RISK MANAGEMENT

Introduction

Every business and organization faces the risk of unexpected, harmful events that can cost the
company money or cause it to permanently close. Risk management allows organizations to
attempt to prepare for the unexpected by minimizing risks and extra costs before they happen.
Risk management is the process of identifying, assessing and controlling threats to an
organization's capital and earnings. These threats, or risks, could stem from a wide variety of
sources, including financial uncertainty, legal liabilities, strategic management errors,
accidents and natural disasters

Understanding risk involves the governance function of risk management. Risk management
means reducing the threats posed by known hazards, whilst simultaneously accepting
unmanageable risks, and maximising any related benefits. Organisations face different types
of risks in a specific and unconnected manner. There are methods of “definition and control”,
which are collected in a systematic approach known as “Risk Management”, which provides
reasonable defence against the possible verification of harmful events.

Meaning of Risk Management

Risk management basically means the identification and mitigation of losses. It is a systematic
process by which an organization identifies, analyzes, prepares and reduces losses.

Apart from that, it also focuses on helping a business find profitable opportunities. Every
business organization faces an unavoidable influence from its external and
internal environments.

Management of risks reduces the chances of such factors affecting an organization

negatively. Managers can either avoid or reduce risk or even transfer it to another entity.
Management of risks has, these days, become an inherent part of decision making and planning.
Employees at all levels, from top management to lower levels, have to deal with risks.

This, in turn, implies that risks can affect all aspects of an organization’s management. Hence,
knowledge of risk management is crucial for every organization.

Risk management is a process that identifies loss exposures faced by an organization and
selects the most appropriate techniques for treating such exposures. Because the term
risk is ambiguous and has different meanings, many risk managers use the term‗loss
exposure‘ to identify potential losses.
A loss exposure is any situation or circumstance in which a loss is possible, regardless of
whether a loss occurs.
Risk Management can therefore be defined as “a group of actions that are integrated

1
within the wider context of a company organisation, which are directed toward assessing
and measuring possible risk situations as well as elaborating the strategies necessary for
managing them”.
• It is also defined as “The process of analyzing exposure to risk and determining how to
best handle such exposure.”

According to Mark S. Dorfman, ―Risk Management is a logical approach to solving

those problems a business faces because it is expected to the possibility of loss.‖

According to Jain and Jain, ―Risk Management is a systematic process of identifying

and assessing company‘s risks and taking actions to protect a company against them.‖
Risk Management is the process used to systematically manage exposures to risk. The
risk management approach encourages management to put exposures to loss in a broad
perspective, in which insurance is just one of the several possible solutions to
theproblem. . Risk Management is best used as a preventive measure rather than as a
reactive measure.

Characteristics of Risk Management

Risk management is a systematic process that deals with the problem of uncertainty. It is an
important discipline under the broad subject of management.

Secondly, one can also refer to it for responding to undesirable events. In this regard, it helps in
preparing for worst-case scenarios.

Lastly, it is also a system that helps in making choices. It provides various alternatives and
approaches to help managers select one that has minimum chances of losses.

Evaluation of Risk Management

Risk evaluation attempts to define what the estimated risk actually means to people
concerned with or affected by the risk. A large part of this evaluation will be the
consideration of how people perceive risks.

Initial risk management plans will never be perfect. Practice, experience, and actual loss
results will necessitate changes in the plan and contribute information to allow possible
different decisions to be made in dealing with the risks being faced.

Risk analysis results and management plans should be updated periodically. There are
2
 two primary reasons for this:

1. To evaluate whether the previously selected security controls are still applicable and
effective, and

2. To evaluate the possible risk level changes in the business environment. For example,
information risks are a good example of rapidly changing business environment.
A risk management plan can never be perfect. However, the degree of its success depends upon risk analysis, management
policies, planning and activities. A well-defined management plan can be successful only if risks are properly accessed. And if
not, the main objective of risk management plan itself is defeated. Critical evaluation of a risk management plan at every
stage is very necessary especially at an early stage. It will allow companies to discover the flaws before it gets into the action.
Once you’re through the process, you can address the issues and then introduce it.

The below mentioned steps can help in analyzing and evaluating a risk management plan:

 Problem Analysis: Keep a note of all the events and activities of a risk management plan. Check out the problems
arising from their implementation and assess if they have a serious impact on the whole process. Make a note of
those that have serious implications.
 Match the Outcomes of a Risk Management Plans with its Objectives: STRATEGIC Ends justify means. Check if the possible
outcomes of a risk management plan are in tandem with its pre-defined objectives. It plays a vital role in analyzing
if the plan in action is perfect. If it produces desired results, it does not need to be changed. But if it fails to produce
what is required can be a really serious issue. After all, an organization deploys its resources including time, money
and human capital and above all, the main aim of the organization is also defeated.
 Evaluate If All the Activities in the Plan are Effective: It requires a thorough investigation of each activity of a
risk management plan. Checking out the efficiency of all the activities and discovering the flaws in their
implementation allow you to analyze the whole plan systematically.
 Evaluate the Business Environment: A thorough study and critical evaluation of business environment where a
risk management plan is to be implemented is essential. Take time to assess, analyze and decide what exactly is
required.
 Make Possible Changes in Faulty Activities: After evaluating the effectiveness and efficiency of all the activities,
try to make possible changes in the action plan to get desired results. It may be very time consuming but is
necessary for successful implementation of your risk management plan.
 Review the Changed Activities: After making changes in already existing activities and events of a risk
management plan, go for a final review. Try to note down the possible outcomes of the changed activity and match
them with the main objectives of the risk management plan. Go ahead in case they are in line with them.

Evaluating a risk management plan sometimes can be very frustrating. It is definitely a time consuming process and also
requires more of human efforts. Therefore, it is always better to analyze and evaluate a plan at every stage otherwise it will
result in wastage of time, finances and efforts. In order to keep a check on it, specialized teams of risk managers can be
appointed. The whole event can be outsourced to a risk management firm. The professionals at the firm can help you design,
develop, implement and evaluate a risk management plan for your company.

