Risk
1 | Page
Superior University, Lahore
Management
by: Asif Masood Ahmad
Risk Management F o r M B A / M .C .C o m /B B A S t u d e n t s
By: Prof. Asif Masood Ahmad MBA , CMA, GCMA GCMA
[email protected] 0321-9842495
2 | Page
Superior University, Lahore
Risk
Management
by: Asif Masood Ahmad
What is Risk? Introduction Every business faces risks that could present threats to its success. Risk is defined as the probability of an event and its consequences. Risk management is the practice of using processes, methods and tools for managing these risks. Risk management focuses on identifying what could go wrong, evaluating which risks should be dealt with and implementing strategies to deal with those risks. Businesses that have identified the risks will be better prepared and have a more cost-effective way of dealing with them. This guide sets out how to identify the risks your business may face. It also looks at how to implement an effective risk management policy and program which can increase your business' chances of success and reduce the possibility of failure.
What is Risk Management? Risk management is the identification, assessment, assessm ent, and prioritization of risks of risks followed by
coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities. Risks can come from uncertainty in financial markets, threats from project failures (at any phase in design, development, production, or sustainment life-cycles), legal liabilities, credit risk, accidents, natural accidents, natural causes and disasters as well as deliberate attack from an adversary, or events of uncertain or unpredictable root-cause. unpredictable root-cause. In USA several risk management standards management standards have been developed including the Project the Project Management Institute, the Institute, the National National Institute of Standards and Technology, actuarial Technology, actuarial societies, and ISO standards. standard s. Methods, definitions and goals vary widely according to whether the risk management method is in the context of project management, security, engineering, security, engineering, industrial industrial processes, financial processes, financial portfolios, actuarial assessments, or public health and safety.
Risk Management Strategies? The strategies to manage threats (uncertainties with negative consequences) typically include transferring the threat to another party, avoiding the threat, reducing the negative effect or probability of the threat, or even accepting some or all of the potential or actual consequences of a particular threat, and the opposites for opportunities (uncertain future states with benefits).
The types of risk your business faces The commonly described main categories of risk to consider are:
marke t Strategic, for example a competitor coming on to the market
Compliance, for example responding to the introduction of new health and safety
legislation
2 | Page
Superior University, Lahore
Risk
Management
by: Asif Masood Ahmad
What is Risk? Introduction Every business faces risks that could present threats to its success. Risk is defined as the probability of an event and its consequences. Risk management is the practice of using processes, methods and tools for managing these risks. Risk management focuses on identifying what could go wrong, evaluating which risks should be dealt with and implementing strategies to deal with those risks. Businesses that have identified the risks will be better prepared and have a more cost-effective way of dealing with them. This guide sets out how to identify the risks your business may face. It also looks at how to implement an effective risk management policy and program which can increase your business' chances of success and reduce the possibility of failure.
What is Risk Management? Risk management is the identification, assessment, assessm ent, and prioritization of risks of risks followed by
coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities. Risks can come from uncertainty in financial markets, threats from project failures (at any phase in design, development, production, or sustainment life-cycles), legal liabilities, credit risk, accidents, natural accidents, natural causes and disasters as well as deliberate attack from an adversary, or events of uncertain or unpredictable root-cause. unpredictable root-cause. In USA several risk management standards management standards have been developed including the Project the Project Management Institute, the Institute, the National National Institute of Standards and Technology, actuarial Technology, actuarial societies, and ISO standards. standard s. Methods, definitions and goals vary widely according to whether the risk management method is in the context of project management, security, engineering, security, engineering, industrial industrial processes, financial processes, financial portfolios, actuarial assessments, or public health and safety.
Risk Management Strategies? The strategies to manage threats (uncertainties with negative consequences) typically include transferring the threat to another party, avoiding the threat, reducing the negative effect or probability of the threat, or even accepting some or all of the potential or actual consequences of a particular threat, and the opposites for opportunities (uncertain future states with benefits).
The types of risk your business faces The commonly described main categories of risk to consider are:
marke t Strategic, for example a competitor coming on to the market
Compliance, for example responding to the introduction of new health and safety
legislation
3 | Page
Superior University, Lahore
Risk
Management
by: Asif Masood Ahmad
Financial, for example non-payment by a customer or increased interest charges on a
business loan
Operational, for example the breakdown or theft of key equipment Others, for example natural disaster (floods) and others depend upon the nature and scale
of the industry. These categories are not rigid and some parts of your business may fall into more than one category. The risks attached to data protection, for example, could be considered when reviewing both your operations and your business' compliance.
Strategic risks Strategic risks are those risks associated with operating in a particular industry. They include risks arising from:
merger and acquisition activity
changes among customers or in demand
industry changes
research and development
For example you might consider the strategic risks of the possibility of a US company buying one of your European competitors. This could give the US Company a distribution arm in the UK. In this situation you might want to consider:
whether there are any US companies which have the cash/share price to do this whether there are any European competitors who could be a takeover target, perhaps because of financial difficulties whether the US company would lower prices or invest more in research and development
Where there's a strong possibility of this happening, you should prepare some sort of response.
Compliance risk Compliance risks are those associated with the need to comply with laws and regulations. They also apply to the need to act in a manner which investors and customers expect, for example, by ensuring proper corporate governance. You may need to consider whether employment or health and safety legislation could add to your overheads or force changes in your established ways of working. For advice on how to manage health and safety risks, read our guide on how to set up a health and safety management system. You may also want to consider legislative risks to your business. You should ask yourself whether the products or services you offer could be made less marketable by legislation or taxation - as
4 | Page
Superior University, Lahore
Risk
Management
by: Asif Masood Ahmad
has happened with tobacco and asbestos products. For example, concerns about the increase in obesity may prompt tougher food labeling regulations, which may push up costs or reduce the appeal of certain types of food.
Financial risks Financial risks are associated with your business' financial structure and systems and the transactions your business makes. Identifying financial risk involves examining your daily financial operations, especially cash-flow . If your business is too dependent on a single customer and they became unable to pay you, this could have serious implications for your business' viability. See our guide on how to identify potential cash-flow problems. You might examine:
how you extend credit to customers
who owes you money
how you can recover it
insurance to cover large or doubtful debts
Financial risk assessment should take into account external factors such as interest rates and foreign exchange rates. Rate changes will affect your debt repayments and the competitiveness of your goods and services compared with those produced abroad. If you are involved in international trade, you will be exposed to even greater financial risks. It can be more difficult to assess the creditworthiness of an overseas client and to recoup unpaid debts. You may also be adversely affected by movements in the currency markets. In addition, depending on the trading terms you choose, it may take longer to receive payment when compared with a UK client. For more information on managing the financial implications of international trade see our guides on getting paid when selling overseas and foreign currency and exchange risks.
Operational risks Operational risks are associated with your business' operational and administrative procedures. These include:
recruitment
supply chain
transportation
accounting controls
IT systems
regulations
5 | Page
Superior University, Lahore
Risk
Management
by: Asif Masood Ahmad
board composition
You should examine these operations in turn, prioritize the risks and make necessary provisions. For example, if you rely on one supplier for a key component you could source other suppliers to help you minimize the risk. If your business makes and receives regular deliveries, consider drawing up a continuity plan to help you maintain operations in the event of a fuel strike or shortage. IT risk and data protection are increasingly important to business. If hackers break into your IT systems, they could steal valuable data and even money from your bank account which at best would be embarrassing and at worst could put you out of business. A secure IT system employing encryption will safeguard commercial and customer information.
Other risks Other risks include:
environmental risks, including natural disasters employee risk management, such as maintaining sufficient staff numbers and cover, employee safety and up-to-date skills
political and economic instability in any foreign markets you export goods to
health and safety risks
commercial risks, including the failure of key suppliers or customers
Risk Management Process Businesses face many risks; therefore risk management should be a central part of any business' strategic management. Risk management helps you to identify and address the risks facing your business and in doing so increase the likelihood of successfully achieving your businesses objectives. A risk management process involves:
methodically identifying the risks surrounding your business activities
assessing the likelihood of an event occurring
understanding how to respond to these events
putting systems in place to deal with the consequences
monitoring the effectiveness of your risk management approaches and controls
As a result, the process of risk management:
improves decision-making, planning and prioritization
helps you allocate capital and resources more efficiently
6 | Page
Superior University, Lahore
Risk
Management
by: Asif Masood Ahmad
allows you to anticipate what may go wrong, minimizing the amount of fire-fighting you have to do or, in a worst-case scenario, preventing a disaster or serious financial loss
significantly improves the probability that you will deliver your business plan on time and to budget
Risk management becomes even more important if your business decides to try something new, for example launch a new product or enter new markets. Competitors following you into these markets, or breakthroughs in technology which make your product redundant, are two risks you may want to consider in cases such as these.
