether changes to processes or
                             controls are required.
Incentives and remuneration  Link remuneration to the operation of the risk management
                             framework. Setting goals around key performance indicators will
                             influence the culture.
Training, succession         These elements should support and enforce the desired culture and
planning and talent          behaviour. If the desired culture differs from the existing one, then
management                   talent management carries significant influence on the culture's
                             ability to change.
Most organisations focus more on legal compliance and other forms of risk rather
than on embedding a risk culture within the organisation. A strong risk culture is
important and it can be seen through a sound understanding of risk by
employees, where emerging risks are addressed effectively and business
is conducted both legally and ethically. Figure 9.3 illustrates the relationship
between risk culture and the behaviour of employees.
Figure 9.3: Relationship between risk culture and the behaviour of employees
Source: ISACA (2009)
Based on Figure 9.3, the risk awareness culture begins at the top, with board and
business executives who set the direction, communicate risk-aware decision-
making and reward effective risk management behaviours. Risk awareness also
implies that all levels within an enterprise are aware of how and why to respond
to adverse information technology (IT) events.
(a) Behaviour towards taking risk: How much risk does the enterprise feel it
can absorb and which risks is it willing to take?
(b) Behaviour towards following policy: To what extent will people embrace
and/or comply with the policy?
(c) Behaviour towards negative outcomes: How does the enterprise deal with
negative outcomes, i.e., loss events or missed opportunities? Will it learn
from them and try to adjust, or will blame be assigned without treating the
root cause?
Barrier and description:
Unsupportive culture: A risk management initiative cannot be successful unless the BOD and senior management lead in the creation of a risk culture in the organisation. Their involvement in risk overview, risk communication, decision-making, setting strategic objectives, project risk assessment and risk-based decision-making is essential. Without their support, the level of risk maturity in the organisation will be low. Thus, the organisation will be unaware of the need for the management of risk and will not attempt to prepare for any threats or uncertainties.
Lack of risk-strategy integration: By integrating enterprise risk management into strategy development and strategy execution capabilities, the organisation will be best positioned to create and enhance sustainable value. However, there has been poor acceptance of risk-strategy integration processes. Why is that so? The BOD and senior management are unaware of the organisation's enterprise risks because of a lack of knowledge, and sometimes due to ignorance. They rely heavily on the executives responsible for operations or on the strategic planning department when it comes to risk management.
Lack of practical experience: It is common for all organisations at the initial stage of implementation to lack practical experience. This barrier can be overcome by visiting an organisation which has established a mature risk management process, participating in the development of risk management standards in the country and having close communication with risk management practitioners.
Lack of policy and procedures for managing risk: Although there are numerous standards and guidelines on risk management, organisations seem to have difficulties in establishing the relevant policy and procedures. This may be due to several reasons such as lack of understanding, lack of priority and lack of commitment and interest from the designated personnel.
Lack of expertise to lead a risk management team: A formal training curriculum to develop risk management awareness and competencies needs to be established. An organisation has to evaluate the level of competencies of key personnel involved in risk management. An organisation should formally roll out a training plan and training curriculum to develop a competent team for risk management in the company. The lack of competencies and expertise is a recipe for disaster in implementing risk management.
Beasley, Branson, Hancock and ERM Initiative (2015) identified three barriers to implementing risk management, as explained in Figure 9.4.
SELF-CHECK 9.3
ACTIVITY 9.2
• Global risks have an impact on enterprise risk. Businesses need to keep abreast of and be alert to these external factors that have the potential to impact their business.
• The risk oversight undertaken by the BOD and senior management is crucial to the achievement of an organisation's strategic objectives.
• Building the right risk culture requires leadership from the BOD and senior management.
