Module 2
What is risk?
Risk: unrealized future loss arising from a present action or inaction.
• Risks are the opportunities and dangers associated with uncertain future events.
• A company cannot function without taking any risk.
• Risks help to generate higher returns.
• Not accepting risk tends to make a business less dynamic. Incurring risk also implies that the
returns from different activities will be higher, i.e. the ‘benefit’ is the return for accepting risk.
• The benefits can either be financial or non-financial in nature.
• Risks help a business to gain competitive advantage.
• Focusing on low-risk activities can easily result in a low ability to obtain competitive advantage –
although where there is low risk there is also only a limited amount of competitive advantage to be
obtained.
• For example, a mobile telephone operator may produce its phones in a wide range of colours.
There is little or no risk of the technology failing, but the move may provide limited competitive
advantage where customers are attracted to a particular colour of phone.
• Some low-risk activities, however, will provide higher competitive advantage. When these can
be identified, the activity should be undertaken because of the higher reward. For example, the
mobile phone operator may find a way of easily amending mobile phones to make them safer
regarding the electrical emissions generated.
• High-risk activities can similarly generate low or high competitive advantage.
• Activities with low competitive advantage will generally be avoided. There remains the risk that
the activity will not work, and that the small amount of competitive advantage that would be
generated is not worth that risk.
• Other high-risk activities may generate significant amounts of competitive advantage. These activities are
worth investigating because of the high returns that can be generated.
ALARP Principle
• We cannot eliminate risk altogether. Risks are a part of life, after all. But risk must be
controlled.
• Time, money and resources are needed to reduce risks. You are not expected to spend infinite
resources and money on eliminating all risks.
• How could you stay in business if that was the case? You would never make a profit, forever
chasing the impossible - zero risks.
• The ALARP (As Low As Reasonably Practicable) principle simply states that residual risk
should be as low as reasonably practicable.
• Taking into consideration the costly nature of risk reduction, the ALARP principle expresses a
point at which the cost of additional risk reduction would be grossly disproportionate to the
benefits achieved.
An extreme example to clarify the point:
– A company spending a million pounds to prevent a member of staff suffering from a bruised knee is
grossly disproportionate.
– A company spending a million pounds to prevent a major explosion capable of killing 150 people is
proportionate.
ALARP tools
• Optioneering
• Codes and standards
• Good practice and engineering judgement
• Risk assessment and cost benefit analysis
• Peer review and benchmarking
• Stakeholder consultation
Rules of thumb
The more complex the project, the more complex the decision and the more sophisticated the tools
required.
The higher the risk, the more comprehensive and robust the ALARP assessment needs to be.
Risk management
Risk management is the process of reducing the possibility of adverse consequences, either by reducing
the likelihood of an event or its impact, or by taking advantage of the upside risk.
A business typically faces many risks, such as product risk, market risk, credit risk, currency risk,
reputation risk, interest rate risk, political risk, legal risk, economic risk, financial risk, technology
risk, environmental risk, H&S risk, etc.
• Risk identification – Risks are identified by key stakeholders. Risks must be identified before they
can be managed.
• Risk assessment – Risks are evaluated according to the likelihood of occurrence and impact on the
organisation. This assessment provides a prioritised risk list identifying those risks that need the most
urgent attention.
• Risk planning – This involves establishing appropriate risk management policies. Policies include
ceasing risky activities through to obtaining insurance against unfavourable events. Contingency
planning involves establishing procedures to recover from adverse events if they occur.
• Risk monitoring – Risks need to be monitored regularly. If risks change or new risks are identified,
these are added to the risk assessment for correct categorisation and action.
Types of risk
Strategic risks are those risks that arise from the possible consequences of strategic decisions
taken by the organization.
For example: risk of a merger/acquisition not working out. These also arise from the way that an
organisation is strategically positioned within its environment. These are high-level risks and should
be identified and assessed at senior management and board level. PESTEL and SWOT techniques
could be used to identify these risks.
Operational risks refer to potential losses that might arise in business operations. For example: risks
of fraud, poor quality production, lack of inputs for production. These risks are comparatively low-level
and can be managed by internal control systems.
BUSINESS RISK
• Generic risks are those risks that affect all businesses. For example: changes in the interest rates,
non-compliance with company law, etc.
• Specific risks are those risks that affect individual business sectors. For example: rise in the prices of
petrol will affect a transport company more than an audit firm.
Risk identification
Impact on stakeholders
Risk map
• A common qualitative way of assessing the significance of risk is to produce a ‘risk map’:
• The map identifies whether a risk will have a significant impact on the organisation and links
that into the likelihood of the risk occurring.
• The approach can provide a framework for prioritising risks in the business.
• Risks with a significant impact and a high likelihood of occurrence need more urgent attention than
risks with a low impact and low likelihood of occurrence.
• The significance and impact of each risk will vary depending on the organisation, e.g. an increase in
the price of oil will be significant for an airline company but will have almost no impact on a financial
services company offering investment advice over the internet.
• The severity of a risk can also be discussed in terms of 'hazard'. The higher the hazard or impact
of the risk, the more severe it is.
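The risk map and the prioritised risk list from the risk assessment step can be sketched as a small risk register. This is an added example, not part of the original notes: the 1-5 scales, the "high" threshold of 3, the likelihood x impact score and every score in the register are constructed assumptions.

```python
from dataclasses import dataclass

HIGH = 3  # assumption: a score of 3 or more on the 1-5 scale counts as "high"


@dataclass(frozen=True)
class Risk:
    organisation: str
    event: str
    likelihood: int  # 1 (rare) to 5 (almost certain)
    impact: int      # 1 (negligible) to 5 (severe)

    def __post_init__(self):
        # Reject scores outside the scale so a typo cannot distort the ranking.
        for field in ("likelihood", "impact"):
            value = getattr(self, field)
            if not 1 <= value <= 5:
                raise ValueError(f"{field} must be 1..5, got {value}")


def cell(risk):
    """Return the quadrant of the risk map that the risk falls into."""
    impact = "high" if risk.impact >= HIGH else "low"
    likelihood = "high" if risk.likelihood >= HIGH else "low"
    return f"{impact} impact / {likelihood} likelihood"


def prioritise(risks):
    """Most urgent first: likelihood x impact, ties broken by impact."""
    return sorted(risks, key=lambda r: (r.likelihood * r.impact, r.impact),
                  reverse=True)


# Constructed register: the same event scored for two different organisations.
REGISTER = [
    Risk("Online investment adviser", "Oil price increase", 4, 1),
    Risk("Airline", "Fraud in ticket refunds", 2, 3),
    Risk("Online investment adviser", "Non-compliance with company law", 1, 4),
    Risk("Airline", "Oil price increase", 4, 5),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.likelihood * r.impact:>2}  {cell(r):<30} {r.organisation}: {r.event}")
```

The same oil price event lands in the high impact / high likelihood cell for the airline and in the low impact / high likelihood cell for the investment adviser, which is the organisation-dependence the notes describe.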
Risk perception
Board of directors
• The board of directors (BOD) determines the level of risk which the organization can accept in order
to meet its strategic objectives.
• The BOD makes sure that the risk management strategy is communicated to the rest of the
organization and integrated with all the other activities.
• It reviews risks and identifies and monitors the progress of the risk management plans.
• It will determine which risks will be accepted, which cannot be managed, or which it is not
cost-effective to manage, i.e. residual risk.
Embedding risk
• The aim of embedding risk management is to ensure that it is part of the way in which a business is
done. It includes embedding risk in systems and embedding risk in culture.
• Systems: This refers to ensuring that risk management is included within the control systems of an
organization.
• Culture: Embedding risk into culture and values means that risk management is ‘normal’ for the
organization. Establishing reward systems which recognise that risks have to be taken in practice (e.g.
not having a ‘blame’ culture),
TARA/SARA model
• Transfer/Share – Risks could be transferred wholly or partially to a third party, so that if an adverse
event occurs, the third party suffers all or most of the loss, e.g. insurance.
• Avoid – This refers to avoiding a risk altogether by not investing or withdrawing from the business
area completely.
• Reduce – This refers to reducing the risk either by limiting exposure in a particular area or decreasing
the adverse effects through use of internal controls.
• Accept – This refers to simply accepting the risk and bearing the consequences it may bring. This is
also called risk retention.