Risk Management Process Flowchart
1. Risk Identification 1. Introduction Risk identification is a deliberate and systematic effort to identify and document the Institution’s key risks. The objective of risk identification is to understand what is at risk within the context of the Institution’s explicit and implicit objectives and to generate a comprehensive inventory of risks based on the threats and events that might prevent, degrade, delay or enhance the achievement of the objectives. This necessitated the development of risk identification guidelines to ensure that Institutions manage risk effectively and efficiently.
2. The risk identification process
7 | Page
Superior University, Lahore
Risk
Management
by: Asif Masood Ahmad
Comprehensive identification and recording of risks is critical, because a risk that is not identified at this stage may be excluded from further analysis. In order to manage risks effectively, Institutions have to know what risks they are faced with. The risk identification process should cover all risks, regardless of whether or not such risks are within the direct control of the Institution. Institutions should adopt a rigorous and on-going process of risk identification that also includes mechanisms to identify new and emerging risks timeously. Risk identification should be inclusive, not overly rely on the inputs of a few senior officials and should also draw as much as possible on unbiased independent sources, including the perspectives of important stakeholders. 2 .1 R is k w o r k s h o p s a n d i n t e r v i e w s
Risk workshops and interviews are useful for identifying, filtering and screening risks but it is important that these judgment based techniques be supplemented by more robust and sophisticated methods where possible, including quantitative techniques. Risk identification should be strengthened by supplementing Management’s perceptions of risks, inter alia, with:
review of external and internal audit reports; review of the reports of the Standing Committee on Public Accounts and the relevant Parliamentary Committee(s); financial analyses; historic data analyses; actual loss data; interrogation of trends in key performance indicators; benchmarking against peer group or quasi peer group; market and sector information; scenario analyses; and Forecasting and stress testing.
2 .2 F o c u s p o i n t s o f r i s k i d e n t i f i c a t i o n
To ensure comprehensiveness of risk identification the Institution should identify risk factors through considering both internal and external factors, through appropriate processes of: 2.2.1 Strategic risk iden tification
Strategic risk identification to identify risks emanating from the strategic choices made by the Institution, specifically with regard to whether such choices weaken or strengthen the Institution's ability to execute its Constitutional mandate: strategic risk identification should precede the finalization of strategic choices to ensure that potential risk issues are factored into the decision making process for selecting the strategic options; risks inherent to the selected strategic choices should be documented, assessed and managed through the normal functioning of the system of risk management; and Strategic risks should be formally reviewed concurrently with changes in strategy, or at
8 | Page
Superior University, Lahore
Risk
Management
by: Asif Masood Ahmad
least once a year to consider new and emerging risks. 2.2.2 Operational risk ident ification
Operational risk identification to identify risks concerned with the Institution’s operations:
operational risk identification should seek to establish vulnerabilities introduced by employees, internal processes and systems, contractors, regulatory authorities and external events; operational risk identification should be an embedded continuous process to identify new and emerging risks and consider shifts in known risks through mechanisms such as management and committee meetings, environmental scanning, process reviews and the like; and Operational risk identification should be repeated when changes occur, or at least once a year, to identify new and emerging risks.
2.2.3 Project risk identific ation
Project risk identification to identify risks inherent to particular projects: project risks should be identified for all major projects, covering the whole lifecycle; and for long term projects, the project risk register should be reviewed at least once a year to identify new and emerging risks.
3. Risk Identification Methods - 12 Types 3 .1 B r a i n s t o r m i n g is a technique that is best accomplished when the approach is unstructured
(the facilitator encourages random inputs from the group). Group members verbally identify risks that provide the opportunity to build on others’ ideas. To achieve the desired outcome, it is essential to select participants that are familiar with the topics discussed, relevant documentation is provided and a facilitator that knows the risk process leads the group. A note-taker should be appointed to capture the ideas that are being discussed. A structured brainstorming session, where each group member presents an idea in turn, may be used where not all group members are participating. Structured brainstorming ensures participation by all group members. Brainstorming can also be used during planning to generate a list of migration strategies, possible causes for the risk, or other areas of impact. It is not intended for an in-depth risk analysis of risk. 3.2 Surveys are a technique where lists of questions are developed to seek out risk in a particular
area. A limitation of this method is that people inherently don't like to complete surveys and may not provide accurate information. The value of the surveys may be difficult to determine due to subjectivity in the answers or because of the focus of the questions themselves. 3.3 Interviews are an effective way to identify risk areas. Group interviews can assist in
identifying the baseline of risk on a project. The interview process is essentially a questioning process. It is limited by the effectiveness of the facilitator and the questions that are being asked. The interview can be conducted before or after the brainstorming session. However if it is accomplished before the brainstorming session, the results should be shared with the group after
Risk
9 | Page
Superior University, Lahore
Management
by: Asif Masood Ahmad
they have provided their input to the risk list. If the interview(s) are completed after the brainstorming session has been completed, the list of risks should be provided to all participants for comment before they are added to the risk list. 3 .4 W o r k i n g G r o u p s are great way to analyze a particular area or topic in a discussion process to
identify risks that may not be obvious to the risk identification group. The working group is usually a separate group of people working a particular area within the project that is conducting the risk identification. 3.5 Experiential Know ledge is the collection of information that a person has obtained through
their experience. Caution must be used when using any knowledge based information to ensure it is relevant and applicable to the current situation. 3 .6 D o c u m e n t e d Knowledge is the collection of information or data that has been documented
about a particular subject. This is a source of information that provides insight into the risks in a particular area of concern. Caution must be used when using any knowledge based information to ensure it is relevant and applicable to the current situation 3.7 Risk List s are usually lists of risks that have been found in similar municipalities and/or similar
situations. Caution must be used when using this type of information to ensure it is relevant and applicable to the current situation. 3.8 Risk Trigg er Question s are lists of situations or events in a particular area of a municipality
that can lead to risk identification. These are situations or areas where risks have been discovered within the organization. These trigger questions may be grouped by areas such as performance, cost, schedule, software, etc. 3.9 Lesson s Learned is experiential knowledge that has been organized into information that
may be relevant to the different areas within the organization. This source of information may guide you in identifying risk in your municipality. Caution must be used when using this type of information to ensure it is relevant and applicable to the current situation. - There are various types of risk oriented 3 .1 0 O u t p u t s f r o m R i s k -O r i e n t ed A n a l y s i s
analysis. Two such techniques are fault tree analysis and event tree analysis. These are top down analysis approaches that attempt to determine what events, conditions, or faults could lead to a specific top level undesirable event. This event with the associated consequence could be a risk for your program. 3.11 Histor ical Info rmatio n is basically the same as documented knowledge. The difference is
that historical information is usually widely accepted as fact. 3.12 Engineering Templates are a set of flow charts for various aspects of the development
process. These templates are preliminary in nature and are intended as general guidance to accomplish a top down assessment of activities.
4. How to perform risk identification It is crucial to have knowledge of the business before commencing with risk identification process. It is also important to learn from both past experience and experience of others when considering the risks to which an Institution may be exposed and the best strategy available for responding to
Risk
10 | Page
Superior University, Lahore
Management
by: Asif Masood Ahmad
those risks. Risk identification starts with understanding the Institutional objectives, both implicit and explicit. The risk identification process must identify unwanted events, undesirable outcomes, emerging threats, as well as existing and emerging opportunities. By virtue of an Institution's existence, risks will always prevail, whether the Institution has controls or not. When identifying risks, it is also important to bear in mind that "risk" also has an opportunity component. This means that there should also be a deliberate attention to identifying potential opportunities that could be exploited to improve Institutional performance. In identifying risks, consideration should be given to risks associated with not pursuing an opportunity, e.g. failure to implement an IT system to collect municipal rates. Risk identification exercise should not get bogged down in conceptual or theoretical detail. It should also not limit itself to a fixed list of risk categories, although such a list may be helpful. The following are key steps necessary to effectively identify risks from across the Institution:
Understand what to consider when identifying risks; Gather information from different sources to identify risks; Apply risk identification tools and techniques; Document the risks; Document the risk identification process; and Assess the effectiveness of the risk identification process.
