Risk management is a structured approach to managing uncertainty related to a threat, through a sequence of human activities including risk assessment, the development of strategies to manage the risk, and mitigation of the risk using managerial resources.
The strategies include transferring the risk to another party, avoiding the risk, reducing the negative effect of the risk, and accepting some or all of the consequences of a particular risk.
Some traditional risk management focuses on risks stemming from physical or legal causes (e.g. natural disasters or fires, accidents, death and lawsuits). (www.whatisriskmanagement.net/) Financial risk management, on the other hand, focuses on risks that can be managed using traded financial instruments.
The objective of risk management is to reduce different risks related to a preselected domain to the level accepted by society. It may refer to numerous types of threats caused by the environment, technology, humans, organizations and politics. On the other hand, it involves all means available to humans or, in particular, to a risk management entity (person, staff, and organization).
In ideal risk management, a prioritization process is followed whereby the risks with the greatest loss and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled in descending order. In practice the process can be very difficult, and balancing between risks with a high probability of occurrence but lower loss versus a risk with high loss but lower probability of occurrence can often be mishandled.
Intangible risk management identifies a new type of risk - a risk that has a 100% probability of occurring but is ignored by the organization due to a lack of identification ability. (www.marquette.edu/riskunit/riskmanagement/whatis.shtml)
For example, when deficient knowledge is applied to a situation, a knowledge risk materializes. Relationship risk appears when ineffective collaboration occurs. Process-engagement risk may be an issue when ineffective operational procedures are applied. These risks directly reduce the productivity of knowledge workers, decrease cost effectiveness, profitability, service, quality, reputation, brand value, and earnings quality. Intangible risk management allows risk management to create immediate value from the identification and reduction of risks that reduce productivity.
Risk management also faces difficulties allocating resources. This is the idea of opportunity cost. Resources spent on risk management could have been spent on more profitable activities. Again, ideal risk management minimizes spending while maximizing the reduction of the negative effects of risks.
Question: How risk management affects different business functions
Business risk management can become a strategic competitive advantage if it is used to identify specific action steps that enhance performance and optimize risk.
It can also influence business strategy by identifying potential adjustments related to previously unidentified opportunities and risks. Used appropriately, ERM thus becomes a means of helping the organization shift its focus from crisis response and compliance to evaluating risks in business strategies proactively, to enhancing investment decision-making and to improving shareholder value. Organizations that develop an ERM framework for linking critical risks with business strategies can become highly formidable competitors in the quest to add value for shareholders.
Disaster Planning in the Private Sector: A Look at the State of Business Continuity in the U.S. 2005. http://www.att.com/presskit/_business_continuity
As business leaders seek new ways to build shareholder value, they have begun to think in new ways about how risk management is tied to value creation. Across industries and organizations, many are recognizing that risks are no longer merely hazards to be avoided but, in many cases, opportunities to be embraced. "Risk in itself is not bad," asserts Suzanne Lafarge, chief risk officer at Royal Bank of Canada. "What is bad is risk that is mismanaged, misunderstood, mispriced, or unintended." Indeed, many are realizing that risk creates opportunity, that opportunity creates value, and that value ultimately creates shareholder wealth.
How best to manage risk to derive that value has become the critical question.
In this context, business risk management has emerged as an important new business trend. BRM is a structured and disciplined approach aligning strategy, processes, people, technology, and knowledge with the purpose of evaluating and managing the uncertainties the business faces as it creates value. "Business-wide" means the removal of traditional functional, divisional, departmental, or cultural barriers. A truly holistic, integrated, future-focused, and process-oriented approach helps an organization manage all key business risks and opportunities with the intent of maximizing shareholder value for the business as a whole.
Leaders face a variety of new challenges in their drive to maximize value. Globalization, e-business, new organizational partnerships, and the increasing speed of business activity are rapidly changing and expanding the risks organizations face. One significant result is that risk management must now extend well beyond traditional financial and insurable hazards to encompass a wide variety of strategic, operational, reputation, regulatory, and information risks. As a means of identifying, prioritizing, and managing such risks across a business or division and linking them to value creation, BRM has the potential to provide organizations with a new competitive advantage.
