Professional Documents
Culture Documents
RM Prelim
RM Prelim
As a version of a comprehensive
definition of the word risk, the author offers the following:
1.2 Approaches to Defining Risk : Definitions and
Types An event with the ability to impact (inhibit, enhance or cause
doubt about) the effectiveness and efficiency of the core
Definitions of Risk
processes of an organization.
The Oxford English Dictionary definition of risk is as follows:
Risk in an organizational context is usually defined as
‘a chance or possibility of danger, loss, injury or other
anything that can impact the fulfilment of corporate
adverse consequences’, and the definition of at risk is
objectives. However, corporate objectives are usually not
‘exposed to danger’. In this context, risk is used to signify fully stated by most organizations. Where the objectives
negative consequences. However, taking a risk can also
have been established, they tend to be stated as internal,
result in a positive outcome. A third possibility is that risk is annual, change objectives. This is particularly true of the
related to uncertainty of outcome
personal objectives set for members of staff in the
Take the example of owning a motor car. For most people, organization, where objectives usually refer to change or
owning a car is an opportunity to become more mobile and developments, rather than the continuing or routine
gain the related benefits. However, there are uncertainties operations of the organization.
in owning a car that are related to maintenance and repair
costs. Finally, motor cars can be involved in accidents, so
there are obvious negative outcomes that can occur. It is
also important to remember the legal obligations associated
with car ownership and the rules that must be obeyed when
the car is being driven on a road.
Definitions of risk can be found from many sources, and
some key definitions are set out in Table 1.1. An alternative
definition is also provided to illustrate the broad nature of
risks that can affect organizations. The Institute of Risk
Management (IRM) defines risk as the combination of the
probability of an event and its consequence.
Consequences can range from positive to negative. This is
a widely applicable and practical definition that can be It is generally accepted that risk is best defined by
easily applied. concentrating on risks as events, as in the definition of risk
provided in ISO 31000 and the definition provided by the
The international guide to risk-related definitions is ISO
Institute of Internal Auditors, set out in Table 1.1. In order
Guide 73, and it defines risk as the ‘effect of uncertainty on
for a risk to materialize, an event must occur. Therefore,
objectives’. This definition appears to assume a certain
perhaps a risk can simply be considered to be ‘an
level of knowledge about risk management and it is not
unplanned event with unexpected consequences’. Greater
easy to apply to everyday life. The meaning and application
clarity is likely to be brought to the risk management
of this definition will become clearer as the reader
process if the focus is on events. For example, consider
progresses through this book.
what could disrupt a theatre performance.
An earlier version of Guide 73 (2002) also notes that an
The events that could cause disruption include a power cut,
effect may be positive, negative, or a deviation from the
the absence of a key actor, or a substantial transport failure
expected. These three types of events can be related to
or road closures that delay the arrival of the audience, as
risks as opportunity, hazard or uncertainty, and this relates
well as the illness of a significant number of staff. Having
to the example of motor car ownership outlined above. The
identified the events that could disrupt the performance, the
guide notes that risk is often described by an event, a
management of the theatre needs to decide what to do to
change in circumstances, a consequence, or a combination
reduce the chances of one of these events causing the
of these and how they may affect the achievement of
cancellation of a performance. This analysis by the
objectives.
management of the theatre is an example of risk
The Institute of Internal Auditors (IIA) defines risk as the management in practice.
uncertainty of an event occurring that could have an impact
Types of Risks
on the achievement of objectives. The IIA adds that risk is
measured in terms of consequences and likelihood. Risk may have positive or negative outcomes or may simply
Different disciplines define the term risk in very different result in uncertainty. Therefore, risks may be considered to
ways. The definition used by health and safety be related to an opportunity or a loss or the presence of
professionals is that risk is a combination of likelihood and uncertainty for an organization. Every risk has its own
magnitude, but this may not be sufficient for more general characteristics that require particular management or
risk management purposes. analysis. In this book, risks are divided into four categories:
Given that there are many available definitions for the word • compliance (or mandatory) risks;
risk, it is important that the organization chooses the • hazard (or pure) risks;
definition that is most suitable for its own purposes. The • control (or uncertainty) risks;
definition can be as narrow or as comprehensive as the
• opportunity (or speculative) risks. uncertainty about the potential impacts and consequences
of these events
In general terms, organizations will seek to minimize
compliance risks, mitigate hazard risks, manage control There are two main aspects associated with opportunity
risks and embrace opportunity risks. However, it is risks. There are risks/ dangers associated with taking an
important to note that there is no ‘right’ or ‘wrong’ opportunity, but there are also risks associated with not
subdivision of risks. Readers will encounter other taking the opportunity. Opportunity risks may not be visible
subdivisions in other texts and these may be equally or physically apparent, and they are often financial in
appropriate. It is, perhaps, more common to find risks nature. Although opportunity risks are taken with the
described as two types, pure or speculative. Indeed, there intention of obtaining a positive outcome, this is not
are many debates about risk management terminology. guaranteed. Nevertheless, the overall approach is to
Whatever the theoretical discussions, the most important embrace the opportunity and the associated opportunity
issue is that an organization adopts the risk classification risks. Opportunity risks for small businesses include moving
system that is most suitable for its own circumstances. a business to a new location, acquiring new property,
expanding a business and diversifying into new products.
