RM Lesson #1 (Jan 28 2022)


INTRODUCTION TO RISK MANAGEMENT

LEARNING OUTCOMES

• Provide a range of definitions of risk and risk management and describe the usefulness of the various definitions;

• List the range of characteristics of a risk that need to be identified in order to provide a full risk description and justify the inclusion of each item;

• Summarize the options for the attachment of risks to various attributes of an organization and describe the advantages of each approach;

• Identify the features of the four types of risk that enable them to be identified as compliance, hazard, control and opportunity risks;

• Summarize the origins and development of the discipline of risk management, including the various specialist areas and approaches;

• Explain the characteristics of enterprise risk management (ERM) and the benefits of the ERM approach over traditional risk management;

• Summarize the principles (PACED) and aims of risk management and its importance to strategy, tactics, operations and compliance (STOC);

• Describe the key outputs of risk management in terms of mandatory obligations, assurance, decision making and effective and efficient core
processes (MADE2).
DEFINITIONS OF RISK
OXFORD ENGLISH DICTIONARY
‘A chance or possibility of danger, loss, injury or other adverse consequences’, and the definition of at risk is
‘exposed to danger’.
INSTITUTE OF RISK MANAGEMENT (IRM)
The combination of the probability of an event and its consequence. Consequences can range from positive to
negative.
ISO Guide 73
The ‘effect of uncertainty on objectives’.
An effect may be positive, negative, or a deviation from the expected.

INSTITUTE OF INTERNAL AUDITORS (IIA)
The uncertainty of an event occurring that could have an impact on the achievement of objectives.
OCCUPATIONAL SAFETY AND HEALTH
Risk is the likelihood that a person may be harmed or suffer adverse health effects if exposed to a
hazard.
ORGANIZATIONAL CONTEXT
An event with the ability to impact (inhibit, enhance or cause doubt about) the effectiveness and
efficiency of the core processes of an organization.

TYPE OF RISKS
Risk may have positive or negative outcomes or may simply result in uncertainty. Therefore, risks may be
considered to be related to an opportunity or a loss or the presence of uncertainty for an organization. Every
risk has its own characteristics that require particular management or analysis. Risks are divided into four
categories:
● Compliance (or mandatory) risks
The threat posed to a company's financial, organizational, or reputational standing resulting from violations of laws,
regulations, codes of conduct, or organizational standards of practice.

● Hazard (or pure) risks
Risk events that can only result in negative outcomes: the risks that can only inhibit achievement of the corporate mission.
Typically, these are insurable-type risks or perils, and will include fire, storm, flood, injury and so on.

● Control (or uncertainty) risks
Risks that cause doubt about the ability to achieve the organization's mission. Internal financial control protocols are a
good example of a response to a control risk. Control risks are associated with uncertainty, and examples include the
potential for failure to achieve legal compliance and losses caused by fraud.

● Opportunity (or speculative) risks
The risks that are (usually) deliberately sought or embraced by the organization. These risks arise because the
organization is seeking to enhance the achievement of the mission, although they might inhibit the organization if the
outcome is adverse. This is the most important type of risk for the future long-term success of any organization.
ORGANIZATIONS WILL SEEK TO MINIMIZE COMPLIANCE RISKS, MITIGATE HAZARD RISKS, MANAGE CONTROL
RISKS AND EMBRACE OPPORTUNITY RISKS.

LEVEL OF RISK
It is important to understand the uncontrolled level of all risks that have been identified. This
is the level of the risk before any actions have been taken to change the likelihood or
magnitude of the risk.
Inherent risk is the amount of risk that exists in the absence of controls. In other words,
before an organization implements any countermeasures at all, the risk they face is inherent
risk.
Residual risk is the risk that remains after controls are accounted for. It’s the risk that
remains after your organization has taken proper precautions.

RISK CLASSIFICATION SYSTEM

• According to the nature of the attributes of the risk

• According to the nature of the impact and/or likely magnitude of the risk

• According to the component or feature

RISK LIKELIHOOD AND MAGNITUDE
Risk likelihood and magnitude are best demonstrated using a risk matrix. The risk matrix is also referred to as a risk map or heat map. This is
a commonly used method of illustrating risk likelihood and the magnitude (or severity) of the event should the risk materialize. The use of
the risk matrix to illustrate risk likelihood and magnitude is a fundamentally important risk management tool. The risk matrix can be used to
plot the nature of individual risks, so that the organization can decide whether the risk is acceptable and within the risk appetite and/or risk
capacity of the organization.