4 .1 U n d e r s t an d w h a t t o c o n s i d e r w h e n i d e n t i f y i n g r i s k s
In order to develop a comprehensive list of risks, a systematic process should be used that starts with defining objectives and key success factors for their achievement. This can help provide confidence that the process of risk identification is complete and major issues have not been missed. 4 .2 G at h e r i n f o r m a t i o n f r o m d i f f e re n t s o u r c e s t o i d e n t i f y r i s k s
Good quality information is important in identifying risks. The starting point for risk identification may be historical information about this or similar Institutions and then discussions with a wide range of stakeholders about historical, current and evolving issues, data analysis, review of performance indicators, economic information, loss data, scenario planning and the like can produce important risk information. Furthermore, processes used during strategic planning like Strength Weakness Opportunity and Threat SWOT Analysis, Political Economic Social Technological Environment & Legal. PEST (EL) Analysis and benchmarking will have revealed important risks and oppor tunities that should not be ignored, i.e. they should be included in the risk register. Certain disciplines like IT, Strategic Management, Health and Safety etc. already have in place established risk identification methodologies as informed by their professional norms and standards. The risk identification process should recognize and utilize the outputs of these techniques in order not to "re-invent the wheel".
11 | Page
Superior University, Lahore
Risk
Management
by: Asif Masood Ahmad
4 .3 A p p l y r i s k i d e n t i f i c at i o n t o o l s a n d t e c h n i q u e s
An Institution should apply a set of risk identification tools and techniques that are suited to its objectives and capabilities, and to the risk the Institution faces. Relevant and up-to-date information is important in identifying risks. This should include suitable background information where possible. People with appropriate knowledge should be involved in identifying risks. Approaches used to identify risks could include the use of checklists, judgments based on experience and records, flow charts, brainstorming, systems analysis, scenario analysis, and system engineering techniques. The approach used will depend on the nature of the activities under review, types of risks, the Institutional context, and the purpose of the risk management exercise. Team-based brainstorming for example, where facilitated workshops is a preferred approach as it encourages commitment, considers different perspectives and incorporates differing experiences. Structured techniques such as flow charting, system design review, systems analysis, Hazard and Operability (HAZOP) studies and operational modeling should be used where the potential consequences are catastrophic and the use of such intensive techniques are cost effective. Since risk workshops are useful only for filtering and screening of possible risks, it is important that the workshops are supplemented by more sophisticated or structured techniques described above. For less clearly defined situations, such as the identification of strategic risks, processes with a more general structure, such as 'what-if' and scenario analysis could be used. Where resources available for risk identification and analysis are constrained, the structure and approach may have to be adapted to achieve efficient outcomes within budget limitations. For example, where less time is available, a smaller number of key elements may be considered at a higher level, or a checklist may be used.
4 .4 D o c u m e n t t h e r i s k s i d e n t i f i ed
The risks identified during the risk identification are typically documented in a risk register that, includes (at this stage):
risk description; how and why the risk can happen (i.e. causes and consequences); and the existing internal controls that may reduce the likelihood or consequences of the risks. It is essential when identifying a risk to consider the following three elements: description/event - an occurrence or a particular set of circumstances; causes - the factors that may contribute to a risk occurring or increase; the likelihood of a risk occurring; and consequences - the outcome(s) or impact(s) of an event.
It is the combination of these elements that make up a risk and this level of detail will enable an Institution to better understand its risks. 4 .5 D o c u m e n t y o u r r i s k i d e n t i f i c a t i o n p r o c e s s
12 | Page
Superior University, Lahore
Risk
Management
by: Asif Masood Ahmad
In addition to documenting identified risks, it is also necessary to document the risk identification process to help guide future risk identification exercises and to ensure good practices are maintained by drawing on lessons learned through previous exercises. Documentation of this step should include:
the approach or method used for identifying risks; the scope covered by the identification; and the participants in the risk identification and the information sources consulted.
Experience has shown that management often disregards well controlled risks when documenting the risk profile of the Institution. It is stressed that a well-controlled risk must still be recorded in the risk profile of the Institution. The reason for this logic is that the processes for identifying risks should ignore at that point any mitigating factors (these will be considered when the risk is being assessed).
5. The outputs of risk identification The document in which the risks are recorded is known as the "risk register" and it is the main output of a risk identification exercise. A risk register is a comprehensive record of all risks across the Institution or project depending on the purpose/context of the register. There is no single blueprint for the format of a risk register and Institutions have a great degree of flexibility regarding how they lay out their documents. The risk register serves three main purposes
It is a source of information to report the key risks throughout the Institution, as well as to key stakeholders.
Management uses the risk register to focus their priorities risks.
It is to help the auditors to focus their plans on the Institution's top risks.
As a minimum, the risks register records: the risk; risk category; how and why the risk can happen "cause of risk"; how will the risk impact the Institution if it materializes "impact on Institution"; the qualitative and / or quantitative cost should the risk materialize; the likelihood and consequences of the risk to the Institution; the existing internal controls that may minimize the likelihood of the risk occurring; a risk level rating based on pre-established criteria; framework, including an assessment of whether the risk is acceptable or whether it needs to be treated; a clear prioritization of risks (risk profile); accountability for risk treatment (may be part of the risk treatment plan); and Timeframe for risk treatment.
Once the risks have been identified and existing control have been assessed and it is has been established that controls are inadequate, an assessment of whether the risk is acceptable or
Risk
13 | Page
Superior University, Lahore
Management
by: Asif Masood Ahmad
whether it needs to be treated needs to be performed.
2. Risk assessment Businesses face many risks; therefore risk management should be a central part of any business' strategic management. Risk management helps you to identify and address the risks facing your business and in doing so increase the likelihood of successfully achieving your businesses objectives. A risk management process involves:
methodically identifying the risks surrounding your business activities
assessing the likelihood of an event occurring
understanding how to respond to these events
putting systems in place to deal with the consequences
monitoring the effectiveness of your risk management approaches and controls As a result, the process of risk management:
improves decision-making, planning and prioritization
helps you allocate capital and resources more efficiently
allows you to anticipate what may go wrong, minimizing the amount of fire -fighting you have to do or, in a worst-case scenario, preventing a disaster or serious financial loss significantly improves the probability that you will deliver your business plan on time and to budget Risk management becomes even more important if your business decides to try something new, for example launch a new product or enter new markets. Competitors following you into these markets, or breakthroughs in technology which make your product redundant, are two risks you may want to consider in cases such as these.
Risk assessment – Definition Risk assessment is the determination of quantitative or qualitative value of risk related to a concrete situation and a recognized threat (also called hazard). Quantitative risk assessment requires calculations of two components of risk (R), the magnitude of the potential loss (L), and the probability (P) that the loss will occur. Acceptable risk is a risk that is
understood and tolerated usually because the cost or difficulty of implementing an effective countermeasure for the associated vulnerability exceeds the expectation of loss. In all types of engineering of complex systems sophisticated risk assessments are often made within Safety engineering and Reliability engineering when it concerns threats to life, environment or machine functioning. The nuclear, aerospace, oil, rail and military industries have a long history of dealing with risk assessment. Also, medical, hospital, social service and food
Risk
14 | Page
Superior University, Lahore
Management
by: Asif Masood Ahmad
industries control risks and perform risk assessments on a continual basis. Methods for assessment of risk may differ between industries and whether it pertains to general financial decisions or environmental, ecological, or public health risk assessment.
Explanation Risk assessment consists of an objective evaluation of risk in which assumptions and uncertainties are clearly considered and presented. Part of the difficulty in risk management is that measurement of both of the quantities in which risk assessment is concerned – potential loss and probability of occurrence – can be very difficult to measure. The chance of error in measuring these two concepts is high. Risk with a large potential loss and a low probability of occurrence, is often treated differently from one with a low potential loss and a high likelihood of occurrence. In theory, both are of near equal priority, but in practice it can be very difficult to manage when faced with the scarcity of resources, especially time, in which to conduct the risk management process. Expressed mathematically,
Risk assessment from a financial point of view. Financial decisions, such as insurance, express loss in terms of dollar amounts. When risk assessment is used for public health or environmental decisions, loss can be quantified in a common metric such as a country's currency or some numerical measure of a location's quality of life. For public health and environmental decisions, loss is simply a verbal description of the outcome, such as increased cancer incidence or incidence of birth defects. In that case, the "risk" is expressed as
If the risk estimate takes into account information on the number of individuals exposed, it is termed a "population risk" and is in units of expected increased cases per a time period. If the risk
15 | Page
Superior University, Lahore
Risk
Management
by: Asif Masood Ahmad
estimate does not take into account the number of individuals exposed, it is termed an "individual risk" and is in units of incidence rate per a time period. Population risks are of more use for cost/benefit analysis; individual risks are of more use for evaluating whether risks to individuals are "acceptable".