Beasley, M. S., Branson, B. C., Hancock, B. V., & ERM Initiative. (2015). CGMA report: Global state of enterprise risk oversight (2nd ed.): Analysis of the challenges and opportunities for improvement. Retrieved from https://erm.ncsu.edu/az/erm/i/chan/library/Global-State-of-Enterprise-Risk-Oversight-Report-2nd-Edition-June-2015-ERM-NCState-CGMA.pdf
Beasley, M. S., Branson, B. C., & Hancock, B. V. (2019). 2019 The state of risk oversight: An overview of enterprise risk management practices (10th anniversary ed., Spring 2019). Retrieved from https://erm.ncsu.edu/az/erm/i/chan/library/2019_Current_Report_on_State_of_Risk_Oversight.pdf
Deloach, J. (2019). 10 top risks for 2019: Annual survey reveals growing threats. Retrieved from https://www.corporatecomplianceinsights.com/10-top-risks-for-2019/
Mosheh, R., Niemann, W., & Kotze, T. (2018). Enterprise risk management implementation challenges: A case study in a petrochemical supply chain. South African Journal of Industrial Engineering, 29(4), 230-244.
Smiths Group PLC. (2018). Smiths Group PLC annual report 2018: Creating the future. Retrieved from https://www.smiths.com/-/media/files/smiths-group-annual-report-fy2018.pdf
World Economic Forum. (2019). The global risks report 2019 (14th ed.). Retrieved from http://www3.weforum.org/docs/WEF_Global_Risks_Report_2019.pdf
INTRODUCTION
The evolution of risk management over the past two decades has been from simple
concepts and visions on how risks should be addressed to a complete management
process with detailed techniques expected by those in oversight roles such as
governing bodies and senior management.
It was somewhere in the 1990s that the concept of managing risks was viewed in a holistic manner across the many management systems and the term "enterprise risk management" became well known. In earlier days, the term "enterprise risk management" was used to describe risk management at the lower levels of the organisation and did not necessarily capture the concepts of enterprise-level approaches to risk.
The leading and most commonly used guideline for holistic risk management is ISO 31000:2018. However, it should be mentioned that in the US, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management - Integrated Framework (2004) has been the dominant framework used to date. Many organisations are currently adopting one or the other of these frameworks and then customising it to their own context.
In this last topic, case studies are chosen based on real-life situations in order to expose the fundamentals of risk management so that they can be understood by risk management learners and practitioners. Each case study provides opportunities to explore what went well, what could have been done differently and what lessons are to be learned.
The case studies also demonstrate that risk management takes time to evolve. At times, organisations have to go through a painful experience before they can seriously embark on risk management successfully. The ultimate goal of risk management is to have it embedded in the risk culture of the organisation and to drive the decision-making process so that management makes sounder business decisions. Are you ready to wrap up this course? Let us investigate the case!
In the early morning hours of 3 December 1984, a large amount of toxic methyl isocyanate (MIC) gas was released from a Union Carbide India Limited (UCIL) pesticide plant, which swept over a large, densely populated area south of the plant. Thousands of people were killed, including some at the railway station 2 km away.
But there is a social story that is just as important. Four social drivers form the
backdrop to the tragedy:
(c) General national poverty with abject localised poverty near the plant; and
All of these made it difficult to operate a plant of this sort in India at that time.
Financial factors were important as well; the plant was not making money.
UCIL had decided to permanently shut it down, thereby significantly affecting
operator morale and exacerbating maintenance deficiencies. The plant was in
its last production run at the time of the accident, working off the last batch of
MIC.
I am frequently struck by how little people know about this accident. I think it
is important to not only remember those killed and injured in the accident but
also to resolve that nothing like it will ever happen again.
For more details on the Bhopal tragedy, go to https://bit.ly/32raKvs.
10.1.2 Conclusion
How could this tragedy have been prevented? It could have been prevented if the company had managed its risks appropriately, right from the beginning. The political, social and legal factors contributing to the company's risks seemed to be overlooked. The decisions made were mainly based on cutting costs in order to make a profit and not on risk assessment reports. Safety risk was not considered a main category of risk; as a result, thousands of lives were lost in just a few days.
ACTIVITY 10.1
(e) If you were the owner of the company, would you agree with the decision to set up the company in Bhopal, India?
PDP Technology Sdn Bhd is a small company dealing with pay and display (P&D) parking meters. They are facing a problem with their existing product that has been supplied and would like to analyse the real issues with the product. At the same time, they are interested in developing their own locally made product.