There are certain risk events that can only result in negative
outcomes. These risks are hazard risks or pure risks, and
these may be thought of as operational or insurable risks.
1.3 Approaches to Defining Risk : Description,
In general, organizations will have a tolerance of hazard
Inherent and Classification Systems
risks, and these need to be managed within the levels that
the organization can tolerate. A good example of a hazard Risk Description
risk faced by many organizations is that of theft.
In order to fully understand a risk, a detailed
There are other risks that give rise to uncertainty about the description is necessary so that a common understanding
outcome of a situation. These can be described as control of the risk can be identified and ownership/responsibilities
risks and are frequently associated with project may be clearly understood. Table 1.2 lists the range of
management. In general, organizations will have an information that must be recorded to fully understand a risk.
aversion to control risks. Uncertainties can be associated The list of information set out in Table 1.2 is most applicable
with the benefits that the project produces, as well as to hazard risks and the list will need to be modified to
uncertainty about the delivery of the project on time, within provide a full description of control or opportunity risks.
budget and to specification. The management of control
risks will often be undertaken in order to ensure that the
outcome from the business activities falls within the desired
range. The purpose is to reduce the variance between
anticipated outcomes and actual results.
At the same time, organizations deliberately take risks,
especially marketplace or commercial risks, in order to
achieve a positive return. These can be considered as
opportunity or speculative risks, and an organization will
have a specific appetite for investment in such risks.
Opportunity risks relate to the relationship between risk and
return. The purpose is to take action that involves risk to
achieve positive gains. The focus of opportunity risks will be
towards investment. So that the correct range of information can be collected
The application of risk management tools and techniques about each risk, the distinction between compliance,
to the management of hazard risks is the best and longest- hazard, control and opportunity risks needs to be clearly
established branch of risk management, and much of this understood. The example below is intended to distinguish
text will concentrate on hazard risks. Hazard risks are between these four types of risk, so that the information
associated with a source of potential harm or a situation required in order to describe each type of risk can be
with the potential to undermine objectives in a negative way identified.
and hazard risk management is concerned with mitigating
the potential impact. Hazard risks are the most common
risks associated with operational risk management,
including occupational health and safety programmes.
Control risks are associated with unknown and unexpected
events. They are sometimes referred to as uncertainty risks
and they can be extremely difficult to quantify. Control risks
are often associated with project management and the
implementation of tactics. In these circumstances, it is
known that the events will occur, but the precise Inherent level of risk
consequences of those events are difficult to predict and
It is important to understand the uncontrolled level of all
control. Therefore, the approach is based on managing the
risks that have been identified. This is the level of the risk
before any actions have been taken to change the risks will be classified according to the source of the risk,
likelihood or magnitude of the risk. Although there are the component impacted or of the consequences of the risk
advantages in identifying the inherent level of risk, there are materializing.
practical difficulties in identifying this with some types of
risks. Individual organizations will decide on the risk classification
system that suits them best, depending on the nature of the
Identifying the inherent level of the risk makes it possible to organization and its activities. Also, many risk management
identify the import- ance of the control measures in place. standards and frameworks suggest a specific risk
The IIA has previously held the view that the assessment of classification system. If the organization adopts one of
all risks should commence with the identification of the these standards, then it will tend to follow the classification
inherent level of the risk. The guidance from the IIA has system recommended.
previously stated that: ‘in the risk assessment, we look at
The risk classification system that is selected should be fully
the inherent risks before considering any controls.’
relevant to the organization concerned. There is no
Although there is considerable debate about whether to
universal classification system that fulfils the requirements
undertake risk assessment at inherent or current level, the
of all organizations. It is likely that each risk will need to be
purpose of any risk assessment remains the same. It is to
classified in several ways in order to clearly understand its
identify what is believed to be the current level of the risk
potential impact.
and identify the key controls that are in place to ensure that
the current level is actually achieved. 1.4 Approaches to Defining Risk : Risk Likelihood and
Magnitude
Often, a risk matrix is used to show the inherent level of the
risk in terms of likelihood and magnitude. The residual or Risk likelihood and magnitude are best demonstrated using
current level of the risk can then be identified, after the a risk matrix. Risk matrices can be produced in many
control or controls have been put in place. The effort that is formats. Whatever format is used for a risk matrix, it is a
required to reduce the risk from its inherent level to its very valuable tool for the risk management practitioner. The
current level can be clearly indicated on the risk matrix. basic style of risk matrix plots the likelihood of an event
against the magnitude or impact should the event
Terminology varies and the inherent level of risk is
materialize.
sometimes referred to as the absolute risk or gross risk.