The term likelihood is used rather than frequency, because the word frequency implies that events will definitely occur and the risk matrix is
registering how often these events take place. Likelihood is a broader word that includes frequency, but also refers to the chances of an
unlikely event happening. However, in risk management literature, the word ‘probability’ will often be used to describe the likelihood of a
risk materializing.

The word magnitude is used rather than severity, so that the same style of risk matrix can be used to illustrate compliance, hazard, control
and opportunity risks. Severity implies that the event is undesirable and is, therefore, related to compliance and hazard risks. The
magnitude of the risk may be considered to be its gross or inherent level before controls are applied.

IMPACT OF RISK IN ORGANIZATION
All organizations are taking a greater interest in risk and risk management. It is increasingly understood that the explicit and
structured management of risks brings benefits. By taking a proactive approach to risk and risk management, organizations will be
able to achieve the following four areas of improvement:

• Strategy, because the risks associated with different strategic options will be fully analyzed and better strategic decisions will be
reached.

• Tactics, because consideration will have been given to selection of the tactics and the risks involved in the alternatives that may
be available.

• Operations, because events that can cause disruption will be identified in advance and actions taken to reduce the likelihood of
these events occurring, limit the damage caused by these events and contain the cost of the events.

• Compliance will be enhanced because the risks associated with failure to achieve compliance with statutory and customer
obligations will be recognized.

The exposure presented by an individual risk can be defined in terms of the likelihood of the risk materializing and the
impact of the risk when it does materialize. As risk exposure increases, the likely impact will also increase. Guide 73 refers
to this measurement of likelihood and impact as being the current or residual ‘level of risk’. This level of risk should
be compared with the risk attitude and risk appetite of the organization for risks of that type. The risk appetite will
sometimes be described as a set of risk criteria.
The term ‘magnitude’ is used to indicate the size of the event that has occurred or might occur. The term ‘impact’ is used
to define how the event affects the finances, operations, reputation and/or marketplace (FIRM) of the organization. This
use of terminology is also consistent with the use of impact in business continuity planning evaluations. This is a measure
of the risk at the current level. The term ‘consequences’ is used in this book to indicate the extent to which the event
results in failure to achieve effective and efficient strategy, tactics, operations and compliance (STOC).

RISK AND REWARD
The particular risks that the organization faces will need to be identified by management or by the organization.
Appropriate risk management techniques will then need to be applied to the risks that have been identified.
The illustration given below about risk and reward applies to opportunity risks. However, it must always be
the case that risk management effort produces rewards. In the case of hazard risks, it is likely that the reward
for increased risk management effort will be fewer disruptive events. In the case of project risks, the reward for
increased risk management effort will be that the project is more likely to be delivered on time, within budget
and to specification/quality.
For opportunity risks, the risk versus reward analysis should result in fewer unsuccessful new products and a
higher level of profit or (at worst) a lower level of loss for all new activities or new products. In all cases, profit
or enhanced level of service is the reward for taking risk.

ATTITUDES TO RISK
Different organizations will have different attitudes to risk. Some organizations may be considered to be risk averse, whilst others
will be risk aggressive. To some extent, the attitude of the organization to risk will depend on the sector and the nature and
maturity of the marketplace within which it operates, as well as the attitude of the individual board members.

Risks cannot be considered outside the context that gave rise to them. It may appear that an organization is being risk aggressive,
when in fact, the board has decided that there is an opportunity that should not be missed. However, the fact that the opportunity
entails high risk may not have been fully considered.

Improvement in the robustness of decision-making activities is one of the key benefits of risk management. Attitude to risk is a
complex subject and is closely related to the risk appetite of the organization, but they are not the same. Risk attitude indicates the
long-term view of the organization to risk and risk appetite indicates the short-term willingness to take risk. This is similar to the
difference between the long-term or established attitude of an individual towards the food they eat and their appetite for food at a
particular moment in time.