ENTERPRISE

3
 OPERATIONS FINANCIAL KNOWLEDGE

PROCESS CAPITAL STAKE INTELECTUAL

STRUCTURE HOLDERS PROPERTY

PHYSICAL REPORTING GOVERNANCE INFORMATIO

ASSETS N

PEOPLE CREDIT AND SYSTEMS

LIQUIDITY

LEGAL MARKET

Principles of Risk Management

There are risk management principles by International standardisation Organisation and
by Project Management Body of Knowledge. A combined view of principles identified
by ISO and PMBK is as follows
• Organisational Context: Every organisation is affected to varying degrees by various
factors in its environment (Political, Social, Legal, and Technological, Societal etc). For
example, an organisation may be immune to change in import duty whereas a different
organisation operating in the same industry and environment may be at a severe risk.
There are also marked differences in communication channels, internal culture and risk
management procedures. The risk management should therefore be able to add value and
be an integral part of the organisational process.
• Involvement of Stakeholders: The risk management process should involve the
stakeholders at each and every step of decision making. They should remain aware of
even the smallest decision made. It is further in the interest of the organisation to
understand the role the stakeholders can play at each step.
• Organisational Objectives: When dealing with a risk it is important to keep the
organisational objectives in mind. The risk management process should explicitly
address the uncertainty. This calls for being systematic and structured and keeping the
big picture in mind.
• Reporting: In risk management communication is the key. The authenticity of the

4
 information has to be ascertained. Decisions should be made on best available
information and there should be transparency and visibility regarding the same.
• Roles and Responsibilities: Risk Management has to be transparent and inclusive. It
should take into account the human factors and ensure that each one knows it roles at
each stage of the risk management process.
• Support Structure: Support structure underlines the importance of the risk management
team. The team members have to be dynamic, diligent and responsive to change. Each
and every member should understand his intervention at each stage of the project
management lifecycle.
• Early Warning Indicators: Keep track of early signs of a risk translating into an active
problem. This is achieved through continual communication by one and all at each level.
It is also important to enable and empower each to deal with the threat at his/her level.
• Review Cycle: Keep evaluating inputs at each step of the risk management process -
Identify, assess, respond and review. The observations are markedly different in each
cycle. Identify reasonable interventions and remove unnecessary ones.
• Supportive Culture: Brainstorm and enable a culture of questioning, discussing. This
will motivate people to participate more.
• Continual Improvement: Be capable of improving and enhancing your risk
management strategies and tactics. Use your learning’s to access the way you look at and
manage ongoing risk.

Objectives of Risk Management

1. Initial Investment and Underwriting

Investment decisions are supported by appropriately documented research and analysis

and made in accordance with company and client guidelines and objectives. Appropriate
recommendations and approvals are obtained to authorize investment decisions. Legal
and credit documentation is complete, adequately safeguarded, and filed in an organized
manner. Private investments are appropriately categorized and rated.

2. Credit Monitoring

Investment agreement terms and covenants are monitored for adherence and reported on

5
 an ongoing basis. Changes to investment terms, if any, are approved in accordance with
documented limits. Credit risk and investment quality is timely monitored, appropriately
categorized, and rated. Periodic reviews, including collateral security reviews, are
performed timely, appropriately documented, and results are reported. Remedial action
or restricting plans for loans identified as Especially Mentioned or Watch List are
appropriate, timely developed, authorized, and reported to the Quarterly Loan Review
Committee.

3. Investment Portfolio Monitoring

Investment positions and transactions are monitored against company policies and limits
and client investment guidelines and objectives. Exceptions of noncompliance are
properly reported, escalated to senior management, and the resolution is properly
authorized. Third-party investments acquired are allocated to investment accounts on a
reasonable and fair basis.

4. Trading

Trading transactions for publics are accurate, complete, and properly authorized.

5. Valuation and Pricing

Publics – Portfolios are accurately valued using independent sources on a timely basis
and reported to senior management. Discrepancies are researched and resolved timely.
Valuation of private investments is appropriate and documented.

6
6. Performance Monitoring

Performance measurement, ranking, and attribution analysis is regularly performed,

reviewed, reported, and approved.

7. Initial Disbursements

Funding disbursements are authorized, accurately recorded, timely, and supported by

appropriate contractual agreements and evidence of security.

8. Separation of Duties and Privacy

Effective organizational, logical, and physical security exists and is monitored to ensure
separation of mismatched functions and privacy over confidential client data.

9. Regulatory Compliance

Regulatory requirements are identified and compliance is achieved, monitored, and

reported.

10. Strategy and Direction

Business objectives and plans are clearly established and communicated. Associated
risks are identified, documented, and regularly assessed.

11. Policies, procedures, Authorities, and Responsibilities

Policies, procedures, authorities, and responsibilities are clearly defined and

communicated. Employees have the necessary knowledge, information, and tools to
manage relevant risks and support the achievement of the business unit‘s objectives.

12. Management Information

Management information is sufficient and timely. Performance is monitored against

targets and indicators. Follow-up procedures are established and performed.

Other Important Objectives

Risk management has important objectives. Baron and Thomas have classified these
objectives as follows:-

1. Pre-loss Objectives
7
2. Post-loss Objectives

1. Pre-loss Objectives: - Important objectives before a loss occurs include

economy, reduction of anxiety and meeting legal obligations.

a) The first objective means that the firm should prepare for potential losses in the most
economical way. This preparation involves an analysis of the cost of safety
programmers, insurance premiums paid, and the costs associated with the different
techniques for handling losses.

b) The second objective is the reduction of anxiety. Certain loss exposures can cause greater
worry and fear for the risk manager and key executives. For example, the threat of a
catastrophic lawsuit from a defective product can cause greater anxiety than a small loss
from a minor fire.

c) The Final objective is to meet any legal obligations. For example, government regulation
may require a firm to install safety devices to protect workers from harm, to dispose of
hazardous waste materials properly, and to label consumer products appropriately. The
risk manager must see that these legal obligations are met.

2. Post- loss Objectives: - Risk management also has certain objectives after a
loss occurs. These objectives include survival, continued operation, stability of earnings,
continued growth, and social responsibility.

a) The most important post-loss objectives are survival of the firm. Survival means that after
a loss occurs, the firm can resume at least particle operations within some reasonable
time period.

b) The second post-loss objective is to continue operating. For some firms, the ability to
operate after a loss is extremely important. For example, a public utility firm must
continue to provide service. Banks, bakeries, dairies and other competitive firms must
continue to operate after a loss. Otherwise, business will be lost to competitors.

8
c) The third post-loss objective is stability of earnings. Earnings per share can be maintained
if the firm continues to operate. However, a firm may incur substantial additional
expenses to achieve this goal, and perfect stability of earnings may not be attained.

d) The fourth post-loss objective is continued growth of the firm. A company can grow by
developing new products and markets or by acquiring or merging with other companies.
This risk manager must therefore consider the effect that a loss will have on the firm‘s
ability to grow.

e) Finally, the objective of social responsibility is to minimize the effects that a loss will have
on other persons and on society. A firm loss can adversely affect employees, suppliers,
creditors, and the community in general.

9
 Pre-loss Objectives

1. Post-loss Objectives

1. Pre-loss Objectives: - Important objectives before a loss occurs include

economy, reduction of anxiety and meeting legal obligations.

a) The first objective means that the firm should prepare for potential losses in the most
economical way. This preparation involves an analysis of the cost of safety
programmers, insurance premiums paid, and the costs associated with the different
techniques for handling losses.

b) The second objective is the reduction of anxiety. Certain loss exposures can cause greater
worry and fear for the risk manager and key executives. For example, the threat of a
catastrophic lawsuit from a defective product can cause greater anxiety than a small loss
from a minor fire.

c) The Final objective is to meet any legal obligations. For example, government regulation
may require a firm to install safety devices to protect workers from harm, to dispose of
hazardous waste materials properly, and to label consumer products appropriately. The
risk manager must see that these legal obligations are met.