Also, the current level of risk is often referred to as the Figure 1.1 is an illustration of a simple risk matrix, also
residual level, net level or the managed level of risk. The referred to as a risk map or heat map. This is a commonly
example in the box below provides an example of how used method of illustrating risk likelihood and the magnitude
inherently high-risk activities are reduced to a lower level of (or severity) of the event should the risk materialize. The
risk by the application of sensible and practical risk use of the risk matrix to illustrate risk likelihood and
response options. magnitude is a fundamentally important risk management
tool. The risk matrix can be used to plot the nature of
individual risks, so that the organization can decide whether
the risk is acceptable and within the risk appetite and/or risk
capacity of the organization.
Throughout this book, a standard format for presenting a
risk matrix has been adopted. The horizontal axis is used to
Risk Classification Systems represent likelihood. The term likelihood is used rather than
frequency, because the word frequency implies that events
Risks can be classified according to the nature of the will definitely occur and the risk matrix is registering how
attributes of the risk, such as timescale for impact, and the often these events take place. Likelihood is a broader word
nature of the impact and/or likely magnitude of the risk. that includes frequency, but also refers to the chances of an
They can also be classified according to the timescale of unlikely event happening. However, in risk management
impact after the event occurs. The source of the risk can literature, the word ‘probability’ will often be used to
also be used as the basis of classification. In this case, a describe the likelihood of a risk materializing.
risk may be classified according to its origin, such as
counterparty or credit risk. A further way of classifying risks The vertical axis is used to indicate magnitude in Figure 1.1.
is to consider the nature of the impact. Some risks can The word magnitude is used rather than severity, so that
cause detriment to the finances of the organization, the same style of risk matrix can be used to illustrate
whereas others will have an impact on the activities or the compliance, hazard, control and opportunity risks. Severity
infrastructure. Further, risks may have an impact on the implies that the event is undesirable and is, therefore,
reputation of the organization, or on its status and the way related to compliance and hazard risks. The magnitude of
it is perceived in the marketplace. the risk may be considered to be its gross or inherent level
before controls are applied.
Risks may also be classified according to the component or
feature of the organization that will be impacted. For Figure 1.1 plots likelihood against the magnitude of an
example, risks can be classified according to whether they event. However, the more important consideration for risk
will impact people, premises, processes or products. An managers is not the magnitude of the event, but the impact
important consideration for organizations when deciding of the event and the consequences that follow. For
their risk classification system is to determine whether the example, a large fire could occur that completely destroys
a warehouse of a distribution and logistics company. likelihood of these events occurring, limit the damage
Although the magnitude of the event may be large, if caused by these events and contain the cost of the events.
sufficient insurance is in place, the impact in terms of
Compliance will be enhanced because the risks associated
financial costs for the company could be minimal, and if the
with failure to achieve compliance with statutory and
company has produced plans to cope with such an event,
customer obligations will be recognized.
the consequences for the overall business may be much
less than would otherwise be anticipated. It is no longer acceptable for organizations to find
themselves in a position whereby unexpected events cause
The magnitude of an event may be considered to be the
financial loss, disruption to normal operations, damage to
inherent level of the event and the impact can be
reputation and loss of market presence. Stakeholders now
considered to be the risk-managed level. Because the
expect that organizations will take full account of the risks
impact (and the associated consequences) of an event is
that may cause disruption within operations, late delivery of
usually more important than its magnitude (or severity),
projects or failure to deliver strategy.
every risk matrix used in the remainder of this book will plot
impact against likelihood, rather than magnitude against The exposure presented by an individual risk can be
likelihood. defined in terms of the like- lihood of the risk materializing
and the impact of the risk when it does materialize. As risk
exposure increases, the likely impact will also increase.
Guide 73 refers to this measurement of likelihood and
impact as being the current or residual ‘level of risk’. This
level of risk should be compared with the risk attitude and
risk appetite of the organization for risks of that type. The
risk appetite will sometimes be described as a set of risk
criteria.
