SMQR5103: Enterprise Risk Management


Copyright © Open University Malaysia (OUM)


SMQR5103 ENTERPRISE RISK MANAGEMENT
Nor’afiza Saim



Project Directors: Prof Dr Widad Othman; Prof Dr Siti Aishah Hashim Ali (Open University Malaysia)

Module Writer: Nor’afiza Saim (SIRIM)

Moderators: Sharifah Rosfashida Syed Ab Latib; Dr P Rajesh Kumar K Parameswaran Nair (Open University Malaysia)

Enhancer: Azhar Dollah (SIRIM)

Developed by: Centre for Instructional Design and Technology, Open University Malaysia

First Edition, December 2015


Second Edition, December 2019 (MREP)
Copyright © Open University Malaysia (OUM), December 2019, SMQR5103
All rights reserved. No part of this work may be reproduced in any form or by any means without
the written permission of the President, Open University Malaysia (OUM).



Table of Contents

Course Guide ix–xiv

Topic 1 Introduction of Risk Management 1
1.1 Risk Management Concept 3
1.2 Risk-based Thinking 5
1.3 Risk Management Objectives 10
Summary 11
Key Terms 12
References 12

Topic 2 Requirements of Risk Management 13
2.1 Governance, Risk Management Standards and Compliance 14
2.1.1 Corporate Governance in Malaysia 14
2.2 About International Standard 20
2.2.1 Development of ISO Standards 20
2.2.2 ISO Standards on Risk Management 21
2.2.3 ISO Guide 73:2009 Risk Management – Vocabulary 23
2.2.4 ISO 31000:2018 Risk Management – Guidelines 24
2.3 Risk Management and Quality Management System 28
Summary 31
Key Terms 32
References 32

Topic 3 Risk Management 33
3.1 ISO 31000:2018 Risk Management – Guidelines 34
3.2 Risk Management Process 38
3.2.1 Scope, Context and Criteria 39
3.2.2 Risk Assessment 44
3.2.3 Risk Treatment 45
3.2.4 Communication and Consultation 45
3.2.5 Monitoring and Review 46
3.2.6 Recording and Reporting 46
3.3 Risk Management and Risk Assessment 46
Summary 48
Key Terms 49
References 50

Topic 4 Risk Identification 51
4.1 Risk Category 53
4.2 External Influences 54
4.3 Internal Influences 57
4.3.1 Financial Risk 57
4.3.2 Operational Risk 60
4.3.3 Legal Risk 62
4.3.4 Strategic Risk 63
4.3.5 Reputational Risk 64
4.4 SWOT Analysis 65
Summary 67
Key Terms 68
References 68

Topic 5 Risk Analysis, Risk Evaluation and Risk Treatment 70
5.1 Risk Analysis 71
5.2 Risk Evaluation 75
5.3 Risk Treatment 77
Summary 79
Key Terms 80
References 80

Topic 6 Other Risk Management Process 81
6.1 Communication and Consultation 82
6.2 Monitoring and Review 83
6.3 Recording and Reporting 85
6.3.1 Risk Assessment Procedure 89
6.3.2 Records 89
Summary 91
Key Terms 92
References 92

Topic 7 Risk Appetite, Tolerance and Culture 93
7.1 Risk Appetite 94
7.1.1 Determining an Organisation’s Risk Appetite 95
7.1.2 Communicating an Organisation’s Risk Appetite 99
7.1.3 Monitor and Review an Organisation’s Risk Appetite 101
7.2 Risk Tolerance 101
7.3 Risk Appetite and Risk Tolerance 103
7.4 Risk Culture 104
7.4.1 Characteristics of a Good Risk Culture 105
7.4.2 Importance of Risk Culture 105
7.4.3 Building a Risk Culture 106
Summary 109
Key Terms 109
References 110

Topic 8 Risk Assessment Techniques 111
8.1 IEC 31010:2019 Risk Management – Risk Assessment Techniques 112
8.2 Environmental Aspects and Impact Assessment 115
8.2.1 Identifying Environmental Aspects and Impact 116
8.2.2 Addressing Significant Environmental Impact 118
8.3 Hazard Identification, Risk Assessment and Determining Control (HIRADC) 122
8.3.1 Risk Identification 123
8.3.2 Risk Analysis 125
8.3.3 Risk Evaluation 127
8.4 Critical Success Factors 130
8.4.1 Commitment and Support from Top Management 130
8.4.2 Competency and Training 131
8.4.3 Efficient and Clear Documentation 131
8.4.4 Consistent Monitoring and Reporting 131
Summary 132
Key Terms 133
References 134

Topic 9 Global Risk Management Scenario 135
9.1 Top Risk Concerns 136
9.1.1 Global Top Risks 136
9.1.2 Top Risk Concerns of Enterprises 140
9.2 Critical Success Factors in Risk Management 144
9.2.1 Effective Risk Oversight 144
9.2.2 Integrating Risk Management, Internal Control and Internal Audit Process 148
9.2.3 Emphasise on Building a Strong Risk Culture 149
9.3 Barriers in Implementing Risk Management 151
Summary 154
Key Terms 154
References 155

Topic 10 Case Studies 156
10.1 Case Study 1: A Scenario of the Bhopal Tragedy 157
10.1.1 The Case 157
10.1.2 Conclusion 159
10.2 Case Study 2: Pay and Display (P&D) Parking Meter Project 159
10.2.1 The Case 160
10.2.2 Defining Work Breakdown Structure (WBS) 161
10.2.3 Work Breakdown Structure (WBS), Responsibility Assignment Matrix (RAM) and Duration 165
10.2.4 Project Schedule 170
10.2.5 Conclusion 171
10.3 Case Study 3: Transforming Risk Management 171
10.3.1 The Case 172
10.3.2 The Transformation Process 174
10.3.3 Gaining Senior Management Ownership for Transformation 176
10.3.4 The Transformation Plan 179
10.3.5 Conclusion 179
Summary 180
Key Terms 180
References 181


COURSE GUIDE

COURSE GUIDE DESCRIPTION


You must read this Course Guide carefully from beginning to end. It tells
you briefly what the course is about and how you can work your way through the
course material. It also suggests the amount of time you are likely to spend in order
to complete the course successfully. Please keep referring to the Course Guide
as you go through the course material, as it will help you to clarify important study
components or points that you might otherwise miss or overlook.

INTRODUCTION
SMQR5103 Enterprise Risk Management is one of the courses offered at Open
University Malaysia (OUM). This course is worth 3 credit hours and should be
covered over 8 to 15 weeks.

COURSE AUDIENCE
This is a core course for all learners undertaking the Master of Quality Management
programme.

As an open and distance learner, you should be acquainted with learning
independently and be able to optimise the learning modes and environment
available to you. Before you begin this course, please ensure that you have the right
course material, and that you understand the course requirements as well as how the
course is conducted.


STUDY SCHEDULE
It is a standard OUM practice that learners accumulate 40 study hours for every
credit hour. As such, for a three-credit hour course, you are expected to spend
120 study hours. Table 1 gives an estimation of how the 120 study hours could be
accumulated.

Table 1: Estimation of Time Accumulation of Study Hours

Study Activities                                                               Study Hours
Briefly go through the course content and participate in initial discussions     3
Study the module                                                                60
Attend 3 to 5 tutorial sessions                                                 10
Online participation                                                            12
Revision                                                                        15
Assignment(s), test(s) and examination(s)                                       20
TOTAL STUDY HOURS ACCUMULATED                                                  120

COURSE LEARNING OUTCOMES

By the end of this course, you should be able to:

1. Explain the principles, process, tools and techniques of risk management and
their relation to corporate governance and business sustainability;

2. Apply a risk management programme in both manufacturing and service
industries; and

3. Analyse different categories of risks and their application for effective risk
assessment and risk management.


COURSE SYNOPSIS
This course is divided into 10 topics. The synopsis for each topic is as
follows:

Topic 1 explains the concept of risk for individuals and organisations, risk-based
thinking, and the importance and objectives of risk management.

Topic 2 explains the requirements of risk management under the Malaysian Code
on Corporate Governance and the requirements of several international
standards such as ISO 9001:2015.

Topic 3 explains the process of establishing and applying risk management in an
organisation, namely enterprise risk management (ERM), based on the
requirements of ISO 31000:2018. The processes involved are establishing the context,
risk assessment and risk treatment, communication and consultation, monitoring
and review, as well as recording and reporting. It also discusses the differences
between risk management and risk assessment.

Topic 4 elaborates on the process of risk identification: identifying the external and
internal factors that have the potential to prevent the organisation from achieving its
objectives, using strategic management tools (such as SWOT analysis), together with
the different categories of risk and their examples.

Topic 5 further elaborates on the process of risk analysis using a likelihood and
consequence criteria table, risk evaluation using a risk assessment matrix and
action tables, and risk treatment through the terminate, reduce, accept, pass
(TRAP) concept.

Topic 6 covers the risk management requirements for establishing plans for
communication and consultation, and for monitoring and review. In addition, the
topic elaborates on the recording and reporting aspects embedded in risk
management for effective application.

Topic 7 discusses the meaning and application of risk appetite and risk tolerance, and
the importance of risk culture in an organisation. Risk culture begins at the top.
The success of risk management in an organisation is reflected in the risk attitude
and risk behaviour of every employee; in other words, the risk culture is
embedded in the organisation.


Topic 8 covers the different types of risk assessment techniques currently available.
It elaborates in detail on two very commonly used techniques: environmental
aspects and impact assessment, and hazard identification, risk assessment and
determining control (HIRADC). Other critical success factors in risk assessment are
also discussed in this topic.

Topic 9 introduces the current global risks that all countries in the world may be facing.
These global risks may become enterprise risks. In order for organisations to stay
competitive in the global market, they should be alert and responsive to these risks
through the systematic use of risk management processes. The role of the board of
directors (BOD) and senior management in the success of risk management
initiatives and in ensuring business sustainability, as well as the barriers to
implementing risk management, are also covered in this topic.

Topic 10 analyses three case studies that will enable learners to relate the
knowledge gained to real-life situations.

TEXT ARRANGEMENT GUIDE

Before you go through this module, it is important that you note the text
arrangement. Understanding the text arrangement will help you to organise your
study of this course in a more objective and effective way. Generally, the text
arrangement for each topic is as follows:

Learning Outcomes: This section refers to what you should achieve after you have
completely covered a topic. As you go through each topic, you should frequently
refer to these learning outcomes. By doing this, you can continuously gauge your
understanding of the topic.

Self-Check: This component of the module is inserted at strategic locations
throughout the module. It may be inserted after one sub-section or a few
sub-sections. It usually comes in the form of a question. When you come across this
component, try to reflect on what you have already learnt thus far. By attempting
to answer the question, you should be able to gauge how well you have
understood the sub-section(s). Most of the time, the answers to the questions can
be found directly in the module itself.


Activity: Like Self-Check, the Activity component is also placed at various
locations or junctures throughout the module. This component may require you to
solve questions, explore short case studies, or conduct an observation or research.
It may even require you to evaluate a given scenario. When you come across an
Activity, you should try to reflect on what you have gathered from the module
and apply it to real situations. You should, at the same time, engage yourself in
higher order thinking, where you might be required to analyse, synthesise and
evaluate instead of only having to recall and define.

Summary: You will find this component at the end of each topic. This component
helps you to recap the whole topic. By going through the summary, you should be
able to gauge your knowledge retention level. Should you find points in the
summary that you do not fully understand, it would be a good idea for you to
revisit the details in the module.

Key Terms: This component can be found at the end of each topic. You should go
through this component to remind yourself of important terms or jargon used
throughout the module. Should you find terms here that you are not able to
explain, you should look for the terms in the module.

References: The References section is where a list of relevant and useful textbooks,
journals, articles, electronic contents or sources can be found. The list can appear
in a few locations such as in the Course Guide (at the References section), at the
end of every topic or at the back of the module. You are encouraged to read or
refer to the suggested sources to obtain the additional information needed and to
enhance your overall understanding of the course.

PRIOR KNOWLEDGE
No prior knowledge required.

ASSESSMENT METHOD
Please refer to myINSPIRE.


REFERENCES
Department of Standards Malaysia. (2010). Risk management – Principles and
guidelines (ISO 31000:2009, IDT). Cyberjaya, Malaysia: Author.

Department of Standards Malaysia. (2011). Risk management – Risk assessment
techniques (IEC/ISO 31010:2009, IDT). Cyberjaya, Malaysia: Author.

Hopkin, P. (2018). Fundamentals of risk management: Understanding, evaluating
and implementing effective risk management (5th ed.). London, England:
Kogan Page Limited.

International Electrotechnical Commission (IEC). (2019). IEC 31010:2019 Risk
management – Risk assessment techniques. Geneva, Switzerland: Author.

International Organization for Standardization (ISO). (2018). ISO 31000:2018 Risk
management – Guidelines. Geneva, Switzerland: Author.

TAN SRI DR ABDULLAH SANUSI (TSDAS) DIGITAL LIBRARY
The TSDAS Digital Library has a wide range of print and online resources for
the use of its learners. This comprehensive digital library, which is accessible
through the OUM portal, provides access to more than 30 online databases
comprising e-journals, e-theses, e-books and more. Examples of databases
available are EBSCOhost, ProQuest, SpringerLink, Books247, InfoSci Books,
Emerald Management Plus and Ebrary Electronic Books. As an OUM learner, you
are encouraged to make full use of the resources available through this library.

Topic 1 Introduction of Risk Management
LEARNING OUTCOMES
By the end of this topic, you should be able to:
1. Describe the concept of risk towards individual and organisation;
2. Explain risk-based thinking; and
3. Identify the objectives and the importance of risk management.

INTRODUCTION
What is risk? Many of us think of risk as something complicated and technical
that only occurs in the workplace. Actually, without realising it, we face many
types of risk every day, even when we take a bath at home (see Figure 1.1).

Figure 1.1: Can you identify the potential risk(s) in this picture?

We also make plans and efforts to reduce these risks. Why? Because we
have an objective and a target to achieve. So what is risk? Generally, anything that
prevents us from achieving our objective is a risk.

To further understand, let us imagine this scenario. Every morning, our target is
to arrive at the workplace before 9.00 am. However, there is a risk that we will
reach our office late. What is the possible cause of this risk? In other words, what
is the factor or factors that could contribute to the risk of us not being able to reach
our office before 9.00am? In this scenario, we could tell that traffic congestion could
be one of the factors that contribute to the identified risk.

Therefore, to mitigate this risk we should plan to wake up at a certain time, say
6.00am and be on the road before the traffic becomes heavy. If we do not hit the
road on time, there is a high possibility that we will not arrive at the workplace on
time due to traffic congestion. Let us look at Figure 1.2 that illustrates this situation
and the relationship between risk, source of risk and risk-mitigation plan.

Figure 1.2: Risk, source of risk and risk-mitigation plan relationship

The source of the risk is traffic congestion. The mitigation plan is to wake up at
6am. Do you think the risk is high, moderate or low? In order to answer this, we
need to go through the process of risk assessment.


Based on the scenario, we can understand that the risk management concept
encompasses:

(a) Identifying the risk;

(b) Figuring out the causes; and

(c) Planning to mitigate the risk.

So let us further understand the risk management concept in the next subtopics.
Happy reading!

1.1 RISK MANAGEMENT CONCEPT

What is the definition of risk? The international standard ISO 31000:2018 Risk
Management – Guidelines defines risk as the effect of uncertainty on objectives
(ISO, 2018). This is further elaborated in Figure 1.3.

Figure 1.3: Association of risk
Source: ISO (2018)

Now, let us move on to risk management. What is risk management?
ISO 31000:2018 defines risk management as the coordinated activities to direct
and control an organisation with regard to risk (ISO, 2018).


Let us imagine that our organisation is like a ship on the ocean (see Figure 1.4).

Figure 1.4: Illustration of risk management using a ship as an example

Imagine we are on a ship sailing from Port B to Port D. Along the way, we will face
many challenges before we reach Port D. Therefore, we need to make sure that we
stay alive and that the ship maintains its course until the journey is complete.

The challenges are derived not only from external factors such as the wind, the
weather and the ocean waves, but also from internal factors such as the condition of
the ship, the equipment, the crew, the ports and the captain.

Therefore, to stay afloat and reach Port D, the captain, as the leader, has to play a
major role in ensuring that the ship reaches its destination safely. All staff (as
followers) must engage with the captain to ensure that we do not sink along the
journey to Port D. Hence, the crew must consider all the challenges and make
the right choices to keep the ship on course until it reaches the destination.

Now, let us put the scenario in the context of our organisation. Our organisation, too,
has set out from a starting point towards an ultimate destination. What is the ultimate
destination? It is the vision of our organisation. We plan to achieve that
vision through missions, strategic goals and many objectives.

However, along the way we need to consider the challenges from external and
internal factors that could prevent us from achieving our objectives; these are
known as risks. We can use our past experience and knowledge to analyse
those risks and find the best solutions or controls to prevent them from occurring. These
processes are called risk management.


So, why must we manage risks? We must manage risk because the organisation
faces external and internal factors that make it uncertain whether it will achieve its
objectives. The effect of these uncertainties on achieving objectives is known as
"risk", and the process of managing these risks is known as "risk management".

SELF-CHECK 1.1

Define risk and risk management.

ACTIVITY 1.1

Think of one activity that you went through today. What was the
objective and target of your activity? What was the risk, for example, the
event that prevented you from achieving the objective of your activity?
Discuss your experience in the myINSPIRE forum.

1.2 RISK-BASED THINKING

We often hear that one of the ways to manage an organisation is to have risk-based
thinking. What does it mean? In general, risk-based thinking is:

(a) Something we all do automatically and often sub-consciously, always
thinking about problems and solutions.

(b) Thinking of ways to take preventive action as part of our routine, because
"prevention is better than cure".

(c) Part of the process approach, and present in any process.

(d) Useful in helping organisations identify opportunities.

(e) A way to integrate risks and opportunities into the overall processes of the quality
management system.


In today’s world, organisations cannot afford to be caught "off guard" by
unexpected events that can cause the following losses (see Figure 1.5).

Figure 1.5: Organisation’s risks


Let us look at some examples of well-known unexpected tragedies in Table 1.1.

Table 1.1: Some Examples of Well-Known Unexpected Tragedies of the Century

Titanic: Titanic was a British passenger ship that sank in the North Atlantic
Ocean in the early morning of 15 April 1912 after colliding with an iceberg during
her maiden voyage from Southampton, England to New York City in the US (see
Figure 1.6). The sinking of the Titanic caused the deaths of more than 1,500 people
in one of the deadliest peacetime maritime disasters in modern history.

Figure 1.6: Illustration of the Titanic before being hit by an iceberg
Source: https://www.forbes.com/sites/davidbressan/2019/04/14/a-geological-study-of-the-titanic-shipwreck-site/#3bfc9d27431a

Challenger: The space shuttle Challenger (see Figure 1.7) broke apart during its
ascent on 28 January 1986, killing all seven crew members. Hot gas leaked through
a failed O-ring seal in a solid rocket booster joint; the O-rings were not designed to
handle the unusually cold conditions that existed during the launch. The escaping
flame reached the external fuel tank, which ignited and tore the shuttle apart.

Figure 1.7: Challenger space shuttle
Source: https://www.nationalgeographic.com.au/space/5-myths-of-challenger-shuttle-disaster-debunked.aspx

Ford Pinto: Some 27 people were determined to have been killed in fires following
rear-end collisions involving Pintos (see Figure 1.8). It was revealed that many
people were burned to death when the car burst into flames after being struck from
behind. In one of the few cases brought to trial, arising from a 1972 crash, a
California jury awarded a boy who had been severely burned and disfigured a total
of USD126 million. The driver of the car had died from her injuries a few days after
the accident.

Figure 1.8: Crash testing that ended up with explosions involving Pintos
Source: http://blog.automedicsafrica.com/?p=339

Macondo well blowout: On 20 April 2010, the Deepwater Horizon semi-submersible
drilling rig exploded while drilling BP’s Macondo well in the Gulf of Mexico (see
Figure 1.9). High-pressure methane gas from the well expanded into the drilling
riser and rose into the drilling rig, where it ignited and exploded. Of the 126 crew
members on board, 11 died. The explosion also caused a massive oil spill.

Figure 1.9: Explosion of the drilling rig at the Macondo well
Source: https://www.offshore-technology.com/projects/macondoprospect/

Mary McClinton: Mary McClinton (see Figure 1.10) checked into Virginia Mason
Medical Center in Seattle on 4 November 2004 for treatment of a brain aneurysm.
Doctors planned to inject her with a contrast dye to help them guide a stent into
her brain via a catheter in her leg. Instead, they injected her with an antiseptic, a
topical cleaning agent, that had been stored in an unlabelled container on the same
tray as the dye. The antiseptic blocked the flow of blood in her leg, which swelled
to twice its normal size. Within hours, McClinton’s blood pressure dropped, her
kidneys failed and she suffered a stroke. As the toxin coursed through her system,
her other organs began to fail as well. Nineteen agonising days later, Mary
McClinton died.

Figure 1.10: Mary McClinton
Source: https://www.findagrave.com/memorial/143366116/mary-louise-mcclinton

SELF-CHECK 1.2

1. Define risk-based thinking.

2. What unexpected events can happen to an organisation?

ACTIVITY 1.2

Based on the examples in Table 1.1, identify the possible causes of the
problems and their impacts on the organisations concerned. Discuss your answer in the
myINSPIRE forum.

1.3 RISK MANAGEMENT OBJECTIVES

From the discussion of the examples in Table 1.1, we can see how serious and how
important proper risk management is to an organisation. So what are the objectives
of risk management? Take note that the ultimate objective of risk management is to
ensure the sustainability of the organisation and the achievement of its objectives.
To that end, we also want a business continuity management (BCM) framework for
managing incidents and crises in our organisation.

Other objectives of risk management include the following:

(a) Reduce uncertainties and increase the likelihood of achieving our objectives.

(b) Improve the identification of threats and opportunities that could arise from
external and internal factors.


(c) Allocate resources effectively for risk treatment.

(d) Protect our assets and valuable resources.

(e) Protect and keep improving our organisation’s reputation.

(f) Establish processes for identifying, assessing, measuring, monitoring,
controlling and managing risks.

(g) Create a risk management culture in the organisation.

(h) Improve customer confidence and satisfaction.

(i) Assure consistency in the quality of goods and services.

(j) Establish a proactive culture of prevention and improvement.

SELF-CHECK 1.3

1. What is the ultimate objective of risk management?

2. State other objectives of risk management.

SUMMARY

• Risk in general means anything that prevents you from achieving your
objective. In other words, it is the effect of uncertainty on the achievement of
your objectives.

• Risk management refers to the coordinated activities to direct and control an
organisation with regard to risk.

• An organisation is like a ship sailing on the ocean. Our objective is to reach our
destination safely. However, before we can reach our objective, we need to
consider the external and internal factors that could stop us from reaching our
destination.

• Risk-based thinking is not something new. In general, it is something we all do
automatically and often sub-consciously; we are always thinking of problems
and solutions. In other words, we think of the factors that may stop us from
achieving our objective.

• There are potential causes and impacts related to each identified risk.

• The ultimate objective of risk management is to ensure the sustainability of the
organisation and the achievement of its objectives.

• Other objectives are to allocate resources effectively for risk treatment, to protect
our assets and valuable resources, and to assure consistency in the quality of
goods and services.

KEY TERMS

External factors
Internal factors
Risk
Risk management
Risk objectives
Risk-based thinking
Uncertainty

REFERENCES
Chapman, R. J. (2011). Simple tools and techniques for enterprise risk management
(2nd ed.). Hoboken, NJ: Wiley.

International Organization for Standardization (ISO). (2018). ISO 31000:2018 Risk
management – Guidelines. Geneva, Switzerland: Author.


Topic 2 Requirements of Risk Management
LEARNING OUTCOMES
By the end of this topic, you should be able to:
1. Explain compliance with corporate governance requirements;
2. Apply international standards related to risk management; and
3. Compare risk management standards with other management standards
such as ISO 9001:2015.

INTRODUCTION
In today’s volatile business environment, it is becoming more difficult and
challenging for organisations to stay competitive and sustainable. We need
to keep abreast of evolving changes and new developments in all aspects of our
business activities, not forgetting compliance with the statutory, legal and
regulatory requirements that are part and parcel of doing business.

Therefore, we need to understand the legal requirements, laws and
regulations that govern our business activities. Breaching the law means that we
are doing something illegal; in other words, we are sinking our ship in the middle
of our journey.

What awaits you in this topic? We will first discuss one of the requirements
in the Malaysian business environment, the Malaysian Code on Corporate
Governance (MCCG). Later, we will discuss the international standards and
their requirements. So are you ready to discover more? Let us continue with the
"sailing". All aboard!


2.1 GOVERNANCE, RISK MANAGEMENT STANDARDS AND COMPLIANCE
After understanding the concept of risk management, now we can look into how
this concept is going to be applied in the Malaysian Code of Corporate Governance
(MCCG).

2.1.1 Corporate Governance in Malaysia


The Malaysian Code on Corporate Governance (MCCG) was first issued in March
2000 by the Securities Commission Malaysia (SC) to strengthen the
corporate governance culture among public-listed companies. It was later revised
in 2007 and 2012.

On 26 April 2017, the SC issued the fourth version, MCCG 2017, which took
immediate effect and superseded the previous issuance. The review took into account
the following:

(a) Input from local and international stakeholders;

(b) Lessons from corporate governance failures; and

(c) Changes in market structure and business needs.

MCCG 2017 sets out best practices to strengthen corporate culture based on
accountability and transparency. It has 33 guidelines to facilitate 36 practices
(including four step-ups) with 12 intended outcomes supporting three core
principles, as shown in Figure 2.1.

Figure 2.1: Three core principles of corporate culture


Companies listed on Bursa Malaysia are required to report on their application of
the MCCG, and other organisations are encouraged to adopt its principles and
recommendations. This is to help those companies achieve their desired targets
(revenue, profit, market share) and remain sustainable.

Risk management is addressed under Principle 2, effective audit and risk
management. The following is a direct extract from MCCG 2017 on risk
management.

II. Risk Management and Internal Control Framework


Proper risk management and internal control are important aspects of a
company's governance, management and operations. Risk management
focuses on identifying threats and opportunities while internal control helps
counter threats and takes advantage of opportunities. Proper risk management
and internal control assist companies in making informed decisions about the
level of risk that they want to take and implement the necessary controls to
effectively pursue their objectives. Successful companies integrate effective
governance structures and processes with performance-focused risk
management and internal control at every level of the company and across all
operations.

The board of directors is responsible for the company's risk management and
internal control systems. It should set appropriate policies on internal control
and seek assurance that the systems are functioning effectively. The board must
also ensure that the system of internal control manages risks and forms part of
its corporate culture.

Intended Outcome

9.0 Companies make informed decisions about the level of risk they want
to take and implement necessary controls to pursue their objectives.

The board is provided with reasonable assurance that adverse impact arising from a foreseeable future event or situation on the company's objectives is mitigated and managed.


Practice

9.1 The board should establish an effective risk management and internal
control framework.

9.2 The board should disclose the features of its risk management and
internal control framework, and the adequacy and effectiveness of this
framework.

Step Up

9.3 The board establishes a Risk Management Committee, which comprises a majority of independent directors, to oversee the company's risk management framework and policies.

Guidance

9.1 The board should determine the company's level of risk tolerance and actively identify, assess and monitor key business risks to safeguard shareholders' investments and the company's assets. Internal controls are important for risk management and the board should be committed to articulating, implementing and reviewing the company's internal control framework.

9.2 The board should, in its disclosure include a discussion on how key risk
areas such as finance, operations, regulatory compliance, reputation,
cyber security and sustainability were evaluated and the controls in
place to mitigate or manage those risks. In addition, it should state if the
risk management framework adopted by the company is based on an
internationally recognised risk management framework.

The board should also disclose whether it has conducted an annual review and periodic testing of the company's internal control and risk management framework. This should include any insights it has gained from the review and any changes made to its internal control and risk management framework arising from the review. Where information is commercially sensitive and may give rise to competitive risk, disclosure in general terms is acceptable.


Intended Outcome

10.0 Companies have an effective governance, risk management and internal control framework and stakeholders are able to assess the effectiveness of such a framework.

Practice

10.1 The Audit Committee should ensure that the internal audit function is
effective and able to function independently.

10.2 The board should disclose whether internal audit personnel are free
from any relationships or conflicts of interest, which could impair their
objectivity and independence; the number of resources in the internal
audit department; name and qualification of the person responsible for
internal audit; and whether the internal audit function is carried out in
accordance with a recognised framework.

Guidance

10.1 An internal audit function helps a company to accomplish its goals by bringing an objective and disciplined approach to evaluate and improve the effectiveness of risk management, internal control and governance processes. This function serves as an important source of advice for the Audit Committee concerning areas of weaknesses or deficiencies in internal processes to facilitate appropriate remedial measures by the company.

Internal audit should be carried out objectively and is independent from the management of the company and the functions which it audits. Thus, it is essential that the person responsible for internal audit reports directly to the Audit Committee.


The Audit Committee should also decide on among others:

(a) The appointment and removal;

(b) Scope of work;

(c) Performance evaluation; and

(d) Budget for the internal audit function.

In developing the scope of the internal audit function, the Audit Committee should:

(a) Satisfy itself that the person responsible for internal audit has relevant experience;

(b) Sufficient standing and authority to enable him to discharge his functions effectively;

(c) Internal audit has sufficient resources and is able to access information to enable it to carry out its role effectively; and

(d) The personnel assigned to undertake internal audit have the necessary competency, experience and resources to carry out the function effectively.

It is expected that the role of internal auditors will evolve and expand
to include providing advisory support on strategy. This requires
internal auditors to go beyond the execution of the internal audit plan
and undertake root-cause analysis to provide proactive strategic advice
and suggest meaningful business improvements. As such, internal
auditors should continuously keep abreast with developments in the
profession, relevant industry and regulations.

(Securities Commission Malaysia, 2017)


In order to achieve excellence in business, organisations must embrace good corporate governance, and risk management is one of the important principles addressed in the MCCG. Figure 2.2 illustrates the interrelation between corporate governance and enterprise risk management (ERM).

Figure 2.2: The interrelation between corporate governance and enterprise risk
management (ERM)
Source: Chapman (2011)

ACTIVITY 2.1

Assuming you are one of the board members, discuss in the myINSPIRE forum the terms of reference of the Board Risk Committee and its responsibilities.


2.2 ABOUT INTERNATIONAL STANDARDS

What are international standards? International standards are high-quality voluntary standards, which are intended to:

(a) Facilitate international exchange of goods and services;

(b) Support sustainability;

(c) Promote innovation; and

(d) Protect health, safety and the environment.

International standards provide a positive contribution to the world through:

(a) The spreading of knowledge;

(b) The dissemination of innovative advances in technology; and

(c) The sharing of good management and conformity assessment practices.

In addition, they provide the latest tools, techniques, methods and best practices that can be applied by all types of organisations.

International standards are developed by the International Organization for Standardization (ISO). ISO is an independent, non-governmental organisation whose members are the national standards bodies of over 160 countries.

Being the world's largest developer of international standards, ISO has developed more than 18,500 standards with the support of its central secretariat in Geneva, Switzerland. Malaysia participates in ISO through the Department of Standards Malaysia (DSM).

2.2.1 Development of ISO Standards

The development of ISO standards is a consensus process. Any member country may initiate it by submitting a new work item proposal through a systematic procedure. If the proposal is accepted by ballot, experts nominated by the member bodies develop the standard within the relevant technical committee or subcommittee.


The simplified stages involved in the development of an ISO standard are shown
in Figure 2.3.

Figure 2.3: Simplified stages of the development of international standards (ISO)

Based on Figure 2.3, after a proposal for the development of a standard (new work item proposal) is approved by the relevant technical committee (TC) or subcommittee (SC), a working group (WG) is set up by that TC or SC to prepare a working draft (WD). The WG iterates on the WD until it is confident that the technical content is stable.

When the WD is stable enough, and the WG is satisfied that it meets the justification originally given for developing the standard, the WD is registered as a committee draft (CD). The CD is then circulated to the participating members (P-members) of the TC or SC for comment and ballot.

Once the required majority of positive votes is obtained, the CD becomes a final committee draft (FCD). When consensus is reached on the technical content, the text is finalised for submission as a draft international standard (DIS).

The DIS is circulated to all national bodies for voting and comments within a period of five months. If a two-thirds majority of the P-members of the TC or SC is in favour, and not more than one-quarter of the total votes cast are negative, the text is approved to proceed as a final draft international standard (FDIS). ISO then holds a further ballot of national bodies within a period of two months, and if the same approval criteria are met the FDIS is approved as an international standard (IS).

The ISO central secretariat then publishes the international standard. Note that the ISO/IEC Directives are revised from time to time, so the exact stage names and ballot periods may differ from those shown here; what stays constant is the building of consensus through successive drafts and ballots. The process is systematic and demanding, which is what gives the resulting standard its acceptance and applicability in countries worldwide.

2.2.2 ISO Standards on Risk Management


At the ISO, standards related to risk management are developed by the Technical
Committee 262 (ISO/TC 262). The TC scope of work is standardisation in the field
of risk management. This TC currently has 45 participating members (P-members)
and Malaysia is one of them.


To date, four international standards and guides are in use in the field of risk management, as listed in Table 2.1. (ISO GUIDE 73 predates ISO/TC 262, and IEC 31010 is developed jointly with IEC/TC 56, but the TC maintains the family as a whole.)

Table 2.1: Four International Standards in the Field of Risk Management

ISO GUIDE 73:2009. The use of a uniform risk management terminology in the risk management process and framework is very important to eliminate inconsistencies and misunderstandings. This guide provides the definitions of key terms related to risk management and gives a consistent understanding of the terminology used in risk management and in other management system standards.

ISO 31000:2018. This standard provides principles and generic guidelines on risk management. Any organisation, whether public or private, an association, a group or an individual, can use it as a guideline in establishing and maintaining its risk management. It can be applied throughout the organisation to a wide range of projects, processes, operations and activities.

ISO/TR 31004:2013. This technical report provides guidance for organisations on managing risk effectively in accordance with ISO 31000 and explains its underlying concepts. Note that it was written against the 2009 edition of ISO 31000; the principles carry over to ISO 31000:2018, but the clause numbering it cites does not.

IEC 31010:2019. This standard supports ISO 31000:2018 by providing guidance on the selection and application of systematic techniques for risk assessment. It introduces a range of risk assessment techniques and describes their concepts and application in detail.

SELF-CHECK 2.1

1. What is an international standard?

2. Describe the five stages of ISO standards development.

3. Briefly explain the four international standards in the field of risk management.


2.2.3 ISO GUIDE 73:2009 Risk Management – Vocabulary

As mentioned earlier, it is important that the terms used in risk management are applied consistently across organisations. ISO GUIDE 73:2009 therefore plays a crucial role in standardising the terms and their definitions. Table 2.2 shows the commonly used terms that every risk manager and practitioner must understand when executing risk management-related tasks.

Table 2.2: Terms and Definitions Used in Risk Management

1. Risk: Effect of uncertainty on objectives.
2. Risk management: Coordinated activities to direct and control an organisation with regard to risk.
3. Risk management framework: Set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation.
4. Risk management process: Systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk.
5. Risk assessment: Overall process of risk identification, risk analysis and risk evaluation.
6. Risk identification: Process of finding, recognising and describing risks.
7. Risk source: Element which alone or in combination has the intrinsic potential to give rise to risk.
8. Risk owner: Person or entity with the accountability and authority to manage a risk.
9. Risk analysis: Process to comprehend the nature of risk and to determine the level of risk.
10. Likelihood: Chance of something happening.
11. Consequence: Outcome of an event affecting objectives.
12. Level of risk: Magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood.
13. Risk evaluation: Process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable.
14. Risk appetite: Amount and type of risk that an organisation is willing to pursue or retain.
15. Risk tolerance: Organisation's or stakeholder's readiness to bear the risk after risk treatment in order to achieve its objectives.
16. Risk treatment: Process to modify risk.
17. Risk retention: Acceptance of the potential benefit of gain, or burden of loss, from a particular risk.
18. Residual risk: Risk remaining after risk treatment.
19. Risk profile: Description of any set of risks.
20. Risk register: Record of information about identified risks.

Source: ISO (2009)

ACTIVITY 2.2

Based on ISO GUIDE 73:2009, identify which terms and definitions are
very important in the field of risk management. Discuss your answer in
the myINSPIRE forum.

2.2.4 ISO 31000:2018 Risk Management – Guidelines

ISO 31000:2018 Risk Management – Guidelines is the main standard to refer to when establishing and implementing risk management in any organisation. The standard contains the principles, the framework and the process of risk management. It is supported by ISO/TR 31004:2013 Risk Management – Guidance for the Implementation of ISO 31000, which explains the underlying concepts of ISO 31000 with advice and examples (it was written against the 2009 edition, so its clause references should be read with care when working with ISO 31000:2018).


The relationship between the principles, framework and process of risk management is depicted in Figure 2.4.

Figure 2.4: Relationship between the risk management principles, framework and process
proposed by ISO 31000:2018
Source: ISO (2018)

When the management of risk is implemented and maintained in accordance with ISO 31000:2018, it should enable the organisation to realise the principles of risk management shown in the diagram.

What is the purpose of the framework? The purpose of the framework is to integrate the process for managing risk into the organisation's overall governance, strategy and planning, management, reporting processes, policies, values and culture. Risk management in this standard refers to the whole architecture for managing risk (principles, framework and process).

Many organisations worldwide use this international standard as a reference in establishing risk management. Risk management built on it also helps organisations comply with the code of corporate governance.


How do we implement risk management? To implement risk management in an organisation, a risk management plan should first be established. The purpose of the plan is to develop and implement a structure, systems and processes for risk management incorporating the principles and practices of ISO 31000:2018.

This plan includes:

(a) Developing a risk management policy;

(b) Appropriate training programmes;

(c) Risk assessment methodology;

(d) Documentation such as manuals and procedures;

(e) Reporting structure, roles and responsibilities of key personnel;

(f) Defining risk owners and their level of accountability; and

(g) Risk management auditing methodology.

The roles and responsibilities of the board of directors, chief executive, directors
and managers as well as steering committees, internal auditors and other relevant
key personnel with respect to risk management should be clearly defined. In line
with the roles and responsibilities, a risk management organisational structure
should also be developed.

A practical risk assessment methodology and its related procedures should be established to identify, analyse and evaluate risks covering all aspects of the organisation. The methodology adopted should be practical for the organisation and based on the internal and external factors affecting it, as explained in Topic 1. The procedure should include, among others:

(a) The appropriate responsibilities to conduct risk assessment;

(b) Likelihood criteria;

(c) Consequences criteria;

(d) Risk-ranking matrix;

(e) Risk register; and

(f) Communication and reporting mechanisms.
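As an added worked example (not code from this module or from ISO 31000), the following Python script shows how the procedural elements just listed (likelihood criteria, consequence criteria, risk-ranking matrix, risk register) and the ISO GUIDE 73:2009 terms in Table 2.2 (level of risk, risk evaluation, risk tolerance, risk treatment, residual risk) fit together in one register. The 1 to 5 scales, the multiplication used to combine them, the rating bands, the tolerance threshold of 9 and the four cyber security risks are all assumptions constructed for illustration; ISO 31000 prescribes none of them, and a real organisation sets its own criteria when it establishes its scope, context and criteria.

```python
# Added worked example: a minimal ISO 31000-style risk register.
# Scales, rating bands, tolerance and sample risks are assumptions made
# for illustration; ISO 31000 does not prescribe any of them.
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
CONSEQUENCE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}
BANDS = [(15, "extreme"), (10, "high"), (5, "medium"), (0, "low")]  # risk-ranking matrix


def level_of_risk(likelihood: int, consequence: int) -> int:
    """Level of risk: combination of consequence and likelihood (here, their product)."""
    if likelihood not in LIKELIHOOD or consequence not in CONSEQUENCE:
        raise ValueError("likelihood and consequence must be on the 1-5 scales")
    return likelihood * consequence


def rating(score: int) -> str:
    """Map a level of risk to its band in the risk-ranking matrix (assumed thresholds)."""
    return next(name for floor, name in BANDS if score >= floor)


@dataclass
class Risk:
    """One risk register entry: source, owner, analysis scores and any treatment."""
    risk_id: str
    description: str
    risk_source: str
    risk_owner: str
    likelihood: int
    consequence: int
    treatment: Optional[str] = None  # None: risk retained untreated
    residual_likelihood: Optional[int] = None
    residual_consequence: Optional[int] = None

    @property
    def inherent(self) -> int:
        """Level of risk before treatment."""
        return level_of_risk(self.likelihood, self.consequence)

    @property
    def residual(self) -> int:
        """Residual risk: the level remaining after treatment (inherent if untreated)."""
        if self.treatment is None:
            return self.inherent
        return level_of_risk(self.residual_likelihood, self.residual_consequence)


class RiskRegister:
    def __init__(self, risk_tolerance: int) -> None:
        self.risk_tolerance = risk_tolerance  # highest residual level the board will bear
        self.risks: dict[str, Risk] = {}

    def identify(self, risk: Risk) -> None:
        """Risk identification: record a found risk; ids must be unique."""
        if risk.risk_id in self.risks:
            raise ValueError(f"duplicate risk id {risk.risk_id}")
        self.risks[risk.risk_id] = risk

    def treat(self, risk_id: str, treatment: str, likelihood: int, consequence: int) -> None:
        """Risk treatment: store the treatment and the re-analysed residual scores."""
        level_of_risk(likelihood, consequence)  # validate before mutating the entry
        risk = self.risks[risk_id]
        risk.treatment, risk.residual_likelihood, risk.residual_consequence = (
            treatment, likelihood, consequence)

    def evaluate(self) -> dict[str, bool]:
        """Risk evaluation: compare each residual level with the tolerance criterion."""
        return {rid: r.residual <= self.risk_tolerance for rid, r in self.risks.items()}

    def above_tolerance(self) -> list[str]:
        """Risks still outside tolerance: treat further, retain with sign-off, or escalate."""
        return sorted(rid for rid, ok in self.evaluate().items() if not ok)

    def report(self) -> list[str]:
        """Recording and reporting: one line per risk for the board pack."""
        return [f"{r.risk_id} {r.description} | owner {r.risk_owner} | "
                f"inherent {r.inherent} ({rating(r.inherent)}) | "
                f"residual {r.residual} ({rating(r.residual)}) | "
                f"{'within' if r.residual <= self.risk_tolerance else 'ABOVE'} tolerance"
                for r in self.risks.values()]


def build_sample_register() -> RiskRegister:
    """Constructed sample data: four cyber security risks, three of them treated."""
    reg = RiskRegister(risk_tolerance=9)
    reg.identify(Risk("R1", "Unpatched internet-facing VPN appliance",
                      "no patch process", "Head of IT", 4, 5))
    reg.identify(Risk("R2", "Phishing leading to credential theft", "email", "CISO", 5, 3))
    reg.identify(Risk("R3", "Ransomware encrypting file servers", "malware", "CISO", 3, 5))
    reg.identify(Risk("R4", "Legacy ERP with no vendor security support",
                      "end-of-life software", "CFO", 4, 4))
    reg.treat("R1", "7-day patch SLA and MFA on remote access", 2, 4)
    reg.treat("R2", "Phishing-resistant MFA and awareness training", 3, 2)
    reg.treat("R3", "Offline backups, restore tested quarterly", 3, 3)
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    print("\n".join(register.report()))
    print("Escalate to the board:", register.above_tolerance())
```

Running the script prints one register line per risk and lists R4 as the only risk still outside tolerance, which is the item a board would expect to see escalated with an explicit decision (treat further, retain with sign-off, or stop the activity). Two checks are built in that a practitioner would want: scores outside the agreed scales are rejected rather than silently accepted, and residual scores are re-analysed and entered after treatment rather than derived mechanically from the control, so an unverified treatment cannot lower a score on paper.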


The success of the implementation of risk management also depends on identifying the competency required of key personnel. Who are these key personnel? Let us find out the answer in Figure 2.5.

Figure 2.5: Eight key personnel of risk management team

Therefore, it is important for organisations to ensure that these personnel are competent to perform their roles and responsibilities. Where necessary, training must be provided to fill the competency gap.

SELF-CHECK 2.2

1. What is the purpose of the risk management framework of ISO 31000:2018?

2. State the eight key personnel of risk management team.

ACTIVITY 2.3

In your own words, explain the relationship between the principles, framework and process of risk management. Post your answer for discussion on the myINSPIRE forum.


2.3 RISK MANAGEMENT AND QUALITY MANAGEMENT SYSTEM

Many of us are familiar with the ISO 9001 standard on quality management systems. In 2015, the standard was revised, and the new version, ISO 9001:2015 Quality Management Systems – Requirements, incorporated the concept of risk-based thinking.

In the earlier versions, risk was addressed only implicitly, for example through the requirement for preventive action. The 2015 version addresses risk explicitly throughout the management system.

The risk-based thinking in ISO 9001:2015 is intended to increase the effectiveness of the quality management system and thereby improve the achievement of the ultimate quality objective, which is to produce products or services consistently and to meet and satisfy customer requirements. Remember that we discussed the significance of risk-based thinking in Topic 1. Can you still recall?

Clause 4 in ISO 9001:2015 requires the organisation to determine the internal and
external factors that could affect its ability to achieve the objectives of its quality
management systems.

Moreover, the standard requires the organisation to determine the relevant interested parties and their requirements, since these could affect its ability to consistently provide products and services that meet those requirements. The standard also requires the organisation to comply with applicable statutory and regulatory requirements, so a breach of the law can itself be treated as one of the risks.

These factors are then considered when identifying risks and opportunities, as required in Clause 6.1.1 of the standard. An appropriate action plan must be established after analysing and evaluating the risks and opportunities, as stated in Clause 6.1.2. Under the same clause, the standard requires the organisation to evaluate the effectiveness of the actions taken, which means they must be monitored.


The monitoring and review processes are explicitly addressed in Clause 9 of the standard, which specifically covers:

(a) The performance of the quality objectives (their achievement); and

(b) The internal audit and management review processes.

In Clause 5, the standard requires top management to demonstrate leadership and commitment to the quality management system by, among other things, promoting risk-based thinking and:

(a) Ensuring that the system achieves its intended results;

(b) Ensuring that the resources the system needs are available;

(c) Engaging people to contribute to the effectiveness of the quality management system; and

(d) Promoting improvement.

In Clause 5.1.2, the standard further requires top management to demonstrate leadership and commitment with respect to customer focus by ensuring that the risks and opportunities that can affect the conformity of products and services, and the ability to enhance customer satisfaction, are determined and addressed.

Table 2.3 shows the most prominent correspondences between ISO 9001:2015 and ISO 31000:2018.

Table 2.3: Prominent Correspondence between ISO 9001:2015 and ISO 31000:2018

ISO 9001:2015 clause and title / ISO 31000:2018 clause and title

4.1 Understanding the organisation and its context / 6.3 Scope, context and criteria
4.2 Understanding the needs and expectations of interested parties, as well as applicable statutory and regulatory requirements / 6.3 Scope, context and criteria
5.1 Leadership and commitment / 5.2 Leadership and commitment
6.1 Actions to address risks and opportunities / 6.4 Risk assessment
7.4 Communication / 6.2 Communication and consultation
7.5 Documented information / 6.7 Recording and reporting
9.1 Monitoring, measurement, analysis and evaluation / 6.6 Monitoring and review
9.3 Management review / 6.6 Monitoring and review

Apart from ISO 9001:2015, other management system standards adopt the same risk-based thinking concept. ISO has developed a common high-level structure for use in management system standards, and it is followed by, among others:

(a) ISO 22301:2019 Security and Resilience – Business Continuity Management Systems – Requirements;

(b) ISO 39001:2012 Road Traffic Safety (RTS) Management Systems – Requirements with Guidance for Use;

(c) ISO/IEC 27001:2013 Information Technology – Security Techniques – Information Security Management Systems – Requirements;

(d) ISO 55001:2014 Asset Management – Management Systems – Requirements;

(e) ISO 14001:2015 Environmental Management Systems – Requirements with Guidance for Use;

(f) ISO 37001:2016 Anti-Bribery Management Systems – Requirements with Guidance for Use; and

(g) ISO 45001:2018 Occupational Health and Safety Management Systems – Requirements with Guidance for Use.

ACTIVITY 2.4

In your opinion, should an organisation establish a separate system for risk management alongside its other management systems? Discuss this in the myINSPIRE forum and justify your answer.


Summary

• The Malaysian Code on Corporate Governance (MCCG) sets out best practices to strengthen a corporate culture pillared on accountability and transparency. It has 33 guidelines to facilitate 36 practices (including four step-ups) with 12 intended outcomes to support three core principles, one of which is effective audit and risk management.

• ISO is an organisation that develops international standards. Organisations worldwide use international standards as far as possible in order to facilitate trade and be competitive. Within ISO, Technical Committee ISO/TC 262 is responsible for developing standards related to risk management.

• To embark on risk management, the organisation needs to establish a risk management plan that covers, among others, the development of a risk management policy, the risk management process and procedures, the assignment of roles and responsibilities, the development of competent key personnel and a risk management organisational structure.

• The four applicable international standards on risk management are ISO GUIDE 73:2009, ISO 31000:2018, ISO/TR 31004:2013 and IEC 31010:2019.

• ISO GUIDE 73:2009 Risk Management – Vocabulary is crucial in standardising the terms and their definitions.

• ISO 31000:2018 Risk Management – Guidelines is the main standard to refer to in order to establish and implement risk management in any organisation. The standard contains the principles, framework and process of risk management.

• ISO 9001:2015 Quality Management Systems – Requirements is an example of a risk-based quality management system standard that applies the risk management concept throughout the system. The same concept applies to other management system standards as well.


Key Terms

ISO 9001:2015
ISO 31000:2018
ISO GUIDE 73:2009
Malaysian Code on Corporate Governance (MCCG)
Risk analysis
Risk evaluation
Risk identification
Risk management plan
Risk management policy
Risk management process
Risk treatment
Sustainability

References

Chapman, R. J. (2011). Simple tools and techniques for enterprise risk management (2nd ed.). Hoboken, NJ: Wiley.

International Electrotechnical Commission (IEC). (2019). IEC 31010:2019 Risk management – Risk assessment techniques. Geneva, Switzerland: Author.

International Organization for Standardization (ISO). (2009). ISO GUIDE 73:2009 Risk management – Vocabulary. Geneva, Switzerland: Author.

International Organization for Standardization (ISO). (2013). ISO/TR 31004:2013 Risk management – Guidance for the implementation of ISO 31000. Geneva, Switzerland: Author.

International Organization for Standardization (ISO). (2015). ISO 9001:2015 Quality management systems – Requirements. Geneva, Switzerland: Author.

International Organization for Standardization (ISO). (2018). ISO 31000:2018 Risk management – Guidelines. Geneva, Switzerland: Author.

Securities Commission Malaysia. (2017). Malaysian code on corporate governance. Retrieved from https://www.sc.com.my/api/documentms/download.ashx?id=70a5568b-1937-4d2b-8cbf-3aefed112c0a


Topic 3 Risk Management
LEARNING OUTCOMES
By the end of this topic, you should be able to:
1. Identify the principles (Clause 4) and the framework (Clause 5) of
ISO 31000:2018;
2. Explain the process (Clause 6) of ISO 31000:2018; and
3. Differentiate between risk management and risk assessment.

INTRODUCTION
In Topic 2, you were introduced to the Malaysian Code on Corporate Governance (MCCG), which states that the board should establish an effective risk management and internal control framework and establish a risk management committee to oversee the company's risk management framework and policy. Proper risk management and internal control are important aspects of a company's governance, management and operations.



34  TOPIC 3 RISK MANAGEMENT

In fulfilling this, many organisations embark on establishing enterprise risk management (ERM). What is ERM?

Enterprise risk management (ERM) describes what happens when organisations put in place a structured, continuous process to identify, manage and respond to risk.
(Chartered Institute of Internal Auditors, 2019)

ISO 31000:2018 is widely used as a guide for establishing the risk management process, while the supporting IEC 31010:2019 provides a range of techniques for carrying out the risk assessment step.

Keep in mind that the ISO 31000:2018 can also be applied to a wide range of
activities, operations, processes, projects, products and services besides the overall
organisation.

Therefore, in this topic, we will learn in-depth about risk management process and
procedures. Let us continue with the lesson.

3.1 ISO 31000:2018 RISK MANAGEMENT – GUIDELINES

We have discussed ISO 31000:2018 Risk Management ă Guidelines in general in
Topic 2. No doubt this is the main standard to be referred to in order to establish
and implement risk management in any organisation. The standard contains the
principles, framework and the process of risk management.

The relationship between the principles, framework and process of risk management was shown in the previous topic (Figure 2.4). Can you still remember?

Now in this topic, we will further understand the risk management principles and
framework. Firstly, let us explore the risk management principles.


Risk management creates and protects value. In addition, it:

(a) Improves performance;

(b) Encourages innovation; and

(c) Supports the achievement of objectives.

The ISO standard outlines eight principles as the foundation for effective and efficient risk management (see Figure 3.1).

Figure 3.1: Principles of risk management according to ISO 31000:2018
Source: ISO (2018)


These eight principles are further explained in Table 3.1.

Table 3.1: Eight Principles of Risk Management

Integrated: Risk management is an integral part of all organisational activities.
Structured and comprehensive: A structured and comprehensive approach contributes to consistent and comparable results.
Customised: The framework and process are customised and proportionate to the organisation's external and internal context related to its objectives.
Inclusive: Appropriate and timely involvement of stakeholders enables their knowledge, views and perceptions to be considered.
Dynamic: Risks can emerge, change or disappear as an organisation's internal and external context changes.
Best available information: The inputs to risk management are based on historical and current information, as well as future expectations.
Human and cultural factors: Human behaviour and culture significantly influence all aspects of risk management at each level and stage.
Continual improvement: Risk management is continually improved through learning and experience.

The standard also sets out a risk management framework. What is the purpose of the framework? The purpose of the framework is to assist the organisation in integrating risk management into its significant activities and functions. The effectiveness of risk management depends on its integration into the governance of the organisation, including decision-making. This requires support from stakeholders, particularly top management.


Framework development encompasses integrating, designing, implementing,
evaluating and improving risk management across the organisation, as shown in
Figure 3.2.

Figure 3.2: Framework of risk management according to ISO 31000:2018

Source: ISO (2018)

The risk management process involves the systematic application of policies,
procedures and practices to the activities of:

(a) Communication and consulting;

(b) Establishing the context;

(c) Assessing;

(d) Treating;

(e) Monitoring and reviewing; and

(f) Recording and reporting risk.


As stated just now, the involvement of top management and an oversight body
is important. They need to demonstrate the leadership's commitment towards
risk management so that it can be aligned to the company objectives, strategy
and culture.

SELF-CHECK 3.1

1. What is the purpose of risk management?

2. State the eight principles of risk management as proposed by ISO
31000:2018.

3. Name the five processes in the ISO 31000:2018 framework.

3.2 RISK MANAGEMENT PROCESS


Now, let us move on to the risk management process according to ISO 31000:2018
(see Figure 3.3).

Figure 3.3: Risk management process according to ISO 31000:2018

Source: ISO (2018)

Based on Figure 3.3, we can see that it starts from understanding the scope, context
and criteria. Then, the next process is risk assessment which involves the
following:

(a) Risk identification;

(b) Risk analysis; and

(c) Risk evaluation.

After that, the subsequent process is called the risk treatment along with other
considerations namely:

(a) Communication and consultation;

(b) Monitoring and review; and

(c) Recording and reporting.

3.2.1 Scope, Context and Criteria


Do you know that the first step in managing risk is to scan all factors contributing
to the environment in which the risk has to be managed? The factors can be divided
into two categories, which are external factors and internal factors. Can you recall
Figure 1.4 in Topic 1 where we illustrated risk management by using a ship as an
example? We mentioned several risk factors like the weather, the wave, the wind,
the condition of the ship, the equipment, the crew, the ports and the captain. All
these represent the external and internal factors that need to be considered in
achieving our objectives.

Similarly, let us recall Figure 1.2 (see Topic 1). We identified traffic
congestion as one of the external factors that may cause you to be late for
work. However, we can extend the factors to include:

(a) Poor weather conditions such as fog or heavy rain;

(b) Poor road conditions such as uneven road, flooded road or road under
construction; and

(c) The vehicle condition such as breakdown or punctured tyre.


That is why we need to establish the context of risk management. What does
establishing the context mean? It means:

(a) Defining the external and internal parameters to be taken into account when
managing risk; and

(b) Setting the scope and risk criteria for the risk management policy.

Similarly, the organisation should define the scope of its risk management
activities. It is important to be clear about the scope under consideration, the
relevant objectives to be considered and their alignment with organisational
objectives.

An organisation's external context includes all of the external environmental
parameters and factors that influence how it manages risk and tries to
achieve its objectives. These include:

(a) The cultural, social, political, legal, regulatory, financial,
technological, economic, natural and competitive environment, whether
international, national, regional or local;

(b) The key drivers and trends having impact on the objectives of the
organisation; and

(c) Relationships with, and perceptions and values of, external stakeholders.

As for an organisation's internal context, it includes all of the internal
environmental parameters and factors that influence how it manages risk and
tries to achieve its objectives, such as:

(a) Governance, organisational structure, roles and accountabilities;

(b) Policies, objectives and the strategies that are in place to achieve them;

(c) Relationships with, and perceptions and values of, internal stakeholders;

(d) The capabilities, understood in terms of resources and knowledge (such as
capital, time, people, processes, systems and technologies); and

(e) Standards, guidelines and models adopted by the organisation.


Establishing the external factors involves familiarisation with the following
aspects (see Table 3.2).

Table 3.2: The Familiarisation Aspects in Establishing the External Factors

Laws and regulation: Laws and regulation can have an effect on the capability
of an organisation to achieve its objectives and targets. For example, some
laws and regulations may prevent the organisation from doing certain things
that it normally does. On the other hand, some laws and regulations can
benefit the organisation.

Economy: This is another important element of the risk environment. Some
countries may have very volatile economies which can affect the market,
while other countries may have a mature economic environment.

Corporate governance requirements: In Malaysia, the Securities Commission
Malaysia has released the Malaysian Code on Corporate Governance (MCCG),
which is to be implemented by companies listed on Bursa Malaysia to foster a
strong culture of corporate governance. All organisations listed on Bursa
Malaysia are required to comply with the MCCG.

Stakeholders' expectations: Most organisations have a number of
interdependencies which impact the organisation's risk management. These
interdependencies are called the extended enterprise. Some examples of
interdependencies include government bodies, partner organisations,
customers, contractors, suppliers, employees and others.

Stakeholders' expectations may affect the way we normally deal with specific
risks. They may be unwilling to accept the risk management actions which
appear effective for the organisation. It is quite common for organisations
to overlook stakeholders' expectations when managing risks.

Government: Many organisations have relationships with government bodies
such as ministries, on which they depend in terms of policies, financing and
operations.

Once we are familiar with the external factors, we need to assess the internal
factors, which involves understanding the following:

(a) OrganisationÊs capabilities in terms of resources and knowledge;

(b) Internal stakeholders;

(c) Objectives and the organisationÊs strategies to achieve them;


(d) Values and cultures;

(e) Policies and processes; and

(f) Governance structure, business structure, roles and accountabilities.

Establishing the context is the first stage of the risk management process.
Put simply, establishing the context puts the topic into perspective for
someone who knows nothing about it.

Thus, this stage provides a general understanding of all the contributing factors to
the business. It is done by identifying the internal and external parameters that
affect the likelihood of success in achieving the pre-set objectives (see Table 3.3).

Table 3.3: Examples of External and Internal Parameters

External Context                  Internal Context
Law and regulation                Governance
Economic environment              Culture
External stakeholder values       Capabilities
Technology and innovation         Values
Perceptions and relationships     Internal stakeholders' expectations
Competitive environment           Standards

An organisation's external context includes all of the external environmental
parameters and factors that influence how it manages risks and increases the
likelihood of achieving its objectives.

In contrast, the internal context comprises the internal environmental
parameters, issues and factors faced by the organisation, such as its
governance, culture, values, capabilities and the expectations of its
employees.

The structure of the organisation, policies, objectives, roles,
accountabilities and decision-making process are elements of organisational
governance. Meanwhile, knowledge and human, technological, capital and
systemic resources constitute an organisation's capabilities.

Who is a stakeholder?

A stakeholder is a person or an organisation that can affect or be affected by
a decision or an activity.


Stakeholders also include those who have the perception that a decision or an
activity can affect them. Thus, it is essential to be able to distinguish between
external and internal stakeholders as their influences vary.

The success in establishing the context depends on the availability of relevant data
and information, and the depth of the evaluation. Since the evaluation provides a
basic foundation to the overall risk management process, it would be helpful to
include the following information:

(a) Business objectives and goals;

(b) Business plan;

(c) Business process map;

(d) Organisation chart;

(e) Assessment on expectation of stakeholders;

(f) Marketing plan;

(g) Ratios analysis providing a picture of the organisationÊs performance;

(h) Liquidity, profitability, efficiency and vulnerability; and

(i) Legal requirements.

According to IEC 31010:2019, in establishing the context, organisations
should also be able to define the:

(a) Risk assessment methodology;

(b) Risk criteria; and

(c) Risk appetite.

The output from this process, the findings, should be recorded and included
in a report. The report should include an appendix in which all reference
documents are listed.

SELF-CHECK 3.2

1. Define external and internal contexts. Give three examples for each of
them.

2. Who is a stakeholder?


3.2.2 Risk Assessment


Assessing risk involves a step-by-step process. There are three important
processes in risk assessment, as described in Table 3.4.

Table 3.4: Three Important Processes in Risk Assessment

Risk identification: We have learnt that risk is the effect of uncertainties
on objectives. When a risk is identified, care should be taken to avoid
defining the risk with statements which are simply the opposite of the
objectives.

A statement of risk should include the cause of the risk and the impact on
the objective (cause and consequence) which might arise. The process of risk
identification includes:

(a) Finding the risk;

(b) Recognising the risk; and

(c) Recording the risk.

This process can be done through brainstorming sessions, workshops or
filling in questionnaires.

Risk analysis: The process of risk analysis includes determining the
probability of the identified risk occurring and its severity or
consequences. This process involves determining the source of the risk. We
also need to take into account the existing risk controls and their
effectiveness. The analysis can be performed either quantitatively or
qualitatively.

Risk evaluation: The process of risk evaluation is to determine the
significance or level of risk. This process includes the decisions that need
to be made on:

(a) Whether the risk needs treatment;

(b) Prioritising for treatment; and

(c) Whether the activity should be undertaken.
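
To make the three processes in Table 3.4 concrete, here is a small risk
register in Python, added to this module as an illustration (it is not code
from the OUM module or from ISO 31000). The 5 x 5 rating scale, the level
thresholds, the two risk criteria and the sample risks are constructed
assumptions; in practice the criteria come out of the scope, context and
criteria step.

```python
# Added example for Table 3.4; not code from the OUM module or from ISO 31000.
# The 5 x 5 rating scale, the thresholds and the sample risks are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Risk criteria (assumed values). In practice these are fixed in the
# "scope, context and criteria" step, not during the assessment itself.
ACCEPT_MAX = 4        # residual score at or below this needs no treatment
RECONSIDER_MIN = 20   # residual score at or above this questions the activity


@dataclass
class Control:
    """An existing control: what it reduces and how well (0 none .. 4 strong)."""
    name: str
    reduces: str          # "likelihood" or "consequence"
    effectiveness: int


@dataclass
class Risk:
    """Identification output: a cause and a consequence tied to an objective,
    rather than a statement that merely negates the objective."""
    objective: str
    cause: str
    consequence: str
    likelihood: int       # inherent rating, 1 (rare) .. 5 (almost certain)
    severity: int         # inherent rating, 1 (negligible) .. 5 (severe)
    controls: List[Control] = field(default_factory=list)

    def statement(self) -> str:
        """Risk statement in cause-and-consequence form."""
        return (f"Because of {self.cause}, {self.consequence}, "
                f"affecting the objective to {self.objective}.")

    def residual(self) -> Tuple[int, int]:
        """Analysis: apply the existing controls to the inherent ratings."""
        cut = {"likelihood": 0, "consequence": 0}
        for ctl in self.controls:
            cut[ctl.reduces] += ctl.effectiveness  # KeyError on a bad target
        # A control lowers a rating but never below the bottom of the scale.
        lik = max(1, min(5, self.likelihood - cut["likelihood"]))
        sev = max(1, min(5, self.severity - cut["consequence"]))
        return lik, sev

    def score(self) -> int:
        """Residual likelihood x severity, 1..25."""
        lik, sev = self.residual()
        return lik * sev


def level(score: int) -> str:
    """Qualitative level for a 5 x 5 score (assumed thresholds)."""
    if score <= 4:
        return "low"
    if score <= 9:
        return "medium"
    if score <= 16:
        return "high"
    return "extreme"


def evaluate(register: List[Risk]) -> List[Dict]:
    """Evaluation: order the risks for treatment and apply the criteria."""
    ranked = sorted(register, key=lambda r: r.score(), reverse=True)
    return [
        {
            "priority": rank,
            "statement": risk.statement(),
            "residual": risk.residual(),
            "score": risk.score(),
            "level": level(risk.score()),
            "needs_treatment": risk.score() > ACCEPT_MAX,
            "reconsider_activity": risk.score() >= RECONSIDER_MIN,
        }
        for rank, risk in enumerate(ranked, start=1)
    ]


# Constructed sample register (illustrative, not real data).
SAMPLE_REGISTER = [
    Risk("keep the customer portal available",
         "a single internet-facing server running unpatched software",
         "a ransomware infection could take the portal offline for days",
         likelihood=4, severity=5,
         controls=[Control("tested offline backups", "consequence", 2)]),
    Risk("protect customer personal data",
         "staff reusing passwords across services",
         "a credential-stuffing attack could expose customer records",
         likelihood=4, severity=4,
         controls=[Control("multi-factor authentication", "likelihood", 3)]),
    Risk("meet the PDPA retention requirement",
         "having no retention schedule for backup tapes",
         "records could be kept beyond the permitted period",
         likelihood=5, severity=4),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_REGISTER):
        action = "treat" if row["needs_treatment"] else "accept and monitor"
        if row["reconsider_activity"]:
            action += "; reconsider whether the activity should go ahead"
        print(f"{row['priority']}. {row['level']:7} {row['score']:2}  {action}"
              f"\n   {row['statement']}")
```

Note that the second sample risk drops from a score of 16 to 4 once the
existing control is credited, which is exactly why the analysis step must
account for controls already in place before the evaluation step ranks
anything.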


3.2.3 Risk Treatment


After the risk has been assessed, we need to decide the next course of action to be
taken. Do you know that there are four strategies of risk treatment? What are they?
Let us look at the answer in Figure 3.4.

Figure 3.4: Four strategies of risk treatment

These four strategies will be explained further in Topic 5.

SELF-CHECK 3.3

1. Explain the three important processes in risk assessment.

2. Name the four strategies of risk treatment.

3.2.4 Communication and Consultation


Communication and consultation should take place during all stages of the risk
management process. This communication and consultation process with the
relevant external and internal stakeholders will give a more transparent picture of
the issues relating to the risks.

At the later stage, effective communication and consultation should take place in
order for the stakeholders to understand, agree and be accountable for the actions
and decisions made on the particular risks.


3.2.5 Monitoring and Review


Why do we need to review risk? What are the reasons? We need to put in place a
process to determine:

(a) Whether the risk still exists or not;

(b) Whether the risk has been reduced or eliminated; and

(c) Whether a new risk has arisen or not.

The review also needs to cover the effectiveness of the controls put in place
and the ability of the organisation to achieve its pre-set objectives.

3.2.6 Recording and Reporting


Another important process of risk management is recording and reporting
throughout all stages of the risk management process. Proper procedures and
records should be established, maintained and retained in conducting risk
management.

Adequate reports should be prepared and disseminated according to the
communication plan established earlier in the communication and consultation
stage. However, reports could differ according to the stakeholder's needs.

Now, you can see that the risk management concept covers a very wide area:
establishing the context, assessing the risks, evaluating the risks after
considering the existing controls, mitigation plans, communication and
consultation, monitoring and review, and lastly, recording and reporting the
risk.

3.3 RISK MANAGEMENT AND RISK ASSESSMENT

Hopefully by now you have learned a lot about risk management. Let us move on
to risk assessment and its relationship to risk management. Risk assessment is
another concept in risk management. We must be clear about the meanings of these
two terms. In general, risk management means managing risks, while risk
assessment refers to assessing the risk.


We have learnt that risk assessment is one of the activities involved in risk
management. This can be simplified as shown in Figure 3.5.

Figure 3.5: Relationship between risk management and risk assessment

SELF-CHECK 3.4

State the difference between risk management and risk assessment.

ACTIVITY 3.1

In your work setting, select an activity or process and apply the risk
assessment and risk treatment concept. Share your answer for discussion
in the myINSPIRE forum.


• The ISO 31000:2018 standard is widely used as a guide to establish the
risk management process.

• There are eight principles outlined under the standard for effective and
efficient risk management:

  – Integrated;

  – Structured and comprehensive;

  – Customised;

  – Inclusive;

  – Dynamic;

  – Best available information;

  – Human and cultural factors; and

  – Continual improvement.

• Framework development encompasses integrating, designing, implementing,
evaluating and improving risk management across the organisation.

• The risk management process involves several stages:

  – Establishing the scope, context and criteria (external and internal
  factors);

  – Risk assessment (risk identification, risk analysis and risk evaluation);

  – Risk treatment;

  – Communication and consultation;

  – Monitoring and review; and

  – Recording and reporting.


• Risk assessment is a process of identifying, analysing and evaluating risk.

• There are four strategies of risk treatment, which are terminating the
risk, reducing the risk, accepting the risk and passing the risk to another
party.

• In general, risk management means managing risks, while risk assessment
refers to assessing the risk.

Accept
Best available information
Communication and consultation
Continual improvement
Customised
Design
Dynamic
Evaluate
External
Human and cultural factors
Implement
Improve
Inclusive
Internal
Integrate
Monitoring and review
Pass
Recording and reporting
Reduce
Risk analysis
Risk assessment
Risk evaluation
Risk identification
Risk management
Risk treatment
Scope, context and criteria
Structured and comprehensive
Terminate


Chartered Institute of Internal Auditors. (2019). Risk management. Retrieved
from https://bit.ly/2W9NBML

Hopkin, P. (2018). Fundamentals of risk management: Understanding, evaluating
and implementing effective risk management (5th ed.). London, England: Kogan
Page Limited.

International Electrotechnical Commission (IEC). (2019). IEC 31010:2019 Risk
management – Risk assessment techniques. Geneva, Switzerland: Author.

International Organization for Standardization (ISO). (2018). ISO 31000:2018
Risk management – Guidelines. Geneva, Switzerland: Author.

Topic 4 Risk Identification

LEARNING OUTCOMES
By the end of this topic, you should be able to:
1. Identify two types of influences that may have the potential to affect
your organisation;
2. Determine external influences;
3. Verify internal influences; and
4. Apply SWOT analysis.

INTRODUCTION
In Topic 3, we talked about the overall risk management process. Now, let us
move on to a more detailed aspect of the risk management processes, that is
risk identification.

As mentioned earlier in Topic 3, risk identification is a process that is used
to find, recognise and describe the risks that could affect the achievement
of the organisation's objectives. It is used to identify possible sources of
risk in relation to the events and circumstances that could affect the
achievement of objectives. It also includes the identification of possible
causes and potential consequences.


Take note that the risk management process is initiated by understanding the
background of the business as a whole and identifying the external and internal
factors to be taken into account in managing the risk. Some organisations use the
following tools to facilitate this exercise:

(a) SWOT (strengths, weaknesses, opportunities and threats) analysis;

(b) PEST (political, economic, social, technological) analysis; and

(c) PESTLE (political, economic, social, technological with additional legal and
environment) analysis.

Some organisations use financial, infrastructure, technology, competency,
operation and working environment in analysing their internal factors.

Risk should be identified in relation to its objectives. The objectives can range
from personal objectives to organisational objectives. Appropriate and effective
methodology should be adopted in order to identify risks as risks that are not
identified will not be managed.

How do we identify risk? Risk identification can be conducted through:

(a) Questionnaire surveys;

(b) Interviews; and

(c) Interactive workshops.

It is commonly done in a group where individuals from a combination of several
areas of knowledge and expertise are selected.

A bottom-up approach to risk identification is one where each level of the
organisation is involved in identifying the risks covering its own scope of
activities or level. Each level will focus only on the effect of
uncertainties on achieving its objectives. The danger is that when the
interdependencies between levels or between departments are not considered,
some risks are excluded. As a result, the relationships between risks are
not taken into consideration.


To counter this, some organisations form a risk management committee (RMC).
The RMC oversees all the key risks across the organisation as well as
determining the interrelations between them. We can generate a list of
possible risks through:

(a) Historical data;

(b) Theoretical analysis;

(c) Informed opinions;

(d) Expert advice; and

(e) Stakeholder input.

Let us learn more on risk identification in the next subtopics. Happy reading!

4.1 RISK CATEGORY


Generally, the terms category and classification of risks are often used
interchangeably. However, these terms are not defined in the ISO GUIDE 73:2009.
What do these two mean?

Both terms mean grouping the issues relating to the risks into its own particular
class. The classes or categories of risks applied in one organisation may differ from
another depending on:

(a) Location;

(b) Type of products or services; and

(c) Complexity of the production process.

To understand risk categories, first we need to be exposed to the external
environmental influences that can affect businesses worldwide. Having been
exposed to the external environmental influences and their categories, you
need to relate these influences to the risks they could give rise to in your
organisation. For example, when we face haze problems caused by the fires in
Indonesia, this might affect the yield of a company in the plantation sector
and would eventually reduce its income target. This is an example of an
external environmental issue contributing to an organisation's financial
risk.


Apart from these external influences, there are also internal influences that could
give rise to risks in your organisation. Unlike the former, the organisation
leadership has control over the internal factors.

Thus, managing the influences is the key to business success. More often than
not, the organisation provides a formal structure by establishing clear
mission and vision statements to address them. Generally, the categories of
risk reflect the categories of influences. Let us look at Table 4.1, which
shows you the typical categories of risks.

Table 4.1: Typical Category of Risks

External Influences       Internal Influences
Environmental             Financial
Economic                  Operational
Political                 Legal
Technological             Strategic
Social                    Reputational
Market

These influences are further explained in the next subtopics.

SELF-CHECK 4.1

State the categories of risk according to external and internal influences.

4.2 EXTERNAL INFLUENCES


Some businesses operate in an ever-changing environment which is beyond their
control. This is very common for those operating in a foreign country. These
external influences have a potential to give rise to significant risks that may affect
their business objectives.


Chapman (2011) in his book entitled Simple Tools and Techniques for Enterprise
Risk Management has addressed several issues related to political, economic,
social and technological aspects to be considered by organisations as external
influences. These issues are shown in Figure 4.1.

Figure 4.1: Examples of external influences


Source: Chapman (2011)

How do these issues affect organisations? The following are examples of how
issues related to political, economic, social and technological risks can negatively
affect an organisation (Philips, 2013):

(a) Negative economic growth impacting the global liquidity markets could
affect the ability of the organisation to raise or refinance debt in the capital
markets or could lead to significant increases in the cost of such borrowing
in the future.


(b) Fluctuation in exchange rates with foreign currencies, particularly the US
dollar and the Euro. Thus, appreciation of the US dollar would have an
adverse effect on reported earnings of the organisation.

(c) The credit risk of financial and non-financial counterparties with
outstanding payment obligations creates exposures for the organisation and
has an adverse effect on an organisation's financial condition and operating
results.

(d) Fluctuations in energy and raw material prices. Commodities such as oil are
subject to volatile market forces and significant price increases from time to
time. If the organisation is not able to compensate for or pass on its increased
costs to customers (such as through price increases), this could have an
adverse impact on its financial condition and operating results.

(e) Interest rate risk particularly in relation to its long-term debt position; this
risk can take the form of either fair value or cash-flow risk. Failure to
effectively hedge this risk can affect an organisationÊs financial condition and
operating results.

(f) Different fiscal and tax uncertainties which could have a significant impact
on local tax results such as double taxation, penalties and interest payments.
These uncertainties may have a significant impact on the local tax, which in
turn could adversely affect the organisationÊs financial condition and
operating results.

(g) Legal proceedings relating to such matters as competition issues,
commercial transactions, product liability and environmental pollution.

(h) Restriction, scrutiny and inspection by the authorities and regulatory bodies.

(i) Changes of regional and local regulatory rules which may affect the
realisation of business opportunities and investments in the countries.

(j) Non-compliance with general business principles such as anti-competitive
market practices.


(k) Changes in governmental regulations and unfavourable political
developments, which may affect the realisation of business opportunities or
impair the organisation's local investments.

4.3 INTERNAL INFLUENCES


Now, let us move on to internal influences. Did you know that there are many
categories of risks originating from internal influences? However, there are five
most commonly used risk categories as shown in Figure 4.2.

Figure 4.2: Five most commonly used risk categories

These risks are further explained in the next subtopics. Bear in mind that the
examples given in the subtopics are only a guide to you. In reality, they depend on
the type of business, geographical location and other contributing factors. This is
because the same risks identified in one category by one organisation may be put
in a different category by another.

4.3.1 Financial Risk


Did you know that financial risk is one of the high-priority risk categories for every
business? What does it mean?

Financial risk is defined as risks that are associated with the organisation's
financial and accounting policies, cash management, rules and regulation as
well as potential losses from business transactions.


Some examples of financial risks adapted from Philips (2013) and the Early
Childhood Learning & Knowledge Center (ECLKC) (2018) are illustrated in
Figure 4.3.

Figure 4.3: Types of financial risks


Sources: Philips (2013); Early Childhood Learning & Knowledge Center (2018)

These five common types of financial risks are further explained in Table 4.2.

Table 4.2: Five Common Types of Financial Risks

Fraud: What is fraud? Fraud is a wrongful or criminal deception intended to
result in financial or personal loss. It is the generic term for the
fraudulent taking of property or any act of stealing or any type of theft,
including burglary, swindling, forgery and embezzlement.

Investments: Investments need to be controlled and monitored regardless of
the size of the investment funds. As such, poor investment decisions such as
the purchase of junk bonds and investing in "politically incorrect"
companies will result in the organisation losing money, a loan crisis and
ultimately, bankruptcy.

Misuse of funds: Misuse of funds occurs when funds are inappropriately
expended. As pressures continue to mount for non-profit organisations to
meet social needs, it is often easy to lose sight of the organisation's
mission.

Physical assets: Physical assets such as office furniture, fixtures and
equipment are also subject to risk. A fire or flood can damage or destroy an
office. Meanwhile, an employee, volunteer, computer hacker or other person
wanting to harm the organisation can steal or damage its assets.

Market risk: Market risk is the probability of loss a business owner faces
from the entire banking industry. Banks that continually engage in risky
lending practices such as buying and selling toxic loans can increase the
market risks relating to business financing.

The identified risks need to be treated in order to control or mitigate their
consequences. What are the treatments? Let us look at Figure 4.4 for the
answer.

Figure 4.4: Four most commonly used risk categories


Source: Vitez (2015)

These treatments are further explained as follows:

(a) Diversification
What is diversification?

Diversification is the attempt to spread risk among several safe and risky
investments in various economic markets.

Let us look at Table 4.3, which shows you an example of diversification as a
market strategy of an organisation.

Table 4.3: Examples of Diversification

Diversified Market Sector        Diversification (%)
Sporting goods                   25
Conglomerate diversification     15
Construction equipment           20
Agriculture                      10
Food and beverage                30
Total                            100


On a different note, you can manage your financial risk by diversifying your
investment in a specific way such that 25 per cent is in fixed deposit, 55 per
cent in physical assets and 20 per cent in insurance schemes.

(b) Use Savings Account

Using a savings account ensures that individuals have cash on hand for
emergency purposes if necessary. A savings account may also represent an
extremely safe investment if the bank or credit union offers interest on the
savings account balance.

(c) Invest Sooner than Later

This allows you to let your money work longer and potentially earn higher
returns. If the investment markets become extremely risky and businesses or
individuals start losing money, an investment decrease will only reduce the
earned income rather than the original principal balance. This allows
individuals to cash out of extremely risky investments with little economic
loss relating to their original investment.

(d) Learn about Investments

Managing financial risk often requires you to spend plenty of time learning
about and understanding the investment market to ensure highly successful
returns and a reduction of significant losses.

4.3.2 Operational Risk


Did you know that this is the category of risks that exists in almost all organisations
worldwide and has the most extensive or broad area of risk coverage? What does
it mean?

Operational risk is the potential for loss due to failures of people, processes
and technology and external dependencies.
Peccia (2001)


The following are examples of operational risks:

(a) Defective internal controls, such as inconsistent reporting of revenue or
expenditure figures and inaccurate disclosures to stakeholders;

(b) Disruption or system failures (such as hardware, software and
telecommunications);

(c) Non-compliance with legal and regulatory requirements such as the Personal
Data Protection Act (PDPA), Occupational Safety and Health Act (OSHA) and
Employee Act;

(d) Time-consuming prerequisites for process approval;

(e) Human error in processing transactions (due to complex accounting rules);
and

(f) Acts of sabotage or vandalism by dissatisfied employees.

Other typical subcategories of operational risks are illustrated in Figure 4.5.

Figure 4.5: Types of operational risks

4.3.3 Legal Risk

What is legal risk?

Legal risk is generally defined as the risk of an organisation failing to meet its
legal obligations. It is a description of the potential for loss arising from the
uncertainty of legal proceedings, such as bankruptcy.

Figure 4.6 shows you some examples of legal risks.

Figure 4.6: Types of legal risks

These legal risks are further described in Table 4.4.

Table 4.4: Five Types of Legal Risk

Type of Legal Risk         Description
Legislative                The risk that a business fails to implement legislative or
                           regulatory requirements; for example, an inability to remain
                           aware of existing legislation or regulation that could affect
                           business operations.
Contractual                The risk arising from the current and future contracts to which
                           the organisation is exposed; for instance, use of non-standard
                           terms and conditions, inability to enforce or comply with
                           contractual terms, and inadequate or unclear authorisation.
Non-contractual right      Also known as intellectual property risk; the risk that the
                           business fails to assert its non-contractual rights, for example
                           through poor management of trademarks, patents, trade secrets
                           and channel knowledge.
Non-contractual            The risk that the business fails to keep to the spirit as well
obligation                 as the letter of the law. It includes infringement of third-party
                           intellectual property rights and inappropriate use of social media.
Dispute                    The risk that the business makes operational or strategic errors
                           when managing disputes. The risk emerges when the organisation
                           fails to adhere to dispute resolution timelines or otherwise
                           mismanages the dispute process.

4.3.4 Strategic Risk

What is strategic risk?

Strategic risks are the potential loss arising from a poor strategic business
decision resulting in the organisation failing to achieve its objectives.

In other words, these risks are determined by the board based on the objectives
and direction of the organisation.

Do you have any idea of your organisation's strategic risks? Try an Internet
search for them and you will find an almost endless list of answers. The
following are some simplified examples of strategic risks listed by Marr (2013):

(a) Corporate governance risk is the risk that insiders (employees) will not act
in the best interest of the stockholders.

(b) Strategy execution risk occurs when the execution of a business strategy fails.

(c) Strategy forecast risk emerges when the organisation's business strategy is
off the mark, for example because of an invalid sales forecast.

(d) Competitive risk results from a decline in competitive advantage.

(e) Innovation risk is the inability to innovate (failed innovation investments).

(f) Intellectual property risk is the risk of intellectual property loss and liability.

(g) Merger and acquisition risk almost always arises when integrating firms.

Figure 4.7 summarises the types of strategic risks.

Figure 4.7: Types of strategic risks

4.3.5 Reputational Risk

Last but not least, let us get to know reputational risk.

Reputational risk is the potential loss of reputation to the organisation.

This may be due to:

(a) The loss of revenue or the destruction of shareholder value; or

(b) The result of an adverse or impending criminal proceeding, even if the
company is not found guilty.

In fact, reputational problems have the biggest impact on revenue and brand
value and may lead to bankruptcy in extreme cases.

Among the risks typically associated with reputation are (Deloitte Global Survey,
2014):

(a) Ethics and integrity risks such as fraud, bribery and corruption;

(b) Security risks, including both physical and cyber breaches, followed closely
by product and service risks, such as those related to safety, health and the
environment; and

(c) Third-party relationship risk, another rapidly emerging risk area, with
organisations increasingly being held accountable for the actions of their
suppliers and vendors.

ACTIVITY 4.1

Out of the categories of risks stated, identify the risks that may be
associated with your organisation. Then, explain in detail the risks,
source of these risks and the risk treatment. Post your answer for
discussion on the myINSPIRE forum.

SELF-CHECK 4.2

State the meaning of financial risk, operational risk, legal risk, strategic
risk and reputational risk. Give four types of risk related to each of them.

4.4 SWOT ANALYSIS

Before we end this topic, let us learn about SWOT analysis. PEST analysis has
been around for quite some time; another strategic management tool that we
can use in risk identification is SWOT analysis. Simply put, SWOT stands for
strengths, weaknesses, opportunities and threats. Figure 4.8 shows you an example
of SWOT analysis in an organisation.

Figure 4.8: Example of SWOT analysis by an organisation

If you still remember, risk has been defined as the effect of uncertainty on
objectives. Therefore, the information in both the weaknesses and threats
quadrants represents the influences that could contribute to your organisation's
risks and needs to be well managed.

ACTIVITY 4.2

Discuss the strengths and weaknesses of SWOT analysis in the
myINSPIRE forum.


SUMMARY

• Risk categories vary from one organisation to another, depending on the type
  of business, geographical location and other contributing factors.

• Most organisations categorise their risks into financial, operational, legal,
  reputational and strategic risks. These risks are normally influenced by
  both internal as well as external factors.

• External influences can be categorised into political, economic, social and
  technological factors.

• Political factors can be in terms of tax policy, employment laws, environmental
  regulations and political stability.

• Economic factors can be in terms of growth, interest, exchange and inflation
  rates.

• Social factors can be viewed from the perspectives of health consciousness,
  population growth rate, age distribution, career attitudes and emphasis on
  safety.

• Technological factors can be in terms of R&D activities, automation,
  technology incentives and the rate of technological change.

• Internal influences can be in the form of financial, operational, legal, strategic
  and reputational.

• Financial risk is associated with the organisation's financial and accounting
  policies, cash management, rules and regulation as well as potential losses
  from business transactions.

• Operational risk exists in almost all organisations worldwide and is defined as
  the potential loss due to failures of people, processes, and technology and
  external dependencies.

• Legal risk is the potential for loss arising from the uncertainty of legal
  proceedings, such as bankruptcy and potential legal proceedings.

• Strategic risk is the potential loss arising from a poor strategic business
  decision resulting in the organisation failing to achieve its objectives.

• Reputational risk is the potential loss of reputation to the organisation.

• The SWOT (strengths, weaknesses, opportunities and threats) analysis can be
  used to assist organisations in determining their risk categories.

KEY TERMS

External influences
Financial risk
Internal influences
Legal risk
Operational risk
Reputational risk
Risk identification
Strategic risk
SWOT analysis

REFERENCES

Chapman, R. J. (2011). Simple tools and techniques for enterprise risk management
(2nd ed.). Hoboken, NJ: Wiley.

Deloitte. (2014). 2014 global survey on reputation risk. Retrieved from
http://www2.deloitte.com/content/dam/Deloitte/pl/Documents/Reports/pl_Reputation_Risk_survey_EN.pdf

Early Childhood Learning & Knowledge Center (ECLKC). (2018). The most
common financial, management risks facing nonprofits. Retrieved from
https://eclkc.ohs.acf.hhs.gov/fiscal-management/article/most-common-financial-management-risks-facing-nonprofits

International Organization for Standardization (ISO). (2009). ISO GUIDE 73:2009
Risk management – Vocabulary. Geneva, Switzerland: Author.

Marr, A. (2013). 22 strategic risks. Retrieved from
http://business.simplicable.com/business/new/22-strategic-risks

Peccia, T. (2001). Designing an operational risk framework from a bottom-up
perspective. In C. Alexander (Ed.), Mastering risk volume 2: Applications
(pp. 200–218). Harlow, England: Financial Times Management.

Philips. (2013). Philips annual report 2013: Delivering innovations that matters to
you. Retrieved from
http://www.annualreport2013.philips.com/content/en/risk_management/risk_categories_and_factors.html

Vitez, O. (2015). Five ways to manage financial risk. Retrieved from
https://smallbusiness.chron.com/five-ways-manage-financial-risk-4564.html

Topic 5 Risk Analysis, Risk Evaluation and Risk Treatment

LEARNING OUTCOMES
By the end of this topic, you should be able to:
1. Implement proper risk analysis;
2. Use risk matrix and risk action table for risk evaluation; and
3. Apply the four strategies of risk treatment.

INTRODUCTION
You have learnt in Topic 3 that risk identification, risk analysis and risk evaluation
are parts of risk assessment. We have discussed in detail the risk identification
process in Topic 4. Now, let us further understand the next processes namely risk
analysis, risk evaluation and risk treatment.

As we discussed earlier in Topic 3, risk analysis is the process of determining
the probability and severity of an identified risk. It involves determining the
source of the risk and the impact of the risk on the organisation, based on the
risk category. We also need to take into account the existing risk controls and
their effectiveness. The analysis can be performed either quantitatively or
qualitatively.

After the risk analysis, the next step is risk evaluation. Risk evaluation is the
process of determining the significance or level of a particular risk. This process
includes deciding whether the risk needs treatment, prioritising it for treatment
and deciding whether the activity should be undertaken or not.

Based on the result of the risk evaluation, the next process is risk treatment. In
risk treatment, the organisation determines the next course of action for the
prioritised or high-impact risks in order to mitigate them, so that the
organisation can achieve its objectives. Let us learn more on these three processes
in the next subtopics. Happy reading!

5.1 RISK ANALYSIS

What is risk analysis?

Risk analysis is a process that is used to understand the risk in order to
estimate the risk level and the consequences of occurrence, and to examine the
existing controls, if any.

As stated just now, this process can be conducted using quantitative or
qualitative analysis, or both together. It can be conducted manually or by using
software applications.

What is the main difference between qualitative and quantitative risk analysis?
The main difference is that qualitative analysis uses a relative or descriptive
scale to measure the probability of occurrence, whereas quantitative analysis uses
a numerical scale. Further explanation of these two methods is given in Table 5.1.

Table 5.1: Qualitative Risk Analysis versus Quantitative Risk Analysis

Qualitative Analysis
• According to the Project Management Institute, Inc. (2013), qualitative
  analysis is "the process of prioritising risks for further analysis or action by
  assessing and combining their probability of occurrence and impact."
• Risks are scored based on their likelihood of occurrence and the
  consequence should they occur.
• Likelihood is generally ranked based on the likelihood level; for example, on
  a one to five scale, with five being almost certain to occur.
• The consequences scale is organisationally defined, for example, on a one to
  five scale, with five being the critical consequence toward project objectives.

Quantitative Analysis
• A quantitative risk analysis is when you further analyse the highest priority
  risks and assign a numerical or quantitative rating.
• For example, Risk #1 has a 70 per cent chance of occurring; Risk #2 has a 30
  per cent chance of occurring, and so on.
• Examples of quantitative risk analysis techniques include statistical analysis,
  break-even analysis, cost-benefit analysis, feasibility studies and so on.

What are the other differences between qualitative and quantitative analysis? In
general, the differences between qualitative and quantitative analysis are shown
in Table 5.2.

Table 5.2: The Differences between Qualitative Analysis and Quantitative Analysis

Qualitative                                    Quantitative
• Organisational-level                         • Project-level
• Subjective evaluation of probability         • Probabilistic estimates of time and cost
  and impact
• Quick and easy to perform                    • Time consuming
• No special software or tools required        • May require specialised tools

To conclude, in analysing risk, we have to analyse:

(a) The likelihood of the occurrence of the event; and

(b) The consequences of the risk and its effects on objectives and stakeholders.

As such, you have to establish likelihood criteria and consequence criteria so
that they can be consistently applied throughout the organisation. Let us look at
Table 5.3 for an example of likelihood criteria.

Table 5.3: Likelihood Criteria

Likelihood Level   Likelihood of Occurrence                         Criteria
Almost certain     Event is expected to occur in most               Happens most of the time within a
                   circumstances; common or repeated                fiscal year at the department/centre/
                   occurrence.                                      other similar activities.
Likely             Event will probably occur in most                Has occurred several times before at
                   circumstances; known to occur, has               the department/centre or to other
                   happened before several times.                   similar groups in the past.
Unlikely           Event could occur at some point in time;         Never happened among the group of
                   not likely to occur, but could occur.            companies/other similar groups in
                                                                    the past 10 years.
Rare               Event may either occur in exceptional            Never happened in the industry; for
                   circumstances or is practically impossible.      example, a natural disaster.

Meanwhile, Table 5.4 shows you an example of consequences criteria.

Table 5.4: Consequences Criteria

Risk Category: Stakeholders
  Critical:    Loss of confidence resulting in withdrawal of financial support by
               stakeholders.
  Major:       Changes in stakeholders' policies resulting in loss of opportunities.
  Minor:       Demand by stakeholders for more options resulting in increased
               competition.
  Negligible:  Comments made by stakeholders cause the organisation to review its
               services.

Risk Category: Financial
  Critical:    Negative financial impact of more than 30 per cent of projected
               cost/income, or more than RM1 million of the targeted profit.
  Major:       Negative financial impact of between 21 per cent to 30 per cent of
               projected cost/income, or between RM101,000 to RM1 million of the
               targeted profit.
  Minor:       Negative financial impact of between 1 per cent to 10 per cent of
               projected cost/income, or between RM1,000 to RM10,000 of the
               targeted profit.
  Negligible:  Negative financial impact of less than 1 per cent, or less than
               RM1,000 of the targeted profit.

Risk Category: Legal
  Critical:    Very high possibility of legal action.
  Major:       High possibility of legal action.
  Minor:       Low possibility of legal action.
  Negligible:  Very low possibility of legal action.

Risk Category: Intangible
  Critical:    Negative publicity at national and/or international level resulting
               in loss of the organisation's integrity.
  Major:       Negative publicity at national and/or international level creating
               negative views on the organisation's credibility.
  Minor:       Some expressions of displeasure by the general public that raise a
               questionable perception of the organisation.
  Negligible:  Public awareness or concern on SIRIM with no noticeable impact on
               the organisation's image.

Risk Category: Operational
  Critical:    Failure to deliver all three QCD elements according to the
               customer's specification.
  Major:       Failure to deliver any two QCD elements according to the
               customer's specification.
  Minor:       Able to deliver all three QCD elements despite changes to the
               customer's specifications.
  Negligible:  Able to deliver with variations without affecting any of the
               customer's QCD requirements.

Risk Category: Strategic
  Critical:    Total failure in achieving strategic objectives or business goals.
  Major:       Failure in achieving customer objectives.
  Minor:       Delays in achieving strategic objectives or business goals.
  Negligible:  Delays in achieving the quarterly targets without affecting the
               overall business goals.

Note: QCD = Quality, cost and delivery

SELF-CHECK 5.1

1. What is risk analysis?
2. State the meaning of qualitative and quantitative analysis.
3. What are the differences between qualitative and quantitative
   analysis?

5.2 RISK EVALUATION

What is risk evaluation?

Risk evaluation involves determining the significance of the level and type of
risk and making decisions about future activities.

In determining the significance of the risks, a risk assessment matrix (RAM) is
normally used. Figure 5.1 shows you an example of a risk assessment matrix.

Figure 5.1: An example of risk assessment matrix (RAM)

Using the RAM and the ratings of consequences and likelihood described earlier,
you can then find the risk rating by multiplying the likelihood scale by the
consequence scale for each risk event. After the risk rating has been determined,
we need to decide on the future action. To determine the action, we can establish
a risk action table as shown in Table 5.5. Using the table, the appropriate action
can be decided immediately.

Table 5.5: A Risk Action Table

Risk Rating               Acceptance                Action
H = High (Scale 16)       Not acceptable            • Likely to threaten the survival or continued
                                                      effective functioning of the programme or the
                                                      organisation, either financially or politically.
                                                    • Immediate action required and must be
                                                      managed by senior management.
S = Significant           Generally not acceptable  • Likely to cause some damage, disruption or
(Scale 6–12)                                          breach of controls.
                                                    • Senior management attention needed and
                                                      management responsibility specified.
M = Moderate              Acceptable                • Unlikely to cause much damage and/or
(Scale 3–4)                                           threaten the efficiency and effectiveness of the
                                                      programme or activity.
                                                    • Treatment plans to be developed and
                                                      implemented by operational managers.
L = Low                   Acceptable                • Unlikely to require specific application of
(Scale 1–2)                                           resources.
                                                    • To be managed by routine procedures.

SELF-CHECK 5.2

What is risk evaluation?

5.3 RISK TREATMENT


Do you know that there are four strategies of risk treatment? Appropriately, it is
called risk response, comprising four activities collectively known as TRAP (see
Figure 5.2).

Figure 5.2: Four activities in risk response for risk treatment

These four activities are further explained as follows:

(a) Termination of Risk

Termination, or removal, of a risk is sometimes known as risk avoidance
or elimination. Normally, when both the likelihood of occurrence and the
consequence of the risk are high, organisations can choose to remove or
eliminate the risk.

How do we eliminate risk? In order to eliminate the risk, the organisation
may decide to cease the operation or never undertake the activity, so that
the possibility of a future loss arising from that activity is eliminated.

Sometimes, the risk is not completely removed, for instance when the
organisation chooses to substitute an alternative process or to outsource the
activity. In this case, the treatment is a combination of risk removal and
risk transfer, and there is a possibility that new risks will be generated.

(b) Reducing the Risk

This can be done by reducing the likelihood of the risk occurring or by limiting
the loss, should the risk materialise. Loss prevention is one of the risk
treatment techniques for reducing the likelihood of a loss, and thus the
level of risk. For example, the installation of a pressure valve on a pressurised
vessel will prevent an explosion, as it stops the vessel from reaching an
unsafe level of pressure. This is not risk avoidance; the possibility of the
pressure vessel exploding still exists, but its likelihood has been reduced.

(c) Acceptance of Risk

This is also known as risk retention or risk acceptance. Normally, a risk is
retained or accepted when the likelihood and consequences of the risk are low
or within the risk appetite of the organisation.

What is residual risk?

Residual risk is the risk left over after you have implemented a risk
treatment option.

In other words, it is the risk that remains after you have reduced the risk,
removed the source of the risk, transferred the risk or retained the risk.

Let us look at Table 5.6, which some organisations generate to identify the
residual risk based on the effectiveness of the risk control and the gross
risk level (before the application of control).

Table 5.6: An Example of Risk Residual Rating

Control Effectiveness    Gross Risk
                         Low        Moderate     Significant   High
Ineffective              Moderate   Significant  High          High
Need improvement         Low        Moderate     Significant   High
Effective                Low        Moderate     Moderate      Significant
Very effective           Low        Low          Moderate      Moderate

Take note that it is important that the risk treatment applied is able to reduce
the risk or the residual risk to an acceptable level.
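The rating step of Table 5.5 and the residual-risk step of Table 5.6 can be chained into a single register-scoring routine. The Python block below is an added example for this module; it is not code from the module, from ISO 31000 or from any of the cited authors. It assumes numeric values of 1 to 4 for the likelihood levels of Table 5.3 and the consequence levels of Table 5.4 (the module's Figure 5.1 matrix is not reproduced here), takes the band boundaries and acceptance wording from Table 5.5 and the residual matrix from Table 5.6, and runs them over a small constructed risk register.

```python
"""Score a risk register with the likelihood x consequence rating (Table 5.5)
and the residual-risk matrix (Table 5.6).

Added illustration, not code from the module or from ISO 31000.  Assumption:
the four likelihood levels and four consequence levels are valued 1 to 4,
since the module's Figure 5.1 matrix is not reproduced.  Band boundaries,
acceptance wording and the residual matrix follow Tables 5.5 and 5.6.
"""
from dataclasses import dataclass

# Assumed numeric scales (1 = lowest, 4 = highest) for Tables 5.3 and 5.4.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "likely": 3, "almost certain": 4}
CONSEQUENCE = {"negligible": 1, "minor": 2, "major": 3, "critical": 4}

# Table 5.5: (lowest score in band, band name, acceptance).  Products of two
# 1-4 scales are 1, 2, 3, 4, 6, 8, 9, 12 or 16, so the bands cover every score.
BANDS = (
    (16, "High", "Not acceptable"),
    (6, "Significant", "Generally not acceptable"),
    (3, "Moderate", "Acceptable"),
    (1, "Low", "Acceptable"),
)

# Table 5.6: residual rating for (control effectiveness, gross band).
RESIDUAL = {
    "ineffective":      {"Low": "Moderate", "Moderate": "Significant", "Significant": "High", "High": "High"},
    "need improvement": {"Low": "Low", "Moderate": "Moderate", "Significant": "Significant", "High": "High"},
    "effective":        {"Low": "Low", "Moderate": "Moderate", "Significant": "Moderate", "High": "Significant"},
    "very effective":   {"Low": "Low", "Moderate": "Low", "Significant": "Moderate", "High": "Moderate"},
}

# Bands whose acceptance in Table 5.5 is "Acceptable".
ACCEPTABLE_RESIDUAL = {"Low", "Moderate"}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str             # key of LIKELIHOOD
    consequence: str            # key of CONSEQUENCE
    control_effectiveness: str  # key of RESIDUAL


def risk_score(likelihood, consequence):
    """Likelihood x consequence, as Section 5.2 describes; unknown levels are rejected."""
    try:
        return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]
    except KeyError as exc:
        raise ValueError(f"unknown likelihood/consequence level: {exc}") from None


def rating_band(score):
    """Map a score to its Table 5.5 band and acceptance."""
    for floor, band, acceptance in BANDS:
        if score >= floor:
            return band, acceptance
    raise ValueError(f"score {score} is below the lowest band")


def residual_band(control_effectiveness, gross_band):
    """Look up the residual rating of Table 5.6."""
    try:
        return RESIDUAL[control_effectiveness][gross_band]
    except KeyError as exc:
        raise ValueError(f"no residual entry for {exc}") from None


def assess(risk):
    """Gross rating, acceptance and residual rating for one register entry."""
    score = risk_score(risk.likelihood, risk.consequence)
    gross, acceptance = rating_band(score)
    residual = residual_band(risk.control_effectiveness, gross)
    return {
        "name": risk.name,
        "score": score,
        "gross": gross,
        "acceptance": acceptance,
        "residual": residual,
        "residual_acceptable": residual in ACCEPTABLE_RESIDUAL,
    }


def assess_register(register):
    """Assess every entry, highest gross score first (the treatment priority)."""
    return sorted((assess(r) for r in register), key=lambda a: a["score"], reverse=True)


# Constructed sample register; the entries are illustrative, not from the module.
SAMPLE_REGISTER = [
    Risk("Ransomware on file servers", "likely", "critical", "effective"),
    Risk("Flooding of the data centre", "rare", "critical", "ineffective"),
    Risk("Phishing of finance staff", "almost certain", "critical", "very effective"),
    Risk("Typo in an internal memo", "unlikely", "negligible", "need improvement"),
]

if __name__ == "__main__":
    for entry in assess_register(SAMPLE_REGISTER):
        flag = "" if entry["residual_acceptable"] else "  <-- further treatment needed"
        print(f"{entry['name']:30} score={entry['score']:2} gross={entry['gross']:11} "
              f"residual={entry['residual']}{flag}")
```

Running the block lists the register in order of gross score and flags any entry whose residual rating is still Significant or High, which is exactly the check the paragraph above asks for: the treatment must bring the residual risk to an acceptable level. Note how the "ineffective" row of Table 5.6 moves a Moderate gross risk up to Significant, so a weak control can leave an entry needing treatment even though its gross rating was acceptable. Unknown level names raise ValueError rather than silently scoring zero.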

(d) Passing the Risk

Transferring a risk does not reduce it; it only moves the risk to another
party. Risks can be transferred to another party by purchasing an insurance
policy or through a contractual agreement. Although the risk can be
transferred, the cost of the risk transfer should also be taken into
consideration when determining the residual risk.

SELF-CHECK 5.3

Describe the four strategies of risk treatment.

ACTIVITY 5.1

Discuss in the myINSPIRE forum one identified risk in your
organisation. Do the required analysis and think of the risk treatment.

SUMMARY

• Risk analysis and risk evaluation are parts of the risk assessment.

• Risk analysis is a process that is used to understand the risk in order to
  estimate the risk level and the consequences of occurrence, and to examine the
  existing controls, if any.

• Risk analysis can be conducted using quantitative or qualitative analysis, or
  both together.

• Risk evaluation involves determining the significance of the level and type of
  risk and making decisions about future activities.

• Two tools that can be used to evaluate risk are the risk assessment matrix
  (RAM) and the risk action table.

• There are four strategies of risk treatment or risk response. They can be
  summarised as TRAP, which stands for termination of risk, reduction of risk,
  accepting the risk and passing the risk.

KEY TERMS

Accepting the risk
Consequences
Likelihood
Pass the risk
Qualitative
Quantitative
Reduction of risk
Risk action table
Risk analysis
Risk assessment matrix (RAM)
Risk evaluation
Risk rating
Risk treatment
Severity
Termination of risk

REFERENCES

Project Management Institute, Inc. (2013). A guide to the project management body
of knowledge (PMBOK® guide) (5th ed.). Newtown Square, PA: Author.

Topic 6 Other Risk Management Process

LEARNING OUTCOMES
By the end of this topic, you should be able to:
1. Establish the communication and consultation plan of the risk
   management;
2. Conduct monitoring and review of the performance of the risk
   management of your organisation; and
3. Demonstrate how recording and reporting should be done in your
   organisation relating to the risk management.

INTRODUCTION
Apart from risk identification, risk analysis, risk evaluation and risk treatment,
there are other processes that are important in making up effective risk
management. These other processes are shown in Figure 6.1.

Figure 6.1: Three other processes of risk management based on ISO 31000:2018
Source: ISO (2018)

These processes are essential in ensuring the effective application of the risk
management process at varying levels and in different situations in the
organisation. They also ensure adequate reporting of the results of the risk
management process as a basis for decision-making and accountability.

All of these processes should be embedded in risk management and applied in
organisational practice. Let us learn more on these three processes in the next
subtopics. Happy reading!

6.1 COMMUNICATION AND CONSULTATION

The organisation needs to establish an approved approach to communication and
consultation for effective risk management. We should share risk information
with the right audience, and consultation requires two-way communication, with
feedback helping to make correct decisions. The processes should be carried out in
a timely manner to ensure that relevant information is collected, collated,
synthesised and shared accordingly, and that feedback contributes to improvement.

The standard requires the organisation to establish an appropriate risk management
framework that identifies who, by whom, when, where and how different types of
decisions are made across the organisation, and that ensures the arrangements for
managing risk are clearly understood and practised, as illustrated in Table 6.1.

Table 6.1: An Example of Arrangements for Managing Risk

Risk Level    Communication
Critical      • Notify top management.
              • Immediate action to be taken.
High          • Notify top management.
              • Refer to strategic planner.
Medium        • Action to be taken without notifying top management.
Low           • Accept risk but need monitoring.

What is the purpose of communication and consultation? The purpose of
communication and consultation is to assist relevant stakeholders in
understanding risk, the basis on which decisions are made and the reasons why
particular actions are required.

In addition, communication seeks to promote awareness and understanding of
risk, and consultation involves obtaining feedback and information to support
decision-making.

Therefore, the organisation needs to consult internal and external stakeholders
in developing the risk framework. Communication will be effective if the right
elements of risk are communicated to the right people at the right time.

In other words, the roles and responsibilities of the board of directors, chief
executive, directors, managers, steering committee, task force, internal auditors
and other relevant key personnel who are involved in the risk management
process of the organisation should be clearly defined. As a result, the process of
communication and consultation can be effectively implemented.

SELF-CHECK 6.1

What is the purpose of communication and consultation?

6.2 MONITORING AND REVIEW

Why do we need to monitor and review in the risk management process? The
answer is that we need to know the performance and to evaluate the
effectiveness of the controls. In particular, we want to monitor the controls and
their effectiveness for the identified risks that are extreme or significant (high
likelihood and high severity) and for risks that have a high impact on the
organisation irrespective of their likelihood of occurring (the 20–80 rule applies).

These processes are also important because the context of the risk may change.
For example, by introducing a new control we may create new risks to the
system; existing results may also change; the treatment may not be effective; a
risk may no longer exist; and so on.

The organisation should periodically measure the risk management performance
against its:

(a) Objective;

(b) Implementation plan;

(c) Key performance indicators; and

(d) Expected behaviour to be effective.

Therefore, we should continually monitor and review the performance to evaluate
whether it remains suitable to support the achievement of objectives in the
organisation.

What is the purpose of monitoring and review? The purpose of monitoring and
review is to assure and improve the quality and effectiveness of process design,
implementation and outcomes. Ongoing monitoring and periodic review of the
risk management process and its outcomes should be a planned part of the risk
management process, with responsibilities clearly defined, as discussed under
communication and consultation.

Monitoring and review should take place at all stages of the process. It includes
planning, gathering and analysing information, recording results and providing
feedback. The results of monitoring and review should be incorporated throughout
the organisation's performance management, measurement and reporting
activities. Table 6.2 shows you an example of reporting on the performance and
effectiveness of the controls in risk management.

Table 6.2: An Example of Reporting on the Performance and Effectiveness of the Controls
in Risk Management

Rating           Description
Very good        Management is aware of and manages risks well. Mitigations are
                 strong and sufficiently robust to manage risks adequately.
                 Compliance is in place.
Good             No major issues with controls and compliance. Mitigations are
                 adequate and sufficiently robust.
Satisfactory     Mitigations and compliance are generally in place. Minimal
                 mitigation issues.
Unsatisfactory   Mitigations are inadequate and not sufficiently robust to manage
                 risks. A large number of mitigation lapses and/or non-compliance
                 issues.
Poor             Absence of mitigations. Non-compliance with policies and procedures.
                 General lack of compliance culture.

Take note that to monitor means to determine the current status and to assess
whether the expected performance levels are actually being achieved. Reports on
the effectiveness of the risk response implemented and the decisions from the
management on the report is part of the documents that need to be established.

Review activities are carried out in order to determine whether something is a suitable, adequate and effective way of achieving the established objectives.

In general, ISO 31000:2018 expects us to review our risk management framework and our risk management process. It specifically expects us to review our risk management policy and plans as well as our:

(a) Risks;

(b) Risk criteria;

(c) Risk treatments;

(d) Controls;

(e) Residual risks; and

(f) Risk assessment process.

The output of monitoring and review is an updated risk register, in which the risk responses have been adapted to the current external and internal factors contributing to uncertainty in achieving the business objectives.

SELF-CHECK 6.2

What is the purpose of monitoring and review?

6.3 RECORDING AND REPORTING


Finally, ISO 31000:2018 added two further activities to the risk management process: recording and reporting.

The standard says that “The risk management process and its outcomes should be documented and reported through appropriate mechanisms. Recording and reporting aims to:

(a) Communicate risk management activities and outcomes across the organisation;

(b) Provide information for decision-making;

(c) Improve risk management activities; and

(d) Assist interaction with stakeholders, including those with responsibility and accountability for risk management activities.”

Recording and reporting are based on the communication and consultation framework as well as the monitoring and review processes across the organisation. If the processes are clearly defined and understood, risk management can be effectively implemented.

The standard further states that “Reporting is an integral part of the organisation's governance and should enhance the quality of dialogue with stakeholders and support top management and oversight bodies in meeting their responsibilities. Factors to consider for reporting include, but are not limited to:

(a) Differing stakeholders and their specific information needs and requirements;

(b) Cost, frequency and timeliness of reporting;

(c) Method of reporting; and

(d) Relevance of information to organisational objectives and decision-making.”

Therefore, some reporting objectives based on the level of stakeholder could be established, as stated in Table 6.3.

Table 6.3: The Reporting Objectives Based on the Level of Stakeholder

Top management: The reporting system allows them to understand and identify actual and evolving risks so that they can make effective decisions.

Senior level: The reporting system allows them to propose recommendations for improvement based on the analysis and evaluation.

Management level: The reporting system allows management to present areas of concern, changes, threats and opportunities, as well as strengths and weaknesses in the system.

Support level: The reporting system allows them to understand the importance of reporting the risks that they face and to provide feedback on the probability and impact if those risks are not properly managed.

In order to effectively implement risk management, some documentation needs to be established for recording purposes. The typical documentation structure of risk management is illustrated in Figure 6.2.

Figure 6.2: Typical documentation structure of risk management

The risk management manual should address, among others, the:

(a) Risk management framework of the organisation;

(b) Risk management policy;

(c) Risk management organisation structure;

(d) Key roles and responsibilities in ensuring the effective implementation of the
risk management; and

(e) Related risk management procedures and guidelines.

A typical table of contents of a risk management manual in line with ISO 31000:2018 is displayed in Figure 6.3.

Figure 6.3: A typical table of contents of a risk management manual

6.3.1 Risk Assessment Procedure

For a large and complex organisation, it is recommended that a specific risk assessment procedure or guideline be developed. Typically, the procedure will address the responsibility for and the process of conducting the risk assessment, as well as monitoring and review, communication and consultation, and the recording and reporting of the risk response plan. The formats used for capturing information, such as the risk register and the risk action plan report, should also be specified.

6.3.2 Records
Records provide the evidence that an activity or process has been conducted. Thus, in the process of managing risks, the risk register is a form of record that needs to be kept for future reference, as it is the document for recording:

(a) Identified risks;

(b) Current control being undertaken; and

(c) Additional actions that are proposed for further improvement.

A basic risk register is shown in Table 6.4.

Table 6.4: A Basic Risk Register

Risk Index: 1
Risk Description: Serious traffic accident involving the transport of fuel/explosives. Anticipate fatalities and evacuation within 1 km radius, depending on the substances involved. Potential for release of up to 30 tonnes of liquid fuel into the local environment.
Current Level of Risk: Likelihood Low; Consequence High; Overall Rating Medium
Controls in Place: Police emergency plans; Highway agency plans; Local authority emergency plan; Company emergency response; Liaison with the families of staff; Notification to customers

Risk Index: 2
Risk Description: Storm-force winds affecting transport routes for up to six hours. Anticipate that most roads in the vicinity will be closed or access will be restricted. Journey times will be extended and late deliveries probable.
Current Level of Risk: Likelihood Medium; Consequence Medium; Overall Rating Medium
Controls in Place: Police emergency plans; Highway agency plans; Investigate weather forecast; Liaison with the families of staff; Notification to customers

Source: Hopkin (2010)

Apart from the risk register, the risk profile (which records the overall picture of the organisation's risks), management review minutes and risk reports for the board of directors' deliberations are also essential records to be retained.

SELF-CHECK 6.3

1. What are the aims of recording and reporting risks?

2. What is the purpose of risk register?

ACTIVITY 6.1

Draft a framework for a communication and consultation plan, a monitoring and review plan and, lastly, a recording and reporting plan for the risk management of your organisation. Post your answer for discussion on the myINSPIRE forum.

Summary

• Communication and consultation, monitoring and review, and recording and reporting are important in ensuring the effective application of the risk management process at varying levels and in varying situations in the organisation. They also ensure adequate reporting of results from the risk management process as a basis for decision-making and accountability.

• All these processes should be embedded in risk management and applied in organisational practice.

• The organisation needs to establish an approved approach to communication and consultation for effective risk management. Risk information should be shared with the right audience, and consultation needs to be two-way, with feedback informing correct decisions.

• The purpose of communication and consultation is to assist relevant stakeholders in understanding risk, the basis on which decisions are made and the reasons why particular actions are required.

• The organisation should periodically measure risk management performance against its objectives, implementation plan, key performance indicators and expected behaviour.

• The purpose of monitoring and review is to assure and improve the quality and effectiveness of process design, implementation and outcomes.

• Recording and reporting are based on the communication and consultation framework as well as the monitoring and review processes across the organisation. If the processes are clearly defined and understood, risk management can be effectively implemented.

• In order to effectively implement risk management, some documentation needs to be established for recording purposes.

• The typical documentation structure of risk management starts from records, then procedures and finally the risk management manual.

Key Terms

Communication
Consultation
Monitor
Procedure
Record
Recording
Reporting
Review
Risk management manual

References

Hopkin, P. (2010). Fundamentals of risk management: Understanding, evaluating and implementing effective risk management. London, England: Kogan Page Limited.

International Organization for Standardization (ISO). (2018). ISO 31000:2018 Risk management – Guidelines. Geneva, Switzerland: Author.

Topic 7: Risk Appetite, Tolerance and Culture

LEARNING OUTCOMES
By the end of this topic, you should be able to:
1. Explain risk appetite;
2. Discuss risk tolerance;
3. Relate risk appetite and risk tolerance; and
4. Summarise the definition, characteristics, importance and method to build a risk culture.

INTRODUCTION
Did you know that risk appetite, risk tolerance and risk culture are three terms that are commonly used by risk practitioners in establishing and maintaining the risk management process? Nevertheless, not many of us are able to apply them appropriately in making the risk management process effective.

In this topic, we will elaborate on the meaning of the three terms and the interrelation between them. Indeed, there is a relationship between risk appetite, risk tolerance and risk culture.

Therefore, an in-depth understanding is necessary to prevent confusion. For this purpose, we will begin by explaining risk appetite and risk tolerance, followed by an explanation of risk culture. Happy reading!

7.1 RISK APPETITE

What is risk appetite?

Risk appetite is the amount and type of risk that an organisation is willing to pursue or retain.
ISO GUIDE 73:2009

In other words, it is the total impact of risk an organisation is prepared to accept in the pursuit of its strategic objectives.

Factors such as the external environment, people, business systems and policies can all influence an organisation's risk appetite. Put simply, this means that the amount of impact from risk that an organisation is prepared to accept will vary from one organisation to another.

Take note that developing risk appetite is not a one-off process. It has to be
communicated to those involved in the decision-making process. There should be
a process of monitoring and updating risk appetite in responding to external and
internal changes.

Thus, developing risk appetite is a continuous process. What are the steps required
in developing a risk appetite? Let us look at Figure 7.1, which shows you the three
steps involved in developing a risk appetite.

Figure 7.1: Three steps in developing risk appetite

7.1.1 Determining an Organisation's Risk Appetite

How do we determine risk appetite? In determining risk appetite, organisations will normally first establish a risk matrix. The risk matrix was introduced to you in Topic 5. It is developed after long deliberation at board and senior management level, taking into account:

(a) Stakeholders' interests;

(b) Business systems and policies; and

(c) The external environment.

You have seen an example of a risk matrix in Figure 5.1.

As stated before, the risk matrix is based on likelihood and consequence criteria. These criteria determine the level of each risk, and it is against these levels that the risk appetite is expressed.

The board and senior management will decide the appropriate risk appetite for the
organisation. For example, a company may decide that any risk that falls under
the L (lower) and M (moderate) boxes are acceptable, while those labelled as S
(significant) and H (high) are unacceptable (refer back to Figure 5.1).

Risk appetite may differ depending on its scope of application, whether to the overall organisation, a specific category of risk, a process or a project. The level of appetite, whether low or high, also varies with the type of business, activity or project. For example, a consultancy firm that depends heavily on its consultants to deliver its services will have a low appetite for consultant turnover, because a high turnover rate would have a great impact on its business.

On the other hand, a real estate agency could adopt a higher appetite for employee turnover, but a low appetite for interest rate fluctuations and financing risk. A higher or wider risk appetite range means a lower impact on achieving business objectives, because the greater the range, the wider the buffer within which the organisation can strategise its plans. For instance, the agency is able to accept the risk of high turnover, most probably because there are plenty of real estate agents in the market, so the impact on achieving its business objective is low or insignificant.

Meanwhile, a lower appetite does not provide much room for the organisation to respond and, thus, it carries a greater impact on business objectives. Hence, a slight fluctuation in interest rates will affect the agency tremendously, because the real estate market is driven by price and demand: higher prices reduce the demand for real estate and ultimately the organisation's ability to achieve its business objective. Figure 7.2 shows the relationship between appetite and impact on business objectives.

Figure 7.2: Relationship between risk appetite and impact to business objectives

However, there are instances where an organisation would take a high appetite for a high return. Consider the following scenarios:

(a) PPP, a Malaysian oil and gas company, has decided to sign a joint venture agreement with a company in Sudan for an exploration job. Due to the political instability there, the potential risks identified exceed its tolerance level.

However, the decision was to proceed with the joint venture agreement, considering that the organisation can gain high returns if the exploration is successful. PPP is at a critical stage: its oil reserves will be depleted within a couple of years.

(b) A chemical testing laboratory has the capacity to conduct tests and produce reports for 10 cooking oil samples. It has been given a target of 360 samples to be tested per year in order to achieve its income target. After long deliberation between the head of the laboratory and the technicians, they set upper and lower limits for the acceptable number of samples to be tested each month, as follows (see Figure 7.3):

Figure 7.3: Appetite scale for chemical testing laboratory

The upper limit is set after considering quality and timely delivery, while the lower limit is set in consideration of the targeted income. In this case, the appetite for the acceptance of test samples is between 25 and 40 samples per month.

In this case, the risk of failing to satisfy customers because of late delivery of test reports can be avoided or reduced by setting an appropriate risk appetite. There are instances where testing laboratories have sacrificed customer satisfaction (low-quality test reports, late test results) for short-term returns (income) by accepting as many test samples as possible. They are actually putting their business at risk.

In real life, what is the acceptable range or is there any rule of thumb that you can
use in setting a risk appetite? The answer can be influenced by the:

(a) OrganisationÊs top management decision;

(b) Historical data;

(c) Market trend;

(d) Cost benefit;

(e) Experience of top management;

(f) Geographical location; and

(g) Work culture and others.

Thus, the risk appetite may vary between different subsidiaries within a
conglomerate despite having similar types of risk.

SELF-CHECK 7.1
1. Define risk appetite.

2. How do we determine risk appetite?

ACTIVITY 7.1

In the myINSPIRE forum, discuss this case study with your coursemates:

A research institute has realised that its inability to complete research projects according to their milestones is one of the reasons it is not able to achieve its income target. Currently, out of 95 research projects in hand, only 66 per cent meet their milestones. The income target given to the institute is RM10 million, which contributes 80 per cent of the total company income target. Based on the project delivery performance report for Q2, it has secured only RM2 million.

In your discussion, suggest the:

(a) Objective;

(b) Risk;

(c) Source of risk;

(d) Risk appetite; and

(e) Risk treatment in order to achieve the objective.

You can add some assumptions in order to present your justification for
your suggestions.

7.1.2 Communicating an Organisation's Risk Appetite

Once the risk appetite has been developed, it is important for the board and top management to communicate it, as it is meaningless if it is not part of their daily management decisions.

However, consistent communication is a challenge: the sender must send the message clearly, while the receiver must be able to listen and decode the message accurately.

Hence, communication of the organisation's appetite focuses on constantly improving how the risk function and business lines can work together to ensure that consistent risk information is shared across the business. How do we ensure that this is communicated well?

This can be done by creating a general risk appetite statement which provides a
high-level overview on the organisationÊs risk appetite by:

(a) Translating the boardÊs vision in measurable terms;

(b) Quantifying the identified risk;

(c) Aligning incentives; and

(d) Strengthening risk controls.

Hence, it sets the same standard of risk acceptance for all employees. As a result, everyone in the organisation will be able to understand and apply the risk appetite as they work to achieve their objectives.

A concise and precise statement contains a definition, a time line, a confidence level and a monitoring segment. The following are two examples of risk appetite statements to increase your understanding.

Table 7.1: Two Examples of Risk Appetite Statements

Example 1: Banking Sector Appetite Statement

(a) Mandated Role: To perform the Bank's mandated role, which is to value and support the small and medium enterprises (SMEs) through activities such as export, cross-border financing and credit insurance for Malaysian exporters.

(b) Capital: The bank is to preserve its capital above the regulatory requirement.

(c) Regulatory and Compliance: The bank shall comply with the applicable laws and guidelines, and is determined in a manner consistent with the supervisory risk-based framework.

(d) Earning/Profitability: The bank will strive to maximise its profitability.

(e) Concentration Risk: The bank shall effectively manage the credit concentration risk, particularly where the potential losses can jeopardise the bank's solvency or public confidence.

(f) Asset Quality: The bank shall effectively manage, monitor and maintain the quality of financing assets.

(g) Islamic Financing and Shariah Compliance: The bank aspires to be a full-fledged Islamic bank.

(h) Market/Liquidity/Interest Rate Risk: The bank shall ensure that there is sufficient liquidity to meet any unexpected call on the contingent liabilities and undrawn amount at all times.

(i) Operational Risk: The bank aims to minimise operational losses through a robust operating environment.

Source: Exim Bank Malaysia (2017)

Example 2: Zero Appetite Statement

(a) We seek to minimise the downside risk from the impact of unforeseen operational failures within our business and in our suppliers and service providers.

(b) The firm has no appetite for individual operational losses above £x and cumulative losses above £y within a 12 month period. Any operational risk losses exceeding £z are reported to the Group Operational Risk Committee.

Source: Thirlwell (2013)

7.1.3 Monitor and Review an Organisation's Risk Appetite

The developed risk appetite cannot be left alone; it needs constant monitoring and review. Measuring it as part of the key performance indicators (KPIs) enables the organisation to consistently monitor its implementation across the organisation's activities.

For example, a monthly KPI performance report or an internal audit review exercise can help your organisation monitor the consistency of risk appetite application in its day-to-day operations. Any variation or discrepancy detected is reported to the board and top management for deliberation and review. This permits a timely enterprise-wide view of risk and of changes in risk, and ultimately contributes to building a good risk culture.

ACTIVITY 7.2

Read more on risk appetite at https://bit.ly/32Zkhdn. Summarise the article and then share it with your coursemates for discussion in the myINSPIRE forum.

7.2 RISK TOLERANCE

Now, let us move on to risk tolerance. What does it mean?

Risk tolerance is an organisation's or stakeholder's readiness to bear the risk after risk treatment in order to achieve its objectives.
ISO GUIDE 73:2009

In other words, it is a measure of an organisation's capacity to handle risk.

Risk appetite and risk tolerance seem similar at a glance, and they are often used interchangeably. However, they are not the same, and how they are applied depends on the organisation. Some organisations prefer to have both a risk appetite scale and a risk tolerance. Consider the example illustrated in Figure 7.4.

Figure 7.4: Explanation on risk appetite and risk tolerance

Figure 7.4 shows that, after considering its financial forecasting, the company's risk appetite is between 2,000 and 5,000 customers per month.

However, at the upper limit it can still tolerate up to 6,000 customers. If it accepts more than this limit, it will face other emerging risks that could affect its profitability.

At the lower limit, on the other hand, it can tolerate a customer count down to 1,500. If the count goes lower than this, the business will not break even and will be operating at a loss.

SELF-CHECK 7.2

Define risk tolerance.

ACTIVITY 7.3

Super Chicks operates a fast-food restaurant. After considering all expenses and other associated factors, it is willing to accept risks that may result in as few as 50 or as many as 200 customers per month. This is its risk appetite. At the same time, it has set tolerance limits of 30 customers (lower) and 300 customers (upper). If the customer count falls below 30 for six consecutive months, the owners will have to leave the business. Likewise, if the customer count exceeds 300 per month for six consecutive months, they will have to move to bigger premises.

Discuss in the myINSPIRE forum a scenario where you can apply a simple risk assessment technique and develop a risk appetite and risk tolerance for the restaurant.
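The customer-count bands of Figure 7.4 and the six-consecutive-month rule of Activity 7.3 describe a single monitoring procedure: classify each period's figure against the appetite range and the wider tolerance band, and escalate when the same tolerance limit has been breached for a run of periods. The Python script below is an added worked example, not part of this module or of any source it cites. The band values are taken from Figure 7.4 and Activity 7.3; the twelve monthly customer counts are constructed sample data, and the status labels, the `RiskBands` class and the `monitor` function are this example's own names, not terms from the module.

```python
"""Monitor a monthly figure against a risk appetite range and a tolerance band.

Added example (not from the module). Bands follow Figure 7.4 (appetite
2,000-5,000 customers per month, tolerance 1,500-6,000) and Activity 7.3
(Super Chicks: appetite 50-200, tolerance 30-300, escalate after six
consecutive months outside tolerance). The monthly counts are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Status(str, Enum):
    WITHIN_APPETITE = "within appetite"
    BELOW_APPETITE = "below appetite, within tolerance"
    ABOVE_APPETITE = "above appetite, within tolerance"
    BELOW_TOLERANCE = "below tolerance limit"
    ABOVE_TOLERANCE = "above tolerance limit"


BREACHES = (Status.BELOW_TOLERANCE, Status.ABOVE_TOLERANCE)


@dataclass(frozen=True)
class RiskBands:
    """Appetite range nested inside a wider tolerance band (Figure 7.4)."""
    appetite_low: float
    appetite_high: float
    tolerance_low: float
    tolerance_high: float

    def __post_init__(self):
        # A tolerance band that does not enclose the appetite range is a
        # mis-specified statement; reject it rather than monitor nonsense.
        if not (self.tolerance_low <= self.appetite_low
                <= self.appetite_high <= self.tolerance_high):
            raise ValueError("tolerance band must enclose the appetite range")

    def classify(self, value):
        """Tolerance limits are inclusive: 6,000 is tolerated, 6,001 is not."""
        if value < self.tolerance_low:
            return Status.BELOW_TOLERANCE
        if value > self.tolerance_high:
            return Status.ABOVE_TOLERANCE
        if value < self.appetite_low:
            return Status.BELOW_APPETITE
        if value > self.appetite_high:
            return Status.ABOVE_APPETITE
        return Status.WITHIN_APPETITE


def monitor(values, bands, consecutive=6):
    """Classify each period and flag escalations.

    Returns (statuses, escalations). An escalation (period_index, status) is
    emitted on the period at which the same tolerance limit has been breached
    for `consecutive` periods in a row; a period back inside tolerance, or a
    breach of the other limit, resets the count.
    """
    statuses = [bands.classify(v) for v in values]
    escalations = []
    run_status, run_len = None, 0
    for i, status in enumerate(statuses):
        if status in BREACHES:
            run_len = run_len + 1 if status == run_status else 1
            run_status = status
            if run_len == consecutive:
                escalations.append((i, status))
        else:
            run_status, run_len = None, 0
    return statuses, escalations


# Bands from the module's two examples.
FIGURE_7_4 = RiskBands(appetite_low=2000, appetite_high=5000,
                       tolerance_low=1500, tolerance_high=6000)
SUPER_CHICKS = RiskBands(appetite_low=50, appetite_high=200,
                         tolerance_low=30, tolerance_high=300)

# Constructed sample: twelve months of Super Chicks customer counts.
SAMPLE_MONTHLY_CUSTOMERS = [120, 180, 210, 45, 28, 25, 20, 29, 27, 26, 35, 60]


def report(values, bands, consecutive=6):
    """Human-readable monitoring report: one line per period, then escalations."""
    statuses, escalations = monitor(values, bands, consecutive)
    lines = [f"month {i + 1:2d}: {v:5d}  {s.value}"
             for i, (v, s) in enumerate(zip(values, statuses))]
    for i, status in escalations:
        lines.append(f"ESCALATE at month {i + 1}: {status.value} "
                     f"for {consecutive} consecutive months")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_MONTHLY_CUSTOMERS, SUPER_CHICKS))
```

Run as a script, the report lists months 5 to 10 as below the tolerance limit and raises one escalation at month 10, the sixth consecutive breach; months 4 and 11 sit below appetite but inside tolerance, so they reset nothing and trigger nothing. The same `RiskBands` object can be reused for any monthly KPI that has a stated appetite range and tolerance band.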

7.3 RISK APPETITE AND RISK TOLERANCE

Now that you have been exposed to risk appetite and risk tolerance, can you explain the relationship between the two? To facilitate your understanding, look at the examples of the differences between risk appetite and risk tolerance for three different types of business shown in Table 7.2.

Table 7.2: Examples of Differences between Risk Appetite and Risk Tolerance

1. Risk appetite: A kindergarten can accommodate 100 children per term. However, it can accept 10 per cent more than its capacity, which is an additional 10 children.
   Risk tolerance: The principal can accept a further 10 per cent above that limit, provided the children are aged five and above.

2. Risk appetite: Shah Alam Hospital sets a client charter under which every patient will be treated within one hour of registration at the emergency department. Critically ill patients will be treated within 15 minutes.
   Risk tolerance: For non-life-threatening cases, patients may not receive attention for up to three hours.

3. Risk appetite: BCTBU Sdn Bhd, a manufacturer of bio-composite wood flooring slabs, has set its risk appetite for product defects at one defect (one scratch mark) per 1,000 extruded slabs.
   Risk tolerance: The manufacturer will tolerate a defect rate of up to 50 per cent above the limit set (1.5 scratch marks per 1,000 slabs), but not more.

All types of organisations have to take risks in order to make a profit or to meet stakeholders' expectations. The level of risk they are willing to pursue is their risk appetite. In the first example in Table 7.2, the kindergarten is willing to accept an additional 10 children in order to meet demand from parents.

However, should demand grow beyond that, they can take a further 10 children provided all of them are aged five and above. They should stop taking children beyond this tolerance limit, as doing so would create a risk to their operation. This shows how risk appetite and risk tolerance help the kindergarten balance its performance from the financial and operational perspectives.

ACTIVITY 7.4

Based on Examples 2 and 3 given in Table 7.2, discuss in the myINSPIRE forum the reasons behind the development of the risk appetite and risk tolerance statements.

7.4 RISK CULTURE

What do you understand by risk culture? Let us look at some definitions of risk culture in Table 7.3.

Table 7.3: Two Definitions of Risk Culture

Institute of Risk Management (n.d.): Risk culture is a term describing the values, beliefs, knowledge, attitudes and understanding about risk shared by a group of people with a common purpose. This applies to all organisations, including private companies, public bodies, governments and not-for-profits.

Narvaez (2017): Risk culture is the system of values and behaviours present in an organisation that shapes risk decisions of management and employees. One element of risk culture is a common understanding of an organisation and its business purpose.

However, what constitutes a risk culture? What are the characteristics of an organisation that has a mature and strong risk culture? How do we build a risk culture in our organisation? The following subtopics will provide us with the answers.

7.4.1 Characteristics of a Good Risk Culture

A sound risk culture must be developed to ensure that the risk management exercise can be conducted effectively to achieve the organisation's objectives. What are the characteristics of a good risk culture? They are:

(a) Direction and action from top management, who recognise it as a core competency and not merely an academic exercise;

(b) Commitment to ethical principles;

(c) Common acceptance throughout the organisation, and clear accountability for ownership of specific risks and risk areas;

(d) Transparent and open communication at all levels;

(e) Encouragement of risk-event reporting for lessons learnt;

(f) Clear risk policy and processes to achieve the desired attitude and behaviour;

(g) Management, development and reward of employees to encourage the right attitude and behaviour; and

(h) Encouragement and support of a risk management culture through technical training or professional qualification.

7.4.2 Importance of Risk Culture

Why is risk culture important? Generally, an inappropriate risk culture can contribute to huge losses for the organisation. It may lead to reputational, financial and strategic risks in the future.

If a project manager is not clear on his or her accountability and ownership of specific risks, some project risks may not be identified, and actions to reduce them will not be appropriately executed.

Thus, the project will not be able to deliver its objectives in terms of quality, cost
and delivery. The backlash from this could result in the company not being able to
get future projects or be blacklisted altogether.

Although risk culture is a relatively new term to some organisations, the impact of
inappropriate risk culture cannot be underestimated. Normally, when an
organisation is in crisis or on the verge of collapse, one of the root causes could be
due to having an inappropriate risk culture.

7.4.3 Building a Risk Culture

Risk must be adequately defined before it can be managed effectively, and building a risk culture is a time-consuming process.

According to Farrell and Hoon (2009), a common understanding of an organisation and its business purpose is one of the elements of risk culture. They explained that understanding risk, compliance procedures and ethical behaviour enables the organisation to “do the right thing”, and this is fundamental to good enterprise risk management (ERM) practice.

Building a risk culture should begin from the top, that involves the board and
senior management. As leaders of organisations, they are the drivers of change.
The middle management also plays a vital role in setting the attitude and
influencing the behaviour of their subordinates.

Thus, the board and senior management need to communicate and determine the
risk culture throughout the organisation in order to create the expected employeeÊs
attitudes and behaviour towards risk. Figure 7.5 summarises the correlation
between attitude, behaviour and culture in an organisation.

Figure 7.5: Correlation between attitude, behaviour and culture

Figure 7.5 shows the relationship between employees' attitudes towards risk and the creation of the right behaviour in dealing with risks while executing their jobs.

The establishment of the risk culture throughout the organisation happens once all
employees behave correctly towards risks. Therefore, the employeeÊs attitude
towards risk and their behaviour determines the level of risk culture in an
organisation.

For example, an employee agrees that punctuality is important. However, in executing his work, he may not be punctual in attending meetings. This shows that he has the right attitude or belief but not the right behaviour. Therefore, he is not contributing to a culture of punctuality in his organisation.

Culture can only be established when all employees share the same behaviour that the organisation has recognised.

As such, the senior management must ensure that they lead the programmes in
creating awareness to all employees on:

(a) Risk management in the organisation;

(b) The set objectives and the top 10 risks the organisation is facing;

(c) Its risk treatment; and

(d) The developed risk appetite and tolerances.

In addition, management at all levels should also ensure that they apply risk-based
thinking in all decision-making processes.

As a result, both the management and employees need training in order to
understand and to make risk-related decisions in ensuring consistent risk
behaviour in an organisation. The human resources department has a vital role to
play in enforcing and regulating the code of ethics and values among employees.
Last but not least, the reward and punishment policy should also be in place.

SELF-CHECK 7.3

1. What is risk culture?

2. State the characteristics of risk culture.


ACTIVITY 7.5

1. Discuss and share with your coursemates in the myINSPIRE forum
   the current status of your organisation's risk culture. Then, make
   recommendations to further improve the risk culture in your
   organisation.

2. Read and understand the statements in the following table. Give
   your opinion on the choices of your answer. Discuss with your
   coursemates in the myINSPIRE online forum.

   Description (for each statement, choose Agree, Disagree or Depend)

   (a) The board and top management is accountable for the development of
       risk appetite and risk tolerance.

   (b) Risk tolerance is the amount and type of risk that an organisation is
       willing to pursue or accept.

   (c) Risk appetite has a linear relationship with impact of business
       objectives.

   (d) Risk appetite is the organisation's readiness to bear the residual risk in
       order to achieve its objectives. Risk appetite is a subset of risk
       tolerance.

   (e) Ethical behaviour is not crucial in creating a strong risk culture in an
       organisation. There are more critical components that require urgent
       attention.


Summary

• A risk appetite statement for an organisation is normally qualitative in nature
  and provides a direction to set risk appetite for a specific process, unit or project.

• Risk tolerance is related to risk appetite. Risk tolerance should be determined
  in line with the risk appetite being developed. Sometimes, organisations decide
  on zero tolerance for a specific activity, project or category of risk.

• All types of organisations have to take risks in order to make profit, or to meet
  stakeholders' expectations. The level of risk they are willing to pursue is their
  risk appetite.

• The risk appetite and risk tolerance help organisations balance their
  performance with respect to financial and operational perspectives.

• Risk culture is a term describing the values, beliefs, knowledge, attitudes and
  understanding about risk shared by a group of people with a common
  purpose. This applies to all organisations, including private companies, public
  bodies, governments and not-for-profit organisations.

• The characteristics of a good risk culture should assist organisations to
  evaluate their risk culture level.

• In developing risk culture, the board and senior management play the most
  important role. Their attitude and behaviour towards risk reflect the level of
  risk culture in the organisation.

Key Terms

Risk appetite
Risk appetite statement
Risk culture
Risk matrix
Risk tolerance


References

Farrell, J. M., & Hoon, A. (2009). Risk culture of companies. Retrieved from
http://erm.ncsu.edu/library/article/risk-culture-companies

Institute of Risk Management. (n.d.). Risk culture. Retrieved from
https://www.theirm.org/what-we-say/thought-leadership/risk-culture/

International Organization for Standardization (ISO). (2009). ISO GUIDE 73:2009
Risk management – Vocabulary. Geneva, Switzerland: Author.

Exim Bank Malaysia. (2017). Annual report 2017 – Rise to the challenge. Retrieved
from www.exim.com.my/images/pages/media_centre/annual_report/2017/exim_ar_2017.pdf

Narvaez, K. (2017). Risk appetite and risk tolerance: Critical components of an
effective ERM program. Retrieved from
http://www.erm-strategies.com/blog/wp-content/uploads/2013/07/Risk-Appetite-and-Risk-Tolerance.pdf

Thirlwell, J. (2013). Risk appetite for operational and non-financial risks.
Retrieved from
http://www.iia.no/filestore/Komiteer/Konferansekomiteen/Presentasjoner/Bod/IIANorway2013Riskappetitev3.pdf

Topic 8 Risk Assessment Techniques

LEARNING OUTCOMES
By the end of this topic, you should be able to:
1. Apply appropriate risk assessment techniques by taking into
consideration the type of business, process, activity or project to be
applied;
2. Consider environmental aspects and impact assessment;
3. Conduct hazard identification, risk assessment and determining
control (HIRADC); and
4. Consider other critical success factors in risk assessment.

INTRODUCTION
There are many methodologies or techniques that we may apply in risk
management. Some of the popular techniques used are:
(a) Hazard identification, risk assessment and determining control (HIRADC);
(b) Hazard and operability study (HAZOP);
(c) Hazard analysis critical control points (HACCP);
(d) Aspect and impact – ISO 14001:2015 Environmental Management Systems –
Requirements with Guidance for Use;
(e) Hazard analysis – OHSAS 18001:2007 Occupational Health and Safety
Management Certification;
(f) Fault tree analysis (FTA); and
(g) Failure mode and effect analysis (FMEA).


You may have come across many types of risk assessment techniques. They range
from techniques as simple as brainstorming which can be applied broadly to any
type of organisation to very complex and complicated techniques specifically
applied to certain types of processes or services.

But bear in mind, it does not necessarily mean that the more complicated and
complex the technique, the better it is for an organisation. There is no one
technique that can suit all.

Generally, but not always, the more hazardous the industry, the more complex the
risk assessment technique to be applied. For example, if the organisation is
classified as a major hazard installation (those industries that can pose major risk
to the employees, neighbours and the environment such as petrochemical,
chemical as well as oil and gas industries), more complex techniques such as
HAZOP, bowtie, fault tree or event tree analysis are normally applied.

No matter how simple or complex the techniques, the basic elements in a risk
assessment exercise which are identify, analyse and evaluate should not be left out.
The dilemma facing most organisations is always in choosing the most suitable
technique to apply for their risk assessment. A simple but practical technique
should always be the preferred choice but organisations should also take into
consideration the competency and capability of human resources, finances and the
culture of the organisation in the selection process. This is because some
techniques need to rely on costly software and require fully-trained personnel to
administer them. In this topic, you will learn more about risk assessment
techniques. Happy reading!

8.1 IEC 31010:2019 RISK MANAGEMENT – RISK ASSESSMENT TECHNIQUES

IEC 31010:2019 has described at length the 31 types of risk assessment techniques
available for use. It is highly recommended that you have a copy of it available for
easy reference. Some of the techniques such as FMEA, HAZOP, root-cause analysis
and cause-and-effect analysis may already be familiar to you. There are also other
techniques that are not so commonly used such as the:

(a) Markov analysis;

(b) Monte Carlo analysis; and

(c) Bayesian analysis.


Do not worry, we do not expect you to master all of these techniques! However,
the more exposure you get to these techniques, the better, as it will help you in the
selection process. As a risk executive, familiarisation with two or three techniques
is adequate as they are all quite similar to one another.

Although there are 31 types of risk assessment techniques addressed in the
standard, you must take note that not all of them fully apply the three steps, which
are identify, analyse and evaluate.

Table 8.1 summarises the applicability of each technique to the three elements of
the risk assessment process, which are risk identification, risk analysis (consequence,
probability and level of risk) and risk evaluation.

Table 8.1: Application of the Risk Assessment Processes

Tool and Technique                                  Risk            Risk Analysis                            Risk
                                                    Identification  Consequence  Probability  Level of Risk  Evaluation
Brainstorming                                       SA              NA           NA           NA             NA
Structured or semi-structured interviews            SA              NA           NA           NA             NA
Delphi                                              SA              NA           NA           NA             NA
Checklists                                          SA              NA           NA           NA             NA
Primary hazard analysis                             SA              NA           NA           NA             NA
Hazard and operability studies (HAZOP)              SA              SA           A            A              A
Hazard analysis and critical control points (HACCP) SA              SA           NA           NA             SA
Environmental risk assessment                       SA              SA           SA           SA             SA
Structured 'what if?' (SWIFT)                       SA              SA           SA           SA             SA
Scenario analysis                                   SA              SA           A            A              A
Business impact analysis                            A               SA           A            A              A
Root cause analysis                                 NA              SA           SA           SA             SA
Failure mode effect analysis                        SA              SA           SA           SA             SA
Fault tree analysis                                 A               NA           SA           A              A
Event tree analysis                                 A               SA           A            A              NA
Cause-and-consequence analysis                      A               SA           SA           A              A
Cause-and-effect analysis                           SA              SA           NA           NA             NA
Layer protection analysis (LOPA)                    A               SA           A            A              NA
Decision tree                                       NA              SA           SA           A              A
Human reliability analysis                          SA              SA           SA           SA             A
Bowtie analysis                                     NA              A            SA           SA             A
Reliability-centred maintenance                     SA              SA           SA           SA             SA
Sneak circuit analysis                              A               NA           NA           NA             NA
Markov analysis                                     A               SA           NA           NA             NA
Monte Carlo simulation                              NA              NA           NA           NA             SA
Bayesian statistics and Bayesian networks           NA              SA           NA           NA             SA
F-N curves                                          A               SA           SA           A              SA
Risk indices                                        A               SA           SA           A              SA
Consequence/probability matrix                      SA              SA           SA           SA             A
Cost/benefit analysis                               A               SA           A            A              A
Multi-criteria decision analysis (MCDA)             A               SA           A            SA             A

Legend: SA – Strongly applicable; A – Applicable; NA – Not applicable

Source: IEC (2019)


Let us now examine in detail how the risk assessment technique is applied in an
organisation. In doing so, we will be focusing on two commonly used techniques:

(a) Environmental aspect and impact assessment; and

(b) Hazard identification, risk assessment and determining control (HIRADC).

These two techniques are commonly used as they are applied to comply with the
requirements stated in the ISO 14001:2015 Environmental Management Systems –
Requirements with Guidance for Use and ISO 45001:2018 Occupational Health and
Safety Management Systems – Requirements with Guidance for Use. These two
standards are specifically developed to manage risks related to the environment
and occupational safety and health.

SELF-CHECK 8.1

Name a few popular techniques for risk assessment.

8.2 ENVIRONMENTAL ASPECTS AND IMPACT ASSESSMENT

The ISO 14001:2015 Environmental Management Systems – Requirements with
Guidance for Use is an international standard used by organisations to manage the
risks that their business operations or activities may pose to the environment.
Thus, the standard is intended to protect the environment and support sustainable
development.

The government, through the enforcement of the Environmental Quality Act
(Act 127), is monitoring all industries in Malaysia to prevent, abate and control
pollution and enhance the environment. So, how does the risk assessment
technique support the purpose and intent of the ISO 14001:2015 standard and the
Environmental Quality Act?


In order to understand this, we need to study the requirements under ISO
14001:2015 carefully. Firstly, you must realise that the environmental management
system standard is risk-based. This means that the system is built on the
concept of risk management. Secondly, the risk management process begins with
establishing the context, then conducting the risk assessment, followed by risk
treatment. These processes are explicitly specified in ISO 14001:2015. Figure 8.1
displays the four basic steps in the assessment of aspect and impact.

Figure 8.1: Four steps in environmental aspect and impact assessment

8.2.1 Identifying Environmental Aspects and Impact


Before we delve deeper into the identification of environmental aspects and
impact, it is important to understand that environmental aspects and impacts are
synonymous with "cause and effect" or "source of risk and risk".

The environmental aspects originating from all activities in the organisation
during normal as well as abnormal conditions, such as an emergency shut-down
or a power disruption, need to be identified.

In conducting the assessment, a team which is directly involved in the activity or
process, together with an environmental specialist, will initiate a brainstorming
session to identify the possible environmental aspects (sources of the environmental
risks) and their related impacts on the environment (environmental risks). To assist
them, normally an aspect and impact listing is used as a reference. Let us refer to
Table 8.2 for an example of the aspect and impact listing.


Table 8.2: Examples of Aspects and Impacts

Environmental Aspect                                    Environmental Impact
• Emissions of solvent to air                           • Air pollution
• Emissions of solvent to water                         • Water pollution
• Use of electricity                                    • Depletion of natural resources
• Use of raw materials and natural resources            • Depletion of natural resources and raw materials
• Spillage/leakage from equipment                       • Land/soil or water pollution
• Spillage/leakage from waste drum                      • Land/soil or water pollution
• Fuel usage from vehicles                              • Depletion of natural resources
• Paper usage                                           • Depletion of natural resources
• Oil spills                                            • Land/soil or water pollution
• Potential acid releases                               • Land/soil or water pollution
• Automobile, bus, truck emissions                      • Air pollution
• Industrial emissions                                  • Air pollution
• Hazardous or radioactive waste, air deposition        • Land/soil or water pollution
• Vibration                                             • Nuisance
• Noise                                                 • Nuisance
• Heat                                                  • Nuisance
• Odour                                                 • Nuisance
• Pesticide use                                         • Land/soil or water pollution
• Generation of garbage                                 • Shortage of landfill
• Generation of waste paper, aluminium cans, scrap      • Shortage of landfill
  metal, cardboard, wood pallets
• Generation of solid waste                             • Shortage of landfill
• Recycle/reuse                                         • Beneficial

The information on each activity being assessed and its corresponding aspects and
impacts need to be recorded as shown in Table 8.3.

Table 8.3: Example of Relationship between Activity, Aspects and Impacts

Activity              Aspect                     Impact
Transporting goods    • Emission of CO2, CO      • Air pollution
                      • Consumption of fuel      • Depletion of natural resources


SELF-CHECK 8.2

List some popular examples of environmental aspects and impact.

8.2.2 Addressing Significant Environmental Impact


After the environmental aspects have been identified and their impacts determined,
the next step is to analyse them in order to determine the significant environmental
aspects. It is up to the organisation to choose the criteria for determining
significant environmental aspects. The criteria can relate to the:

(a) Frequency of the aspects or the severity;

(b) Exposure; and

(c) Regulatory implications of the impacts.

An example of the environmental aspect significant rating table is shown in
Table 8.4.

Table 8.4: Example of an Environmental Aspect Significant Rating Table

Significance Rating

Frequency (F)         Severity (S)            Regulatory (R)         Controllability (C)       Accumulated Ratings (AR)
1 2 3 4 5             1 2 3 4 5               1 2 3 4 5              1 2 3 4 5
How often can the     To what degree can      What kind of           To what extent can the    Total from each column.
impact occur?         the impact affect the   regulation is          impact be controlled
                      environment?            required?              or influenced?

Accumulated ratings:
<11: Not significant
>11: Significant


In this exercise, information such as the maintenance report, permits and licences
from regulatory bodies, specific acts and regulations applicable to the
organisation, environmental monitoring report and the previous incident report
should be made available for reference.

Normally, ratings are given to each criterion and analysed to determine the
significance as shown in Table 8.4. The team has to decide on a rating from 1 to 5
for each criterion. Table 8.5 is a guide to the assessor in determining the rating for
each criterion.

Table 8.5: Example on the Definition of Rating

Each criterion is rated from 1 to 5:
Frequency: How often can the impact occur?
Severity: To what degree can the impact affect the environment?
Regulatory: What kind of regulation is required?
Controllability: To what extent can the impact be controlled or influenced?

Rating 1
  Frequency: Seldom – Rarely; six months or more.
  Severity: Harmless – No potential for harm, correctable.
  Regulatory: Non-regulated.
  Controllability: Directly controllable – Company controls processes and material;
  no requirements imposed by customers.

Rating 2
  Frequency: Intermittently – From time to time; one to six months.
  Severity: Minor – Easily correctable, short-term, clearable.
  Regulatory: Group SIRIM Berhad's policy – Industry standard, code of practice or
  other initiatives that guide established practice, but is not formally codified.
  Controllability: Indirectly controllable – Company controls supplier contract,
  mandates use of materials and/or processes.

Rating 3
  Frequency: Regularly – Recurring; one week to one month.
  Severity: Moderate – Correctable.
  Regulatory: Group SIRIM Berhad's policy – Industry standard, code of practice or
  other initiatives that have been adopted and formalised into SIRIM-wide policy.
  Controllability: Influenceable – Processes and materials controlled by customers
  or suppliers.

Rating 4
  Frequency: Often – One day to one week.
  Severity: Serious – More difficult to correct; recoverable.
  Regulatory: Potential to become regulated in future – Not currently mandated by
  the government.
  Controllability: Indirectly influenceable – Processes and materials controlled by
  an independent third party.

Rating 5
  Frequency: Repeatedly – Happening again and again; daily.
  Severity: Severe – Complex effect with complicated solution and great effort to
  correct and recover.
  Regulatory: Regulated – Mandated by government.
  Controllability: Uncontrollable – Processes and materials are not controlled.

Then, the ratings for the four criteria are added into one sum, which is the
accumulated rating for the environmental aspect. The higher the number, the more
significant the aspect.

Once you have determined the overall rating for the environmental aspect, you
need to evaluate the significance and determine what action needs to be taken. In
the evaluation, a risk action table will be used. An example of risk action table is
shown in Table 8.6.

Copyright © Open University Malaysia (OUM)


TOPIC 8 RISK ASSESSMENT TECHNIQUES  121

Table 8.6: Risk Action Table

Risk Rating    Description    Actions
15–20          Severe         Immediate corrective action required
11–14          High           Need corrective action within one month
5–10           Moderate       Recommended to do corrective action, if necessary
1–4            Low            Does not require corrective action
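The scoring of Tables 8.4 to 8.6 carried through in code, as an added example that is not part of this module: each aspect's four criteria are summed into the accumulated rating, checked against the significance threshold and mapped to an action band. The activities and ratings are constructed sample input, and treating a total of exactly 11 as significant is an assumption made here (Table 8.4 leaves 11 unassigned, while Table 8.6 places it in the High band).

```python
from dataclasses import dataclass

CRITERIA = ("frequency", "severity", "regulatory", "controllability")

# Risk action table (Table 8.6): (lowest total, highest total, description, action).
ACTION_BANDS = (
    (15, 20, "Severe", "Immediate corrective action required"),
    (11, 14, "High", "Need corrective action within one month"),
    (5, 10, "Moderate", "Recommended to do corrective action, if necessary"),
    (1, 4, "Low", "Does not require corrective action"),
)


@dataclass(frozen=True)
class AspectRating:
    """One assessed row: an activity, its aspect, its impact and the four ratings."""
    activity: str
    aspect: str
    impact: str
    frequency: int        # how often can the impact occur?
    severity: int         # to what degree can the impact affect the environment?
    regulatory: int       # what kind of regulation is required?
    controllability: int  # to what extent can the impact be controlled or influenced?

    def __post_init__(self):
        # Each criterion is scored 1 to 5 (Table 8.4); reject anything else early.
        for name in CRITERIA:
            value = getattr(self, name)
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")

    def accumulated_rating(self) -> int:
        """Accumulated rating (AR): the total of the four columns, so 4 to 20."""
        return sum(getattr(self, name) for name in CRITERIA)


def is_significant(accumulated: int) -> bool:
    """Table 8.4 threshold: below 11 is not significant, above 11 is significant.

    A total of exactly 11 is not assigned by Table 8.4; this example treats it as
    significant because Table 8.6 places 11 in its High band (an assumption).
    """
    return accumulated >= 11


def action_for(accumulated: int) -> tuple:
    """Map an accumulated rating to its Table 8.6 description and action."""
    for low, high, description, action in ACTION_BANDS:
        if low <= accumulated <= high:
            return description, action
    raise ValueError(f"accumulated rating out of range: {accumulated}")


def build_register(aspects) -> list:
    """Register rows in the spirit of Figure 8.2, ordered from most to least significant."""
    rows = []
    for item in aspects:
        total = item.accumulated_rating()
        description, action = action_for(total)
        rows.append({
            "activity": item.activity, "aspect": item.aspect, "impact": item.impact,
            "AR": total, "significant": is_significant(total),
            "description": description, "action": action,
        })
    rows.sort(key=lambda row: row["AR"], reverse=True)
    return rows


# Constructed sample input: the Table 8.3 activity plus a hypothetical workshop aspect.
SAMPLE_ASPECTS = [
    AspectRating("Transporting goods", "Emission of CO2, CO", "Air pollution", 5, 3, 5, 2),
    AspectRating("Transporting goods", "Consumption of fuel", "Depletion of natural resources", 5, 2, 1, 2),
    AspectRating("Workshop maintenance", "Spillage/leakage from equipment", "Land/soil or water pollution", 2, 4, 5, 1),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_ASPECTS):
        flag = "significant" if row["significant"] else "not significant"
        print(f"AR {row['AR']:>2} {row['description']:<8} ({flag}) "
              f"{row['activity']} / {row['aspect']}: {row['action']}")
```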

The output from the environmental aspect and impact assessment can be recorded
in a register as shown in Figure 8.2.

Figure 8.2: An example of an output from an environmental aspect and impact
assessment


ACTIVITY 8.1

Conduct an environmental aspect and impact assessment on the
activities at your local industrial area. Generate an environmental aspect
and impact register. Share your answer for discussion in the myINSPIRE
forum.

8.3 HAZARD IDENTIFICATION, RISK ASSESSMENT AND DETERMINING CONTROL (HIRADC)
What is hazard identification, risk assessment and determining control
(HIRADC)?

Hazard identification, risk assessment and determining control (HIRADC)
is a technique used to identify the hazards and risks associated with
occupational safety and health.

The activities of the industry may pose safety and health hazards as well as risks
to the employees and, thus, they must be eliminated or minimised. The HIRADC
is normally conducted to comply with the requirements in the ISO 45001:2018
Occupational Health and Safety Management Systems – Requirements with
Guidance for Use.

In addition to this, OSH risk assessment is also a requirement under the
Occupational Safety and Health Act (Act 514) to fulfil its objectives as stated in the
Act:

(a) To secure the safety, health and welfare of persons at work against risks to
safety or health arising out of the activities of persons at work; and

(b) To protect persons at a place of work other than persons at work against risks
to safety or health arising out of the activities of persons at work.


Figure 8.3 shows you the process flow in conducting HIRADC.

Figure 8.3: Process flow in conducting HIRADC


Source: Department of Occupational Safety and Health (2008)

As shown in Figure 8.3, the HIRADC assessment starts with identifying the
activity, then conducting the risk assessment and determining the control. It is
worth noting that, in conducting HIRADC, the participation of all employees is
critical. This is specifically addressed in the ISO 45001:2018 standard.

8.3.1 Risk Identification


The owner of the activity and the workers, together with the OSH expert, should
brainstorm to identify the hazards and risks associated with a particular workplace
activity. In identifying the hazards related to the activity, the team can use the
guideline listed in Table 8.7.


Table 8.7: Examples of Hazards

Type of Hazard                            Example
Physical                                  • Slippery or uneven ground.
                                          • Working at height.
                                          • Objects falling from height.
                                          • Inadequate space at work.
                                          • Poor ergonomics.
                                          • Manual handling.
                                          • Repetitive work.
                                          • Trapping, entanglement and burns arising from equipment.
                                          • Transport hazards, that is, on the road or on premises
                                            while travelling.
                                          • Fire and explosion.
Chemical (substances hazardous to         • Inhalation of vapours, gases or particles.
safety or health due to the given         • Contact with or being absorbed through the body.
examples)                                 • Ingestion.
                                          • The storage, incompatibility or degradation of materials.
Biological (biological agents,            • Inhaled.
allergens or pathogens such as            • Transmitted via contact, including by bodily fluids,
bacteria or viruses)                        insect bites and so on.
                                          • Ingested, that is, via contaminated food products.
Psychosocial (situations that can         • Lack of communication or management control.
lead to negative psychosocial             • Workplace physical environment.
[including psychological] conditions      • Physical violence.
such as stress, anxiety, fatigue and      • Bullying or intimidation.
depression)

As you can see in Table 8.7, these hazards can be classified into several groups
such as physical, chemical, biological and psychosocial.


After the hazards have been identified, the associated risks should be determined.
Let us refer to Table 8.8 for an example of the relationship between activity, hazard
and risks.

Table 8.8: Example of the Relationship between Activity, Hazards and Risks

Activity      Hazard                                    Risk
Storage of    • Use of work or personal equipment       • Fatality due to explosion ignited
explosives      that creates sparks.                      from sparks.
              • Insufficient security in the            • Fatality due to explosion caused by
                warehouse.                                unauthorised use of explosives.

At this point, we have completed the risk identification stage.

8.3.2 Risk Analysis


Risk analysis can be conducted either qualitatively or quantitatively depending on
the:

(a) Availability of data;

(b) Information; and

(c) Resources.

However, quantitative risk analysis is normally time-consuming as it requires an
analysis of databases or surveys.

Let us look at Table 8.9 which shows you a general comparison between
quantitative and qualitative risk analysis.

Table 8.9: Comparison between Quantitative and Qualitative Risk Analysis

Qualitative Risk Analysis                          Quantitative Risk Analysis
• Organisational level.                            • Process or project level.
• Subjective evaluation of probability and         • Estimation of probability of time/cost
  consequences.                                      and others.
• Quick and easy to perform.                       • Time consuming.
• No special software or tools required.           • May require specific software or tools.


As for qualitative risk analysis, it can be conducted using the likelihood and
consequence tables as shown in Table 8.10 and Table 8.11.

Table 8.10: Sample of Likelihood Table

Probability of Occurrence of Incident          Rating
Practically impossible                         1
Not likely to occur but could occur            2
Known to occur, happened before                3
Common or repeated occurrence                  4

Table 8.11: Sample of Consequence Table

Rating 1: Negligible injuries or ill health without medical leave (MC) (for
          example, slight cuts, bruised skin, dizziness due to fume inhalation).
Rating 2: (a) Injuries (for example, open wounds, sprains or strains); or
          (b) Ill health (for example, headaches due to fume inhalation); or
          (c) Injuries or ill health with medical leave (MC) of four days or fewer.
Rating 3: (a) Serious injuries (for example, tears of muscles, fractures,
          amputations); or
          (b) Serious ill health (for example, poisoning, fainting due to fume
          inhalation); or
          (c) Serious injuries or ill health with medical leave (MC) of five days
          or more.
Rating 4: Fatality, permanent disability, occupational illnesses or other severe
          life-shortening diseases.

Please bear in mind that different organisations may have different descriptions
on the likelihood and consequence levels. The risk level is obtained by multiplying
the likelihood with consequence. The risk level can be determined by using the
risk rating matrix as shown in Table 8.12.


Table 8.12: Sample of Risk Rating Matrix

                          Likelihood
Consequence      L4 (4)      L3 (3)      L2 (2)      L1 (1)
C4 (4)           High 16     High 12     High 8      Medium 4
C3 (3)           High 12     High 9      Medium 6    Medium 3
C2 (2)           High 8      Medium 6    Medium 4    Low 2
C1 (1)           Medium 4    Medium 3    Low 2       Low 1

We have just completed the risk analysis process. The next stage is risk evaluation.

8.3.3 Risk Evaluation


After the risk rating has been determined, the level of significance of the risk and
the action to be taken can be identified using Table 8.13.

Table 8.13: Example of Risk Action Table

Risk Ranking   Risk Level            Control Measure and Timeline
1–2            LOW                   Maintain existing control.
3–4            MEDIUM (tolerable)    Maintain existing control. Consideration may be given to a
                                     cost-effective solution or improvement. Monitoring is
                                     required to ensure that the controls are maintained.
6              MEDIUM (moderate)     Efforts should be made to reduce the risk. Recommended
                                     control measures shall be implemented as low as
                                     reasonably practicable and preventive measures shall be
                                     planned for the future.
8–12           HIGH (substantial)    Recommended corrective action shall need to be
                                     implemented immediately until the risk ranking is reduced
                                     to six and preventive actions need to be identified for the
                                     future.
16             HIGH (intolerable)    Work shall not be continued until the risk ranking is
                                     reduced to six.
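The likelihood × consequence rating of Table 8.12 and the evaluation bands of Table 8.13 in code, as an added example that is not the module's own; it also fills in register rows in the shape of Table 8.15 and rebuilds the matrix so the two tables can be cross-checked. The hazards are constructed from the arc welding rows of Table 8.15, plus one hypothetical entry included only to reach the intolerable band.

```python
from dataclasses import dataclass

# Likelihood (Table 8.10) and consequence (Table 8.11) scales, both 1 to 4.
LIKELIHOOD = {
    1: "Practically impossible",
    2: "Not likely to occur but could occur",
    3: "Known to occur, happened before",
    4: "Common or repeated occurrence",
}
CONSEQUENCE = {
    1: "Negligible injuries or ill health without medical leave",
    2: "Injuries or ill health, or medical leave of four days or fewer",
    3: "Serious injuries or ill health, or medical leave of five days or more",
    4: "Fatality, permanent disability or severe life-shortening disease",
}

# Risk action table (Table 8.13): (lowest rating, highest rating, level, control measure).
ACTION_TABLE = (
    (1, 2, "LOW", "Maintain existing control."),
    (3, 4, "MEDIUM (tolerable)",
     "Maintain existing control; consider a cost-effective improvement; monitor the controls."),
    (6, 6, "MEDIUM (moderate)",
     "Reduce the risk as low as reasonably practicable; plan preventive measures."),
    (8, 12, "HIGH (substantial)",
     "Implement corrective action immediately until the rating is reduced to six."),
    (16, 16, "HIGH (intolerable)",
     "Work shall not be continued until the rating is reduced to six."),
)


def risk_rating(likelihood: int, consequence: int) -> int:
    """Risk rating = likelihood x consequence (Table 8.12); both inputs must be 1 to 4."""
    if likelihood not in LIKELIHOOD or consequence not in CONSEQUENCE:
        raise ValueError(f"ratings must be 1 to 4, got L={likelihood}, C={consequence}")
    return likelihood * consequence


def evaluate(rating: int) -> tuple:
    """Risk evaluation (Table 8.13): returns (risk level, control measure and timeline)."""
    for low, high, level, measure in ACTION_TABLE:
        if low <= rating <= high:
            return level, measure
    # Products of two 1-4 ratings are 1, 2, 3, 4, 6, 8, 9, 12 or 16; anything else is a bug.
    raise ValueError(f"{rating} is not a product of two ratings from 1 to 4")


def work_may_continue(rating: int) -> bool:
    """Only the intolerable level (rating 16) stops work under Table 8.13."""
    return evaluate(rating)[0] != "HIGH (intolerable)"


def risk_matrix() -> dict:
    """Rebuild Table 8.12 as {(consequence, likelihood): 'Level rating'} for cross-checking."""
    matrix = {}
    for consequence in CONSEQUENCE:
        for likelihood in LIKELIHOOD:
            rating = risk_rating(likelihood, consequence)
            word = evaluate(rating)[0].split()[0].title()  # LOW/MEDIUM/HIGH -> Low/Medium/High
            matrix[(consequence, likelihood)] = f"{word} {rating}"
    return matrix


@dataclass(frozen=True)
class HazardEntry:
    activity: str
    hazard: str
    risk: str
    existing_control: str
    likelihood: int
    consequence: int


def build_register(entries) -> list:
    """HIRADC register rows (Table 8.15) with the rating and evaluation filled in."""
    rows = []
    for entry in entries:
        rating = risk_rating(entry.likelihood, entry.consequence)
        level, measure = evaluate(rating)
        rows.append({
            "activity": entry.activity, "hazard": entry.hazard, "risk": entry.risk,
            "existing_control": entry.existing_control,
            "likelihood": entry.likelihood, "consequence": entry.consequence,
            "rating": rating, "level": level, "control_measure": measure,
            "work_may_continue": work_may_continue(rating),
        })
    return rows


# Constructed from the arc welding rows of Table 8.15; the last entry is hypothetical
# and is included only to show the intolerable band.
SAMPLE_ENTRIES = [
    HazardEntry("Arc welding", "Exposure to bright light and UV radiation",
                "Damage to cornea", "Wear goggles; face shield", 2, 4),
    HazardEntry("Arc welding", "Exposure to fire and heat",
                "Heat stress or heat exhaustion", "Drink water; fire-resistant cap; long sleeves", 1, 3),
    HazardEntry("Arc welding", "Exposure to noise", "Hearing loss", "Wear ear plugs", 1, 3),
    HazardEntry("Arc welding", "Welding next to open fuel containers (hypothetical)",
                "Fatality due to fire", "None", 4, 4),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_ENTRIES):
        print(f"{row['rating']:>2} {row['level']:<19} {row['hazard']}: {row['control_measure']}")
```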


In determining the necessary control measures, you can refer to the hierarchy of
control as a basis. The determination of controls should always begin with the
highest level of the hierarchy, which is eliminate, followed by substitute,
engineering controls, administrative controls and lastly, personal protective
equipment (PPE) (see Figure 8.4 and Table 8.14).

Figure 8.4: Hierarchy of control


Source: The National Institute for Occupational Safety and Health (NIOSH) (2015)

Table 8.14: Hierarchy of Control

Control            Detail of Control
Eliminate          Completely remove the hazardous substance from the workplace.
Substitute         Change a work practice, substance or piece of equipment to provide a
                   safer environment. For example, substitute old, non-adjustable office
                   chairs with ergonomic chairs to reduce the risk of injuries.
Engineer           Modify the design of the workplace or plant and/or environmental
                   conditions. For example, the use of a fume extraction system to remove
                   fumes generated by hazardous substance use in labs.
Administrative     Developing procedures and systems to control the interaction between
                   people and hazards. For example, reducing the time of exposure to
                   noise by requiring people to be remote from equipment during
                   operation, providing manual-handling training to persons so they are
                   better able to identify/report/control/avoid hazards in the workplace.
Personal           Implementing PPE to prevent physical contact between a person and a
protective         hazard. For example, wear correct footwear, gloves, goggles and
equipment (PPE)    so on.

Source: The National Institute for Occupational Safety and Health (NIOSH) (2015)

Now that we have completed the HIRADC process, the information gathered
from the HIRADC assessment is recorded in a HIRADC register. A sample of
a HIRADC register is shown in Table 8.15.

Table 8.15: Example of HIRADC Register

Columns: Work Activity, Hazard, Risk, Existing Control, Likelihood, Consequence,
Risk Rating, Recommended Control (left blank in this sample).

Work activity: Arc welding

Hazard: Exposure to bright light and UV radiation
  Risk: Damage to cornea
  Existing control: Wear goggles; face shield
  Likelihood: 2   Consequence: 4   Risk rating: 8

Hazard: Exposure to toxic fumes, depending on the welding rods
  Risk: Manganese – Parkinson's disease; Nickel/chromium – Cancer; Steel –
  Respiratory illness
  Existing control: PPE recommended in ANSI Z49.1
  Likelihood: 2   Consequence: 4   Risk rating: 8

Hazard: Exposure to fire and heat
  Risk: Heat stress or heat exhaustion; Hair and body catching fire
  Existing control: Drink plenty of water before/after conducting job; Wear
  fire-resistant cap under helmet; Wear long-sleeved shirt
  Likelihood: 1   Consequence: 3   Risk rating: 3

Hazard: Exposure to noise
  Risk: Hearing loss
  Existing control: Wear ear plugs
  Likelihood: 1   Consequence: 3   Risk rating: 3


SELF-CHECK 8.3

Describe the hierarchy of control.

ACTIVITY 8.2

Discuss in the myINSPIRE forum how to establish a HIRADC register for
these activities:

(a) Metal stamping; and

(b) Spray painting.

8.4 CRITICAL SUCCESS FACTORS

Even though choosing the appropriate risk assessment technique is essential in
ensuring a successful implementation, there are other factors that need to be taken
into consideration as well. In the following subtopics, we will discuss some of the
critical factors for consideration.

8.4.1 Commitment and Support from Top Management

Many studies have shown that full commitment and support from top
management is the main contributing factor for the risk assessment exercise to be
successful. The top management should drive the organisation by providing
adequate resources, making decisions through the risk assessment process and
acknowledging those contributing to the business objectives through the correct
application of risk assessment.


8.4.2 Competency and Training


In order for the risk assessment to produce an accurate identification, analysis and
evaluation report, it must be conducted by competent personnel. Competency
should be based on their:

(a) Experience;

(b) Education; and

(c) Training.

Training requires some allocation of support and commitment from top
management to provide resources, such as a budget for training.

8.4.3 Efficient and Clear Documentation


As we know, risk assessment should not be shouldered by just a few employees.
Instead, it involves everyone in the organisation. Thus, there are many sources of
input that could be obtained.

In order to control this, specific reporting methods need to be established and a focal
point (person) needs to be appointed.

The focal point must be clear on what reporting template is to be used and also
what other related documentation needs to be supplied for the assessment. This
would ensure the risk assessment process can be conducted smoothly.

8.4.4 Consistent Monitoring and Reporting


Findings from the risk assessment need to be communicated to the process owner
as well as to the top management for decision and implementation of the
recommended action plan.

There is no specific frequency for reporting of risk assessment activity. It depends
on the complexity of the activity. Some might require monthly assessment and
some assessments will be on an annual basis.


ACTIVITY 8.3

Can you think of other critical success factors that can contribute to the
success in implementing risk assessment? Discuss the answer in the
myINSPIRE forum.

Summary

• There are a number of risk assessment techniques available and IEC
31010:2019 explains a total of 31 techniques for reference.

• Some of the popular techniques used are hazard identification, risk assessment
and determining control (HIRADC), and hazard analysis critical control points
(HACCP).

• ISO 14001:2015 is an international standard used by organisations to
manage the risks that their business operations or activities may pose to the
environment.

• There are four basic steps in the assessment of aspect and impact:

– Identify environmental aspects;

– Determine environmental impacts;

– Address significant environmental impacts; and

– Determine the control.

• Environmental aspects and impacts and HIRADC are examples of risk
assessment techniques, used to assess environmental risks and occupational
safety and health risks respectively. HIRADC is conducted to comply with the
requirements of ISO 45001:2018.

• The risk analysis can be conducted using qualitative or quantitative methods.

• Quantitative risk analysis requires an analysis of databases or surveys.

• Qualitative risk analysis can be conducted using the likelihood and
consequence tables.

• After the risk rating has been determined, the level of significance of the risk
and the action to be taken can be identified using the risk action table.

• Hierarchy of control consists of elimination, substitution, engineering,
administrative and personal protective equipment (PPE).

• Organisations have to choose the most appropriate technique to be applied. In
doing so, they must take into consideration the complexity of the process, the
availability of information or data and the competency and availability of
resources.

• Critical success factors in implementing a risk assessment technique include:

– Commitment and support from top management;

– Competency and training;

– Efficient and clear documentation; and

– Consistent monitoring and reporting.

Key Terms

Critical success factors
Environmental aspect and impact
Hazard identification, risk assessment and determining control (HIRADC)
IEC 31010:2019
ISO 14001:2015
ISO 45001:2018
Qualitative risk analysis
Quantitative risk analysis
Risk analysis
Risk assessment techniques
Risk evaluation
Risk identification


References

Department of Occupational Safety and Health. (2008). Guidelines for hazard
identification, risk assessment and risk control (HIRARC). Kuala Lumpur,
Malaysia: Author.

International Electrotechnical Commission (IEC). (2019). IEC 31010:2019 Risk
management – Risk assessment techniques. Geneva, Switzerland: Author.

International Organization for Standardization (ISO). (2018). ISO 31000:2018 Risk
management – Guidelines. Geneva, Switzerland: Author.

The National Institute for Occupational Safety and Health (NIOSH). (2015).
Hierarchy of control. Retrieved from
https://www.cdc.gov/niosh/topics/hierarchy/default.html



Topic 9 Global Risk Management Scenario

LEARNING OUTCOMES
By the end of this topic, you should be able to:
1. Identify the global top risks influencing the organisation's risk;
2. Examine the critical success factors in risk management; and
3. Investigate the barriers in implementing risk management.

INTRODUCTION
Businesses must compete, innovate, enter new markets and launch new products
in order to stay competitive. By doing so, they are exposed to higher risks. Those
who succeed seem to have better risk management capabilities. Unfortunately, for
some organisations, good governance, risk management and internal controls exist
only in name, not in spirit nor in practice.

Besides, their risk management processes and internal control have become static
and obsolete. As these organisations continue to evolve, they will face more and
more issues and problems until "the fire gets out of control" and all they can
do is remain in a constant "fire-fighting" mode.


As a result, such organisations become fatigued, leading to a decline in
productivity and profitability. Therefore, the board of directors (BOD) and top
management play an important role in ensuring that their organisation has the
appropriate risk culture, risk management systems and capabilities to deal with
any type of risk or challenge ahead.

Global risks and their relationship with enterprise risks, and the current scenario on
risk management, are the focus of this topic. These aspects are important in order
for us to be more alert to the emerging risks that may be faced by an organisation
and how to respond to these risks effectively. Happy reading!

9.1 TOP RISK CONCERNS


Before going into the top risk concerns for enterprises worldwide, we should first
be aware of the top risk concerns facing countries all over the world. Let us learn
more about the global top risks in the next subtopic.

9.1.1 Global Top Risks


Firstly, what does global risk mean? According to The Global Risks Report 2019 –
14th Edition, a global risk is defined as an uncertain event or condition that, if it
occurs, can cause a significant negative impact for several countries and industries
within the next 10 years.

Based on this definition, a total of 30 global risks were identified. These risks were
then grouped into five categories:

(a) Economic vulnerabilities;

(b) Environmental fragilities;

(c) Geopolitical tensions;

(d) Societal and political strains; and

(e) Technological instabilities.

These categories of global risks are further elaborated in Table 9.1.


Table 9.1: Examples of Global Risks

| Type of Global Risk | Example | Description |
|---|---|---|
| Economic vulnerability | Asset bubbles in a major economy | Unsustainably overpriced assets such as commodities, housing, shares in a major economy or region. |
| Economic vulnerability | Deflation in a major economy | Prolonged near-zero inflation or deflation in a major economy or region. |
| Economic vulnerability | Failure of a major financial mechanism or institution | Collapse of a financial institution and/or malfunctioning of a financial system that impacts the global economy. |
| Economic vulnerability | Failure/shortfall of critical infrastructure | Failure to adequately invest in, upgrade and/or secure infrastructure networks (such as energy, transportation and communications), leading to pressure or a breakdown with system-wide implications. |
| Economic vulnerability | Fiscal crises in key economies | Excessive debt burdens that generate sovereign debt crises and/or liquidity crises. |
| Economic vulnerability | High structural unemployment or underemployment | A sustained high level of unemployment or underutilisation of the productive capacity of the employed population. |
| Economic vulnerability | Illicit trade (such as illicit financial flows, tax evasion, human trafficking, organised crime) | Large-scale activities outside the legal framework such as illicit financial flows, tax evasion, human trafficking, counterfeiting and/or organised crime that undermine social interactions, regional or international collaboration, and global growth. |
| Economic vulnerability | Severe energy price shock (increase or decrease) | Significant energy price increases or decreases that place further economic pressures on highly energy-dependent industries and consumers. |
| Economic vulnerability | Unmanageable inflation | Unmanageable increases in the general price levels of goods and services in key economies. |
| Environmental fragilities | Extreme weather events (such as floods, storms) | Major property, infrastructure, and/or environmental damage as well as loss of human life caused by extreme weather events. |
| Environmental fragilities | Failure of climate-change mitigation and adaptation | The failure of governments and businesses to enforce or enact effective measures to mitigate climate change, protect populations and help businesses impacted by climate change to adapt. |
| Environmental fragilities | Major biodiversity loss and ecosystem collapse (terrestrial or marine) | Irreversible consequences for the environment, resulting in severely depleted resources for humankind as well as industries. |
| Environmental fragilities | Major natural disasters (such as earthquakes, tsunamis, volcanic eruptions, geomagnetic storms) | Major property, infrastructure, and/or environmental damage as well as loss of human life caused by geophysical disasters such as earthquakes, volcanic activity, landslides, tsunamis or geomagnetic storms. |
| Environmental fragilities | Man-made environmental damage and disasters (such as oil spills, radioactive contamination) | Failure to prevent major man-made damage and disasters, including environmental crime, causing harm to human lives and health, infrastructure, property, economic activity and the environment. |
| Geopolitical tensions | Failure of national governance (such as failure of rule of law, corruption, political deadlock) | Inability to govern a nation of geopolitical importance as a result of weak rule of law, corruption or political deadlock. |
| Geopolitical tensions | Failure of regional or global governance | Inability of regional or global institutions to resolve issues of economic, geopolitical or environmental importance. |
| Geopolitical tensions | Interstate conflict with regional consequences | A bilateral or multilateral dispute between states that escalates into economic (such as trade/currency wars, resource nationalisation), military, cyber, societal or other conflict. |
| Geopolitical tensions | Large-scale terrorist attacks | Individuals or non-state groups with political or religious goals that successfully inflict large-scale human or material damage. |
| Geopolitical tensions | State collapse or crisis (such as civil conflict, military coup, failed states) | State collapse of geopolitical importance due to internal violence, regional or global instability, military coup, civil conflict, failed states. |
| Geopolitical tensions | Weapons of mass destruction | The deployment of nuclear, chemical, biological, and radiological technologies and materials, creating international crises and potential for significant destruction. |
| Societal and political strains | Failure of urban planning | Poorly planned cities, urban sprawl and associated infrastructure that create social, environmental and health challenges. |
| Societal and political strains | Food crises | Inadequate, unaffordable or unreliable access to appropriate quantities and quality of food and nutrition on a major scale. |
| Societal and political strains | Large-scale involuntary migration | Large-scale involuntary migration induced by conflict, disasters, environmental or economic reasons. |
| Societal and political strains | Profound social instability | Major social movements or protests (such as street riots, social unrest) that disrupt political or social stability, negatively impacting populations and economic activity. |
| Societal and political strains | Rapid and massive spread of infectious diseases | Bacteria, viruses, parasites or fungi that cause uncontrolled spread of infectious diseases (for instance as a result of resistance to antibiotics, antivirals and other treatments) leading to widespread fatalities and economic disruption. |
| Societal and political strains | Water crises | A significant decline in the available quality and quantity of fresh water, resulting in harmful effects on human health and/or economic activity. |
| Technological instabilities | Adverse consequences of technological advances | Intended or unintended adverse consequences of technological advances such as artificial intelligence, geo-engineering and synthetic biology causing human, environmental and economic damage. |
| Technological instabilities | Breakdown of critical information infrastructure and networks (critical information infrastructure breakdown) | Cyber dependency that increases vulnerability to outage of critical information infrastructure (such as the Internet, satellites) and networks, causing widespread disruption. |
| Technological instabilities | Large-scale cyber-attacks | Large-scale cyber-attacks or malware causing large economic damages, geopolitical tensions or widespread loss of trust in the Internet. |
| Technological instabilities | Massive incident of data fraud/theft | Wrongful exploitation of private or official data that takes place on an unprecedented scale. |

Source: World Economic Forum (2019)

Consequently, more urgent and drastic effort and initiatives should be put in place
to reduce these global risks.

9.1.2 Top Risk Concerns of Enterprises


Now that we know of the different types of global risks we face nowadays, it is
clear that organisations need to keep abreast of what is happening around
them locally and globally before deciding on any strategic plan or business
development activities.

Being alert and updated on these issues and integrating them into the risk
management, strategic planning and internal control activities are the key factors
for businesses to grow and be sustainable. They have to determine the factors that
can affect their business, identify the risks and manage them in a systematic
and effective manner.


Every year, surveys are conducted by risk-related organisations, risk
consulting firms and universities worldwide to identify the top risks facing
enterprises. For the past several years, the top 10 risks have not changed much; only
the ranking of the risks may have changed slightly over the years. Some of the top
risks are explained in Table 9.2.

Table 9.2: Top Risks in Organisations

| Risk | Description |
|---|---|
| Existing operations and legacy IT systems may not be able to meet performance expectations related to quality, time to market, cost and innovation, as well as competitors, especially "born digital" and/or low-cost-base competitors or established competitors with superior operations. | This risk is a composite of several significant uncertainties – the company's digital readiness, its lack of resiliency and agility in staying ahead of or keeping pace with changing market realities, the restrictive burden of significant technical debt, the lack of out-of-the-box thinking about the business model, fundamental assumptions underlying the strategy and the existence or threat of more nimble competitors. With the reduction of entry barriers, established incumbents are leery of new competitors that can grow quickly by leveraging hyper-scalable digital capabilities that enable them to operate more efficiently, digitise new products and services, enhance the customer experience and/or transform the business model. |
| Succession challenges and the ability to attract and retain top talent in a tightening talent market may limit ability to achieve operational targets. | Labour markets continue to tighten as unemployment declines to levels at which economists debate the theoretical point where full employment is reached. Vital specialised knowledge and subject matter expertise are becoming harder to acquire and retain on a cost-effective basis. What is at stake is sustaining the workforce with the requisite talent and skills needed to think out of the box in a rapidly changing digital marketplace, execute high-performance business models and implement increasingly demanding growth strategies. |
| Regulatory changes and scrutiny may heighten, noticeably affecting the way products or services will be produced or delivered. | For the past years, regulatory risk has been a top five risk. The increment in comparison to last year is likely due to increased scrutiny at federal, state and local levels on a variety of regulatory fronts, particularly in Europe. For example, uncertainty over the results of the forthcoming US midterm elections may have also weighed on the minds of respondents from the US (survey conducted in September-October 2018). |
| Lack of preparedness to manage cyberthreats that have the potential to significantly disrupt core operations and/or damage the brand. | This risk is no surprise. There are two categories of companies – those that have been breached and know it, and those that have been breached but do not know it yet. Cybersecurity is a moving target, as innovative digital transformation initiatives, cloud computing adoption, mobile device usage, machine learning and other applications delivering exponential increases in computing power continue to outpace the security protections companies have in place. Increasingly sophisticated attacks on the human perimeter by perpetrators of cybercrime add to the uncertainty. As advanced persistent threats (APTs) spread, public disclosure requirements tighten and reputation hits from significant breaches increase in severity, the stakes for effective cybersecurity spiral upward. |
| Resistance to change may restrict ability to make necessary adjustments to the business model and core operations. | Enabling change continues to be a significant priority for just about every organisation on the planet, for change is becoming a way of life for most companies. Whether covert or overt, resistance to necessary change spawned by disruptive innovations that alter business fundamentals can be lethal. Strategic error in the digital economy can result in the ultimate price if a company continues to play a losing hand in the marketplace, ultimately suffering what a well-known CEO refers to as "stasis, followed by irrelevance, followed by excruciating, painful decline, followed by death." Board members and C-suite executives recognise the importance of positioning their organisation as early movers in exploiting market opportunities and responding to emerging risks. |
| Rapid speed of disruptive innovations and/or new technologies within the industry may outpace ability to compete and/or manage the risk appropriately, without making significant changes to the business model. | The top risk in 2018, this strategic risk remains important. With the onslaught of advances in digital technologies and rapidly changing business models, organisations must be agile and resilient in elevating their customers' experiences, digitising new products and services, increasing the velocity of quality decision-making and sustaining operational excellence. The big challenge with disruptive change is that even when executives are aware of emerging technologies that obviously have disruptive potential, it is not easy deciding how to respond. This risk is especially a concern for board members and CEOs, with both groups of respondents rating it as a top five risk concern. |
| Privacy/identity management and information security risks may not be addressed with enough resources. | This risk is likely to remain a top 10 risk for a long time. The proliferation of legislation to protect privacy of personal information has created enormous complexities for businesses, with potential fines, penalties and reputation loss that cannot be ignored. As the expanding digital economy enables businesses and third-party organisations to house sensitive information obtained in many ways, fresh exposures to sensitive customer and personal information and identity theft present themselves. |
| Inability to utilise data analytics and "big data" to achieve market intelligence and increase productivity and efficiency may significantly affect core operations and strategic plans. | Respondents continue to be concerned with their ability to harness the power of data and advanced analytics to achieve competitive advantage and manage operations more effectively. The prevailing view is that knowledge differentiates in the digital marketplace, as the winners will be those companies that capture and analyse the insightful, clarifying intelligence that positions them to be nimbler and more responsive to market shifts and changing customer preferences than competitors. |
| The organisation's culture may not sufficiently encourage timely identification and escalation of significant risk issues that have the potential to significantly affect core operations and achievement of strategic objectives. | The effectiveness of formal and ad hoc upward communication processes is of vital importance to keeping an organisation's leaders in touch with business realities. Coupled with concerns over resistance to change, the presence of this risk reflects on the strength of the organisation's culture, including its tone at the top, mood in the middle and buzz at the bottom. |
| Sustaining customer loyalty and retention may be increasingly difficult due to evolving customer preferences and/or demographic shifts in the existing customer base. | Companies with high churn rates incur significant costs in replacing lost customers. Sustaining customer loyalty and retention is about increasing profitability through superior top-line performance and reduced marketing costs and other costs associated with educating new customers. Customer preferences can shift rapidly in the digital age, but companies must keep pace with such shifts and retain customers in an environment where growth rates are modest in certain sectors. |

Source: Deloach (2019)


SELF-CHECK 9.1

1. What are the five categories of risks?

2. Explain the top five risks faced by most organisations.

ACTIVITY 9.1

For each of the risks identified in Table 9.2, apply the risks to the activities
or projects undertaken in your organisation. Decide on the appropriate
mitigation plan. Share your answer for discussion on the myINSPIRE
forum.

9.2 CRITICAL SUCCESS FACTORS IN RISK MANAGEMENT

The success of risk management initiatives lies in several factors. The key success
factors identified in the following subtopics are essential in making the risk
management initiatives effective.

9.2.1 Effective Risk Oversight


The BOD faces a challenging task of effectively overseeing the organisation's
enterprise-wide risk management to balance the way risks are being managed and
to add value to the organisation. In principle, risk oversight is the role of the BOD.


However, many approaches to risk oversight fail to link risks to strategic business
objectives. Figure 9.1 shows an example of an effective risk oversight structure.

Figure 9.1: Example of effective risk oversight structure


Source: Smiths Group PLC (2018)

Nowadays, the concept of enterprise risk management has gained increased
acceptance as a way to better connect risk oversight with the creation of value for the
organisation and its stakeholders. It assists the BOD and management to make better
strategic decisions. The BOD's focus on effective risk oversight is critical to set the
tone and culture towards effective risk management through:

(a) Strategy setting;

(b) Formulating high level objectives; and

(c) Approving broad-based resource allocations.

The elements that contribute to effective BOD oversight with regard to enterprise
risk management are:

(a) Understanding the risk philosophy of the organisation and concurring with
its risk appetite (the amount of risk – on a broad level – an organisation is
willing to accept in pursuit of stakeholder value). Constant discussion
between the management and the BOD is needed to establish the
understanding of the organisation's overall appetite for risks;


(b) Knowing the extent to which management has established effective
enterprise risk management of the organisation. The BOD needs to
understand the existing risk management processes, their application in
strategy setting and whether they provide reasonable assurance regarding the
achievement of objectives;

(c) Reviewing the overall portfolio of risk and considering it against the entity's
risk appetite. Effective BOD oversight of risks is dependent on the ability
of the board to understand and assess an organisation's strategies with risk
exposures; and

(d) Assessing the most significant risks and deciding whether management is
responding appropriately. Management needs to regularly update the BOD
on the key risk indicators.

The Chartered Global Management Accountant (CGMA) has conducted a survey
to obtain an understanding of the current state of enterprise risk oversight
among entities of all types and sizes. Based on 445 respondents (from the American
Institute of Certified Public Accountants' (AICPA) business and industry group)
to the online survey, the key findings are (Beasley, Branson & Hancock,
2019):

(a) Most executives perceive that uncertainties in the business environment are
leading to more complex risks. Most respondents (59 per cent) believe the
volume and complexity of risks is increasing extensively over time. They are
particularly concerned about risks related to talent, innovation, the economy,
and their reputation and brand. In addition, 68 per cent of organisations
indicate they have recently experienced an operational surprise due to a risk
they did not adequately anticipate.

(b) Despite concerns about a number of potential risk issues on the horizon,
few executives describe their organisation's approach to risk management
as mature. Twenty-three per cent of respondents describe their risk
management as "mature" or "robust", with the perceived level of maturity
declining over the past two years. Thirty-one per cent of organisations (54 per
cent of the largest organisations) report that they have complete ERM
processes in place.


(c) External stakeholders expect greater senior executive involvement in risk
management. External parties (59 per cent) are putting pressure on senior
executives for more extensive information about risks, and 65 per cent of
boards are calling for "somewhat" to "extensively" increased management
involvement in risk oversight. Strong risk management practices are
becoming an expected best practice. These pressures are increasing for large
organisations and public companies in particular.

(d) Boards are focused on risk oversight, but they tend to delegate
responsibilities to a committee rather than retain them for the full board. Just
under two-thirds (61 per cent) of boards of the full sample (83 per cent of
public companies) have delegated risk oversight to a board committee, with
most delegating to an audit committee unless they are a financial services
organisation with a board-level risk committee.

(e) More organisations are appointing an executive to oversee their risk
management processes, with most organisations creating a management-
level risk committee. About half of the full sample have designated an
individual to serve as chief risk officer (or equivalent), with 58 per cent of
large organisations and 56 per cent of public companies doing so. Over 80
per cent of large organisations, public companies and financial services
entities have management-level risk committees.

(f) Few organisations perceive their approaches to risk management as
providing important strategic value. Less than 20 per cent of organisations
view their risk management process as providing important strategic
advantage. Only 26 per cent of the organisations report that their board
substantively reviews top risk exposures in a formal manner when they
discuss the organisation's strategic plan.

(g) About half of the organisations engage in formal risk identification and risk
assessment processes. About one-half (46 per cent) of the organisations have
a risk management policy statement, with 49 per cent maintaining risk
inventories at an enterprise level. Just over 40 per cent have guidelines for
assessing risk probabilities and impact. Most (77 per cent) update risk
inventories at least annually.


(h) While boards receive written reports about top risk exposures, there is some
question as to whether the process used to generate the reports is systematic
or robust. Most boards of large organisations (84 per cent) or public
companies (87 per cent) discuss formal reports about top risks at least
annually; however, less than 60 per cent of those describe the underlying risk
management process as systematic or repeatable. Forty-one per cent of the
respondents admit they are "not at all" or only "minimally" satisfied with
the nature and extent of internal reporting of key risk indicators.

(i) Organisations are not building in explicit accountabilities for risk management,
with few organisations embedding risk oversight responsibilities as
components of compensation plans. The lack of risk management maturity
may be tied to the challenge of providing sufficient incentives for executives to
engage in risk management activities. Most (64 per cent) have not included
explicit components of risk management activities in compensation plans.

(j) Perceived roadblocks exist that prevent organisations from strengthening
their approach to risk management. Respondents from organisations that have
not yet implemented an enterprise-wide risk management process indicate
that one impediment is the belief that the benefits of risk management do not
exceed the costs, or that there are too many other pressing needs.

9.2.2 Integrating Risk Management, Internal Control and Internal Audit Process

There is a very clear relationship between internal control and risk management.
Basically, after the risk has been identified, understood and assessed, the
appropriate internal control needs to be put in place. Internal control generally
involves anything that can control the risks to the organisation. As such, policies,
procedures and a code of conduct are the control items that need to be established,
communicated and followed by employees to facilitate internal control. Internal
control provides reasonable assurance that risks are reduced to an acceptable level,
thus increasing the certainty of achieving organisational objectives.


The internal audit function is important. It carries out the task of monitoring, both
on an ongoing basis and in relation to specific needs, the operation and the
adequacy of the internal control and risk management process, through an audit
plan approved by the BOD, based on a structured analysis and prioritisation of
key risks. Detailed roles of internal audit are shown in Figure 9.2.

Figure 9.2: Typical internal audit roles
Source: Standards Australia Limited (2010)

SELF-CHECK 9.2

State the typical internal audit roles.

9.2.3 Emphasis on Building a Strong Risk Culture

What is risk culture? According to Unterrheiner (2017), some have defined "risk culture
as the values, beliefs, knowledge, attitude and understanding of risk shared across
the organisation." Risk culture depends on the organisation, market, country and
regulatory environment, but basically, some of the elements that build up a
risk culture are given in Table 9.3.


Table 9.3: The Elements of Risk Culture

Governance: A clear communication approach on risk, understood by all levels
of staff in the organisation.

Tone from the top: Employees are shaped by direction from the top. Communication
on decision-making is important to avoid misleading employees.

Accountability: Levels of authority and accountability need to be clear and enforced.

Incidents and escalation: Open discussion should focus on what actually went wrong,
what can be learned and whether changes to processes or controls are required.

Incentives and remuneration: Link remuneration to the operation of the risk management
framework. Setting goals around key performance indicators will influence the culture.

Training, succession planning and talent management: These elements should support
and enforce the desired culture and behaviour. If the desired culture differs from the
existing one, then talent management carries significant influence on the culture's
ability to change.

Most organisations focus more on legal compliance and other forms of risk than
on embedding a risk culture within the organisation. A strong risk culture is
important, and it can be seen through a sound understanding of risk by
employees, where emerging risks are addressed effectively and business
is conducted both legally and ethically. Figure 9.3 illustrates the relationship
between risk culture and the behaviour of employees.

Figure 9.3: Relationship between risk culture and the behaviour of employees
Source: ISACA (2009)


Based on Figure 9.3, the risk awareness culture begins at the top, with board and
business executives who set the direction, communicate risk-aware decision-
making and reward effective risk management behaviours. Risk awareness also
implies that all levels within an enterprise are aware of how and why to respond
to adverse information technology (IT) events.

In conclusion, risk culture is a concept that is not easy to describe. It consists of
a series of behaviours, as shown in Figure 9.3. It includes:

(a) Behaviour towards taking risk: How much risk does the enterprise feel it
can absorb and which risks is it willing to take?

(b) Behaviour towards following policy: To what extent will people embrace
and/or comply with the policy?

(c) Behaviour towards negative outcomes: How does the enterprise deal with
negative outcomes, i.e., loss events or missed opportunities? Will it learn
from them and try to adjust, or will blame be assigned without treating the
root cause?

9.3 BARRIERS IN IMPLEMENTING RISK MANAGEMENT

Lastly, let us look at the barriers in implementing risk management. There are
several issues faced by organisations during the implementation of risk
management. These barriers have stalled risk management initiatives and left
them unable to support the achievement of organisational objectives. The common
barriers are explained in Table 9.4.


Table 9.4: Some Common Barriers in Implementing Risk Management

Unsupportive culture: A risk management initiative cannot be successful unless the
BOD and senior management lead in the creation of a risk culture in the organisation.
Their involvement in risk overview, risk communication, decision-making, setting
strategic objectives, project risk assessment and risk-based decision-making is
essential. Without their support, the level of risk maturity in the organisation
will be low. Thus, the organisation will be unaware of the need for the management
of risk and will not attempt to prepare for any threats or uncertainties.

Lack of risk-strategy integration: By integrating enterprise risk management in
strategy development and strategy execution capabilities, the organisation will be
best positioned to create and enhance sustainable value. However, there has been
poor acceptance of risk-strategy integration processes. Why is that so? The BOD and
senior management are unaware of the organisation's enterprise risks because of a
lack of knowledge, and sometimes due to ignorance. They rely heavily on the
executives responsible for operations or the strategic planning department when it
comes to risk management.

Lack of practical experience: It is common for all organisations at the initial stage
of implementation to lack practical experience. This barrier can be overcome by
visiting an organisation which has established a mature risk management process,
participating in the development of risk management standards in the country and
maintaining close communication with risk management practitioners.

Lack of policy and procedures for managing risk: Although there are numerous
standards and guidelines on risk management, organisations seem to have difficulties
in establishing the relevant policy and procedures. This may be due to several
reasons such as lack of understanding, lack of priority and lack of commitment and
interest from the designated personnel.

Lack of expertise to lead a risk management team: A formal training curriculum to
develop risk management awareness and competencies needs to be established. An
organisation has to evaluate the level of competency of the key personnel involved in
risk management. It should formally roll out a training plan and training curriculum
to develop a competent risk management team in the company. The lack of competencies
and expertise is a recipe for disaster in implementing risk management.

Source: Mosheh, Niemann & Kotze (2018)


Beasley, Branson, Hancock and the ERM Initiative (2015) identified three
barriers to implementing risk management, as shown in Figure 9.4.

Figure 9.4: Three barriers in risk management implementation
Source: Beasley, Branson, Hancock & ERM Initiative (2015)

Even though these barriers may seem relatively unimportant in practice, they
do pose a significant challenge to the success of the risk management process.

SELF-CHECK 9.3

What are the common barriers in risk management?

ACTIVITY 9.2

Identify other possible potential problems that you may face in
establishing a risk management initiative in your organisation. Then, list
down your action plan to overcome these problems. Share your answer
for discussion in the myINSPIRE forum.


• Global risks have an impact on enterprise risk. Businesses need to keep abreast
of and be alert to these external factors, which have the potential to impact
their business.

• There are five categories of global risks, namely economic vulnerabilities,
geopolitical tensions, societal and political strains, environmental fragilities
and technological instabilities.

• The risk oversight undertaken by the BOD and senior management is crucial
to the achievement of an organisation's strategic objectives.

• The critical success factors in risk management are effective risk oversight;
integrating risk management, internal control and the internal audit process; and
emphasis on building a strong risk culture.

• Implementing risk management in an organisation requires full commitment
from all levels in the organisation.

• Building the right risk culture requires leadership from the BOD and senior
management.

• Some common barriers in implementing risk management are an unsupportive
culture, lack of risk-strategy integration, lack of practical experience and lack
of expertise to lead the risk management team.

Key terms: Barriers; Critical success factors; Enterprise risk; Enterprise risk
management; Global risks; Internal audit; Internal control; Risk appetite; Risk
culture; Risk oversight; Strategic objectives.


Beasley, M. S., Branson, B. C., Hancock, B. V., & ERM Initiative. (2015). CGMA
report: Global state of enterprise risk oversight, 2nd edition: Analysis
of the challenges and opportunities for improvement. Retrieved from
https://erm.ncsu.edu/az/erm/i/chan/library/Global-State-of-Enterprise-Risk-Oversight-Report-2nd-Edition-June-2015-ERM-NCState-CGMA.pdf

Beasley, M. S., Branson, B. C., & Hancock, B. V. (2019). 2019: The state of
risk oversight: An overview of enterprise risk management practices,
10th anniversary edition, Spring 2019. Retrieved from
https://erm.ncsu.edu/az/erm/i/chan/library/2019_Current_Report_on_State_of_Risk_Oversight.pdf

Deloach, J. (2019). 10 top risks for 2019: Annual survey reveals growing threats.
Retrieved from https://www.corporatecomplianceinsights.com/10-top-risks-for-2019/

ISACA. (2009). The risk IT framework: Excerpt. Retrieved from
https://m.isaca.org/Knowledge-Center/Research/Documents/Risk-IT-Framework-Excerpt_fmk_Eng_0109.pdf

Mosheh, R., Niemann, W., & Kotze, T. (2018). Enterprise risk management
implementation challenges: A case study in a petrochemical supply chain.
South African Journal of Industrial Engineering, 29(4), 230–244.

Smiths Group PLC. (2018). Smiths Group PLC annual report 2018: Creating the
future. Retrieved from
https://www.smiths.com/-/media/files/smiths-group-annual-report-fy2018.pdf

Standards Australia Limited. (2010). Delivering assurance based on ISO
31000:2009 Risk management: Principles and guidelines: Handbook. Sydney,
Australia: Author.

Unterrheiner, S. (2017). Risk culture is an evolving process: Be prepared. Gen
Re Risk Management Review. Retrieved from
http://media.genre.com/documents/rmrv17-1-unterrheiner-en.pdf

World Economic Forum. (2019). The global risks report 2019, 14th edition.
Retrieved from
http://www3.weforum.org/docs/WEF_Global_Risks_Report_2019.pdf

Topic 10 Case Studies

LEARNING OUTCOMES
By the end of this topic, you should be able to:
1. Relate an actual case study with the lessons learned from Topic 1 to
Topic 9 of this module;
2. Support the importance of risk management for business continuity;
3. Demonstrate risk management in decision-making in real-life
situations; and
4. Plan for transformation in your organisation's risk management.

INTRODUCTION
The evolution of risk management over the past two decades has been from simple
concepts and visions on how risks should be addressed to a complete management
process with detailed techniques expected by those in oversight roles such as
governing bodies and senior management.

It was somewhere in the 1990s that the concept of managing risks was viewed in a
holistic manner across the many management systems and the term "enterprise
risk management" became well known. In earlier days, the term "enterprise risk
management" was used to describe risk management at the lower levels of the
organisation and did not necessarily capture the concepts of enterprise-level
approaches to risk.


The leading and most commonly used guideline for holistic risk management is
ISO 31000:2018. However, it should be mentioned that in the US, the Committee
of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk
Management: Integrated Framework (2004) has been the dominant framework used to
date. Many organisations are currently adopting one or the other of these
frameworks and then customising them to their own context.

In this last topic, the case studies are chosen from real-life situations in order to
expose the fundamentals of risk management to risk management learners and
practitioners. Each case study provides an opportunity to explore what went well,
what could have been done differently and what lessons are to be learned.

The case studies also demonstrate that risk management takes time to evolve. At
times, organisations have to go through a painful experience before they can
seriously embark on risk management successfully. The ultimate goal of risk
management is to have it embedded in the risk culture of the organisation and
drive the decision-making process so that management makes sounder
business decisions. Are you ready to wrap up this course? Let us investigate the
cases!

10.1 CASE STUDY 1: A SCENARIO OF THE BHOPAL TRAGEDY

The short scenario of the Bhopal incident reveals a number of risk categories that
the company had not fully addressed. As the risks are interrelated, they cannot be
addressed in silos. Focusing too much on financial risks at the cost of other risks
proved disastrous for the company.

10.1.1 The Case

The description of this tragedy is as follows:

In the early morning hours of 3 December 1984, a large amount of toxic methyl
isocyanate (MIC) gas was released from a Union Carbide India Limited (UCIL)
pesticide plant, which swept over a large, densely populated area south of the
plant. Thousands of people were killed including some at the railway station
2 km away.


I was an employee of Union Carbide Corporation (UCC), the US parent
company of UCIL at the time of the accident. There is a great deal that we will
never know about the accident. It is difficult to investigate a catastrophe of this
magnitude. Most investigations focused on the technical story. We know that,
although significant safeguards were designed into the plant to prevent an MIC
release or at least to minimise its impact, all of the safeguards were bypassed,
out-of-service or otherwise rendered ineffective.

But there is a social story that is just as important. Four social drivers form the
backdrop to the tragedy:

(a) The appeal of socialism in India;

(b) An extreme anti-expatriate legal system;

(c) General national poverty with abject localised poverty near the plant; and

(d) The lack of a safety culture.

All of these made it difficult to operate a plant of this sort in India at that time.

Financial factors were important as well; the plant was not making money.
UCIL had decided to permanently shut it down, thereby significantly affecting
operator morale and exacerbating maintenance deficiencies. The plant was in
its last production run at the time of the accident, working off the last batch of
MIC.

Much has changed in the process industries as a result of Bhopal including
many things that we take for granted, such as hazard and operability analysis,
management of change, permit to work and dispersion modelling. There is an
important lesson that we have not learned: effective use of standard operating
procedures (SOPs). The oil and gas industry needs to catch up with the airline
and space exploration industries to instil an effective safety culture and to make
following SOPs an absolute priority.

I am frequently struck by how little people know about this accident. I think it
is important to not only remember those killed and injured in the accident but
also to resolve that nothing like it will ever happen again.

Source: Duhon (2014)

You can go to the following link for more details on the Bhopal tragedy at
https://bit.ly/32raKvs.


10.1.2 Conclusion

How could this tragedy have been prevented? It could have been prevented if the
company had managed its risks appropriately, right from the beginning. The
political, social and legal factors contributing to the company's risks seem to have
been overlooked. The decisions made were based mainly on cutting costs in order to
make a profit and not on risk assessment reports. Safety risk was not
considered a main category of risk; as a result, thousands of lives were lost
in just a few days.

ACTIVITY 10.1

Based on Case Study 1:

(a) Determine the objectives of setting up the company in Bhopal, India.

(b) What are the possible risks?

(c) What are the sources of those identified risks?

(d) Establish a risk profile for each risk identified.

(e) If you were the owner of the company, would you agree with the
decision to set up the company in Bhopal, India?

Share your answers for discussion in the myINSPIRE forum.

10.2 CASE STUDY 2: PAY AND DISPLAY (P&D) PARKING METER PROJECT

In this case study, you can see that applying a detailed risk assessment to
a project is important in making the decision to proceed or not to
proceed with the project. The risk assessment process used in this case study can
be applied to any project. It is also part of the requirements of project
management.


10.2.1 The Case

PDP Technology Sdn Bhd is a small company dealing with pay and display
(P&D) parking meters. They are facing a problem with the existing product
they have supplied and would like to analyse the real issues with the product.
At the same time, they are interested in developing their own locally made
product.

In order to realise their objectives, they approached ST Research Sdn Bhd and
explained their issues and requirements. ST Research Sdn Bhd is an established
research organisation, well known for undertaking contract research for small
and medium industries. They have embedded a risk culture in their
organisation: their enterprise risk management has matured to the point where
risk is considered before any decision is made. The project manager in ST
Research, together with the team members, conducted a detailed risk assessment
of the project.

The objective of the project is to design and develop a working set of P&D
parking meters for a local council within a year. The product's key features are
as follows:

(a) High strength stainless steel keeps it secure and rust free;

(b) High-security, large capacity, stainless steel cash box;

(c) Microsoft® Windows® CE operating system, combined with a 32-bit
ARM® processor;

(d) 32 MB of SDRAM and 32 MB of flash memory;

(e) Flexible, modular design that is easy to upgrade, service and maintain;

(f) Remotely monitor equipment, generate reports and receive alerts, no
matter where you are;

(g) Comprehensive and easy-to-use configuration menus;


(h) Features a colour VGA liquid crystal display (LCD) with backlight,
capable of displaying graphics;

(i) The multi-language capability allows users to select the language of their
choice to carry out transactions; and

(j) Allow both coins and notes payment methods.

Normally, after the objective and all the product requirements have been specified
by the customer, the project team reviews them against the project team's capabilities
and capacity. This can be done by detailing all the tasks according to the project work
breakdown structure (WBS) and also analysing the risk of each task to see the
impact on the project in terms of quality, cost and delivery (QCD).

10.2.2 Defining Work Breakdown Structure (WBS)

What is a work breakdown structure (WBS)?

A work breakdown structure (WBS) (in project management and systems
engineering) is a deliverable-oriented decomposition of a project into smaller
components.

In other words, a work breakdown structure organises the team's work into
manageable sections.

Meanwhile, the Project Management Institute, Inc. (2013) defines a work
breakdown structure as a "deliverable oriented hierarchical
decomposition of the work to be executed by the project team."

A work breakdown structure element may be a product, data, service or any
combination thereof. A WBS also provides the necessary framework for detailed
cost estimating and control, along with providing guidance for schedule
development and control.


The P&D parking meter (as shown in Figure 10.1) comprises two main
components: electronic and mechanical.

Figure 10.1: Typical P&D parking meter
Source: Mackay Meters (2019)

We can detail up the WBS for this product as in Figure 10.2.

Figure 10.2: Work breakdown structure (WBS) of pay and display (P&D) parking meter

Figure 10.3 shows the relationship between all the components of the
product, which correspond to the WBS.

Figure 10.3: Pay and display (P&D) parking meter electronic block diagram

Based on the WBS, we can start analysing the project team's strengths and
weaknesses before we can see the impact on the project QCD. This analysis covers
all the issues that the project team will face and also the opportunities that can be
seized, as part of the risk assessment process. The WBS also enables the project
leader to determine the duration of each work item.

SELF-CHECK 10.1

1. Define a work breakdown structure (WBS).

2. What are the advantages of a WBS?


10.2.3 Work Breakdown Structure (WBS), Responsibility Assignment Matrix (RAM) and Duration

Now, it is time to assign responsibility to the respective engineer and identify the
duration of each work package (see Table 10.1).

Table 10.1: WBS, Responsibility and Duration for P&D Parking Meter

Each work package is listed with its duration in months; in the table, the responsible
engineer (Eng 1 to Eng 7) is marked against each work package.

ID / WBS / Duration (months)

1 Power Management Unit
  Solar panel: 4
  Battery charger: 4
  Sealed lead acid battery: 1
  Power supply: 5

2 Main Processing Unit
  Central monitoring board: 18
  Memory: 3

3 Display Unit
  Liquid crystal display: 6

4 Module Unit
  GSM module: 6
  WiFi module: 6
  Ticket printer module: 6
  Coin validator: 6
  Note reader: 6

5 Firmware
  Flowcharting: 2
  Source code study: 2
  Source code design: 4
  Integration: 6

6 Middleware
  Architecture overview: 4
  Modelling: 6
  Runtime: 12
  Experiment: 6

7 Application Software
  System analysis: 2
  System design: 4
  System implementation: 4
  System roll-out: 4
  Post implementation: 6
  Maintenance contract: 6

8 Mechanical

9 Main Casing
  Front slot casing: 6
  High impact plastic window: 6

10 Solar Panel Bracket
  High impact plastic window: 6

Keypad: 4
P&D meter stand: 6


Based on Table 10.1, the project is expected to be completed in 30 months. Risk
assessment is also conducted based on Table 10.1. The detailed risk assessment
output is shown in Table 10.2.

Table 10.2: Risk Profile Table for P&D Parking Meter

Each entry lists the task, the risk, the risk source, the risk rating as
likelihood / consequence / rating (L / C / R) and the action plan.

1 Power Management Unit

Solar panel
  Risk: Unable to get a suitable customised solar panel on time
  Risk source: Limited suppliers that can supply the right customised solar panel
  Rating (L / C / R): L / Ma / S
  Action plan: To engage with the right supplier with good technical knowledge of solar panels

Battery charger
  Risk: Unable to design a low power battery charger
  Risk source: Lack of expertise in power management design
  Rating (L / C / R): L / Ma / S
  Action plan: To attend a training or engage an expert with the right knowledge

Sealed lead acid battery
  Risk: Off-the-shelf battery is not suitable for the product
  Risk source: Higher capacity of battery needed for the product
  Rating (L / C / R): UL / Ma / S
  Action plan: To contact the right supplier on the battery requirements

Power supply
  Risk: Lack of experience in designing a power supply module
  Risk source: One of the team members is not from an electrical power background
  Rating (L / C / R): L / Ma / S
  Action plan: To engage with the power supply expert or to buy power supply off-the-shelf

2 Main Processing Unit

Central monitoring board using ARM processor
  Risk: Unable to deliver the design according to milestone
  Risk source: Lack of knowledge of ARM-based processor design, needs longer time
  Rating (L / C / R): L / Ma / S
  Action plan: To attend an ARM-based processor design training programme

Memory
  Risk: Unable to get the right memory module for the project
  Risk source: High capacity module with low current might be difficult to get
  Rating (L / C / R): UL / Mi / M
  Action plan: To buy memory off-the-shelf with the right specifications

3 Display Unit

Liquid crystal display
  Risk: Unable to meet design requirements with a limited project cost
  Risk source: Customised design will be costly and takes a longer time to be delivered
  Rating (L / C / R): L / Ma / S
  Action plan: To accommodate the time of the delivery in the schedule

4 Module Unit

GSM module
  Risk: Unable to deliver the design according to the milestone
  Risk source: Lack of knowledge of GSM module interface design
  Rating (L / C / R): L / Ma / S
  Action plan: To work closely with the supplier and their technical expertise

WiFi module
  Risk: Unable to deliver the design according to the milestone
  Risk source: Lack of knowledge of WiFi module interface design
  Rating (L / C / R): L / Ma / S
  Action plan: To buy module off-the-shelf and work closely with the supplier and their technical expertise

Ticket printer module
  Risk: Unable to deliver the design according to the milestone
  Risk source: Lack of knowledge of GSM module interface design
  Rating (L / C / R): L / Ma / S
  Action plan: To buy module off-the-shelf and work closely with the supplier and their technical expertise

Coin validator
  Risk: Unable to deliver the design according to the milestone
  Risk source: Lack of knowledge of coin detection design
  Rating (L / C / R): L / Ma / S
  Action plan: To buy module off-the-shelf and work closely with the supplier and their technical expertise

Note reader
  Risk: Unable to deliver the design according to the milestone
  Risk source: Lack of knowledge of note detection design
  Rating (L / C / R): L / Ma / S
  Action plan: To buy module off-the-shelf and work closely with the supplier and their technical expertise

5 Middleware
  Risk: Unable to deliver the design according to the milestone
  Risk source: No expertise in this competency
  Rating (L / C / R): AC / C / H
  Action plan: To attend training/engage external expert/outsource the task to external expert

6 Application Software
  Risk: Unable to deliver the design according to the milestone
  Risk source: No knowledge of Linux system design
  Rating (L / C / R): L / M / S
  Action plan: To attend training on Linux system design

7 Mechanical

Main casing
  Risk: Unable to deliver the design according to the milestone
  Risk source: Customised design may affect the project schedule and cost
  Rating (L / C / R): UL / Mi / M
  Action plan: To design according to specific requirements

Solar panel bracket
  Risk: Unable to deliver the design according to the milestone
  Risk source: Lack of expertise in designing a high impact plastic window
  Rating (L / C / R): UL / Mi / M
  Action plan: To design according to specific requirements

Keypad
  Risk: Unable to deliver the design according to the milestone
  Risk source: Customised design may affect the project schedule and cost
  Rating (L / C / R): L / Mi / S
  Action plan: To buy keypad off-the-shelf that suits the requirement

P&D meter stand
  Risk: Unable to deliver the design according to the milestone
  Risk source: Customised design may affect the project schedule and cost
  Rating (L / C / R): UL / Mi / M
  Action plan: To design according to specific requirements

Figure 10.4 shows you the risk matrix table.

Figure 10.4: Risk matrix table
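The following Python, an added example and not code from the module, loads Table 10.2 as a risk register, rates every entry through a likelihood and consequence matrix, checks the recorded ratings against that matrix and lists the tasks to treat first. Because Figure 10.4 is not reproduced here, the code expansions, the matrix cells not seen in Table 10.2 and the what-if values for middleware are assumptions.

```python
"""Risk register rating for the P&D parking meter project (Table 10.2).

Added example, not part of the original module. Figure 10.4 (the risk matrix)
is not reproduced in the text, so the code expansions and every matrix cell
not observed in Table 10.2 are assumptions.
"""
from collections import Counter

# Likelihood and consequence codes as used in Table 10.2, ordered from least
# to most severe. The expansions in the comments are assumptions.
LIKELIHOOD = ["UL", "L", "AC"]           # Unlikely < Likely < Almost certain
CONSEQUENCE = ["Mi", "M", "Ma", "C"]     # Minor < Moderate < Major < Catastrophic
RATING_ORDER = {"M": 0, "S": 1, "H": 2}  # Medium < Significant < High

# Constructed risk matrix (rows = likelihood, columns = consequence). Cells
# marked "observed" appear in Table 10.2; the rest are filled so that the
# rating never falls as likelihood or consequence rises (assumption).
MATRIX = {
    "UL": {"Mi": "M", "M": "M", "Ma": "S", "C": "S"},  # (UL,Mi)=M, (UL,Ma)=S observed
    "L":  {"Mi": "S", "M": "S", "Ma": "S", "C": "H"},  # (L,Mi), (L,M), (L,Ma)=S observed
    "AC": {"Mi": "S", "M": "S", "Ma": "H", "C": "H"},  # (AC,C)=H observed
}

# Register rows transcribed from Table 10.2:
# (task, likelihood, consequence, rating as recorded in the table).
REGISTER = [
    ("Solar panel", "L", "Ma", "S"),
    ("Battery charger", "L", "Ma", "S"),
    ("Sealed lead acid battery", "UL", "Ma", "S"),
    ("Power supply", "L", "Ma", "S"),
    ("Central monitoring board", "L", "Ma", "S"),
    ("Memory", "UL", "Mi", "M"),
    ("Liquid crystal display", "L", "Ma", "S"),
    ("GSM module", "L", "Ma", "S"),
    ("WiFi module", "L", "Ma", "S"),
    ("Ticket printer module", "L", "Ma", "S"),
    ("Coin validator", "L", "Ma", "S"),
    ("Note reader", "L", "Ma", "S"),
    ("Middleware", "AC", "C", "H"),
    ("Application software", "L", "M", "S"),
    ("Main casing", "UL", "Mi", "M"),
    ("Solar panel bracket", "UL", "Mi", "M"),
    ("Keypad", "L", "Mi", "S"),
    ("P&D meter stand", "UL", "Mi", "M"),
]


def rate(likelihood, consequence):
    """Look up the rating for a likelihood/consequence pair, rejecting unknown codes."""
    if likelihood not in MATRIX or consequence not in MATRIX[likelihood]:
        raise ValueError(f"unknown rating codes: {likelihood!r}, {consequence!r}")
    return MATRIX[likelihood][consequence]


def check_register(register):
    """Tasks whose recorded rating disagrees with the matrix.

    A non-empty result means the register was rated inconsistently, or the
    matrix was changed after the rating was done; either way it needs review.
    """
    return [task for task, lk, cq, recorded in register if rate(lk, cq) != recorded]


def summarise(register):
    """Number of register entries per rating code, e.g. {'S': 13, 'M': 4, 'H': 1}."""
    return dict(Counter(recorded for _, _, _, recorded in register))


def tasks_at_or_above(register, threshold):
    """Tasks rated at or above `threshold`, highest rating first (stable within a rating)."""
    floor = RATING_ORDER[threshold]
    hits = [(task, r) for task, _, _, r in register if RATING_ORDER[r] >= floor]
    return [task for task, _ in sorted(hits, key=lambda tr: -RATING_ORDER[tr[1]])]


def residual_rating(register, task, likelihood, consequence):
    """Rating `task` would carry if its action plan moved it to the given codes."""
    if task not in {t for t, _, _, _ in register}:
        raise KeyError(f"{task!r} is not in the register")
    return rate(likelihood, consequence)


if __name__ == "__main__":
    print("inconsistent entries:", check_register(REGISTER))
    print("ratings:", summarise(REGISTER))
    print("needs treatment first:", tasks_at_or_above(REGISTER, "H"))
    # Constructed what-if: outsourcing middleware to an external expert (the
    # table's own action plan) might bring it down to Likely / Major.
    print("middleware after treatment:", residual_rating(REGISTER, "Middleware", "L", "Ma"))
```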


10.2.4 Project Schedule

The project schedule is illustrated in Figure 10.5 using a software application. It
enables the schedule to be updated and revised as and when needed.

Figure 10.5: Project schedule for the P&D parking meter


10.2.5 Conclusion

There are two major issues based on the risk profile listed above:

(a) Skill and knowledge of the specific areas; and

(b) The project duration.

In order to proceed with the project, they need to send their staff for training,
engage external experts or outsource the job to other companies to solve the skill
and knowledge issues. This will have an impact on the overall price of the project.

In terms of project duration, they are not able to deliver the product within one
year. Lack of experience and of a full-time workforce will prolong the project duration.
Therefore, based on the risk assessment, the project is a "no go".

ACTIVITY 10.2

Assuming that the managing director still insists that the project
manager proceed with the proposal of P&D parking meter, what action
would he or she propose in order to further mitigate the identified risks?
Discuss this matter in the myINSPIRE forum.

10.3 CASE STUDY 3: TRANSFORMING RISK MANAGEMENT

This case is chosen from Chapter 29 of Implementing Enterprise Risk
Management: Case Studies and Best Practices by Fraser, Simkins and Narvaez
(2015) because it provides a good example of how a company can
transform its current risk management. The decision to transform a
company's risk management approach usually comes from the board of directors
(BOD) or senior management. They discover discrepancies in the
current approach, reflected in key performance indicators (KPIs)
such as weak financial performance, slow delivery of services or sale of products
and not meeting stakeholders' expectations.


10.3.1 The Case

The description of the case study is as follows:

Akawini Copper has recently been acquired by an international company,
United Minerals. Akawini has a rudimentary approach to risk management
that must be improved if the new owners are to realise the level of return
claimed in the business case that was used to justify the acquisition. Akawini
owns a single mine and concentrate plant approximately 50 kilometres from
the coast. It ships the concentrate using trucks to a nearby port for export. The
company earns a revenue of USD774 million a year from the sale of concentrate
and employs a total of 1,500 people at the mine site and port.

United Minerals has developed and implemented a framework for managing
risk based on ISO 31000. In particular, this has enabled it to properly integrate
the risk management process into its approach to making decisions on major
projects and investment decisions and also into the way it develops, plans and
executes projects.

During due diligence prior to the acquisition, the risk management team for
United Minerals reviewed the current approach to risk management at
Akawini and from a cursory examination of documents was unable to
determine that the approach was very limited and was unlikely to yield much
real value. The team found, for example, that:

(a) A process for formal risk assessment was applied only to what was
described as "business risks". This occurred only once a year as part of a
risk review that updated the current risk register so that it could be
reported to an Audit Committee;

(b) There was a different process applied for safety risks that actually did not
consider risk as such but generated a risk rating using matrix system only
for hazards;

(c) No systematic process for assessing and treating risks was used in
support of major decisions. In particular, project management did not
include any form of explicit risk management process;


(d) The Akawini risk manager mostly dealt with insurance matters and asked
the company's external audit provider to offer a facilitator for the annual
risk review;

(e) The annual internal audit plan did not seem to be based on the outcomes
of the risk assessment and did not focus on assuring many of the critical
controls;

(f) The risk criteria systems used for both "business risks" and "safety risks"
covered only detrimental consequences and seemed to be based on five
levels of consequences and consequence types that were not associated in
any meaningful way with the company's objectives;

(g) Both systems used the term probability to estimate likelihood and did not
consider the frequency or return period for consequences;

(h) In both systems, risks were analysed incorrectly by combining the
likelihood of an event with what was described as "the plausible worst-case
consequences". This produced many "extreme" risks, which were then being
discounted by managers as implausible;

(i) Once risk registers were created on spreadsheets, they were kept on
separate personal computers and were rarely considered until the next
yearly review. Any risk treatment actions decided on were not followed
up or closed out;

(j) Critical controls were not identified and were not assigned to individuals
for ongoing monitoring and periodic review; and

(k) There was no coherent process that defined and captured learning from
successes and failures.

The risk management team signalled to the acquisition team its concerns and
the need to improve Akawini Copper's approach to risk management so as to bring
it into line with ISO 31000. Adoption of the United Minerals framework was then
placed on the transformation plan and given a high priority.


10.3.2 The Transformation Process

Once the acquisition was completed, the risk management team followed the
stepwise process in Figure 10.6 to transform the approach to risk management at
Akawini.

Figure 10.6: Risk management transformation stepwise process


The starting point was a structured analysis of Akawini's current approach to
managing risks, to identify where changes had to be made and then to assign a
priority to particular tasks. This was conducted in two parts:

(a) A full desk-based review of Akawini's risk management documentation; and

(b) A complementary set of interviews with Akawini management.

The second activity was important because, in the experience of the United
Minerals risk management team, it was vital to observe and review how risk
management takes place in practice.

This was particularly true where there might be any discontinuity of practice
across Akawini or inconsistent processes and systems. It was also important to
test out Akawini management's perceptions of the current approach to risk
management, to see whether it was currently viewed as effective and whether
managers perceived it as likely to satisfy their future needs. The risk
management team conducted a series of structured interviews with senior
management from Akawini so that the team could draw an objective conclusion on:

(a) The suitability of the current approach to manage risk associated with an
organisation of the size and complexity of Akawini, its risk profile and its
risk attitude;

(b) The drivers of that attitude, based on what were identified as the key
success factors and growth objectives for the organisation;

(c) The perceived usefulness of the current risk management process and its
degree of integration into key decision-making processes;

(d) The strengths and limitations of the other risk-type-specific approaches to
risk management that coexisted in the company; specifically, whether the
tools and methods currently being used were capable of providing Akawini
with a current, correct and comprehensive understanding of its risks and of
informing it whether the risks were within its risk criteria;

(e) The level of understanding of senior management about aspects of the risk
management culture; and

(f) An outline of the perceived risk profile of Akawini and whether this varied
from that reported to the board in the past.


The risk management team members consolidated their findings and compared
them with the elements of the existing United Minerals risk management
framework and the requirements of ISO 31000. They particularly mapped what
they found by comparing it with the principles for effective risk management in
Clause 3 and the attributes in Annex A of the Standard.

10.3.3 Gaining Senior Management Ownership for Transformation

For effective management, it was regarded as critical that senior management at
Akawini appreciated and could comment on and contribute to the findings and
conclusion of the review so that this would lead to ownership of the
transformation plan. The risk management team therefore presented its findings
and recommendations at a meeting with senior managers that covered:

(a) Fundamentals of risk and best practice in risk management;

(b) Overall findings and assessment of the benchmarking review;

(c) Suggested improvements and enhancement strategies; and

(d) Draft enhancement plan.

The risk management team elicited feedback and acceptance of the conditions it
found and prompted a discussion on the desired situation. In this way, the team
helped managers identify what needed to change. The diagram of the desired
framework architecture given in Figure 10.7 was used to demonstrate the strengths
and weaknesses of the current approach.


Figure 10.7: Desired framework architecture


Source: Fraser, Simkins & Narvaez (2015)

To demonstrate the desired outcomes, the risk management team explained that
the primary purpose of risk management in United Minerals was to act in a
dynamic way to support decisions and that the company framework had been
designed to ensure that:

(a) Assumptions and preconceptions were properly challenged before decisions
could be made;

(b) Appropriate actions were then taken to reduce the uncertainty that
objectives would be achieved;


(c) Early warnings were provided if key controls were not in place or were not
fully effective, so that pre-emptive action could be taken; and

(d) The organisation learned in a systematic way from its successes and failures,
at a fundamental level so that learnings would lead to lasting changes.

To help the organisation as a whole improve its ability to manage risk, the
company had adopted 10 performance requirements that it called its "standards".
These were, in outline:

(a) The risk management process will be integrated into all key decision-making
processes;

(b) The risk management process will be integrated into strategic, business and
project planning processes;

(c) Key controls will be identified and allocated to owners for monitoring;

(d) After every major decision, event or change or at the conclusion of all plans,
the organisation will learn lessons from the successes and failures using a
root cause analysis;

(e) The same consistent methodology will be used for analysing risks and for
evaluating control effectiveness;

(f) The significance of risks will be evaluated using one set of risk criteria;

(g) Viable options for treating risks will always be considered, and those options
will be implemented where there is a net benefit to the business;

(h) Accountability for managing risk will be allocated in a manner that is fully
consistent with the management of the business and with the delegations of
authority system;

(i) Only one database system will be used to hold and manage all forms of risk
management information; and

(j) Sites will plan how they will implement these standards and will report on
the progress with this implementation and the effectiveness of risk
management as part of the company's governance processes.


10.3.4 The Transformation Plan

The Akawini management team was then encouraged to discuss and compare
options and to suggest major actions for the enhancement plan. The actions were
allocated to the members of the management team and completion dates were
agreed. These agreements were recorded and became the risk management plan
that described the transformation process for managing risk at the sites. The
management team was also asked to commit to a review and reporting process
for the transformation plan.

10.3.5 Conclusion

The transformation process introduced in this case study addressed all the gaps
identified in Akawini's risk management. The transformation plan, provided that
it is executed accordingly, should enable Akawini to meet the expectations of
its stakeholders, United Minerals in particular.

ACTIVITY 10.3

If you were the plant manager of Akawini:

(a) Would you consider employing a risk manager? If yes, show in a
hypothetical organisation chart where the risk manager should be
located.

(b) What would you set as key performance indicators for the risk
manager and operations manager in relation to risk management?

(c) What report do you expect to be produced (by the risk manager or
other managers) to monitor and review the execution of the
transformation plan?

Share your answers for discussion in the myINSPIRE forum.


• It is essential for businesses to embark on risk management, as many major
incidents in the world have occurred because of poor management of risk.

• Project risk assessment is an integral part of project management.

• Identification of project risks through a work breakdown structure (WBS) can
comprehensively address all the risks associated with the project and increases
the likelihood of meeting the project objectives.

• Risk cannot be addressed in silos. Some risks are interrelated and thus, the
risk treatment has to be addressed in such a way that one will not cause a
negative impact on another.

• Transforming risk management in an organisation is a complex exercise where
involvement from all levels is important in realising the transformation plan.

Acquisition
Due diligence
Framework
Project schedule
Risk management process
Risk matrix table
Risk profile
Risk register
Transformation plan
Work breakdown structure (WBS)


Duhon, H. (2014). Bhopal: A root cause analysis of the deadliest industrial
accident in history. Retrieved from
https://pubs.spe.org/en/ogf/ogf-article-detail/?art=141

Fraser, J., Simkins, B., & Narvaez, K. (2015). Implementing enterprise risk
management: Case studies and best practices. Hoboken, NJ: John Wiley & Sons.

International Organization for Standardization (ISO). (2018). ISO 31000:2018
Risk management – Guidelines. Geneva, Switzerland: Author.

MacKay Meters. (2019). MacKay Guardian™ multi elite. Retrieved from
https://www.mackaymeters.com/index.php/products/multi-space/mackay-guardian-elite/

Project Management Institute, Inc. (2013). A guide to the project management
body of knowledge (PMBOK® guide) (5th ed.). Newtown Square, PA: Author.

MODULE FEEDBACK

If you have any comment or feedback, you are welcome to:

1. E-mail your comment or feedback to modulefeedback@oum.edu.my

OR

2. Fill in the Print Module online evaluation form available on myINSPIRE.

Thank you.

Centre for Instructional Design and Technology
(Pusat Reka Bentuk Pengajaran dan Teknologi)
Tel No.: 03-78012140
Fax No.: 03-78875911 / 03-78875966
