Unec 1695844500


What risk is and why it is important
Lecturer: Fatima Rustamova

Content

1. Definitions of risk
2. Types of risks
3. Risk description
4. Levels of risk
5. Classification systems
6. Risk likelihood and impact
7. Why understanding risk is important
8. Impact of hazard risks
9. Attachment of risks
10. Risk and reward
11. Attitudes to risk
12. Risk and triggers

Introduction

Whatever we think of as ‘risk’, it is changing in the digital age. Organizations of all types – government, local and health authorities, manufacturers and service providers, financiers and criminals – now use computers and are digitally processing immense amounts of data. Almost half of all households worldwide have a computer at home, and, whilst it is estimated that number is a third of households in developing countries, the impact on everyday lives and activity cannot be underestimated.

As our everyday activity is changing, so should our attitude to risk. Mark Zuckerberg famously said that ‘in a world that is changing really quickly, the only strategy that is guaranteed to fail is not taking risks’.

Definitions of risk

Risk is often perceived as being undesirable: The Oxford English Dictionary defines risk in terms of hazard, danger, loss or adverse consequence.

Types of risks

Risk may have positive or negative outcomes and may be considered to be related to an opportunity or a threat, or simply to uncertainty of outcome for an organization. Every risk has its own characteristics that require particular management or analysis. In this book, risks are divided into four categories:

● compliance (or mandatory) risks;
● hazard (or pure) risks;
● control (or uncertainty) risks;
● opportunity (or speculative) risks.

In general terms, organizations will seek to minimize compliance risks, mitigate hazard risks, manage control risks and embrace opportunity risks.

Risk description

In order to fully appreciate a risk, a detailed description is necessary so that a common understanding of the risk can be identified and ownership/responsibilities may be clearly established. To determine the correct range of information to collect about each risk, the distinction between compliance, hazard, control and opportunity risks needs to be clearly understood.

Levels of risk

It is important to understand the level of risk that has been identified if no controls are in place:

● Inherent level of risk: The level of risk before any actions have been taken to change the likelihood or magnitude of the risk.
● Current or residual level of risk: The level of risk after initial control measures have been put in place.
● Target level of risk: The level of risk that is desired or will be obtained with the application of further control measures.

The inherent level of risk is sometimes referred to as the ‘gross’ or absolute risk. The current or residual level of risk is sometimes referred to as the ‘net’ or the managed level of risk.

Classification systems

Risks can be classified according to the nature of the attributes of the risk. These can be:

● timescale – both at impact and after the event;
● source of the risk, for example counterparty or credit risk;
● nature of the impact and/or likely magnitude of the risk;
● component or feature that will be impacted (eg risks can impact people, premises, processes or products).

There is no universal classification system that fulfils the requirements of all organizations. It is likely that each risk will need to be classified in several ways in order to clearly understand its potential impact.

Risk likelihood and impact

Why understanding risk is important

Following the Covid-19 pandemic, many organizations took a greater interest and a proactive approach to risk and risk management. It is increasingly understood that the explicit and structured management of risks brings benefits. Organizations that manage risks will be able to achieve the following four areas of improvement, which are abbreviated as STOC throughout this book:

● Strategy: Because the risks associated with different strategic options will be fully analysed, better strategic decisions will be reached.
● Tactics: Because consideration will have been given to selection of the tactics and the associated risks involved, available alternatives can be evaluated.
● Operations: Because events that can cause disruption will be identified in advance and actions taken to reduce their likelihood of occurring, the damage caused by these events will be limited and the costs contained.
● Compliance: This will be enhanced because the risks associated with failure to achieve compliance with statutory and customer obligations will be addressed.

Impact of hazard risks

Hazard risks are often insurable as they can only have a negative outcome. Hazard risk management is concerned with issues such as health and safety at work, fire prevention and avoiding the consequences of defective products. Hazard risks can cause disruption to normal operations, as well as resulting in increased costs and poor publicity associated with disruptive events.

If a hazard risk materializes, it may have a very large impact. For example, a fire could destroy the main distribution warehouse of an organization, but the risks can be reduced by putting in place controls to minimize financial impact (by insurance) or reduce the extent of damage to reputation (through crisis management).

Attachment of risks

The organization will need to ask what features or components are key to success. This will result in the identification of the strengths, weaknesses, opportunities and threats facing the organization. This is often referred to as a SWOT analysis. Having identified key dependencies, the organization can then consider the risks that will impact these dependencies.

Risks may be attached to core processes, as well as being attached to objectives and/or key dependencies. Core processes can be classified as strategic, tactical, operational and compliance (STOC). In all cases, the core processes need to be effective and efficient. Mature (or sophisticated) risk management activities can then be designed to enhance the effectiveness and efficiency of core processes.

Risk and reward

Attitudes to risk

Different organizations will have different attitudes to risk. However, risk attitude is the organization’s approach to assess, pursue, retain or avoid risks. Some organizations may be considered to be risk averse, whilst others will be risk aggressive. The attitude of the organization to risk will depend on the attitude of the board, the nature of the sector and the marketplace within which it operates.

Risks need to be considered inside the context that gave rise to them. An organization may appear to be risk aggressive about an opportunity the board has decided should not be missed. The particular opportunity needs to have been fully considered for the organization to evaluate that risk correctly.

Attitude to risk is a complex subject and is closely related to the risk appetite of the organization, but they are not the same.

● Risk attitude indicates the way the organization perceives the likelihood and impact of uncertainty (including what it can do about the uncertainty).
● Risk appetite indicates the amount of risk an organization is willing to seek or accept in pursuit of its long-term objectives.

Risk and triggers

The purpose of using the bow-tie illustration is to demonstrate the risk classification systems used by the organization and the potential range of impacts should a risk materialize. Controls can be put in place to optimize the risk occurring (preventing downside or, if it’s an opportunity, controls can make it more likely to happen and impact bigger) and these can be represented by vertical lines on the left-hand side of the bow-tie. In a similar manner, recovery controls can be represented on the right-hand side of the bow-tie.

THANKS! ANY QUESTIONS?