Risk Assessment? Essential steps for performing a risk assessment
How to evaluate risks? Risk evaluation allows you to determine the significance of risks to the business and decide to accept the specific risk or take action to prevent or minimize it. To evaluate risks, it is worthwhile ranking these risks once you have identified them. This can be done by considering the consequence and probability of each risk. Many businesses find that assessing consequence and probability as high, medium or low is adequate for their needs. These can then be compared with your business plan - to determine which risks may affect your objectives - and evaluated in the light of legal requirements, costs and investor concerns. In some cases, the cost of mitigating a potential risk may be so high that doing nothing makes more business sense. There are some tools you can use to help evaluate risks. You can plot on a risk map the significance and likelihood of the risk occurring. Each risk is rated on a scale of one to ten. If a risk is rated ten this means it is of major importance to the company. One is the least significant. The map allows you to visualize risks in relation to each other, gauge their extent and plan what type of controls should be implemented to mitigate the risks. Prioritizing risks, however you do this, allows you to direct time and money toward the most important risks. You can put systems and controls in place to deal with the consequences of an event. This could involve defining a decision process and escalation procedures that your company would follow if an event occurred.
Types of Risk assessment Risk assessment can therefore be conducted at various levels of the organization. The objectives and events under consideration determine the scope of the risk assessment to be undertaken. Examples of frequently performed risk assessments include: • Strategic risk assessment. Evaluation of risks relating to the organization’s mission and
strategic objectives, typically performed by senior management teams in strategic planning meetings, with varying degrees of formality.
16 | Page
Superior University, Lahore
Risk
Management
by: Asif Masood Ahmad
• Operational risk assessment. Evaluation of the risk of loss (including risks to financial
performance and condition) resulting from inadequate or failed internal processes, people, and systems, or from external events. In certain industries, regulators have imposed the requirement that companies regularly identify and quantify their exposure to such risks. While responsibility for managing the risk lies with the business, an independent function often acts in an advisory capacity to help assess these risks. • Compliance risk assessment. Evaluation of risk factors relative to the organization’s
compliance obligations, considering laws and regulations, policies and procedures, ethics and business conduct standards, and contracts, as well as strategic voluntary standards and best practices to which the organization has committed. This type of assessment is typically performed by the compliance function with input from business areas. • Internal audit risk assessment. Evaluation of risks related to the value drivers of the
organization, covering strategic, financial, operational, and compliance objectives. The assessment considers the impact of risks to shareholder value as a basis to define the audit plan and monitor key risks. This top-down approach enables the coverage of internal audit activities to be driven by issues that directly impact shareholder and customer value, with clear and explicit linkage to strategic drivers for the organization. • Financial statement risk assessment. Evaluation of risks related to a material misstatement of the organization’s fi nancial statements through input from various parties such as the controller,
internal audit, and operations. This evaluation, typically performed by the finance function, considers the characteristics of the financial reporting elements (e.g., materiality and susceptibility of the underlying accounts, transactions, or related support to material misstatement) and the effectiveness of the key controls (e.g., likelihood that a control might fail to operate as intended, and the resultant impact). • Fraud risk ass e s s m e n t . Evaluation of potential instances of fraud that could impact the organization’s ethics and compliance standards, business practice requirements, financial
reporting integrity, and other objectives. This is typically performed as part of Sarbanes-Oxley compliance or during a broader organization-wide risk assessment, and involves subject matter experts from key business functions where fraud could occur (e.g., procurement, accounting, and sales) as well as forensic specialists. • Market risk assessm e n t . Evaluation of market movements that could affect the organization’s
performance or risk exposure, considering interest rate risk, currency risk, option risk, and commodity risk. This is typically performed by market risk specialists. • Credit risk ass e s s m e n t . Evaluation of the potential that a borrower or counterparty will fail to
meet its obligations in accordance with agreed terms. This considers credit risk inherent to the entire portfolio as well as the risk in individual credits or transactions, and is typically performed by credit risk specialists. • Customer risk assessment. Evaluation of the risk profile of customers that could potentially impact the o rganization’s reputation and fi nancial position. This assessment weighs the customer’s intent, creditworthiness, affiliations, and other relevant factors. This is typically
performed by account managers, using a common set of criteria and a central repository for the assessment data.
17 | Page
Superior University, Lahore
Risk
Management
by: Asif Masood Ahmad
• Supply chain risk assessment. Evaluation of the risks associated with identifying the inputs
and logistics needed to support the creation of products and services, including selection and management of suppliers (e.g., up-front due diligence to qualify the supplier, and ongoing quality assurance reviews to assess any changes that could impact the achievement of the organization’s business objectives).
How risk is determined In the estimation of risks, three or more steps are involved that require the inputs of different disciplines: 1. Hazard Identification aims to determine the qualitative nature of the potential adverse consequences of the contaminant (chemical, radiation, noise, etc.) and the strength of the evidence it can have that effect. This is done, for chemical hazards, by drawing from the results of the sciences of toxicology and epidemiology. For other kinds of hazard, engineering or other disciplines are involved. 2. Dose-Response Analysis is determining the relationship between dose and the probability or the incidence of effect (dose-response assessment). The complexity of this step in many contexts derives mainly from the need to extrapolate results from experimental animals (e.g. mouse, rat) to humans, and/or from high to lower doses. In addition, the differences between individuals due to genetics or other factors mean that the hazard may be higher for particular groups, called susceptible populations. An alternative to dose-response estimation is to determine a concentration unlikely to yield observable effects, that is, a no effect concentration. In developing such a dose, to account for the largely unknown effects of animal to human extrapolations, increased variability in humans, or missing data, a prudent approach is often adopted by including safety factors in the estimate of the "safe" dose, typically a factor of 10 for each unknown step. 3. Exposure Quantification aims to determine the amount of a contaminant (dose) that individuals and populations will receive. This is done by examining the results of the discipline of exposure assessment. As different location, lifestyles and other factors likely influence the amount of contaminant that is received, a range or distribution of possible values is generated in this step. Particular care is taken to determine the exposure of the susceptible population(s). Finally, the results of the three steps above are then combined to produce an estimate of risk. Because of the different susceptibilities and exposures, this risk will vary within a population.
Small sub-populations When risks apply mainly to small sub-populations, there is uncertainty at which point intervention is necessary. For example, there may be a risk that is very low for everyone, other than 0.1% of the population. It is necessary to determine whether this 0.1% is represented by:
all infants younger than X days or
recreational users of a particular product.
18 | Page
Superior University, Lahore
Risk
Management
by: Asif Masood Ahmad
If the risk is higher for a particular sub-population because of abnormal exposure rather than susceptibility, strategies to further reduce the exposure of that subgroup are considered. If an identifiable sub-population is more susceptible due to inherent genetic or other factors, public policy choices must be made. The choices are:
to set policies for protecting the general population that are protective of such groups, e.g. for children when data exists, the Clean Air Act for populations such as asthmatics or not to set policies, because the group is too small, or the costs too high.
Acceptable risk criteria The idea of not increasing lifetime risk by more than one in a million has become commonplace in public health discourse and policy. It is a heuristic measure. It provides a numerical basis for establishing a negligible increase in risk. Environmental decision making allows some discretion for deeming individual risks potentially "acceptable" if less than one in ten thousand chance of increased lifetime risk. Low risk criteria such as these provide some protection for a case where individuals may be exposed to multiple chemicals e.g. pollutants, food additives or other chemicals. In practice, a true zero-risk is possible only with the suppression of the risk-causing activity. Stringent requirements of 1 in a million may not be technologically feasible or may be so prohibitively expensive as to render the risk-causing activity unsustainable, resulting in the optimal degree of intervention being a balance between risks vs. benefit. For example, emissions from hospital incinerators result in a certain number of deaths per year. However, this risk must be balanced against the alternatives. There are public health risks, as well as economic costs, associated with all options. The risk associated with no incineration is potential spread of infectious diseases, or even no hospitals. Further investigation identifies options such as separating noninfectious from infectious wastes, or air pollution controls on a medical incinerator. Intelligent thought about a reasonably full set of options is essential. Thus, it is not unusual for there to be an iterative process between analyses, consideration of options, and follow up analysis.