In order to realise their objectives, they approached ST Research Sdn Bhd and explained their issues and requirements. ST Research Sdn Bhd is an established research organisation, well known for developing research contracts for small and medium industries. They have embedded a risk culture in their organisation: their enterprise risk management has matured to the point where risk is considered before any decision is made. The project manager in ST Research, together with their own team members, conducted a detailed risk assessment on the project.
The objective of the project is to design and develop a working set of P&D parking meters for a local council within a year. The product's key features are as follows:
(a) High strength stainless steel keeps it secure and rust free;
(e) Flexible, modular design that is easy to upgrade, service and maintain;
(h) Features a colour VGA liquid crystal display (LCD) with backlight,
capable of displaying graphics;
(i) The multi-language capability allows users to select the language of their
choice to carry out transactions; and
Normally, after the objective and all the product requirements have been specified by the customer, the project team will review them against the project team's capabilities and capacity. This can be done by detailing all the tasks according to a project work breakdown structure (WBS) and also analysing the risk of each task to see its impact on the project in terms of quality, cost and delivery (QCD).
In other words, a work breakdown structure organises the team's work into manageable sections.
The P&D parking meter (as shown in Figure 10.1) comprises two main components: electronic and mechanical.
Figure 10.2: Work breakdown structure (WBS) of pay and display (P&D) parking meter
As for Figure 10.3, it shows you the relationship between all the components for
the product which relate to the WBS.
Figure 10.3: Pay and display (P&D) parking meter electronic block diagram
Based on the WBS, we can start analysing the project team's strengths and weaknesses before we look at the impact on the project QCD. This analysis covers all the issues that the project team will face and also the opportunities that can be seized, as part of the risk assessment process. The WBS also enables the project leader to determine the duration of each work item.
SELF-CHECK 10.1
Table 10.1: WBS, Responsibility and Duration for P&D Parking Meter
No. | Work item | Duration
5 | Firmware
  | Flowcharting | 2
  | Source code study | 2
  | Source code design | 4
  | Integration | 6
6 | Middleware
  | Architecture overview | 4
  | Modelling | 6
  | Runtime | 12
  | Experiment | 6
7 | Application Software
  | System analysis | 2
  | System design | 4
  | System implementation | 4
  | System roll-out | 4
  | Post implementation | 6
  | Maintenance contract | 6
8 | Mechanical
9 | Main Casing
  | Front slot casing | 6
  | High impact plastic window | 6
10 | Solar Panel Bracket
  | High impact plastic window | 6
  | Keypad | 4
  | P&D meter stand | 6
No. | Task | Risk | Risk Source | Risk Rating (L / C / R) | Action Plan
1 Power Management Unit
  Solar panel | Unable to get a suitable customised solar panel on time | Limited suppliers that can supply the right customised solar panel | L / Ma / S | To engage with the right supplier with good technical knowledge of solar panels
  Battery charger | Unable to design a low power battery charger | Lack of expertise in power management design | L / Ma / S | To attend a training or engage an expert with the right knowledge
  Sealed lead acid battery | Off-the-shelf battery is not suitable for the product | Higher capacity of battery needed for the product requirements | UL / Ma / S | To contact the right supplier on the battery
  Power supply module | Lack of experience in designing a power supply | One of the team members is not from an electrical power background | L / Ma / S | To engage with the power supply expert or to buy power supply off-the-shelf
2 Main Processing Unit
  Central monitoring board using ARM processor | Unable to deliver the design according to milestone | Lack of knowledge of ARM-based processor design, needs longer time | L / Ma / S | To attend an ARM-based processor training programme
  Memory | Unable to get the right memory module for the project | High capacity module with low current might be difficult to get | UL / Mi / M | To buy memory off-the-shelf with the right specifications
3 Display Unit
  Liquid crystal display | Unable to meet design requirements with a limited project cost | Customised design will be costly and takes a longer time to be delivered | L / Ma / S | To accommodate the time of the delivery in the schedule
4 Module Unit
  GSM module | Unable to deliver the design according to the milestone | Lack of knowledge of GSM module interface design | L / Ma / S | To work closely with the supplier and their technical expertise
