4
FUNDAMENTALS OF MANAGING RISKS www.pecb.com When Recognition Matters
FUNDAMENTALS OF MANAGING RISKS
www.pecb.com
When Recognition Matters
To understand the nature of risk, first we must begin with an understanding of its definition. Even though there are many ways to define the term risk, it can be identified as the product of the probability of an event and its consequences or costs (ISO/IEC Guide 73:2009). Essentially risk is the effect of uncertainty on objectives. This effect represents a deviation from expectations and can be either positive or negative; hence risk has an upside, gain or opportunity, and a downside or the possibility of loss. Moreover, ISO 31000 states that organizations of all types and sizes face internal and external factors and influences that make them uncertain whether and when they will achieve their objectives. The effect of this uncertainty on an organization's objectives is risk.
Risk is capable of, and may affect an organization in the short, medium and long term. Generally, risks are inherently related to operations, plans and strategies, respectively. Accordingly, risk management is a vital element of the strategic management of any business or organization. It is the process whereby organizations systematically approach the risks germane to their activities. Risk management also increases the probability of success and accomplishments, and reduces both the level of uncertainty and the probability of failure.
The initial step towards producing an effective and value added risk management system is to recognize the different types of risks that organizations face. These risks can be classified into three categories, each of which requires a particular risk-management approach.
CATEGORY I: PREVENTABLE RISKS
Preventable risks, also known as internal risks, originate inside the company or organization and usually can be managed cost effectively. Some examples are the risks from unauthorized managers, employee fraud, illegal and unethical activities, inappropriate actions and the risks from possible interruptions in daily operational processes. These risks are best handled by active and ongoing prevention such as keeping track of operational processes, having meticulous employee recruitment and selection system, educating and managing employees’ performance.
Some of the companies which have failed into controlling preventable risks include: Siemens Bribery and Corruption Scandal: 2007-09, Société Générale- The Jérôme Kerviel Affair; Atlanta Public School System; BP in its 2010 Deepwater Horizon accident in the Gulf of Mexico.
//////////////////////////////////////////////////////////////////////////////////////////////////////
FUNDAMENTALS OF MANAGING RISKS2 FEBRUARY 2016FEBRUARY 2016
FUNDAMENTALS OF MANAGING RISKS
CATEGORY II: STRATEGY RISKS
With the aim of making higher returns from the chosen strategy, companies willingly recognize and allow some risks, depending on their risk appetite or tolerance for risk taking. Such risks are called strategy risks and differ relatively from preventable risks since they are not intrinsically uninvited. The strategies with high estimated returns usually involve the company embracing considerable risks, and the decision to undertake these risks is usually a key indication of the possible earning or potential gains. Strategy risks may be caused from outside or inside the company; they are not inherent but arise because of the entity’s decision to pursue a certain path. Once they are recognized and comprehended, the company can devise and conceive an efficient strategic risk mitigation plan. Recently, a major change and continually increasing trend is the number of companies that are adding strategy risk analysis into their whole business strategy and planning processes. This approach is paying off as companies benefit from significantly improved risk management.
CATEGORY III: EXTERNAL RISKS
The three most common external risks comprise economic, political and natural factors. There are risks that cannot be controlled and are caused from events outside the company. Therefore, a different and special approach, focusing on identification and mitigation is needed. Even though forecasting these risks is very hard and often impossible, the management of the company or organization should pay attention to recognize and/or predict these risks. Furthermore, they should have a plan or strategy to minimize or avoid the impacts as much as possible. Usually, external risks directly threaten the processes, and project managers can be caught unprepared if external threats analysis is deficient.
Taking into consideration the three risk categories, companies or organizations should manage risks by identifying, assessing, evaluating and prioritizing them. Concrete plans to support this process should come from the top management. These plans should include, balancing a) risk and benefit and b) risk and cost. At this point, a useful and proven scheme for effectively managing many risks may be applied in combination. Such a solution involves embracing internationally recognized standards such as ISO 31000, which represents best-practice scenarios from organizations worldwide.
ISO 31000 explains the mechanism of risk management implementation. It provides a framework for implementing risk management, rather than a framework for supporting the risk management process and is therefore not prescriptive. Moreover, with due cognizance of its own internal and external contexts, an organization must recognize the applicable and relevant laws and should put into practice a system of controls to attain compliance. Additionally, ISO 31000 distinguishes the significance of feedback by means of two mechanisms; communicating and consulting and the monitoring and reviewing of performance. Communicating and consulting ensures the engagement of relevant internal and external stakeholders while monitoring and reviewing guarantee that the organization observes risk performance, thereby gaining knowledge from experience and practices.
3
//////////////////////////////////////////////////////////////////////////////////////////////////////
FEBRUARY 2016
//////////////////////////////////////////////////////////////////////////////////////////////////////
PECB is a certification body for persons, management systems, and products on a wide range of international standards. As a global provider of training, examination, audit, and certification services, PECB offers its expertise on multiple fields, including ISO 31000 courses.
For further information, please visit: https://pecb.com/iso-31000-training-courses
ABOUT THE AUTHORS
Jacob McLean is a PECB Certified trainer and partner. He is principal consultant and managing director of Kaizen Training & Management Consultants Limited, a premier provider of consultancy and training services in Health & Safety, Environment, Enterprise Risk Management and Management Systems.If you have any questions, please do not hesitate to contact: [email protected]
Alba Keqa is an Account Manager for Risk & Management at PECB. She is in charge of conducting market research while developing and providing information related to Risk and Management standards. If you have any questions, please do not hesitate to contact: [email protected].
FUNDAMENTALS OF MANAGING RISKS FEBRUARY 20164 FEBRUARY 2016