Risk Assessment in Various Sectors In public health In the context of public health, risk assessment is the process of quantifying the probability of a harmful effect to individuals or populations from certain human ac tivities. In most countries the use of specific chemicals or the operations of specific facilities (e.g. power plants, manufacturing plants) is not allowed unless it can be shown that they do not increase the risk of death or illness above a specific threshold. For example, the American Food and Drug Administration (FDA) regulate food safety through risk assessment. The FDA required in 1973 that cancer-causing compounds must not be present in meat at concentrations that would cause a cancer risk greater
19 | Page
Superior University, Lahore
Risk
Management
by: Asif Masood Ahmad
than 1 in a million over a lifetime. The US Environmental Protection Agency provides basic information about environmental risk assessments for the public via its risk assessment portal. The Stockholm Convention on persistent organic pollutants (POPs) supports a qualitative risk framework for public health protection from chemicals that display environmental and biological persistence, bioaccumulation, toxicity (PBT) and long range transport; most global chemicals that meet this criteria have been previously assessed quantitatively by national and international health agencies.
In auditing For audits performed by an outside audit firm, risk assessment is a very crucial stage before accepting an audit engagement. According to ISA315 Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement , "the auditor should perform risk assessment procedures to obtain an understanding of the entity and its environment, including its internal control. Evidence relating to the auditor’s risk assessment of a material misstatement in the client’s financial statements. Then, the auditor obtains initial evidence regarding the classes of transactions at the client and the operating effectiveness of the client’s internal contro ls. In auditing, audit risk is defined as the risk that the auditor will issue a clean unmodified opinion regarding the financial statements, when in fact the financial statements are materially misstated, and therefor do not qualify for a clean unmodified opinion. As a formula, audit risk is the product of two other risks: Risk of Material Misstatement and Detection risk. This formula can be further broken down as follows: (inherent risk X control risk X detection risk).
Human health There are many resources that provide health risk information. The National Library of Medicine provides risk assessment and regulation information tools for a varied audience. These include:
TOXNET (databases on hazardous chemicals, environmental health, and toxic releases) the Household Products Database (potential health effects of chemicals in over 10,000 common household products). TOXMAP (maps of the U.S. Environmental Protection Agency Superfund and Toxics Release Inventory data).
The United States Environmental Protection Agency provides basic information about environmental risk assessments for the public.
In information security IT risk assessment can be performed by a qualitative or quantitative approach, following different methodologies.
20 | Page
Superior University, Lahore
Risk
Management
by: Asif Masood Ahmad
In project management In project management, risk assessment is an integral part of the risk management plan, studying the probability, the impact, and the effect of every known risk on the project, as well as the corrective action to take should that risk occur. Of special consideration in this area is the relevant codes of practice that are enforce in the specific jurisdiction. Understanding the regime of regulations that risk management must abide by is integral to formulating safe and compliant risk assessment practices.
For megaprojects Megaprojects (sometimes also called "major programs") are extremely large-scale investment projects, typically costing more than US$1 billion per project. Megaprojects include bridges, tunnels, highways, railways, airports, seaports, power plants, dams, wastewater projects, coastal flood protection, oil and natural gas extraction projects, public buildings, information technology systems, aerospace projects, and defence systems. Megaprojects have been shown to be particularly risky in terms of finance, safety, and social and environmental impacts.
Quantitative risk assessment Quantitative risk assessments include a calculation of the single loss expectancy (SLE) of an asset. The single loss expectancy can be defined as the loss of value to asset based on a single security incident. The team then calculates the Annualized Rate of Occurrence (ARO) of the threat to the asset. The ARO is an estimate based on the data of how often a threat would be successful in exploiting vulnerability. From this information, the Annualized Loss Expectancy (ALE) can be calculated. The annualized loss expectancy is a calculation of the single loss expectancy multiplied by the annual rate of occurrence, or how much an organization could estimate to lose from an asset based on the risks, threats, and vulnerabilities. It then becomes possible from a financial perspective to justify expenditures to implement countermeasures to protect the asset.
In software evolution Studies have shown that early parts of the system development cycle such as requirements and design specifications are especially prone to error. This effect is particularly notorious in projects involving multiple stakeholders with different points of view. Evolutionary software processes offer an iterative approach to requirement engineering to alleviate the problems of uncertainty, ambiguity and inconsistency inherent in software developments.
In shipping industry In July 2010, shipping companies agreed to use standardized procedures in order to assess risk in key shipboard operations. These procedures were implemented as part of the amended ISM code.
3. Risk Prioritization
Risk
21 | Page
Superior University, Lahore
Management
by: Asif Masood Ahmad
Risk analysis and evaluation criteria to prioritize risk The next step is to evaluate the risk arising from each hazard. This can be done by considering:
how likely it is that a hazard will cause harm (e.g. whether it is improbable, possible but not
very likely, probable, or inevitable over time)
how serious that harm is likely to be (e.g. resulting in minor damage, a non-injury incident,
a minor injury (bruise, laceration), a serious injury (fracture, amputation, chronic ill-health), a fatality, or a multiple-fatality)
How often (and how many) workers are exposed.
A straightforward process based on judgment and requiring no specialist skills or complicated techniques could be sufficient for many workplace hazards or activities. These include activities with hazards of low concern, or workplaces where risks are well known or readily identified and where a means of control is readily available. This is probably the case for most businesses (mainly small and medium-sized enterprises – SMEs). In some other cases it may not be possible to identify the hazards and evaluate risks without professional knowledge, support and advice. This may arise in respect of the more complex processes and technologies in the workplace, or hazards, such as those related to health, which may not be readily or easily identifiable, and may require analysis and measurements.
Evaluate Risk In the risk analysis stage, each risk has been assigned a level based on likelihood and consequences. The purpose of evaluation is to compare the levels of risk and decide whether the level of each risk is acceptable or not. There may also be a number of risks that fall into the same level where each of them would not be treated equally. In determining whether a risk is acceptable or not, the evaluation would take into account a number of factors: How does the level of each risk (from the analysis step in 'Analyse risks') stand up against the level of acceptable risk in 'About establishing the context'? Is the level of the risk so low that treatment is not appropriate? (As Low As Reasonably Practicable - ALARP) Do the opportunities outweigh the threats to such a degree that the risk is justified? Is the cost excessive compared to the benefit? Is there no treatment available?
If risk criteria were established when setting the context, the level of risk would now be compared against this criteria in order to determine whether the risk is acceptable. If acceptable, there would be no further action taken. The justification for this would be documented and the risk monitored to ensure that no factors arise that would require assessment of the risk to be reviewed.
Risk
22 | Page
Superior University, Lahore
Management
by: Asif Masood Ahmad
If the risk is not acceptable, then the risk assessment process would continue to determine appropriate treatment options in order that the risk is reduced to As Low as Reasonably Practicable (ALARP). Level of risk
Sample response expectations
Severe risk
must be managed by senior management with a detailed plan
High risk
detailed research and management planning required at senior levels
Major risk
senior management attention is needed
Significant risk management responsibility must be specified Moderate risk
manage by specific monitoring or response procedures
Low risk
manage by routine procedures
Trivial risk
unlikely to need specific application of resources
As Low As Reasonably Practicable (ALARP)
In general two criteria can be defined using the ALARP concept: risk is negligible and can be accepted without specific treatment other than monitoring risk is intolerable and the activity must cease, unless risk can be reduced.
Between these levels is a region where costs and benefits are taken into account. When risk is close to the intolerable level the expectation is that risk will be reduced unless the cost of reducing the risk is grossly disproportionate to the benefits gained. Where risks are close to the negligible level then action may only be taken to reduce risk where benefits exceed the costs of reduction.