Throughout this book, the term ‘magnitude’ is used to
indicate the size of the event that has occurred or might
occur. The term ‘impact’ is used to define how the event
affects the finances, operations, reputation and/or
marketplace (FIRM) of the organization. This use of
The risk matrix is used throughout this book to provide a terminology is also consistent with the use of impact
visual representation of risks. It can also be used to indicate inbusiness continuity planning evaluations. This is a
the likely risk control mechanisms that can be applied. The measure of the risk at the current level. The term
risk matrix can also be used to record the inherent, current ‘consequences’ is used in this book to indicate the extent to
(or residual) and target levels of the risk. which the event results in failure to achieve effective and
efficient strategy, tactics, operations and compliance
Shading or colour coding is often used on the risk matrix to
(STOC).
provide a visual representation of the importance of each
risk under consideration. As risks move towards the top
right-hand corner of the risk matrix, they become more likely
and have a greater impact. Therefore, the risk becomes
more important and immediate and effective risk control
measures need to be in place.
1.5 Impact of Risk on Organizations : Level, Impact
and Attachment
Impact of Hazard Risks
Level of Risk
Hazard risks undermine objectives, and the level of impact
Following the events in the world financial system during of such risks is a measure of their significance. Risk
2008, all organizations are taking a greater interest in risk management has its longest history and earliest origins in
and risk management. It is increasingly understood that the the management of hazard risks. Hazard risk management
explicit and structured management of risks brings benefits. is closely related to the management of insurable risks.
By taking a proactive approach to risk and risk Remember that a hazard (or pure) risk can only have a
management, organizations will be able to achieve the negative outcome.
following four areas of improvement
Hazard risk management is concerned with issues such as
Strategy, because the risks associated with different health and safety at work, fire prevention, avoiding damage
strategic options will be fully analysed and better strategic to property and the consequences of defective products.
decisions will be reached. Hazard risks can cause disruption to normal operations, as
Tactics, because consideration will have been given to well as resulting in increased costs and poor publicity
selection of the tactics and the risks involved in the associated with disruptive events.
alternatives that may be available. Hazard risks are related to business dependencies,
Operations, because events that can cause disruption will including IT and other supporting services. There is
be identified in advance and actions taken to reduce the increasing dependence on the IT infrastructure of most
organizations and IT systems can be disrupted by computer the corporate objectives and/or the stakeholder
breakdown or fire in server rooms, as well as virus infection expectations, as well as by analysis of the core processes
and deliberate hacking or computer attacks. of the organization. For example, the failure of Northern
Rock occurred because the wholesale money markets, on
Theft and fraud can also be significant hazard risks for
which the bank depended, stopped functioning. Another
many organizations. This is especially true for organizations
way of viewing the concept of attachment of risks is to
handling cash or managing a significant number of financial
consider that the features shown in Figure 2.1 offer
transactions. Techniques relevant to the avoidance of theft
alternative starting points for undertaking a risk
and fraud include adequate security procedures,
assessment. For example, a risk assessment can be
segregation of financial duties, and authorization and
undertaken by asking ‘what do stakeholders expect of us?’
delegation procedures, as well as the vetting of staff prior
and ‘what risks could impact the delivery of those
to employment.
stakeholder expectations?’
It is worth reflecting on terminology, because this is
In the build-up to the recent financial crisis, banks and other
especially important in relation to hazard risks, if an event
financial institutions established operational and strategic
occurs. If a hazard risk materializes, it may have a very
objectives. By analysing these objectives and identifying
large magnitude, such as the destruction of the main
the risks that could prevent the achievement of them, risk
distribution warehouse of an organization. This large
management made a contribution to the achievement of the
magnitude event will have an impact on the organization high-risk objectives that ultimately led to the failure of the
related to potential financial costs, destruction of
organizations. This example illustrates that attaching risks
infrastructure, damage to reputation and the inability to
to attributes other than objectives is not only possible but
function in the marketplace. Magnitude represents the may well have been desirable in these circumstances.
gross or inherent level of the risk.
However, the impact of the event will be reduced because
of the controls that are in place. Impact represents the net,
residual or current level of the risk. These controls reduce
the financial impact, the extent of destruction of
infrastructure, as well as controls designed to protect
reputation and marketplace activities. But, what is also
important for the organization is the consequences of the
major warehouse fire. These consequences relate to the
effect that the fire might have on the strategy, tactics,
operations and compliance activities within the
organization.
Finally, the importance of compliance risks should not be
underestimated. Compliance risks can be substantial for
many organizations, especially those business sectors that
are heavily regulated. In some cases, compliance with
mandatory requirements, represents a ‘licence to operate’
and failure to achieve the level of compliance activities
required by the relevant regulator can have a significant
impact on the reputation of the organization and substantial
consequences for routine business activities.