Growing uncertainty across the global economy over the past few years has had a major effect on how organisations and individuals relate and operate. Organisations that used to run smoothly on forecasts and projections now refrain from making business judgements solely on those tools; the focus is to wrap those practices in well-defined risk management.
Risk is the form in which uncertainty reaches an organisation, so companies increasingly focus on identifying risks and managing them before they affect the business. Risks are managed even when they arise outside the organisation itself, as in supply-chain risk management. The ability to manage risk lets companies act more confidently on future business decisions, and sound knowledge of those risks gives an organisation options for dealing with potential problems.
Risk management is closely linked to an organisation's objective setting. Objectives relate to the future, and the future carries uncertainties that can favourably or unfavourably affect their achievement. When an organisation defines its objectives without taking these uncertainties into account, the chances are that direction is lost and failure follows.
In recent years many organisations have therefore added a risk management function to their organisation structure. Its role is to identify risks, devise strategies to guard against them, execute those strategies, and create an organisational culture that is responsive to risk.
ISO 31000:2018 defines risk as the effect of uncertainty on objectives. Risk is therefore inherently uncertain: it relates to a future about which there is inadequate knowledge of the possible event, of its consequences, or of the likelihood of the event happening.
As with many disciplines, risks need to be managed, hence the term risk management: the coordinated activities to direct and control an organisation with regard to risk.
In normal business operations risk management needs to be integrated throughout the organisation: upwards, downwards and across it. This leads to enterprise risk management, a strategic business discipline that supports the achievement of organisational objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as interrelated risk portfolios.
There is no single globally accepted classification of risks. Risks have been classified as internal or external, and as short-term, medium-term or long-term depending on the period in which they occur. Risks can also be classified into four types: hazard, control, opportunity and compliance risks.
Hazard risks are risks that have only negative outcomes, and organisations try to reduce their occurrence to acceptable tolerance levels. The focus with hazard risks is mitigating the potential impact. Preventive controls are put in place, such as maintenance and testing programmes for life-support machines in hospitals, and response controls are established to warn of the negative impact should it occur. An alarm system in an elevator is a good example of a response control: it alerts others when the elevator stalls several floors above the ground.
Control risks introduce uncertainty about an outcome and are in most cases difficult to quantify. They are managed to ensure that the outcome of a given activity falls within the desired range. Control risks are usually found in project management, where managing them helps ensure that projects are completed to specification, within the stipulated time and at the budgeted cost.
Organisations take opportunity risks in an attempt to achieve an expected favourable outcome. Opportunity risks are speculative in nature: they are driven by the appetite for seizing business opportunities and the willingness to invest in them in the hope of good returns. They can have either favourable or unfavourable outcomes.
Compliance risks vary by business sector and regulatory requirements. Unlike hazard, control and opportunity risks, it is possible in principle to have zero compliance risk, by complying fully. Most financial institutions, insurers and gambling organisations operate in highly regulated environments, so compliance risk management is critical for them.
Risk management follows a general approach to achieving the objectives that have been set. It can be expressed as a systematic series of questions; in answering them, risk is managed.
Q1 The first question is what needs to be achieved. This is where the objectives are set; there can be no meaningful risk management without knowing what the organisation is trying to achieve. The organisation therefore establishes the risk context by defining the external context, the internal context, the risk management context and the risk criteria.
Q2 The second question is what can affect the achievement of the objectives established in the first question. This is the risk identification stage of the risk management process: there is no risk management without first identifying the risks that can affect the objectives. Risk identification, together with risk analysis and risk evaluation, forms the risk assessment part of risk management.
Q3 The third question is which of the identified causes are the big ones. This is risk prioritisation, since not all identified risks are important or have a material effect on the achievement of the objectives, and it is the risk analysis stage of the process. The question also classifies the possible causes by severity, which is the analysis of likelihood and the resulting impact.
Q4 The fourth question is what should be done. This is where risks are managed by creating effective responses. There are five possible responses, commonly known as the 5Ts.
T1 Tolerate. The exposure is accepted with no further action, either because it sits within the set tolerance levels or because a cost-benefit analysis shows that treating it is not worthwhile. In some cases risk treatment goes ahead without reference to cost-benefit analysis, such as when a government spends resources on preventing a risk even though the cost of prevention outweighs the benefit. Even for tolerated risks, there must be measures in place that trigger a response when a risk surpasses its tolerance level. Organisations tolerate a risk when both likelihood and impact are low.
T2 Treat. Identified risks are reduced to acceptable levels through controls, while the organisation continues the activity that gives rise to the risk. Treatment is common where the likelihood is high and the impact is low.
T3 Transfer. Risks are transferred to other parties who take them on in exchange for premium payments. These are in most cases insurance arrangements, and in some cases forward contracts and guarantees. Even where a third party takes on a risk, some risks cannot be transferred, reputation risk being one. Transfer is used mostly where the impact is high but the likelihood is low.
T4 Terminate. Some risks can only be treated by termination: the activity that gives rise to the risk is stopped. Termination is common where both the likelihood of occurrence and the resulting impact are high.
T5 Take the opportunity. Taking the opportunity is not an alternative to the other four Ts but a consideration when addressing them. It is the upside of risk and matters when considering investment options.
Q5 The fifth question is whether the responses worked: the risk review compares the actual outcomes with the desired outcomes against the accepted tolerance levels. The effectiveness of risk management is determined here, and corrective measures are taken.
Q6 The sixth question is who to communicate with. Effective risk management embraces good reporting, appropriate to the organisation's structure. Reports go to the board, the audit committee, the executive committee, the risk management committee, the disclosures committee and divisional management. Internal audit, as the third line of defence, is also an important risk reporting unit in an organisation.
Q7 The seventh question is what could have changed. This involves updating the current risks: some will have been managed and ceased to exist, some will have changed in likelihood and impact or moved from short term to long term, and new ones may have emerged. Risk updates are done effectively through risk register reviews on a regular basis.
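The analysis (Q3), response (Q4) and review (Q7) steps, together with the T1 rule that a tolerated risk needs a trigger when it drifts past its tolerance level, are easiest to see on a concrete risk register. The script below is an added example written for this page, not code from the original article or from ISO 31000. The 1-to-5 likelihood and impact scales, the HIGH and TOLERANCE thresholds, the quadrant-to-response mapping and the register entries are all constructed assumptions for illustration; a real organisation sets its own criteria in the Q1 context step.

```python
"""Risk register: severity scoring (Q3), 5T response suggestion (Q4),
tolerance escalation (T1) and register review delta (Q7).
Scales, thresholds and entries are assumptions made for this example."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    id: str
    description: str
    likelihood: int  # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int      # 1 (negligible) .. 5 (severe), assumed scale


HIGH = 4        # assumption: likelihood or impact >= 4 counts as "high"
TOLERANCE = 6   # assumption: a score <= 6 is within risk appetite


def score(risk: Risk) -> int:
    """Q3: severity as likelihood x impact."""
    return risk.likelihood * risk.impact


def prioritise(register: list[Risk]) -> list[Risk]:
    """Q3: most severe first; ties broken by id so reports are stable."""
    return sorted(register, key=lambda r: (-score(r), r.id))


def suggest_response(risk: Risk) -> str:
    """Q4: map the likelihood/impact quadrant to one of the four Ts.
    'Take the opportunity' is a consideration on top of these, not an
    alternative, so it is not returned here."""
    if score(risk) <= TOLERANCE:
        return "Tolerate"                       # low likelihood, low impact
    high_l = risk.likelihood >= HIGH
    high_i = risk.impact >= HIGH
    if high_l and high_i:
        return "Terminate"                      # both high: stop the activity
    if high_i:
        return "Transfer"                       # high impact, low likelihood
    return "Treat"                              # high likelihood or moderate both ways


def review_delta(previous: list[Risk], current: list[Risk]) -> dict[str, list[str]]:
    """Q7: which risks are new, which were closed, which changed rating."""
    prev = {r.id: r for r in previous}
    cur = {r.id: r for r in current}
    changed = [i for i in cur.keys() & prev.keys()
               if (cur[i].likelihood, cur[i].impact)
               != (prev[i].likelihood, prev[i].impact)]
    return {"new": sorted(cur.keys() - prev.keys()),
            "closed": sorted(prev.keys() - cur.keys()),
            "changed": sorted(changed)}


def escalations(previous: list[Risk], current: list[Risk]) -> list[str]:
    """T1 trigger: risks tolerated at the last review whose score now
    exceeds the tolerance level and therefore need a fresh response."""
    prev = {r.id: r for r in previous}
    return sorted(r.id for r in current
                  if r.id in prev
                  and suggest_response(prev[r.id]) == "Tolerate"
                  and score(r) > TOLERANCE)


# Constructed registers from two successive reviews (hypothetical entries).
PREVIOUS_REGISTER = [
    Risk("R1", "Ransomware encrypts file servers", 3, 5),
    Risk("R2", "Phishing leads to credential theft", 5, 3),
    Risk("R3", "Legacy FTP server exposed to the internet", 4, 4),
    Risk("R4", "Printer firmware out of date", 2, 2),
]
CURRENT_REGISTER = [
    Risk("R1", "Ransomware encrypts file servers", 2, 5),      # backups improved
    Risk("R2", "Phishing leads to credential theft", 5, 3),
    Risk("R4", "Printer firmware out of date", 3, 3),          # drifted upward
    Risk("R5", "Unmanaged SaaS used by finance team", 3, 3),   # newly identified
]                                                              # R3 decommissioned


def report(previous: list[Risk], current: list[Risk]) -> str:
    """Assemble the review output as text for the reporting step (Q6)."""
    lines = [f"{r.id} score={score(r):2d} {suggest_response(r):9s} {r.description}"
             for r in prioritise(current)]
    delta = review_delta(previous, current)
    lines.append(f"new={delta['new']} closed={delta['closed']} changed={delta['changed']}")
    lines.append(f"escalations={escalations(previous, current)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(PREVIOUS_REGISTER, CURRENT_REGISTER))
```

Running the script lists the current register in severity order with a suggested T for each entry, then the Q7 delta (R5 new, R3 closed, R1 and R4 re-rated) and the escalation list, in which R4 appears because it was tolerated last time and its new score of 9 exceeds the assumed tolerance of 6. The quadrant mapping is the one the 5Ts text gives; anything above tolerance that is neither high-likelihood nor high-impact defaults to Treat, which is a design choice of this example rather than a rule from the page.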
In conclusion, risk management has become a core component of the management of every organisation. Global complexity, the increasing pace of technological change and competition are the key drivers that make risk management critical to every organisation that wants to remain competitive in a dynamic global market.
“A ship in harbor is safe, but that is not what ships are built for.” (John A. Shedd)