23 | Page
Superior University, Lahore
Risk
Management
by: Asif Masood Ahmad
Prioritizing Risk Once the level of risk has been determined for each risk, this information can be entered onto a risk register showing the level of risks. The evaluation will decide the risk priority, showing which risk must be managed first in order to reduce the exposure of the organisation to serious loss. Of course, small or insignificant risks might be treated immediately where it would be quick and / or low cost to do so. Once the priority is determined and risks are to be treated, those will then be included on a risk treatment schedule where they can be tracked until the risks are treated.
Risk Register Risk Register Definition
A Risk Register, also referred to as a Risk Log, is a master document which is created during the early stages of your project. It is a tool that plays an important part in your Risk Management Plan, helping you to track issues and address problems as they arise. The Risk Register will generally be shared between project stakeholders, allowing those involved in the project to be kept aware of issues and providing a means of tracking the response to issues. It can be used to flag new project risks and to make suggestions on what course of action to take to resolve any issues. All corporate and organizational projects face risk at one time or another. Having a Risk Register in place simply provides a better means of responding to problems as they arise. The Risk Register is there to help with the decisions making process and enables managers and project stakeholders to handle risk in the most appropriate way. A risk needn't be a threat to your project, it is simply an issue that can arise during the project; if effectively managed, it shouldn't prevent your project from attaining its goals and objectives. The Risk Register is a document that contains information about identified project risks, analysis of risk severity and evaluations of the possible solutions to be applied.
Risk
24 | Page
Superior University, Lahore
Management
by: Asif Masood Ahmad
Presenting this in a spreadsheet if often the easiest way to manage things, so that key information can be found and applied quickly and easily.
How Risk Register is created?
If you're going to create a Risk Register and the following is a brief guide on how to get started in just a few steps: 1. Create the Risk Register - this step will be undertaken when the project plan is approved and the Risk Section of the project plan should serve as the basis for the document. 2. Record active risks - keep track of active risks by recording them in the Risk Register along with the date identified, date updated, target date and closure date. Other useful information to include is the risk identification number, a description of the risk, type and severity of risk, its impact, possible response action and the current status of risk. 3. Assign a unique number to each risk element - this will help to identify each unique risk, so that you know if that risk eventuates during the project and what the status of the risk is at any given time. Keeping this number consistent throughout the project will make it easy to see how this risk links in to the Project Status Report, Risk Identification and Risk Impact Form. 4. The risk register addresses risk management in four key steps: (1) identifying the risk, (2) evaluating the severity of any identified risks,
Risk
25 | Page
Superior University, Lahore
Management
by: Asif Masood Ahmad
(3) applying possible solutions to those risks and (4) monitoring and analysing the effectiveness of any subsequent steps taken. 5. By learning how to create a Risk Register, you can be proactive about managing your projects and handling any risks associated with them. Any issues that are likely to impact upon the success of your project and the speedy completion of the project is categorised as risk. Implementing strategies to handle this, such as a risk register, will help to prevent risk from becoming an issue that may cause significant delays or even lead to the project failing. RISK REGISTER TEMPLATE Risk Identification
Qualitative Rating
Risk
Probability Impact
Risk Category
Risk Response Risk Score
Risk Ranking
Risk Response
Trigger
Risk Owner
Example of a risk register The risk: what can happen and how it can happen
Injury caused by falling tree branch
Consequences of an event Serious injury happening Likelihood of an event Rare, trees are not in happening immediate vicinity Adequacy of current controls Adequate Consequence rating 3 Likelihood rating D Level of risk M
Moderate risk Risk priority Accept and monitor Not possible within context to treat the trees.
River could be polluted by waste from festival grounds Non-toxic waste, cost of clean-up Likely to be some rubbish blown in by wind Adequate 1 C L Low risk Manage Easy and cheap to control. Low cost placement of bins and staff to pick up rubbish.
Risk Matrix A Risk Matrix is a matrix that is used during Risk Assessment to define the various levels of risk as the product of the harm probability categories and harm severity categories. This is a simple mechanism to increase visibility of risks and assist management decision making. Although many standard risk matrices exist in different contexts (US DoD, NASA, ISO), individual projects and organizations may need to create their own or tailor an existing risk matrix.
Risk Management
26 | Page
Superior University, Lahore
by: Asif Masood Ahmad
The matrix below is adapted from the Risk Management Standard. It can be used to record a priority rating for each risk identified in the risk audit. Each risk identified must be evaluated in terms of:
The probability of occurrence (the likelihood). The severity of the consequence should the risk actually occur.
A risk exposure that has both a high likelihood and a high severity of consequence should be given the greatest consideration for elimination or control. A risk that is both low in likelihood and low in severity can easily be retained and self-funded. If an evaluation of a risk gives rise to a rating of "Extreme", it must be dealt with straight away.
Legend
E
Extreme Risk
Immediate action required
H
High Risk
Senior management attention needed
M
Moderate Risk
Management responsibility must be specified
Low Risk
Manage by routine procedures
L
Here are few other of the examples of Risk Matrix:
27 | Page
Superior University, Lahore
4.
Risk
Management
by: Asif Masood Ahmad
Risk Mitigation Planning and Implementation
D e f i n i t i o n : Risk mitigation planning is the process of developing options and actions to enhance
opportunities and reduce threats to project objectives. Risk mitigation implementation is the process of executing risk mitigation actions. Risk mitigation progress monitoring includes tracking
Risk
28 | Page
Superior University, Lahore
Management
by: Asif Masood Ahmad
identified risks, identifying new risks, and evaluating risk process effectiveness throughout the project.
Background Risk mitigation planning, implementation, and progress monitoring are depicted in Figure 1. As part of an iterative process, the risk tracking tool is used to record the results of risk prioritization analysis (step 3) that provides input to both risk mitigation (step 4) and risk impact assessment (step 2).
Figure 1. Risk Management: Fundamental Steps [3]
The risk mitigation step involves development of mitigation plans designed to manage, eliminate, or reduce risk to an acceptable level. Once a plan is implemented, it is continually monitored to assess its efficacy with the intent of revising the course-of-action if needed. Risk Mitigation Strategies General guidelines for applying risk mitigation handling options are shown in Figure 2. These options are based on the assessed combination of the probability of occurrence and severity of the consequence for an identified risk. These guidelines are appropriate for many, but not all, projects and programs.
Risk Management
29 | Page
Superior University, Lahore
by: Asif Masood Ahmad
Figure 2. Risk Mitigation Handling Options [3]
Risk mitigation handling options include: Assume/Accept: Acknowledge the existence of a particular risk, and make a deliberate decision to accept it without engaging in special efforts to control it. Approval of project or program leaders is required. Avoid: Adjust program requirements or constraints to eliminate or reduce the risk. This adjustment could be accommodated by a change in funding, schedule, or technical requirements. Control: Implement actions to minimize the impact or likelihood of the risk. Transfer: Reassign organizational accountability, responsibility, and authority to another stakeholder willing to accept the risk. Watch/Monitor: Monitor the environment for changes that affect the nature and/or the impact of the risk.
Each of these options requires developing a plan that is implemented and monitored for effectiveness. More information on handling options is discussed under best practices and lessons learned below. From a systems engineering perspective, common methods of risk reduction or mitigation with identified program risks include the following, listed in order of increasing seriousness of the risk: 1. 2. 3. 4. 5. 6.
Intensified technical and management reviews of the engineering process Special oversight of designated component engineering Special analysis and testing of critical design items Rapid prototyping and test feedback Consideration of relieving critical design requirements Initiation of fallback parallel developments
Risk
30 | Page
Superior University, Lahore
Management
by: Asif Masood Ahmad
When determining the method for risk mitigation, the MITRE SE can help the customer assess the performance, schedule, and cost impacts of one mitigation strategy over another. For something like "parallel" development mitigation, MITRE SEs could help the government determine whether the cost could more than double, while time might not be extended by much (e.g., double the cost for parallel effort, but also added cost for additional program office and user engagement). For conducting rapid prototyping or changing operational requirements, MITRE SEs can use knowledge in creating prototypes and using prototyping and experimenting (see SE Guide article on Special Considerations for Conditions of Uncertainty: Prototyping and Experimentation and the Requirements Engineering topic) for projecting the cost and time to conduct a prototype to help mitigate particular risks (e.g., requirements). Implementing more engineering reviews and special oversight and testing may require changes to contractual agreements. MITRE systems engineers can help the government assess these (schedule and cost) by helping determine the basis of estimates for additional contractor efforts and providing a reality check for these estimates. MITRE's CASA [Center for Acquisition and Systems Analysis] and the CCG [Center for Connected Government] Investment Management practice department have experience and a knowledge base in many development activities across a wide spectrum of methods and can help with realistic assessments of mitigation alternatives. For related information, refer to the other articles in this Risk Management topic area of the SE Guide. Best Practices and Lessons Learned
What actions are needed? When must actions be completed?