Most organizations, however, are uncertain about how, exactly, to translate the concept of BRM into concrete action steps that will help them enhance shareholder value. Leaders agree that as important as BRM might be in theory, it will never be valuable in practice unless it enables organizations to use risk information to drive business value in a way they could not do otherwise.
Figure 10: ASIS Business Continuity Framework
ASIS International Web Site Business Continuity Guideline: A Practical Approach for Emergency Preparedness, Crisis Management, and Disaster Recovery. http://www.asisonline.org/guidelines/guidelines.htm
Business Impact Analysis - Applying the results of the risk assessment to the business area analysis to analyze the potential consequences/impacts of identified risks on the business and to identify preventive, preparedness, response, recovery, continuity and restoration controls to protect the business in the event of business disruption. Business impact analysis requires consideration of the following questions:
1. How do potential hazards impact business functions, sub-functions and processes?
2. What controls are currently in place?
Once risks have been identified, they must then be assessed as to their potential severity of loss and to the probability of occurrence. These quantities can be either simple to measure, in the case of the value of a lost building, or impossible to know for sure in the case of the probability of an unlikely event occurring. Therefore, in the assessment process it is critical to make the best educated guesses possible in order to properly prioritize the implementation of the risk management plan.
The fundamental difficulty in risk assessment is determining the rate of occurrence since statistical information is not available on all kinds of past incidents. Furthermore, evaluating the severity of the consequences (impact) is often quite difficult for immaterial assets. Asset valuation is another question that needs to be addressed. Thus, best educated opinions and available statistics are the primary sources of information. Nevertheless, risk assessment should produce such information for the management of the organization that the primary risks are easy to understand and that the risk management decisions may be prioritized. Thus, there have been several theories and attempts to quantify risks. Numerous different risk formulae exist, but perhaps the most widely accepted formula for risk quantification is
http://www.pwc.com/en_US/us/risk-performance/assets/pwc-risk-performance-2009.pdf
Question: Evaluation of methods of assessing risk in business
Management can derive considerable power from augmenting its knowledge about risk likelihood and impact. Through this process they will make judgments on the likelihood and impact of various risks, creating an analysis such as that depicted above. Once such an analysis is done, some risks will require no action, but when a risk has a potentially high likelihood and substantial impact (such as those in the upper right quadrant), management should take action to move that risk into an acceptable range or even eliminate it altogether, based on a risk/return analysis of the effects of such action on the entire organization. Risks in the lower left quadrant may be candidates for reduced controls.
Strategic Risk
Strategic risk is the current and prospective impact on earnings or capital arising from adverse business decisions, improper implementation of decisions, or lack of responsiveness to industry changes. This risk is a function of the compatibility of an organization's strategic goals, the business strategies developed to achieve those goals, the resources deployed against these goals, and the quality of implementation. (www.strategic-risk.eu/) The resources needed to carry out business strategies are both tangible and intangible.
Operational Risk
Operational risk encompasses a wide range of risks that can interfere with achieving business objectives.
It often stems from deep within the heart of the business, in its systems, procedures, or management controls and practices. In simple words, operational risk is the risk of doing the right things the wrong way.
http://www.deloitte.com/view/en_GR/gr/services/enterprise-risk-services/risk-consulting-services/operational-risk-assessment/index.htm
Reputation Risk
Reputational risk, often called reputation risk, is a type of risk related to the trustworthiness of a business. Damage to a firm's reputation can result in lost revenue or destruction of shareholder value, even if the company is not found guilty of a crime. Reputational risk can be a matter of corporate trust, but it also serves as a tool in crisis prevention.
http://en.wikipedia.org/wiki/Reputational_risk
Regulatory or Contractual Risk
Regulatory risk differentiation is the process used by a regulatory authority (the regulator) to systemically treat entities differently based on the regulator's assessment of the risks of the entity's non-compliance.