2. Post- loss Objectives: - Risk management also has certain objectives after a
loss occurs. These objectives include survival, continued operation, stability of earnings,
continued growth, and social responsibility.

a) The most important post-loss objectives are survival of the firm. Survival means that after
a loss occurs, the firm can resume at least particle operations within some reasonable
time period.

b) The second post-loss objective is to continue operating. For some firms, the ability to
operate after a loss is extremely important. For example, a public utility firm must
continue to provide service. Banks, bakeries, dairies and other competitive firms must
continue to operate after a loss. Otherwise, business will be lost to competitors.

10
c) The third post-loss objective is stability of earnings. Earnings per share can be maintained
if the firm continues to operate. However, a firm may incur substantial additional
expenses to achieve this goal, and perfect stability of earnings may not be attained.

d) The fourth post-loss objective is continued growth of the firm. A company can grow by
developing new products and markets or by acquiring or merging with other companies.
This risk manager must therefore consider the effect that a loss will have on the firm‘s
ability to grow.

e) Finally, the objective of social responsibility is to minimize the effects that a loss will have
on other persons and on society. A firm loss can adversely affect employees, suppliers,
creditors, and the community in general.

Importance of Risk Management

Risks management is an important process because it empowers a business with the necessary
tools so that it can adequately identify and deal with potential risks. Once a risk’s been
identified, it is then easy to mitigate it. In addition, risk management provides a business with
a basis upon which it can undertake sound decision-making.

For a business, assessment and management of risks is the best way to prepare for
eventualities that may come in the way of progress and growth. When a business evaluates its
plan for handling potential threats and then develops structures to address them, it improves
its odds of becoming a successful entity.

The practice of risk intelligence and risk management is becoming more of an issue and more
important in many industries because:

a) Management is more cautious after learning from past mistakes

b) Legislation is more strict and extensive
c) Insurance coverage isn’t as comprehensive
d) The public is more critical
e) Customers are more prone to litigation

Risk Management Process

Implementing a risk management process is vital for any organization. Good risk
management doesn’t have to be resource intensive or difficult for organizations to undertake
or insurance brokers to provide to their clients. With a little formalization, structure, and a
strong understanding of the organization, the risk management process can be rewarding.

11
 The risk management process is a framework for the actions that need to be taken. There
are five basic steps that are taken to manage risk; these steps are referred to as the risk
management process. It begins with identifying risks, goes on to analyze risks, then the
risk is prioritized, a solution is implemented, and finally, the risk is monitored. In manual
systems, each step involves a lot of documentation and administration.

Step 1: Identify the Risk

Before dealing with risks, managers must be able to understand and identify them clearly. In order
to do this, they first need to comprehend the context in which the risks arise.

In other words, managers need to figure which environment their business functions in and what
risks may arise therein. They should also be aware of their organization’s functions, goals and
core activities.

The first step is to identify the risks that the business is exposed to in its operating
environment. There are many different types of risks – legal risks, environmental risks,
market risks, regulatory risks, and much more. It is important to identify as many of
these risk factors as possible. In a manual environment, these risks are noted down
manually. If the organization has a risk management solution employed all this
information is inserted directly into the system. The advantage of this approach is that

12
 these risks are now visible to every stakeholder in the organization with access to the
system. Instead of this vital information being locked away in a report which has to be
requested via email, anyone who wants to see which risks have been identified can
access the information in the risk management system.
Step 2: Analyze the Risk

After understanding the context, managers should list down all possible risks that may arise. This
will depend on the nature of the organization’s business, its environment, etc. For example, a
company manufacturing chemicals may face the risk of leakage from its production units.

Risks can be of four types.

Firstly, physical risks are those which involve an organization’s physical (tangible) assets and
environmental factors.

Secondly, Financial risks include the likes of insurance costs, payment of damages, loans, taxes,
etc.

Thirdly, risks may also be ethical if they involve harm in the nature of one’s beliefs or reputation.

Finally, there can also be legal risks which arise from laws and regulations.

Once a risk has been identified it needs to be analyzed. The scope of the risk must be
determined. It is also important to understand the link between the risk and different
factors within the organization. To determine the severity and seriousness of the risk it is
necessary to see how many business functions the risk affects. There are risks that can
bring the whole business to a standstill if actualized, while there are risks that will only
be minor inconveniences in the analysis. In a manual risk management environment, this
analysis must be done manually. When a risk management solution is implemented one
of the most important basic steps is to map risks to different documents, policies,
procedures, and business processes. This means that the system will already have a
mapped risk framework that will evaluate risks and let you know the far-reaching effects
of each risk.
Step 3: Evaluate or Rank the Risk

Every organization faces several kinds of risks but the chances of them occurring differ in every
case. Managers should analyze each possible risk individually and evaluate the chances of it
happening. This is because they have to accord more importance to serious risks than less serious
ones.

13
A business often incurs financial expenses for mitigating risks. For example, payment of insurance
premium, costs of hiring security personnel, etc.

The greater the chances of a risk occurring, the greater will be its cost of mitigation. Analysis of
risks, thus, helps in realizing how expensive it will be to prepare for a risk.

Managers can take the help of a ‘likelihood scale’ to fix the chances of risks occurring. This scale
basically ranks risks on the likelihood of them causing losses. They can even rank risks in terms of
priorities for this purpose.

Risks need to be ranked and prioritized. Most risk management solutions have different
categories of risks, depending on the severity of the risk. A risk that may cause some
inconvenience is rated lowly, risks that can result in catastrophic loss are rated the highest. It
is important to rank risks because it allows the organization to gain a holistic view of the risk
exposure of the whole organization. The business may be vulnerable to several low-level
risks, but it may not require upper management intervention. On the other hand, just one of
the highest-rated risks is enough to require immediate intervention.

Step 4: Treat the Risk

After identifying and analyzing risks, managers next have to treat them. This process can include
avoiding risks altogether. Alternatively, it is also possible to reduce the possible impact of a risk.

For example, a factory can deploy safety measures and equipment to prevent injuries to its workers.

One can even transfer risks to other entities. This process includes the use of contracts and notices
to shift any possible liability on others.

For example, shopping malls often shift the responsibilities of parked vehicles on their owners in
case any damage occurs.

Every risk needs to be eliminated or contained as much as possible. This is done by

connecting with the experts of the field to which the risk belongs. In a manual environment,
this entails contacting each and every stakeholder and then setting up meetings so everyone
can talk and discuss the issues. The problem is that the discussion is broken into many
different email threads, across different documents and spreadsheets, and many different
phone calls. In a risk management solution, all the relevant stakeholders can be sent
notifications from within the system. The discussion regarding the risk and its possible
solution can take place from within the system. Upper management can also keep a close eye
on the solutions being suggested and the progress being made within the system. Instead of
everyone contacting each other to get updates, everyone can get updates directly from within
the risk management solution.