Handling Options
Assume/Accept. Collaborate with the operational users to create a collective understanding of risks and their implications. Risks can be characterized as impacting traditional cost, schedule, and performance parameters. Risks should also be characterized as impact to mission performance resulting from reduced technical performance or capability. Develop an understanding of all these impacts. Bringing users into the mission impact characterization is particularly important to selecting which "assume/accept" option is ultimately chosen. Users will decide whether accepting the consequences of a risk is acceptable. Provide the users with the vulnerabilities affecting a risk, countermeasures that can be performed, and residual risk that may occur. Help the users understand the costs in terms of time and money. Avoid. Again, work with users to achieve a collective understanding of the implications of risks. Provide users with projections of schedule adjustments needed to reduce risk associated with technology maturity or additional development to improve performance. Identify capabilities that will be delayed and any impacts resulting from dependencies on other efforts. This information better enables users to interpret the operational implications of an "avoid" option. Control. Help control risks by performing analyses of various mitigation options. For example, one option is to use a commercially available capability instead of a contractor developed one. In developing options for controlling risk in o
o
o
Risk
31 | Page
Superior University, Lahore
Management
by: Asif Masood Ahmad
your program, seek out potential solutions from similar risk situations of other MITRE customers, industry, and academia. When considering a solution from another organization, take special care in assessing any architectural changes needed and their implications. Transfer. Reassigning accountability, responsibility, or authority for a risk area to another organization can be a double-edged sword. It may make sense when the risk involves a narrow specialized area of expertise not normally found in program offices. But, transferring a risk to another organization can result in dependencies and loss of control that may have their own complications. Position yourself and your customer to consider a transfer option by acquiring and maintaining awareness of organizations within your customer space that focus on specialized needs and their solutions. Acquire this awareness as early in the program acquisition cycle as possible, when transfer options are more easily implemented. Watch/Monitor. Once a risk has been identified and a plan put in place to manage it, there can be a tendency to adopt a "heads down" attitude, particularly if the execution of the mitigation appears to be operating on "cruise control." Resist that inclination. Periodically revisit the basic assumptions and p remises of the risk. Scan the environment to see whether the situation has changed in a way that affects the nature or impact of the risk. The risk may have changed sufficiently so that the current mitigation is ineffective and needs to be scrapped in favor of a different one. On the other hand, the risk may have diminished in a way that allows resources devoted to it to be redirected. o
o
Determining Mitigation Plans
Understand the users and their needs. The users/operational decision makers will be the decision authority for accepting and avoiding risks. Maintain a close relationship with the user community throughout the system engineering life cycle. Realize that mission accomplishment is paramount to the user community and acceptance of residual risk should be firmly rooted in a mission decision. Seek out the experts and use them. Seek out the experts within and outside MITRE. MITRE's technical centers exist to provide support in their specialty areas. They understand what's feasible, what's worked and been implemented, what's easy, and what's hard. They have the knowledge and experience essential to risk assessment in their area of expertise. Know our internal centers of excellence, cultivate relationships with them, and know when and how to use them. Recognize risks that recur. Identify and maintain awareness of the risks that are "always there" — interfaces, dependencies, changes in needs, environment and requirements, information security, and gaps or holes in contractor and program office skill sets. Help create an acceptance by the government that these risks will occur and recur and that plans for mitigation are needed up front. Recommend various mitigation approaches — including adoption of an evolution strategy, prototyping, experimentation, engagement with broader stakeholder community, and the like. Encourage risk taking. Given all that has been said in this article and its companions, this may appear to be an odd piece of advice. The point is that there are consequences of not taking risks, some of which may be negative. Help the customer and users understand that reality and the potential consequences of being o
o
o
o
Risk
32 | Page
Superior University, Lahore
Management
by: Asif Masood Ahmad
overly timid and not taking certain risks in your program. An example of a negative consequence for not taking a risk when delivering a full capability is that an adversary might realize a gain against our operational users. Risks are not defeats, but simply bumps in the road that need to be anticipated and dealt with. Recognize opportunities. Help the government understand and see opportunities that may arise from a risk. When considering alternatives for managing a particular risk, be sure to assess whether they provide an opportunistic advantage by improving performance, capacity, flexibility, or desirable attributes in other areas not directly associated with the risk. Encourage deliberate consideration of mitigation options. This piece of advice is good anytime, but particularly when supporting a fast-paced, quick reaction government program that is juggling many competing priorities. Carefully analyze mitigation options and encourage thorough discussion by the program team. This is the form of the wisdom "go slow to go fast." Not all risks require mitigation plans. Risk events assessed as medium or high criticality should go into risk mitigation planning and implementation. On the other hand, consider whether some low criticality risks might just be tracked and monitored on a watch list. Husband your risk-related resources. o
o
o
Mitigation Plan Content
Determine the appropriate risk manager. The risk manager is responsible for identifying and implementing the risk mitigation plan. He or she must have the knowledge, authority, and resources to implement the plan. Risk mitigation activities will not be effective without an engaged risk manager. It may be necessary to engage higher levels in the customer organization to ensure the need for the risk manager is addressed. This can be difficult and usually involves engaging more senior levels of the MITRE team as well. Develop a high-level mitigation strategy. This is an overall approach to reduce the risk impact severity and/or probability of occurrence. It could affect a number of risks and include, for example, increasing staffing or reducing scope. Identify actions and steps needed to implement the mitigation strategy. Ask these key questions: o
o
o
What actions are needed?
Make sure you have the right exit criteria for each. For example, appropriate decisions, agreements, and actions resulting from a meeting would be required for exit, not merely the fact that the meeting was held. Look for evaluation, proof, and validation of met criteria. Consider, for example, metrics or test events. Include only and all stakeholders relevant to the step, action, or decisions. o
o
o
When must actions be completed?
Backward Planning: Evaluate the risk impact and schedule of need for the successful completion of the program and evaluate test events, design considerations, and more. Forward Planning: Determine the time needed to complete each action step and when the expected completion date should be. Evaluate key decision points and determine when a move to a contingency plan should be taken. o
o
o
Risk
33 | Page
Superior University, Lahore
Management
by: Asif Masood Ahmad
Who is the responsible action owner? What resources are required? Consider, for example, additional funding or collaboration. How will this action reduce the probability or severity of impact?
Develop a contingency plan ("fall back, plan B") for any high risk. Are cues and triggers identified to activate contingency plans and risk reviews? Include decision point dates to move to fallback plans. The date to move must allow time to execute the contingency plan. Evaluate the status of each action. Determine when each action is expected to be completed successfully. Integrate plans into IMS and program management baselines. Risk plans are integral to the program, not something apart from it.
o
o
5. Risk Monitoring, Review & Reporting
Risk Monitoring Definition
The ongoing and systematic tracking and evaluating of risk management decisions and actions against strategies, risk appetite, policies, limits and key risk indicato rs. Risk monitoring incorporates a feedback loop into the other components of the risk management process, namely risk identification, measurement/assessment, management and/or reporting.
34 | Page
Superior University, Lahore
Risk
Management
by: Asif Masood Ahmad
Monitoring and review should be a planned part of the risk management process and involve regular checking or surveillance. The results should be recorded and reported externally and internally, as appropriate. The results should also be an input to the review and continuous improvement of the firm's risk management framework. Responsibilities for monitoring and review should be clearly defined. The firm's monitoring and review processes should encompass all aspects of the risk management process for the purposes of: Ensuring that controls are effective and efficient in both design and operation Obtaining further information to improve risk assessment Analysing and learning lessons from risk events, including near-misses, changes, trends, successes and failures Detecting changes in the external and internal context, including changes to risk criteria and to the risks, which may require revision of risk treatments and priorities Identifying emerging risks. As part of the monitoring process, the thresholds for the risk criteria should be reviewed at the commencement of each risk assessment cycle to identify the processes that may be subject to increased risks and, as such, would derive the greatest value from the risk assessment.