Financial Risk
Financial risk is the possibility that shareholders will lose money when they invest in a company that has debt, if the company's cash flow proves inadequate to meet its financial obligations. When a company uses debt financing, its creditors will be repaid before its shareholders if the company becomes insolvent.
http://www.investopedia.com/terms/f/financialrisk.asp#axzz2JKzi92hw
Financial risk also refers to the possibility of a corporation or government defaulting on its bonds, which would cause those bondholders to lose money.
Market Risk
This is the risk which results from adverse movements in the prices of interest rate instruments, stock indices, commodities, currencies, etc.
Interest rate risk arises when the income of a company is sensitive to interest rate fluctuations. Consider a company which is going to be in need of funds a few months from now. If interest rates go up in the intervening period, the firm will be at a disadvantage. Similarly, if the company is going to have surplus funds a couple of months from now and interest rates fall, the firm will incur a loss.
Currency risk is the uncertainty about the value of foreign currency assets, liabilities and operating incomes due to fluctuations in exchange rates. Consider an Indian importer who has to make a dollar payment a few weeks from now. If the dollar appreciates during the intervening period, the importer will incur a loss.
Commodity risk is the uncertainty about the value of widely used commodities such as gold, silver, etc. Equity risk is the uncertainty about the value of the ownership stakes a firm has in other companies, real estate, etc.
Question: Evaluation of approaches to managing risk in business
Once risks have been identified and assessed, all approaches to manage the risk fall into one or more of these four major categories:
• Avoidance (elimination)
• Reduction (mitigation)
• Retention (acceptance)
• Transfer (buying insurance)
Ideal use of these strategies may not be possible. (http://en.wikipedia.org/wiki/Risk_management) Some of them may involve trade-offs that are not acceptable to the organization or person making the risk management decisions.
Risk avoidance
Includes not performing an activity that could carry risk. An example would be not buying a property or business in order to not take on the liability that comes with it. Another would be not flying in order to not take the risk that the airplane might be hijacked. Avoidance may seem the answer to all risks, but avoiding risks also means losing out on the potential gain that accepting (retaining) the risk may have allowed. Not entering a business to avoid the risk of loss also avoids the possibility of earning profits.
Risk reduction
Involves methods that reduce the severity of the loss or the likelihood of the loss from occurring. Examples include sprinklers designed to put out a fire to reduce the risk of loss by fire. This method may cause a greater loss by water damage and therefore may not be suitable.
Modern software development methodologies reduce risk by developing and delivering software incrementally. Early methodologies suffered from the fact that they only delivered software in the final phase of development; any problems encountered in earlier phases meant costly rework and often jeopardized the whole project. By developing in iterations, software projects can limit effort wasted to a single iteration.
Risk retention
Involves accepting the loss when it occurs. True self-insurance falls in this category. Risk retention is a viable strategy for small risks where the cost of insuring against the risk would be greater over time than the total losses sustained. (http://en.wikipedia.org/wiki/Risk_management) All risks that are not avoided or transferred are retained by default. This includes risks that are so large or catastrophic that they either cannot be insured against or the premiums would be infeasible. War is an example, since most property and risks are not insured against war, so the loss attributed to war is retained by the insured. Also, any amount of potential loss (risk) over the amount insured is retained risk. This may also be acceptable if the chance of a very large loss is small or if the cost to insure for greater coverage amounts is so great it would hinder the goals of the organization too much.
Risk transfer
Means causing another party to accept the risk, typically by contract or by hedging. Insurance is one type of risk transfer that uses contracts. Other times it may involve contract language that transfers a risk to another party without the payment of an insurance premium. Liability among construction or other contractors is very often transferred this way. On the other hand, taking offsetting positions in derivatives is typically how firms use hedging to financially manage risk.
http://en.wikipedia.org/wiki/Risk_management