  WiFi module | Unable to deliver the design according to the milestone | Lack of knowledge of WiFi module interface design | L / Ma / S | To buy module off-the-shelf and work closely with the supplier and their technical expertise
  Ticket printer module | Unable to deliver the design according to the milestone | Lack of knowledge of GSM module interface design | L / Ma / S | To buy module off-the-shelf and work closely with the supplier and their technical expertise
  Coin validator | Unable to deliver the design according to the milestone | Lack of knowledge of coin detection design | L / Ma / S | To buy module off-the-shelf and work closely with the supplier and their technical expertise
  Note reader | Unable to deliver the design according to the milestone | Lack of knowledge of note detection design | L / Ma / S | To buy module off-the-shelf and work closely with the supplier and their technical expertise
5 Middleware | Unable to deliver the design according to the milestone | No expertise in this competency | AC / C / H | To attend training/engage external expert/outsource the task to external expert
6 Application Software design | Unable to deliver the design according to the milestone | No knowledge of Linux system design | L / M / S | To attend training on Linux system design
7 Mechanical
  Main casing | Unable to deliver the design according to the milestone | Customised design may affect the project schedule and cost | UL / Mi / M | To design according to specific requirements
  Solar panel bracket | Unable to deliver the design according to the milestone | Lack of expertise in designing a high impact plastic window | UL / Mi / M | To design according to specific requirements
  Keypad | Unable to deliver the design according to the milestone | Customised design may affect the project schedule and cost | L / Mi / S | To buy keypad off-the-shelf that suits the requirement
  P&D meter stand | Unable to deliver the design according to the milestone | Customised design may affect the project schedule and cost | UL / Mi / M | To design according to specific requirements
10.2.5 Conclusion
There are two major issues based on the risk profile listed above:
In order to proceed with the project, they need to send their staff for training, engage external experts or outsource the job to other companies to solve the skill and knowledge issues. This will have an impact on the overall price of the project.
In terms of project duration, they are not able to deliver the product within one year. Lack of experience and of a full-time workforce will prolong the project duration. Therefore, based on the risk assessment, the project is a "no go".
ACTIVITY 10.2
Assuming that the managing director still insists that the project
manager proceed with the proposal of P&D parking meter, what action
would he or she propose in order to further mitigate the identified risks?
Discuss this matter in the myINSPIRE forum.
During due diligence prior to the acquisition, the risk management team for United Minerals reviewed the current approach to risk management at Akawini and, from a cursory examination of documents, was able to determine that the approach was very limited and was unlikely to yield much real value. The team found, for example, that:
(a) A process for formal risk assessment was applied only to what was described as "business risks". This occurred only once a year as part of a risk review that updated the current risk register so that it could be reported to an Audit Committee;
(b) There was a different process applied for safety risks that actually did not consider risk as such but generated a risk rating using a matrix system only for hazards;
(c) No systematic process for assessing and treating risks was used in
support of major decisions. In particular, project management did not
include any form of explicit risk management process;
(d) The Akawini risk manager mostly dealt with insurance matters and asked the company's external audit provider to offer a facilitator for the annual risk review;
(e) The annual internal audit plan did not seem to be based on the outcomes
of the risk assessment and did not focus on assuring many of the critical
controls;
(f) The risk criteria systems used for both "business risks" and "safety risks" covered only detrimental consequences and seemed to be based on five levels of consequences and consequence types that were not associated in any meaningful way with the company's objectives;
(g) Both systems used the term probability to estimate likelihood and did not
consider the frequency or return period for consequences;
(i) Once risk registers were created on spreadsheets, they were kept on
separate personal computers and were rarely considered until the next
yearly review. Any risk treatment actions decided on were not followed
up or closed out;
(j) Critical controls were not identified and were not assigned to individuals
for ongoing monitoring and periodic review; and
(k) There was no coherent process that defined and captured learning from
successes and failures.