Step – I M o n i t o r & R e v i ew
Regularly review risks identified in the firm’ s risk register. Document any actions or events that change the status of a risk, for example:
Changes to a risk evaluation as a result of improvements in controls A control breach and near miss should be logged at the time of the event A new risk that has been identified. Partners should review the risk register on a regular basis, such as at a monthly partners’ meeting, to determine if any remedial action needs to be taken immediately.
Step – I I C o n t i n u o u s I m p r o v e m e n t
The effectiveness of the risk management framework implemented needs to be periodically reviewed to ensure continuous improvement of risk management in the firm. The purpose of the framework is to embed a risk aware culture within the firm. This can be evaluated in light of breaches and near misses, the effectiveness of communication, and assessing what lessons have been learned and remedial actions taken. The framework is only effective if the context remains relevant to the firm, as this sets the scope for risk management. Ensure the practice objectives and the internal and external context for risk management are current and accurate. The assessment criteria used in the risk framework also need to be reviewed to ensure they remain relevant to the size and complexity of the practice. Example of Risk Monitoring & Review
The key output from the monitor and review stage of the risk management process is ongoing. An example of how this can be documented in a risk register is shown: RISK IDENTIFICATION
RISK MONITORING & REVIEW
Risk
35 | Page
Superior University, Lahore Event
Management
by: Asif Masood Ahmad Method
Progress and Com pliance Reporting
Status
Failure to meet compliance obligations
Monthly review at Practitioner/Partner meeting
1. Compliance review incomplete 2. Research delayed on potential system/tool
OPEN
Loss of Practitioner
Quarterly review of succession plan
1. Power of attorney in place 2. Documentation of key processes in progress
OPEN
Failure to collect receivables in a timely manner
Report fortnightly on receivables 1. Receivables tracking under review
OPEN
Risk Reporting
The communication of risk information in all phases of the risk management process, namely identification, measurement, management and monitoring. Risk reporting includes at least the reporting of: aggregate exposures against targets/strategies; key issues for the key issues control log; compliance with limit system; key risk indicators; and review findings. Detailed information about the risk at individual level and at portfolio level are required to manage effectively. It is also the task of risk reporting, an independent unit of the market division, to consolidate and process the information related to risk controlling and to aggregate it into a risk report covering the following four areas: 1. The report has to show the development of the total portfolio and sub-portfolios in terms of risk; furthermore, important individual positions have to be elaborated on. 2. The report must foster the need for action, that is mainly risk mitigation measures, resulting from the assessment of future market trends, the coordination with risk-bearing capacity and risk strategy, as well as findings from analyzing the competition 3. The risk report has to explain how the measures will affect the institution’s r isk situation and what the deadline for the implementation of the measures is. 4. The risk report must summarize the efficiency of risk identification, assessment and control, by disclosing weak/problematic points to be processed in the futur e and a short term guideline for concerns to be under the internal audit attention. The risk department/sector prepares the risk report and submits it to the risk committee. The report’s level of detail has to be adapted to the information required by the recipient in e ach case. This would require an analysis as to the needs of the respective decision-making levels, resulting in the preparation of reports in accordance with those needs. In its final version, the credit risk report should contain all levels of detail to ensure that the data communicated within the bank are consistently available for all levels of detail should those data be required in the decision-making process.
Enterprise Risk Management [ERM] Framework
Risk
36 | Page
Superior University, Lahore
Management
by: Asif Masood Ahmad
ERM frameworks defined There are various important ERM frameworks, each of which describes an approach for identifying, analyzing, responding to, and monitoring risks and opportunities, within the internal and external environment facing the enterprise. Management selects a risk response strategy for specific risks identified and analyzed, which may include: 1. A v o i d a n c e : exiting the activities giving rise to risk
taking action to reduce the likelihood or impact related to the risk 2. R e d u c t i o n : 3. A l t e r n a t i v e A c t i o n s : deciding and considering other feasible steps to minimize risks. 4. Share or Ins ure: transferring or sharing a portion of the risk, to finance it 5. A c c e p t : no action is taken, due to a cost/benefit decision
Monitoring is typically performed by management as part of its internal control activities, such as review of analytical reports or management committee meetings with relevant experts, to understand how the risk response strategy is working and whether the objectives are being achieved.
Casualty Actuarial Society framework In 2003, the Casualty Actuarial Society (CAS) defined ERM as the discipline by which an organization in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organization's short- and long-term value to its stakeholders." The CAS conceptualized ERM as proceeding across the two dimensions of risk type and risk management processes. The risk types and examples include:
Strategic risks
Competition, Social trend, Capital availability
Financial risk
Pricing risk, Asset risk, Currency risk, Liquidity risk
Operational risk
Customer satisfaction, Product failure, Integrity, Reputational risk
Hazard risk (Compliance risks + Other risks)
Liability torts, Property damage, Natural catastrophe The risk management process involves: 1. E s t a b l i s h i n g C o n t e x t : This includes an understanding of the current conditions in which
the organization operates on an internal, external and risk management context.
Risk
37 | Page
Superior University, Lahore
Management
by: Asif Masood Ahmad
2. Id e n t i f y i n g R i s k s : This includes the documentation of the material threats to the organization’s achievement of its objectives and the representation of areas that the
organization may exploit for competitive advantage. 3. A n a l y z i n g / Q u an t i f y i n g R i s k s : This includes the calibration and, if possible, creation of
probability distributions of outcomes for each material risk. 4. In t e g r a t i n g R i s k s : This includes the aggregation of all risk distributions, reflecting
correlations and portfolio effects, and the formulation of the results in terms of impact on the organization’s key performance metrics. 5. A s s e s s i n g / P ri o r i t i zi n g R i s k s : This includes the determination of the contribution of each
risk to the aggregate risk profile, and appropriate prioritization. 6. T r ea t i n g /E x p l o i t i n g R i s k s : This includes the development of strategies for controlling and
exploiting the various risks. 7. M o n i t o r i n g a n d R e v i e w i n g : This includes the continual measurement and monitoring of
the risk environment and the performance of the risk management strategies.
RIMS Risk Maturity Model The RIMS Risk Maturity Model (RMM) for Enterprise Risk Management, published in 2008, is an umbrella framework of content and methodology that detail the requirements for sustainable and effective enterprise risk management. The RMM model consists of twenty-five competency drivers for seven attributes that create ERM’s value and utility in an organization. The 7 attributes are:
E R M b a s ed a p p r o a c h
ERM process m anagement
Risk appetite management
Root cause discipline
Uncovering risks
P e r fo r m a n c e m a n a g e m e n t
B u s i n e s s r e s i l i en c y a n d s u s t a i n a b i l i t y
The model was published by the Risk and Insurance Management society and developed with the support of co-developer Steven Minsky, CEO of Logic Manager . The Risk Maturity Model is based on the Capability Maturity Model, a methodology founded by the Carnegie Mellon University Software Engineering Institute (SEI) in the 1980s.
COSO (Committee of Sponsoring Organizations) ERM framework The COSO "Enterprise Risk Management-Integrated Framework" published in 2004 defines ERM as a "… process, effected by an entity's board of directors, management, and other personnel,
38 | Page
Superior University, Lahore
Risk
Management
by: Asif Masood Ahmad
applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." The COSO ERM Framework has eight Components and four objectives categories. It is an expansion of the COSO Internal Control-Integrated Framework published in 1992 and amended in 1994. The eight components are:
Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information and Communication
Monitoring
The four objectives categories are:
Strategy - high-level goals, aligned with and supporting the organization's mission
Operations - effective and efficient use of resources
Financial Reporting - reliability of operational and financial reporting
Compliance - compliance with applicable laws and regulations
COCO (Criteria of Control) When the CICA's Criteria of Control Board issued Guidance on Control in November 1995, its aim was to provide a modern framework that stakeholders could use to develop, assess and change control.1While there are elements to praise in that and subsequent documents issued by the board, Guidance on Control largely fails to recognize that issues of power are crucial for understanding and designing control systems. Accountants need a more complete view of control. Guidance on Control can be seen as a response from the profession in Canada to recent management trends. First, there are increasing calls for public reporting about the effectiveness of an organization's control systems. Second, control systems in many organizations have changed significantly due to downsizing and increasing global competition. Many organizations have decided to put greater emphasis on informal controls, such as shared values and open communication. These developments led the Criteria of Control Board to conceive control broadly,