Step 5: Monitor and Review the Risk

14
Monitoring and reviewing of risks is a continuous process. Managers need to keep
checking the likelihood of risks occurring. They must also regularly follow up on their risk
prevention strategies. This step is important because risks are inevitable and they never
remain static.

Not all risks can be eliminated – some risks are always present. Market risks and
environmental risks are just two examples of risks that always need to be monitored.
Under manual systems monitoring happens through diligent employees. These
professionals must make sure that they keep a close watch on all risk factors. Under a
digital environment, the risk management system monitors the entire risk framework of
the organization. If any factor or risk changes, it is immediately visible to everyone.
Computers are also much better at continuously monitoring risks than people.
Monitoring risks also allows your business to ensure continuity. We can tell you How
you can create a risk management plan to monitor and review the risk.

Risk Identification
Risk identification is the process of determining risks that could potentially prevent the
program, enterprise, or investment from achieving its objectives. It includes documenting
and communicating the concern.
The objective of risk identification is the early and continuous identification of events
that, if they occur, will have negative impacts on the project's ability to achieve
performance or capability outcome goals. They may come from within the project or
from external sources. Risk identification is the first step towards risk management. The
main objective of this step is early identification of events that can occur in the future
and can have negative impacts on a project or an organization and affect the achievement
of goals.
Risk identification enables businesses to develop plans to minimize harmful events before
they arise. The objective of this step is to identify all possible risks that could harm company
operations, such as lawsuits, theft, technology breaches, business downturns, or even a
Category 5 hurricane.
Safety management professionals must understand that risk identification is not a one-time
process. Instead, the process should be rigorous, thoughtful, and ongoing.

Ways to Identify Risks

There are many ways to identify an organization’s risks, however, some of the more common
examples include brainstorming, thinking pessimistically, and seeking employee feedback.

15
1. Brainstorming: Brainstorming combines a relaxed, informal approach to problem solving
with lateral thinking. It encourages people to come up with thoughts and ideas that can, at
first, seem a bit crazy. Some of these ideas can be crafted into original, creative solutions to a
problem, while others can spark even more ideas. Risk managers may find that
brainstorming the probability of various catastrophic events with other company stakeholders,
such as managers and certain C-level staff, can help identify new threats.
2. Thinking Pessimistically: Careers in safety management often entail planning for the worst
while expecting the best. Although pessimism isn’t often encouraged in the workplace, taking
time to ponder “what is the worst possible thing that could happen to the company” may be
helpful in identifying risks.
3. Seek Employee Feedback: Upper-level management’s perspective of an organization’s risks
can be starkly different from the perspective that employees hold. Employees may encounter
new risks in their day-to-day activities that may not have otherwise been encountered. For
example, insufficient training on a piece of operating equipment may be placing staff at risk
of injury. As such, employees are an invaluable source of first-hand information.

Risk Evaluation
Risk Evaluation is the process used to compare the estimated risk against the
given risk criteria so as to determine the significance of the risk.

When the risk analysis process has been completed, it is necessary to compare the estimated
risks against risk criteria which the organisation has established. The risk criteria may include
associated costs and benefits, legal requirements, socio-economic and environmental factors,
concerns of stakeholders, etc. Risk evaluation therefore, is used to make decisions about the
significance of risks to the organisation and whether each specific risk should be accepted or
treated.

Risk evaluation deals with estimating probability and impact of individual risks, taking into
account any interdependencies or other factors outside the immediate scope under
investigation.

Probability is the evaluated likelihood of a particular outcome actually happening (including

a consideration of the frequency with which the outcome may arise). For example, major
damage to a building is relatively unlikely to happen, but would have enormous impact on
business continuity. Conversely, occasional personal computer system failure is fairly likely
to happen, but would not usually have a major impact on the business

• Impact is the evaluated effect or result of a particular outcome actually happening.

• Impact should ideally be considered under the elements of: ‚ time ‚ quality ‚ benefit
‚ people/resource

• Some risks, such as financial risk, can be evaluated in numerical terms.

• Others, such as adverse publicity, can only be evaluated in subjective ways.

• There is a need for some framework for categorising risks, for example, high, medium and
low.

16
• When considering a risk’s probability, another aspect is when the risk might occur.

• Some risks will be predicted to be further away in time than others and so attention can be
focused on the more immediate ones.

Risk Management Techniques — methods for treating risks. Traditional risk

management techniques for handling event risks include risk retention, contractual or
noninsurance risk transfer, risk control, risk avoidance, and insurance transfer. Other
techniques used for other types of risk (e.g., credit, operational, interest rate risks)
include financial tools such as hedges, swaps, and derivatives.

Select the appropriate techniques for treating the loss exposures :-

The third step in the risk management process is to select the most appropriate technique,
or combination of techniques, for treating the loss exposures. These techniques can be
classified broadly as either risk control or risk financing.

Risk control refers to techniques that reduce the frequency and severity of losses. Risk
financing refers to techniques that provide for the funding of losses. Many risk managers
use a combination of techniques for treating each loss exposures.

17
A. Risk Control

As noted above, risk control is a generic term to describe techniques for reducing the frequency or
severity of losses. Major risk control techniques include the following:

I. Avoidance
II. Loss Prevention
III. Loss reduction

I. Avoidance

Avoidance means a certain loss exposure is never acquired, or an existing loss exposure is abandoned.
For example, flood losses can be avoided by not building a new plant in a floodplain. A pharmaceutical
firm that markets a drug with dangerous side effects can withdraw the drug from the market.

The major advantage of avoidance is the change of loss is reduced to zero if the loss exposure is never
acquired. In addition, if an existing loss exposure is neglected the chance of loss is reduced or eliminated
because the activity or product that could produce a loss has been abandoned. Abandonment, however,
may still leave the firm with a residual liability exposure from the sale of previous products.

Avoidance, however, has two major disadvantages. First the firm may not be able to avoid all losses. For
example, a company may not be able to avoid the premature death of a key executive. Second, it may
not be feasible or practical to avoid the exposure. For example, a paint factory can avoid losses arising
from the production of paint. Without paint production, however, the firm will not be in business.

Avoidance is one method of handling risk. For example, you can avoid the risk of being
mugged in a high-crime rate area by staying out of the area; you can avoid the risk of
divorce by not marrying; and a business firm can avoid the risk of being sued for a

defective product by not producing the product. Not all risks should be avoided, however.
For example, you can avoid the risk of death or disability in a plane crash by refusing to fly.
But is this choice practical or desirable? The alternatives driving or taking a bus or train
often are not appealing. Although the risk of a plane crash is present, the safety record of
commercial airlines is excellent, and flying is a reasonable risk to assume.