The risk management team signalled its concerns to the acquisition team and the need for improvement of Akawini Copper's approach to risk management to bring it into line with ISO 31000. Then, the United Minerals framework was placed on the transformation plan and given a high priority.
The second activity was important because, from the experience of the United Minerals risk management team, it was vital to observe and review how risk management takes place in practice.
This was particularly true if there might be any discontinuity of practice across Akawini or inconsistent processes and systems. It was also important to test out Akawini management's perceptions of the current approach to risk management to see if it was currently viewed as effective and if managers perceived it as likely to satisfy their future needs. The risk management team conducted a series of structured interviews with senior management from Akawini so that the team could draw an objective conclusion on:
(a) The suitability of the current approach to manage risk associated with an
organisation of the size and complexity of Akawini, its risk profile and its
risk attitude;
(b) The drivers of that attitude, based on what were organised as the key success
factors and growth objectives for the organisation;
(c) The perceived usefulness of the current risk management process and its
degree of integration into key decision-making processes;
(d) The strengths and limitations of the other risk-type specific approaches to risk management that coexisted in the company; specifically, whether the tools and methods currently being used were capable of providing Akawini with a current, correct and comprehensive understanding of its risks and informing it whether the risks were within its risk criteria;
(e) The level of understanding of senior management about aspects of the risk
management culture; and
(f) An outline of the perceived risk profile of Akawini and whether this varied
from that reported to the board in the past.
The risk management team members consolidated their findings and compared
them with the elements of the existing United Minerals risk management
framework and the requirements of ISO 31000. They particularly mapped what
they found by comparing it with the principles for effective risk management in
Clause 3 and the attributes in Annex A of the Standard.
The risk management team elicited feedback and acceptance of the conditions it
found and prompted a discussion on the desired situation. In this way, the team
helped managers identify what needed to change. The diagram of the desired
framework architecture given in Figure 10.7 was used to demonstrate the strengths
and weaknesses of the current approach.
To demonstrate the desired outcomes, the risk management team explained that
the primary purpose of risk management in United Minerals was to act in a
dynamic way to support decisions and that the company framework had been
designed to ensure that:
(b) Appropriate actions were then taken to reduce the uncertainty that objectives would be achieved;
(c) Early warnings were provided if key controls were not in place or were not
fully effective, so that pre-emptive action could be taken; and
(d) The organisation learned in a systematic way from its successes and failures,
at a fundamental level so that learnings would lead to lasting changes.
To help the organisation as a whole improve its ability to manage risk, the company had adopted 10 performance requirements that it called its "standards". These were, in outline:
(a) The risk management process will be integrated into all key decision-making
processes;
(b) The risk management process will be integrated into strategic, business and
project planning processes;
(c) Key controls will be identified and allocated to owners for monitoring;
(d) After every major decision, event or change or at the conclusion of all plans,
the organisation will learn lessons from the successes and failures using a
root cause analysis;
(e) The same consistent methodology will be used for analysing risks and for
evaluating control effectiveness;
(f) The significance of risks will be evaluated using one set of risk criteria;
(g) Viable options for treating risks will always be considered, and those options
will be implemented where there is a net benefit to the business;
(h) Accountability for managing risk will be allocated in a manner that is fully
consistent with the management of the business and with the delegations of
authority system;
(i) Only one database system will be used to hold and manage all forms of risk
management information; and
(j) Sites will plan how they will implement these standards and will report on the progress of this implementation and the effectiveness of risk management as part of the company's governance processes.
10.3.5 Conclusion
The transformation process introduced in this case study has addressed all the gaps identified in Akawini's risk management. The transformation plan, provided that it is executed accordingly, should enable Akawini to meet its stakeholders' expectations, in particular those of United Minerals.
ACTIVITY 10.3
(b) What would you set as key performance indicators for the risk
manager and operations manager in relation to risk management?
(c) What report do you expect to be produced (by the risk manager or
other managers) to monitor and review the execution of the
transformation plan?
• Risk cannot be addressed in silos. Some risks are interrelated, and thus risk treatment has to be addressed in such a way that treating one will not cause a negative impact on another.