ARC 515 - 18

SPECIALIZATION 2:
RISK MANAGEMENT

First Semester 2022-2023

AR. OWEN L. RAMOS

ASSIGNMENT
RISK REVIEW AND UPDATE

TIERRA, MONIQUE C.
18 – 11329 – 958 | 5-AR1

1 ARC515-18 SPECIALIZATION 2
 RISK REVIEW AND UPDATE

What is Risk Review?

The Risk Review is conducted at regular intervals throughout the project to assess the current
project environment to determine if any changes are needed to manage future risks.

When to review?
The risk review should be scheduled such that it occurs at regular intervals and includes input
from the project team, specifically the risk owners. It should be aligned to when changes are
planned for the project. Not every single change should require a risk review. Instead, only those
that have an impact on the overall project environment. Review may be necessary if the
following circumstances arise:

o When new members of staff are taken on

You will need to re-consider who could be at risk and how they might be harmed if your
staffing arrangements change. Remember that new members of staff are more vulnerable
to harm as they are less familiar with their work and environment.
o If new machinery or equipment is introduced
This may bring new hazards into the workplace which need to be considered. Even if
only minor adjustments need to be made, they are important as it keeps the risk
assessment up to date as the changes happen.
o If an accident or a near miss occurs
It's important to find out why an incident has occurred and recognise that existing risk
controls aren't adequate. Reviewing your risk assessment in these circumstances will help
you decide what needs to be done to prevent future incidents.
o Regular review
It's also a good idea to decide on a regular pattern of review at the time of the initial
assessment. How regularly would depend on whether the workplace was a low or high
risk environment, and how frequently changes occur. A good general rule of thumb is to
review annually.

How to use a Risk Review?

Each risk review should follow a structure so that the risk owners know how to prepare
and so that there are fewer opportunities to miss an impactful change. The risk owners, project
team, and project manager can ask questions such as these in the risk review:

o What are the new risks in each category?

o For each new risk, what is the probability of occurrence?
o For each new risk, what is the impact?
o Is the probability of occurrence the same as before for each existing risk?

2 ARC515-18 SPECIALIZATION 2
 o For each existing risk, is the impact the same as before?
o Are any individual risks occurring together, thus amplifying the impact?
o Are there existing risks that are no longer possible and should be closed?
o Are there any lessons learned to apply moving forward?

Risk Review and Update

After the risk review, the risk manager develops and writes the improvement plan for the
Risk Management to update the program in order to increase its maturity and performance. The
improvement plan should address:

o investment
o training
o communication
o policy changes
o contingency planning
o organizational changes (e.g., new teams)
o asset procurement

It is important to remember that risk management is ongoing, so the organization's Risk

Management Program is always a work in progress. As the organization improves its Risk
Management Program and reduces risk exposure and impact, it also improves its ability to
continually evaluate its operation and make improvements. The Risk Management Program is
not finished just because the organization completes a cycle of risk management; in fact, it is
never finished.

ACCOUNTABILITY AND COMMUNICATION IN THE

ASPECTS OF RISK MANAGEMENT

ACCOUNTABILITY

Many organisations today have a dedicated person or a team of ‘risk advisors’ responsible
for supporting the organisation’s risk taking initiatives and helping the Board and senior executives
manage a wide range of opportunities and risks. The role is often referred to Chief Risk Officer
(CRO), Risk Manager, Risk Advisor, Risk Management Co-ordinator or similar. Consequently,
one of the major problems facing risk advisors is the perception of who is actually responsible for
risk management. In this context, the following are the ones who plays important role in enforcing
Risk Management. These stakeholders are the Board, senior executives/ management and staff in
the risk management framework.

3 ARC515-18 SPECIALIZATION 2
The Board

Risk management governance would always start from the top and for this the Board is the starting
point. In general, the Board is ultimately responsible for adopting and committing to an
organization's Risk Management Framework/Policy. Responsibilities specific to the risk
management framework include:

o Defining risk appetite and risk tolerances;

o Approving key risk management documents such as the Risk Management Policy and Risk
Appetite Statement;
o Providing feedback to management on important risk management matters/issues raised by
management; and
o Fully considering risk management issues contained in Board reports.
o Board responsibilities may vary depending on the regulatory framework in a country and/or
specific industry.