18
II. Loss prevention

Loss prevention refers to measures that reduce the frequency of a particular loss. For example, measures
that reduce truck accidents include driver examinations, zero tolerance for alcohol or drug abuse, and
strict enforcement of safety rules. Measures that reduce lawsuits from detective products include
installation of safety features on hazardous products, placement of warning labels on dangerous
products, and institution of quality control checks.
Loss prevention aims at reducing the probability of loss so that the frequency of losses is
reduced. Several examples of personal loss prevention can be given. Auto accidents can be
reduced if motorists take a safe-driving course and drive defensively. The number of heart
attacks can be reduced if individuals control their weight, give up smoking, and eat healthy
diets.
Loss prevention is also important for business firms. For example, strict security measures at
airports and aboard commercial flights can reduce hijacking by terrorists. Boiler explosions can
be prevented by periodic inspections by safety engineers; occupational accidents can be reduced
by the elimination of unsafe working conditions and by strong enforcement of safety rules; and
fires can be prevented by forbidding workers to smoke in a building where highly flammable
materials are used. In short, the goal of loss prevention is to prevent the loss from occurring.

III. Loss reduction

Loss reduction refers to measures that reduce the severity of a loss after it occurs. Examples include
installation of an automatic sprinkler system that promptly extinguishes a fire, segregation of exposure
units so that a single loss cannot simultaneously damage all exposure units, such as having warehouses
with inventories at different locations, rehabilitation of workers with job- related injuries and limiting
the amount of cash on the premises.
Strict loss-prevention efforts can reduce the frequency of losses, yet some losses will
inevitably occur. Thus, the second objective of loss control is to reduce the severity of a loss
after it occurs. For example, a department store can install a sprinkler system so that a fire will
be promptly extinguished, thereby reducing the loss; a plant can be constructed with fire-
19
 resistant materials to minimize fire damage; fire doors and fire walls can be used to prevent a
fire from spreading; and a community warning system can reduce the number of injuries and
deaths from an approaching tornado.
From the viewpoint of society, loss control is highly desirable for two reasons. First, the
indirect costs of losses may be large, and in some instances can easily exceed the direct costs.
For example, a worker may be injured on the job. In addition to being responsible for the
worker’s medical expenses and a certain percentage of earnings (direct costs), the firm may
incur sizable

indirect costs: a machine may be damaged and must be repaired; the assembly line may have to
be shut down; costs are incurred in training a new worker to replace the injured worker; and a
contract may be canceled because goods are not shipped on time. By preventing the loss from
occurring, both indirect costs and direct costs are reduced.

Second, the social costs of losses are reduced. For example, assume that the worker in the
preceding example dies from the accident. Society is deprived forever of the goods and services
the deceased worker could have produced. The worker’s family loses its share of the worker’s
earnings and may experience considerable grief and financial insecurity. And the worker may
personally experience great pain and suffering before dying. In short, these social costs can be
reduced through an effective loss control program.

20
 In conclusion, effective risk control techniques can reduce significantly the frequency and severity of claims

How is loss prevention different from loss reduction? Give some example of each.
Risk management purpose is to prevent and reduce the frequency and severity of potential losses. Loss
prevention programs promote avoidance of losses, measuring the loss frequency. Some examples are safety
programs implemented to prevent workplace injuries, fire detectors, burglar alarms, and other protective
devices to prevent losses caused by fire and theft. Insurance companies offer discounts to organization or
individuals taking loss prevention measures as incentive for their participation.
While, in loss reduction the scope of the programs limit the extent of losses, when they do happen. Decreasing
the severity, helps to minimize the impact of the loss in the organization. Examples, clear procedures and
warning signs postings, airbags in the vehicle, firewalls and fire doors.
Both risk controls are only justified when savings exceed loss..

B. Risk Financing

Risk financing is the determination of how an organization will pay for loss events in the most effective
and least costly way possible. Risk financing involves the identification of risks, determining how to
finance the risk, and monitoring the effectiveness of the financing technique that is chosen.Risk
financing refer to techniques that provide for the funding of losses after they occur. Major risk-financing
techniques include the following:-

 Retention

 Non-insurance transfers

 Commercial insurance

 Retention

Retention means that, all of the losses that can result from a given loss. An individual or a business firm
retains all or part of a given risk.
Retention can be either active or passive.
Active risk retention means that the firms aware of the loss exposure and plans to retain part or
all of it, such as collision losses to a fleet of company cars. Active risk retention means that an

21
individual is consciously aware of the risk and deliberately plans to retain all or part of it. For
example, a motorist may wish to retain the risk of a small collision loss by purchasing an auto
insurance policy with a $250 or higher deductible. A homeowner may retain a small part of the
risk of damage to the home by purchasing a homeowners policy with a substantial deductible. A
business firm may deliberately retain the risk of petty thefts by employees, shoplifting, or the
spoilage of perishable goods. In these cases, a conscious decision is made to retain part or all of
a given risk.

Active risk retention is used for two major reasons. First, it can save money. Insurance may not
be purchased at all, or it may be purchased with a deductible; either way, there is often a
substantial saving in the cost of insurance. Second, the risk may be deliberately retained
because commercial insurance is either unavailable or unaffordable.

Passive retention, however, is the failure to identify a loss exposure, failure to act, or forgetting to act.
For example, a risk manger may fail to identify all company assets that could be damaged in an
earthquake.

Risk can also be retained passively. Certain risks may be unknowingly retained because of
ignorance, indifference, or laziness. Passive retention is very dangerous if the risk retained has
the potential for destroying you financially. For example, many workers with earned incomes
are not insured against the risk of total and permanent disability under either an individual or
group disability income plan. However, the adverse financial consequences of total and
permanent disability generally are more severe than the financial consequences of premature
death. Therefore, people who are not insured against this risk are using the technique of risk
retention in a most dangerous and inappropriate manner.

In summary, risk retention is an important technique for handling risk, especially in a modern
corporate risk management program, however, is appropriate primarily for high-frequency, low-
severity risks where potential losses are relatively small. Except under unusual circumstances,
risk retention should not be used to retain low frequency, high-severity risks, such as the risk of
catastrophic medical expenses, long-term disability, or legal liability.

22
individual or group disability income plan. However, the adverse financial consequences of
total and permanent disability generally are more severe than the financial consequences of
premature death. Therefore, people who are not insured against this risk are using the technique
of risk retention in a most dangerous and inappropriate manner.

 Noninsurance Transfers: - Noninsurance transfers are another technique for handling

risk. The risk is transferred to a party other than an insurance company. A risk can be
transferred by several methods, among which are the following:
 Transfer of risk by contracts
 Hedging price risks
 Incorporation of a business firm
 Transfer of Risk by Contracts: Unwanted risks can be transferred by contracts. For
example, the risk of a defective television or stereo set can be transferred to the retailer by
purchasing a service contract, which makes the retailer responsible for all repairs after the
warranty expires. The risk of a rent increase can be transferred to the landlord by a long-term
lease. The risk of a price increase in construction costs can be transferred to the builder by
having a fixed price in the contract.
Finally, a risk can be transferred by a hold harmless clause. For example, if a manufacturer of
scaffolds inserts a hold-harmless clause in a contract with a retailer, the retailer agrees to hold
the manufacturer harmless in case a scaffold collapses and someone is injured.

