
Risk Management

SCRM Lecture 8

Risk and uncertainty


Risk is uncertainty that matters.
So how can we decide whether a particular uncertainty matters or not? The key is to focus on objectives.
Conversely, poor risk management will reduce the likelihood of success.
Risk is uncertainty that, if it occurs, will affect achievement of objectives.

Risk and uncertainty (Cont.)


Alignment
Successful identification and management of uncertainties that matter is essential for success across the business at every level.
Figure 1.1 Hierarchies of objectives, risks, and risk management

Risk, threat and opportunity


One further key concept arises from the idea that risk is uncertainty that matters.
Not everything that matters is bad.
In recent years there has been an increasing realization that risk is a double-sided concept, with upside and downside risks, positive and negative impacts, adverse and beneficial outcomes (Hillson, 2004).
Risk is uncertainty that, if it occurs, will have a positive or negative effect on achievement of objectives.

What is risk management?


Question | ISO 31000 (ISO, 2009a) | OGC M_o_R (OGC, 2010) | IRM Risk Standard (IRM/ALARM/AIRMIC, 2002)
What are we trying to achieve? | Establishing the context | Identify context |
What could affect us? | Risk identification | Identify risks | Risk identification; Risk description
Which are most important? | Risk analysis; Risk evaluation | Assess | Risk estimation; Risk evaluation
What shall we do about them? | Risk treatment | Plan | Risk treatment
Did it work? | | Implement |
Who shall we tell? | Communication and consultation | Communicate | Risk reporting
What has changed? | Monitoring and review | Embed and review | Monitoring and review
What did we learn? | | |

Table 1.1 Mapping generic questions to risk management standards

Figure 1.2 Mapping generic questions to ISO 31000:2009 risk process

Why does risk management matter?


The reason that risk management matters derives directly from our definition
of risk which links it to objectives. If risk matters because it has the potential
to affect achievement of our objectives (either positively or negatively), then
risk management matters equally.
Our ability to manage those uncertainties that matter will have a direct
bearing on our ability to succeed.
Indeed risk management capability is a key competitive discriminator, since
organizations that are able to recognize and manage risk effectively will have
fewer problems and failures than their less competent rivals, as threats will
have been avoided or minimized before they could impact the business.
The competitive advantage is reinforced when the risk process is used to
identify and capture opportunities proactively, creating additional benefits and
more value than is available to more reactive organizations who are likely to
miss the chance to operate faster, smarter or cheaper.

Enterprise Risk Management
Enterprise Risk Management (ERM) is an essential tool in
helping to bring more understanding of those risks; it
enables the organization to be more prepared, more
resilient to change and more ready to minimize threats
and to seize opportunities.

Why does Enterprise Risk Management matter?

Survival and uncertainty


The primary objective for most organizations is survival.
Survival of businesses is increasingly becoming more affected by uncertainty:
today's global economy has been proven to be vulnerable to the interconnected globalization that joins businesses and service providers from one end of the world to another;
goods and services are more and more interdependent;
reputations and brands can be destroyed in minutes;
our reliance on technology opens businesses to greater dependence and vulnerability on the net;
climate change and resultant lack of land, food and water drive heavier burdens on the most vulnerable.
Each of these uncertainties can bring with them threats as well as opportunities: threats where the organization is unprepared for the changes that may come about and opportunities for those who can predict and exploit the results of the uncertainties.

Survival and uncertainty (Cont.)


For organizations across the world, strategic decision making in the context of all this turmoil is about making risk decisions:
to expand or to contract,
to sell or to buy,
to engage or to release,
to change or to stay the same,
etc.

These decisions all need an understanding of a wide range of risks and of the capacity of the organization to

Level at which risk is managed


Despite a wide awareness of uncertainty, risk management often
happens so far down the organization that the business leaders rarely
understand it; they do not think it applies to them, nor do they have
mastery over the powerful risk management skills that they could apply
to their everyday jobs. Many of the great failures in business and public
services have happened and continue to happen because of a failure in
senior management and boards to engage in and commit to risk
management.
Enterprise Risk Management needs to be a top-level concern with top
management having ERM skills and risk professionals who are hard-wired
into strategic decision making and planning, advising on the threats and
opportunities to which the business is exposed and alerting top
management when the aggregate or individual risk areas might be
outside the stated risk appetite.

Enterprise risk appetite, capacity and tolerance
Risk has a different meaning to each organization or individual because each has a different perception of the opportunity and the threat depending on their tendency to take risk or to avoid it.
Risk appetite framework triggers innovation.
Within a risk appetite framework, an organization needs to take into consideration aspects of risk seeking versus risk avoidance.
Capacity - the ultimate ability of the organization to bear risk
Tolerance - is about preference, the risks that an

What is Enterprise Risk Management?

Rather than sitting aside from other areas of risk management, ERM should be an overarching methodology that pulls together and creates intelligence for the organization in order to aid in strategic decision making.

Top-level engagement
The Risk and Insurance Management Society has identified seven characteristics that give some insight into their definition of Enterprise Risk Management:
Encompasses all areas of organizational exposure to risk (financial, operational, reporting, compliance, governance, strategic, reputational, etc.).
Prioritizes and manages those exposures as an interrelated risk portfolio rather than as individual silos.
Evaluates the risk portfolio in the context of all significant internal and external environments, systems, circumstances and stakeholders.
Recognizes that individual risks across the organization are interrelated and can create a combined exposure that differs from the sum of the individual risks.
Provides a structured process for the management of all risks, whether those risks are primarily quantitative or qualitative in nature.
Views the effective management of risk as a competitive advantage.
Seeks to embed risk management as a component in all critical decisions throughout the organization.

What is Enterprise Risk Management? (Cont.)
Managed risk taking
There are two other issues to consider: the definition of risk in quarters other than enterprise wide, which tend to think along lines of ability to control risk, and for the top management team to exercise oversight. When we are looking at risk on an enterprise-wide basis, we are looking at the organization's ability to take managed risk as opposed to being able to exercise control (Taylor, 2014).

Figure 2.1 Risk taking versus risk control

How is enterprise risk managed?
Value drivers - knowledge, capital, cash flow and liquidity, and reputation/goodwill etc.
Design - Understand organizational structure, behavior, stakeholders, internal & external environment etc.

the organization's overall risk culture;
how risk appetite may have influenced the design of existing tools;
how the organization has reacted to past risk events and issues;
how stakeholders have reacted to past risk events and issues;
the drivers and policies;
other organizational information such as the organization's performance expectations and actual performance.

How is enterprise risk managed? (Cont.)
Implementation - Plan/Do/Check/Act
Embedding - Embedding Enterprise Risk Management requires more than a change of culture; it requires the right people to take ownership of their part in the process.
Communication - The communication of risk is only one factor in the monitoring of outputs but is a good driver for a focused

How does Enterprise Risk Management fit?
an overarching methodology it could be seen as the wheel of a ship (see Figure 2.3), where governance and audit provide the structure for the framework led by Enterprise Risk Management.
Figure 2.3 The hub, spokes and wheel of types of risk management that make up the Enterprise Risk Management programme