Chief Executive Officer (CEO)

The Chief Executive Officer with the assistance from the Chief Risk Officer, senior managers
and/or risk owners is responsible for leading the development of a sound risk management culture
across the organisation. Specifically the Chief Executive Officer is responsible for:

o Creating a control environment that promotes prudent risk management practices,

calculated risk taking and effective internal controls;
o Escalating all known potential risks, emerging risks or major incidents to the Audit
Committee and Board in a timely manner;
o Ensuring that the Risk Management Policy and Risk Management Strategy are being
effectively implemented; and
o Ensuring sufficient funds are prioritised and available to support effective and efficient
management of risks across the organisation.

Chief Risk Officer (CRO)

As with any CEO direct report, the CRO should be accountable to the CEO, executive management
and the board for enabling the institution to balance risk and reward and preserve enterprise value
and reputation. For example, he or she should:

o Establish and communicate the organization’s risk management vision

o Design and implement an appropriate risk management infrastructure
o Establish, communicate and facilitate the use of appropriate risk management
methodologies, tools and techniques
o Facilitate enterprise risk assessments and monitor the capabilities around managing the
priority risks across the institution

4 ARC515-18 SPECIALIZATION 2
 o Implement appropriate/meaningful action-oriented risk reporting to the overall board,
specific board committees and senior management

Senior Managers

Senior Managers are essentially the ‘risk owners’ and are required to manage risks on a day-to-
day basis. Senior managers are the first line defence in combating risk and are responsible for
implementing effective internal controls. Senior Managers are required to create an environment
where the management of risk is accepted as the personal responsibility of all staff, service
providers and contractors. They are accountable for:

o Maintaining sound risk management processes and structures within their area of
responsibility to conform with the organisations Risk Management Policy and supporting
arrangements;
o Identifying, recording and periodically evaluating risks;
o Identifying, recording and assessing effectiveness of existing controls;
o Determining whether to accept or further treat residual risks that are assessed as medium
or higher;
o Implementing, communicating and maintaining effective internal controls;
o Developing and monitoring risk treatment plans to treat higher level risks in a timely
manner;
o Maintaining up to date risk registers through periodic reviews and updates; and
o Ensuring all major incidents or issues are reported and resolved in a timely manner.

Managers are also responsible for supporting good management practices that compliment risk
management including:

o Complying with and monitoring staff compliance with all policies, procedures, guidelines
and designated authorities;
o Maintaining and communicating up-to-date information and documentation for key
operational processes; and
o Incorporating risk treatment plans into business processes as required.

Staff

Every staff member is responsible for effective management of risk including the identification of
potential risks. Risk management processes should be integrated with other planning processes
and management activities.

All staff, service providers and contractors should act at all times in a manner which does not place
at risk the health and safety of themselves or any other person in the workplace. Staff
are responsible and accountable for taking practical steps to minimise exposure to risks in so far
as is reasonably practicable within their area of activity and responsibility.

5 ARC515-18 SPECIALIZATION 2
All staff, volunteers, service providers and contractors must be aware of operational and business
risks that apply to their role. Specific responsibilities include:

o Providing input into various risk management activities;

o Assisting in identifying risks and controls;
o Conducting risk assessments as required by various policies and procedures;
o Seeking appropriate clarification on issues, problems and concerns identified;
o Reporting all emerging risks, known risks, control breakdowns, fraud, issues, breaches,
near incidents and incidents to their manager and/or appropriate officer; and
o Following policies and procedures at all times to ensure compliance and maintain the
organisations reputation.

COMMUNICATION

Why You Should Communicate Risks?

Identifying risks should never be purely an academic exercise in reality, risk assessments are next
to useless unless effectively communicated. Why should you communicate risks?

o Promote Accountability

Before risks are identified, it can be difficult for project roles and responsibilities
to be defined. Businesses identify accountability as a key obstacle to project
completion and highlighting the need for better role allocation and procedures for dealing
with risks. If project managers are able to immediately call to the right individual or
resources to deal with an issue, projects can stay on track when or if a risk occurs,
as potential risks are already 'marked in red'. By communicating potential risks to the right
people, such as your teams and stakeholders, you're able to better understand who you
should allocate roles and responsibilities to.

o Provide Realistic Expectations

Project stakeholders will have multiple reasons for investing their finances, time, and
support into your project that is why it is important to return the gesture with transparent
communications about your project timeline. If your stakeholders have unrealistic
expectations that are not met, it's likely they will become disengaged and may cause
damage to your project by being non-responsive or communicating negatively to others. If
you find a balance in both general and risk communications and communicate the potential
risks that could alter project timelines, your stakeholders are likely to have higher trust and
confidence in your project.