 Hedging Price Risks: - Hedging price risks is another example of risk transfer.
Hedging is a technique for transferring the risk of unfavorable price fluctuations to a
speculator by purchasing and selling futures contracts on an organized exchange, such as the
Chicago Board of Trade or New York Stock Exchange.
 Incorporation of a Business Firm: - Incorporation is another example of risk transfer.
If a firm is a sole proprietorship, the owner’s personal assets can be attached by creditors for
satisfaction of debts. If a firm incorporates, personal assets cannot be attached by creditors for
payment of the firm’s debts. In essence, by incorporation, the liability of the stockholders is
limited, and the risk of the firm having insufficient assets to pay business debts is shifted to
the creditors.

23
 Insurance: - For most people, insurance is the most practical method for handling a major risk.
Although private insurance has several characteristics, three major characteristics should be
emphasized. First, risk transfer is used because a pure risk is transferred to the insurer. Second,
the pooling technique is used to spread the losses of the few over the entire group so that
average loss is substituted for actual loss. Finally, the risk may be reduced by application of the
law of large numbers by which an insurer can predict future loss experience with greater
accuracy.

Describe the advantages and disadvantages of using insurance as a loss-financing techniques.

Insurance use as a loss-financial technique provide financial advantage. Business write the insurance premiums
cost as a tax deduction expense. As long as the premiums are fix for the duration of the policy the budget is not. In
addition, when the organization loss frequency is low and severity probability is high, insurance provide the
require funds in case if loss. Which, will be impossible for some individuals and organization to provide on their
own.
For the contrary the loading change (fee to cover the incurred administrative expenses) can be expensive. Also,
the insurance sometime fails to meet demand providing limited protection, this insurance shortage can lead to
ineffective insurance regulations. As well as, for consumer with minimum loss experience, their premium will be
high, because their probability of loss is high.

24
 CHANGING TOOLS OF RISK MANAGEMENT

The changing tools in risk management are as under:

1. Risk management information systems (RMIS)

2. Risk management intranets and web sites
3. Risk maps, and
4. Value at risk (VAR) analysis.

1. Risk Management Information Systems (RMIS)

A key concern for risk managers is accurate and accessible risk management data. A risk
management information system (RMIS) is a computerized database that permits the risk
management to store and analyses risk management data and to use such data
to predict and attempt to control future loss levels. Risk management information
systems may be of great assistance to risk management in decision making.

2. Risk Management Intranets And Websites

An intranet is a website with search capabilities designed for a limited, internal audience.
For example, a software company that sponsors trade shows at numerous venues each
year might use a risk management intranet to made information available to interested
parties within the company. Through the intranet employees can obtain a list of
procedures to follow along with a set of forms that must be signed and filed before the
event can be held.

3. Risk Maps

Risk maps are grids detailing the potential frequency and severity of risks faced by the
organization. Construction of maps requires risk managers to analyze each risk that the
organization faces before plotting it on the map.

4. Value At Risk (VAR) Analysis

VAR is the worst probable loss likely to occur in a given time period under regular
market conditions at some level of confidence. The concept is often applied to portfolio
of assets, such as mutual fund, or a pension fund, and is similar to the concepts of
25
 ‗maximum probable loss‘, in traditional property and liability risk management. For
example, a mutual fund may have the Following VAR characteristics: there is a 5 percent
probability that the value of the portfolio may decline by Rs. 50,000 in a single trading
day. In this case, the most probable loss is Rs. 50,000, the time period is on trading day,
and the level of confidence is 95 percent. Based on a VAR estimate, the risk level could
be increased or decreased, depending on risk tolerance. Value at risk can also be
employed to examine the risk of insolvency for insurance.

Risk Management Tools & Techniques

The following are some of the best risk management tools and techniques that professional project
managers use to manage their projects against the inevitable risks, issues and changes.

1. Root Cause Analysis

The root cause is another way to say the essence of something. Therefore, root cause analysis is a
systematic process used to identify the fundamental risks that are embedded in the project. This is a tool
that says good management is not only responsive but preventative.

Often root cause analysis is used after a problem has already come up. It seeks to address causes rather
than symptoms. But it can be applied to assessing risk by going through the goals of any root cause
analysis, which ask: What happened? How did it happen? Why did it happen? Once those questions are
addressed, develop a plan of action to prevent it from happening again.

2. SWOT
SWOT, or strengths, weaknesses, opportunities, threats, is another tool to help with identifying risks. To
apply this tool, go through the acronym.

Begin with strengths and determine what those are as related to the project (though this can work on an
organization-level, too). Next, list the weaknesses or things that could be improved or are missing from
the project. This is where the likelihood of negative risk will raise its head, while positive risk come from
the identification of strengths. Opportunities are another way of referring to positive risks and threats are
negative risks.

26
Risk Register
Similar to the risk assessment template for IT is a risk register. Basically, what a risk register does is
identify and describe the list. It then will provide space to explain the potential impact on the project and
what the planned response is for dealing with the risk, if it occurs. Furthermore, the risk register allows a
project manager to prioritize the risk, assign an owner responsible for resolving it and gives a place to
add notes as needed.

The risk register is a strategic tool to control risk in a project. It works to gather the data on what risks the
team expects and then a way to respond proactively if they do show up in the project. It has already
mapped out a path forward to keep the project from falling behind schedule or going over budget. Pick
up a free risk register template here.

5. Probability and Impact Matrix

Another tool for project managers is the probability and impact matrix. It helps prioritize risk, which is
important, as you don’t want to waste time chasing a small risk and exhaust your resources. This
technique combines the probability and impact scores of individual risks and then ranks them in terms of
their severity. This way each risk is understood in context to the larger project, so if one does occur,
there’s a plan in place to respond or not.

6. Risk Data Quality Assessment

With a risk data quality assessment technique, project managers use data that has been collated for the
risks they’ve identified. This is used to then find the level to which information about the risk is relevant
to the project manager. It helps the project manager understand the accuracy, reliability, quality and
integrity of the risk as related to the collected data about it.

For each risk listed, the risk data quality assessment requires that the project manager determine the
extent of the understanding of the risk, collect what data is available, what the quality and reliability is
for that data and its integrity. It is only by examining these parameters of the risk can an accurate
assessment be reached.

7. Brainstorming
To begin the brainstorming process, you must assess the risks that could impact your project. This starts
with reviewing the project documentation, looking over historic data and lessons learned from similar
projects, reading over articles and organizational process assets. Anything that can provide insight into
issues that might occur during the execution of the project. Once you’ve done your research, start
brainstorming with anyone who might have insight.
27
 A variant of this is the Delphi technique, which is when a request is sent to experts and they reply
anonymously. Or the project manager can interview experts, team members, stakeholders and others with
experience in similar projects.

