Be Able to Understand the Basics of Risk Management. In this article I will help you to be able to understand the concept of risk, roles and responsibilities for risk management, and risk management tools and models.
The meaning of risk management to an organisation
What is a risk?
The definition of a risk as found in the literature:
- “A risk is an uncertain event or set of events that, should it occur, will have an effect on the achievement of objectives.”(Office of Government Commerce, 2009)
- “Uncertainty of outcome, whether positive opportunity or negative threat, of actions and events. It is the combination-nation of likelihood and impact, including perceived importance.”(HM Treasury, 2004)
- “A risk is the likelihood of a threat agent taking advantage of vulnerability and the corresponding business impact.”(Hintzbergen, Hintzbergen, Smulders, & Baars, 2010)
- “The Software Engineering Institute (SEI) defines risk as the possibility of suffering loss.”
- (Williams, Pandelios, & Behrens, 1999)
- “Risk can be defined as the combination of the probability of an event and its consequences” (ISO/IEC Guide 73). (The Institute of Risk Management, 2002)
- “Risk: effect of uncertainty on objectives”(International Organization for Standardization, 2009)
- “Risk: combination of the probability of occurrence of harm and the severity of that harm”(International Organization for Standardization, 2007)
The common definition for a risk based on the literature is:
A risk is something that might happen. It has a probability (or likelihood) of happening and if it does there will be a certain impact (may be positive or negative).
What is risk management?
Risk taking is inevitable for an organization when it wants to achieve her objectives. Effective risk management can improve performance against strategic objectives.
Risk management is a systematic approach to manage risk. The aim is to get a good understanding of individual risks and the overall exposure of the risks.
Risks are not only threats (problems) but also potential opportunities that give a company with a good risk management a competitive advantage.
The increased focus given to corporate governance and internal control, due to high-profile collapses of major organizations, is a major factor towards a more formalized approach of risk management.
The principle of risk management is defined in the UK Corporate Governance Code (The Financial Reporting Council Limited, 2010) as:
“The board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives. The board should maintain sound risk management and internal control systems.”
Effective risk management contains the following principles:
- Aligns with objectives from the strategic perspective (enabler)
- Fits the external (like sector, markets, locations, technologies, regulatory) and internal (like culture, formal and informal structures, relationships between stakeholders) context (enabler)
- Engages stakeholders (enabler)
- Provides clear guidance (enabler)
- Informs decision making (enabler)
- Facilitates continual improvement (enabler)
- Create a supportive culture (enabler)
- Achieves measurable value (result):
· reduce waste/rework
· increase client/user confidence
· improve regulator performance
The roles and responsibilities for risk management at senior management level
Senior team (the board, executive team, steering group)
Write, own and assures the risk management policy
Defines the overall risk appetite
Reviews risk management strategy
Monitors risk profile
Monitors and acts on escalated risks
Senior Responsible Owner (SRO)
Ensures that appropriate governance and internal controls are in place
Ensures risk management strategy exist
Defines/monitors risk tolerances
Ensures that risk management policy is implemented
Owns and manages escalated risks
Manager (project, operations, line)
Ensures that risk register, risk review process and escalation process are in place
Validates risk assessments
Identifies the need for investment to fund risks
Own individual risks
Escalates or delegates risk
Assures that risk accountability exist
Assures compliance with guidance and internal control
Review progress, plans and results
Participates in the identification, assessment, planning and management of threats and opportunities
Understand the risk management policy and how it affects them
Implements the risk management policy within their areas of responsibility
Escalates risks as necessary
Some risk management models
A risk model is a simplified representation of a real business situation and involves a process where outcomes are explained based on a range of inputs.
Commonly used risk models are:
Monte Carlo simulation
Generates a number at random for each element of the model within the constraints of the probability distribution (commonly triangular, beta, discrete or uniform) and weights this number in accordance with the probability of the risk occurring
Can also be used to model alternative strategies or scenarios
Graphical representations of possible events resulting from various circumstances
Study how varying one input in a model alters the outcome, what if analysis.
What’s your best advice to help to understand the Basics of Risk Management?
Author: Rieco de Jong (All Rights Reserved by the author).
Source: Original text, based upon first hand knowledge and the following bibliography:
· Hintzbergen, J., Hintzbergen, K., Smulders, E., & Baars, H. (2010). Foundations of Information Security. Based on ISO27001 and ISO27002. Zaltbommel: Van Haren Publishing.
· HM Treasury. (2004). The Orange Book. Management of Risk – Principles and Concepts. London: The Stationery Office (TSO).
· International Organization for Standardization. (2007). ISO 14971: Medical devices — Application of risk. Geneva: International Organization for Standardization.
· International Organization for Standardization. (2009). ISO 31000: Risk management — Principles and guidelines. Geneva: International Organization for Standardization.
· Office of Government Commerce. (2009). Managing Successful Projects with PRINCE2 2009 Edition. London: The Stationery Office (TSO).
· The Financial Reporting Council Limited. (2010). The UK corporate governance code. London: The Financial Reporting Council Limited.
· The Institute of Risk Management. (2002). A Risk Management Standard. London: The Institute of Risk Management.
· Williams, R., Pandelios, G., & Behrens, S. (1999). Software Risk Evaluation (SRE) Method Description (Version 2.0). Pittsburgh, PA: Carnegie Mellon University, Software Engineering Institute.