6 ARC515-18 SPECIALIZATION 2
 o Unify Your Team

By taking steps to communicate risk, you identify potential issues beforehand and equip
your teams with the ability to respond effectively. This reduces confusion and enhances
problem-solving skills in your teams. Risk analysis software can detect potential risks
and communicate them using graphical reports. This provides your teams with easily
understood information, enabling them to respond to risk instantly, without needing to be
informed by other personnel who may be in different locations or time zones.

How to Communicate Risk to Stakeholders

Risks need to be clearly communicated before, during, and after a project to ensure that stakeholder
expectations and opinion are upheld.

Unfortunately, we all know that risk management isn't as easy as writing a list and sliding it across
the table towards your most important stakeholders. Project managers need to involve stakeholders
in project conversations, keep important individuals engaged, and use the correct tools to enable
effective communication.

Here are our four tips for communicating risks to stakeholders, and why they're important:

1. Involve Your Team

Project managers are often held responsible for communicating with stakeholders, but they
shouldn't be the only line of communication. Risk management requires the involvement
of all of your project team members, especially if individuals hold expertise in certain risk
areas, or are leaders of a specific aspect of the project.

These particular specialists will provide relevant and detailed information, and help build
more realistic stakeholder expectations. By meeting expectations, it's easier to relate to
project stakeholders and obtain their vital support for your project.

Studies conducted by The Project Management Institute found that by shaping realistic
stakeholder expectations, projects were found to be more successful, as support was a
distinguishing factor between successful and challenged projects. By allocating
communication responsibilities to expert individuals, stakeholders can obtain more
relevant information that provides them with these vital realistic expectations.

2. Consider Stakeholder Location

If key stakeholders aren't located near you or your project, it can make it difficult to
communicate effectively. Ideally, you should choose a project team member who is close

7 ARC515-18 SPECIALIZATION 2
to the location of your stakeholders, whether it's by region, country, or timezone, who can
more easily respond to questions and concerns.

In our digital age, face-to-face communication can build stronger working

relationships and encourage higher engagement, so consideration of stakeholder location
should be a priority if you want to communicate effectively. If you're holding a weekly call
at a time where a stakeholder in a different time zone may be asleep, or can't find a time or
day when essential stakeholders are available, it's likely they'll become disengaged.
Remote members of your team can use your risk assessment reporting system as the central
hub of their information and communicate to stakeholders with greater foresight into
potential risks.

3. Utilize technology

Risk analysis technology can equip you and your team members with the ability to
communicate quantitative risk analysis to your stakeholders. When risk assessment is
purely speculative or includes an inaccurate assessment of resources, finances, or time,
stakeholder expectations can become misguided towards unrealistic demands. This can
leave them unhappy with your project's management, potentially damaging their support.

Cost risk tools can perform a cost-only risk analysis from the beginning of your project
until closeout, ensuring that financial expectations are met. Additionally, risk analysis
technology can perform a schedule risk analysis that identifies high-risk areas of your
project, provides high value information such as a prioritized report of the top risks likely
to delay your project, and allows you to accurately determine an end date (a crucial
stakeholder expectation).

Moreover, risk assessment tools enable you to visualize alternative scenarios to your risks
and enable you to calculate the impact of them. By using technology, you can communicate
accurate information to your stakeholders that is more likely to ensure their support.

4. Use Reporting and Alerts

If we recognise the importance of communicating with stakeholders, how do project

managers ensure that communications are regular, stakeholders are engaged, and that
stakeholders are fully aware of the risks of their project?

By regularly reporting on your project, you can check for common issues, report potential
issues with interactive links, and submit them for analysis. You can then set up alerts for
potential risks and retroactively react and inform key individuals or stakeholders who need
to know.

8 ARC515-18 SPECIALIZATION 2
REFERENCES

https://insights.sei.cmu.edu/blog/10-steps-managing-risk-octave-forte/
https://projectmanagementacademy.net/resources/blog/risk-audit-vs-risk-review/
https://www.linkedin.com/pulse/who-responsible-risk-managementscope-responsibilities-khan
https://www.safran.com/blog/how-to-communicate-risk-to-project-stakeholders

9 ARC515-18 SPECIALIZATION 2