Failure of risk management system

Risk management has gained increased attention and interest in recent years,
both from industry professionals and academics. The main focus of thorough
risk management is the continuous identification and treatment of the
potential risks. Its objective is to add maximum continual value to all the
activities within the organization. In addition, in developed and emergent
countries, capital markets have become more significant and as a result,
nonfinancial corporations and banks have recognized that the number, type
and extent of their threat landscape and inherent risks have increased
significantly. Finally, a wave of unpredictable payment-related enhancements
can be considered both a source of risk and a method to mitigate.

Risk management has also gained attention considering the ongoing and
widely publicized failures having roots in its erroneous implementation. Risk
management failures prohibit organizations from meeting their goals, thus
determining repetitive – and sometimes of exponential magnitude – business
and project failures. Although the risk management approach varies among
firms, enterprise risk management is an organizational pivot point in
achieving corporate goals. Risk and performance are inevitably connected. By
establishing a reliable and controlled process for managing risks,
organizations can determine the predictability of their outcome. Enterprise
risk management enables enhanced decision-making, consequently enabling
significant cost savings. Additionally, if properly implemented, risk
management connects risks across various levels in the organization and, in
leveraging other processes such as program management, enables threat-to-
opportunity conversion.

While considering the valuable role of risk management, it is also essential to

understand the many circumstances in which risk management failures may
occur.

Enterprise risk management can adjust with the business hypothesis and
intensively help in overcoming potential business failures. In the risk
management failures and challenges literature, authors Matei et al. (2012)
emphasize that organizations fail because of unexpected losses created by
three main factors:

1. insufficient capital,
28
2. model errors and
3. risk ignorance.
Consequently, management system and risk mitigation may be unsuccessful
for more delicate and indirect reasons. At this point, there are three other
well-known reasons why risk management fails:

4. agency risk,
5. shifts or changes in the threat landscape and inherently in the
form of risk and
6. incremental failure.
Agency risk refers to the risk that a manager or employee, unintentionally or
decisively, does not succeed to pursue procedures intended to manage and
moderate risks. Next, there is often an affinity for risk to shift or change form.
Although an organization may moderate its risk by acquiring insurance, these
proceedings do not decrease systematic risk in the economy. Furthermore,
there is a tendency for risk management process to fail incrementally across a
long period of time. The incremental failure is frequently caused by an
extensive incubator duration coming from an evenly degradation of the risk
management processes that gather over a long period of time.

Once risks are identified and quantified, they must be inferred at the
organizational upper-management level. Inability to properly communicate
risks to the top management may cause overall risk management failure.
These failures are an indicator of unnecessary risk acceptance and/or
exposure. In the risk management failure literature, Stulz (2008) showed that
failures in risk management can be divided into six classes:

7. mismeasurement of known risks,

8. failure to take risks into account,
9. failure to communicate risks to top management,
10. failure to monitor risks,
11. failure to manage risks and
12. failure to use appropriate risk metrics or measurement
systems.
Risk management failures can be caused by the use of improper risk metrics,
which induces inaccurate measurements. A practical example is weather
forecasting. The most common risk metrics in modern risk management is
“Value at Risk” (VaR). Despite the fact that VaR has been proven to be a

29
quintessential risk measure, meaningfulness is directly dependent on the
quality of the associated answer and inherent question.

Taking into account the factors that may be accountable for risk management
failure, it is consequently appropriate to affirm that operators and operational
failure are the two main groups into which risk management failures may fall.

How to Avoid or Overcome these Failures

As discussed above, risk management failures can cause consequences for the
organization in both time and costs. Therefore, understanding the strategy of
how the organization is making profits and the risks inherent in the business
model is essential in order to avoid such failures. Subsequently, top
management must recognize empower and manage positions of trust; the
employees whose activities can subject the organization to considerable or
significant risk events must be carefully selected, trained and continuously
evaluated. Establishing responsibility for outcomes and building a procedure
for timely escalation – in addition to building a common risk language, shared
definitions, a common culture of risk awareness and comprehensible
procedures for measuring, monitoring, communicating and dealing with risks
– are some of the main things an organization should consider when targeting
a mature risk management approach.

Communication is another key process within any organization.

Communicate regularly about risks that are more complex to measure and for
which results cannot be forecasted with minimal confidence. Available,
defined and detailed risk appetite is vital when defining unacceptable risk
exposures.

Taking into consideration risk management failures, organizations should

consistently manage risks by identifying, assessing, evaluating, prioritizing
and monitoring them, continuously looking for opportunities to improve their
risk stance. Concrete plans to support these processes should be enforced top-
down.

30
POOLING OF RISK
A risk pool is one of the forms of risk management mostly practiced
by insurance companies. Under this system, insurance companies come together to form a
pool, which can provide protection to insurance companies against catastrophic risks such
as floods or earthquakes. The term is also used to describe the pooling of similar risks
that underlies the concept of insurance. It is basically like more than one insurance
companies coming together to form one. In insurance, the term "risk pooling" refers to
the spreading of financial risks evenly among a large number of contributors to the
program. Insurance is the transference of risks from individuals or corporations who
cannot bear a possible unplanned financial catastrophe to the capital markets, which can
bear them easily – at least in theory.
For any type of insurance coverage, some people and businesses are more likely to file
a claim at some point during the policy’s term. Whether the policy covers health care,
professional malpractice or loss of any other type, there will be some insured people
who are at a greater risk of needing that coverage. One definition of risk pooling could
be "a group formed by insurance companies to provide catastrophic coverage by sharing
costs and potential exposure." Risk pools help insurance companies offer coverage to
both high- and low-risk customers. They also lessen the risk borne by any single
insurance company by spreading it among many.

Risk pooling in insurance

Risk pooling in insurance means that there are many contributors to help spread the
financial risks from expensive claims more evenly.

Risk pooling is essential to the concept of insurance. The earliest known insurance policies
were written some 5,000 years ago, to protect shippers against the loss of their cargo and
crews at sea. Any one of them would be devastated by the loss of a ship. But by pooling
their resources, these ancient businessmen were able to spread the risks more evenly among
their numbers, so each paid a relatively small amount. Under the Babylonians, those
receiving a loan to fund a shipment would pay an additional amount in exchange for a rider
cancelling the loan if a shipment should be lost at sea.

The insurance industry grew enormously, as individuals and businesses sought to protect
themselves from economic catastrophe by transferring their risks to an insurance pool. We
still have commercial shipping insurance – just as we did in the ancient world – and we also

31
 insure against such diverse risks as fires, floods, theft, auto accidents, kidnap and ransom
schemes, defaults on the part of our debtors, lawsuits and judgments, dying too early and
even against the risk of living too long.

Benefits of Risk Pooling in Insurance

Individuals and businesses generally purchase insurance policies to protect themselves

against unusual but potentially costly damages and losses. The losses may be more or less
unlikely from a statistical perspective, but if the unfortunate event does occur, it could have
the potential to be financially catastrophic for the business or person in question. Some
types of insurance are required. For example, state governments require all drivers to
maintain adequate car insurance.

By creating risk pools, insurance companies help spread the risk and avoid the type of
massive payout required after a catastrophic loss. It is a form of risk management for
insurance companies. If a claim is made for reimbursement due to that catastrophic loss, the
participating insurance companies spread the loss among themselves. This helps protect
smaller claimants from being left uncovered due to their insurance company’s bankruptcy or
closure.

Transferring of risks:

A transfer of risk is a business agreement in which one party pays another to take
responsibility for mitigating specific losses that may or may not occur. This is the underlying
tenet of the insurance industry.

Risks may be transferred between individuals, from individuals to insurance companies, or

from insurers to reinsurers. When homeowners purchase property insurance, they are paying
an insurance company to assume various specific risks associated with homeownership.

When purchasing insurance, the insurer agrees to indemnify, or compensate, the policyholder
up to a certain amount for a specified loss or losses in exchange for payment.

 A transfer of risk shifts responsibility for losses from one party to another in return for
payment.
 The basic business model of the insurance industry is the acceptance and management of risk.
 This system works because some risks are beyond the resources of most individuals and
businesses.

Risk transfer is a common risk management technique where the potential loss from an
adverse outcome faced by an individual or entity is shifted to a third party. To compensate the
third party for bearing the risk, the individual or entity will generally provide the third party
with periodic payments.

32
 The most common example of risk transfer is insurance. When an individual or entity
purchases insurance, they are insuring against financial risks. For example, an individual who
purchases car insurance is acquiring financial protection against physical damage or bodily
harm that can result from traffic incidents.

 As such, the individual is shifting the risk of having to incur significant financial losses from a
traffic incident to an insurance company. In exchange for bearing such risks, the insurance
company will typically require periodic payments from the individual.

Methods of Risk Transfer

There are two common methods of transferring risk:

1. Insurance policy

As outlined above, purchasing insurance is a common method of transferring risk. When an

individual or entity is purchasing insurance, they are shifting financial risks to the insurance
company. Insurance companies typically charge a fee – an insurance premium – for accepting
such risks.

2. Indemnification clause in contracts

Contracts can also be used to help an individual or entity transfer risk. Contracts can include
an indemnification clause – a clause that ensures potential losses will be compensated by the
opposing party. In simplest terms, an indemnification clause is a clause in which the parties
involved in the contract commit to compensating each other for any harm, liability, or loss
arising out of the contract.

For example, consider a client that signs a contract with an indemnification clause. The
indemnification clause states that the contract writer will indemnify the client against
copyright claims. As such, if the client receives a copyright claim, the contract writer would
(1) be obliged to cover the costs related to defending against the copyright claim, and (2) be
responsible for copyright claim damages if the client is found liable for copyright
infringement.

Risk Transfer by Insurance Companies

Although risk is commonly transferred from individuals and entities to insurance companies,
the insurers are also able to transfer risk. This is done through an insurance policy with
reinsurance companies. Reinsurance companies are companies that provide insurance to

33
 insurance firms. Similar to how individuals or entities purchase insurance from insurance
companies, insurance companies can shift risk by purchasing insurance from reinsurance
companies. In exchange for taking on this risk, reinsurance companies charge the insurance
companies an insurance premium.

Risk Transfer vs. Risk Shifting

Risk transfer is commonly confused with risk shifting. To reiterate, risk transfer is passing on
(“transferring”) risk to a third party. On the other hand, risk shifting involves changing
(“shifting”) the distribution of risky outcomes rather than passing on the risk to a third party.

For example, an insurance policy is a method of risk transfer. Purchasing derivative contracts
is a method of risk shifting.

How does Risk Transfer Work?

1. One of the most common areas where risk transfer takes place is in the case of insurance. An

insurance policy can be defined as a voluntary arrangement between the individual or an

organization (policyholder) and an insurance company. A policyholder gets insured against

potential financial risks by purchasing an insurance policy from the insurance company.

2. The policyholder will need to make regular and periodic payments to the insurance company

for ensuring that his or her insurance policy is not getting lapsed on account of the failure of

making timely payments, i.e., premiums. A policyholder might choose from a variety of

insurance policies offered by various companies.

Summary

Managing your risk constitutes a major element of your financial plan. Risk management is an

important business practice that helps businesses identify, evaluate, track, and improve

the risk mitigation process in the business environment. Risk management is practiced by the

34
 business of all sizes; small businesses do it informally, while enterprises codify it. Businesses

want to ensure stability as they grow. Managing the risks that are affecting the business is a

critical part of this stability. Not knowing about the risks that can affect the business can result

in losses for the organization. Being unaware of a competitive risk can result in loss of market

share, being unaware of financial risk can result in financial losses, being aware of a safety

risk can result in an accident, and so on. Businesses have dedicated risk management

resources; small businesses may have just one risk manager or a small team while enterprises

have a risk management department. People who work in the risk management domain

monitor the organization and its environment. They look at the business processes being

followed within the organization and they look at the external factors which can affect the

organization one way or the other. A business that can predict a risk will always be at an

advantage. A business that can predict a financial risk will limit its investments and focus on

strengthening its finances. A business that can assess the impact of a safety risk can devise a

safe way to work which can be a major competitive advantage. If we think of the business

world as a racecourse then the risks are the potholes which every business on the course must

avoid if they want to win the race. Risk management is the process of identifying all the

potholes, assessing their depth to understand how damaging they can be, and then preparing a

strategy to avoid damages

Risk management standards

Risk Management Standards set out a specific set of strategic processes which start with the

overall aspirations and objectives of an organisation, and intend to help to identify risks and

promote the mitigation of risks through best practice. Standards are often designed and

35
 created by a number of agencies who are working together to promote common goals, to help

to ensure that organisations carry out high-quality risk management processes.

Risk management standards are like a guide to help ensure that risk management is carried out

in a proper way. Standards usually include checkpoints and examples, to make it really easy

for organisations to comply.

The ISO 31000 risk management standards framework includes:

 ISO 31000:2018 - Risk management - Guidelines

 ISO/TR 31004:2013 - Risk management - Guidance for the implementation of ISO 31000
 IEC 31010:2019 - Risk management - Risk assessment techniques
 ISO 31022:2020 - Risk management - Guidelines for the management of legal risk
 IWA 31:2020 - Risk management - Guidelines on using ISO 31000 in management
systems


These ISO standards are designed to help guide organisations with a number of different strands
of risk management.

As well as the popular ISO standards, FERMA has also produced its own risk management
standard, which offers guidance for the whole processes, from identifying risks, right through to
transferring some of that risk to another party.

36
37
38