RISK MANAGEMENT PROCESS
The future is largely unknown. Most business decision-making takes place on the basic of expectations about the future. Making a decision on the basis of assumptions, expectations, estimates and forecasts of future events involves taking risks. Risk has been described as the “sugar and salt of life”. This implies that risk can have an upside as well downside. People take risk in order to achieve some goal they would otherwise not have reached without taking that risk.
On the other hand, risk can mean that some danger or loss may be involved in carrying out an activity and therefore, care has to be taken to avoid that loss. This is where Risk Management is important, in that it can be used to protect against loss or danger arising from a risky activity.
Risk management process is an integrated process of delineating specific areas or risk, developing a comprehensive plan, integrating the plan, and conducting ongoing evaluation.
The risk management process involves the following logical steps:
STEP 1: RISK MANAGEMENT PROCESS: CONTEXT DEFINED
The first step is to define context of risk management process. This step helps identifying the areas of risk that need to be managed. It also provides a base on which further steps are taken. If this base is not proper then all the steps in this process my yield accurate results. This step further identifies the resources required to start the process. It also defines the limit on the basis of potential risk involved in a particular organisation on all levels and the worst consequences in case these risks are not managed properly and timely.
STEP 2: RISK MANAGEMENT PROCESS: RISK IDENTIFICATION
The next step or phase of risk management process is to identify all possible sources and the source of risk can be identified only when one has proper knowledge of the organisation, market in which operate financial strengths and weaknesses etc. The weak spots or areas of weak should be identified. The identification of such areas will help in curbing weak spots will the areas of risk that were taken into consideration when defining the context.
There are different sources of potential risk such as market preferences, seasonal business cycles, competition, technology, lack of knowledge, political ideology etc. Diff sources may generate different type of risks. The risk may differ from organisation due to different objectives, types of products and services provided by organisations, the scenarios in which organisation is working, type of market in which the organisation is competing with its competitors. It is essential to study all the aspects to identify the risk the organisation can get exposed to.
The risk managers must create a list of weaknesses (vulnerabilities) along with the list of sources of risk to identify all the possibilities of risk on the basis of past events that has already occurred, Financial Statements, Risk analysis questionnaires and events of similar nature etc. Thus, risk managers will be able to build a risk profile of the organisation.
Techniques of Risk Identification
- Project review: The risk manager reviews the project, its plans and assumptions in detail before accepting or rejecting a particular project.
- Information gathering: The next technique in risk identification is to collect the information with brainstorming Delphi; interviewing and strengths, weaknesses opportunities, and threats (SWOT) analysis etc.
- Brainstorming: Brainstorming helps in collecting information by potting down the list of ideas given by the members of the group. This process helps in finding conclusion to a specific problem. The group members list all types of risks involved in a particular project and then steps are taken to manage any kind as well as source of risk.
- Delphi technique: This technique helps in solving the problem with the help of questionnaire and this process is done anonymously to avoid any kind of biases. The experts then review these questionnaires and try to solicit the ideas about the source and type of risk involved in a particular project.
- Interviewing: This is one of the best techniques of risk identification as the experienced project managers are interviewed to reach at the conclusion. As there is face to face interaction, this technique is better than other techniques but it may lead to biasness. They can identify risks on the basis of project information and their experience.
- SWOT analysis: Each project is analysed through SWOT Analysis. This analysis helps in identifying strengths, weakness, opportunities and threats that a project can face in future.
STEP 3: RISK MANAGEMENT PROCESS: RISK ASSESSMENT
After identifying different type of risk that an organisation can face, the next step in risk management process is to assess those risks. Risk Assessment is also known as risk measurement. It is an important step in risk management. The manager will depend upon historical data and post experience while measuring risk. Such an exercise will help in ascertaining the estimated loss in the occurrence of adverse situations in future. This may help in determining the volume of insurance, premium amount.
Risk Assessment is based on:
– the chance of loss or probability that determine the chance of occurring an event;
– the impact of the event on the organisation.
It is not easy to assess the probability and impact of risk on organisation and it is must to have an unbiased analysis of the situation or event that must have occurred in past. The data must be analysed with the help of appropriate statistical tools depending on the circumstances and type of risk.
There are two elements which an organisation must study for risk assessment:
1. Probabilities: It refers to the likelihood or chance of occurring an event or lose t an organisation. Sometimes it is easy to predict probability by studying historical data objectively but in some cases it becomes difficult to estimate probability subjectively.
2. Variability of outcomes: It leads to risk, and higher the variability the more the risk. Variation in outcome can be measured by range, standard deviation etc. The highest and lowest values can give the limit within which the variation lies. It can be used with other statistical tools to arrive at conclusion.
Each potential risk must, however, be perceived with greater or less intensity, with regard to the real risk content, based upon the “force” with which the relevant information is made available, especially when there are specific sensibilities. Therefore, the assessment process requires a constant engagement directed toward the objectivity of the judgments, in fact, if the risks are assessed in an irrational manner and their corresponding priority is assigned in an improper manner, there could be a lack of coverage and/or defence and useful resources could be wasted that, if better applied, could lead to more effective management.
Once probability and consequences have been established, a “risk matrix” is usually prepared that relates to the “risk profile” created in the previous phase.
STEP 4: RISK MANAGEMENT PROCESS: RISK TREATMENT
The analysis of risk will help in deciding that risks are to be shifted and what risks are to be retained. When one wants to shift risks then insurance comes into picture. Risk Treatment is next step of risk management process which involves decision making processes. Different risk must be tackled differently.
After identification and evaluation of different types of risk, the risk manager must make proper decision to mitigate risk. The risk manager will have to decide whether they want to transfer, exclude, reduce or accept the risk. These alternatives are evaluated properly with reference to risk profile and risk matrix. After proper evaluation the risk manager can adopt either one or in combination different alternatives to control the risk.
Alternatives for Risk Treatment
These alternatives are: Risk Transfer, Risk Avoidance, risk reduction and risk acceptance.
Risk transfer: This is a treatment for insurable risks. Those risks which can be transferred on other party through contract is called risk transfer. Generally, insurance companies work on this concept. The risk is transferred on number of persons thereby reducing the impact of loss. There are two parties to this contract. The first party is insurer (insurance company) and the other party is insured (who is getting his property or life insured). In this case risk is transferred and the insured can get protection from various types of property, fire, theft risk etc.
Risk avoidance: This is applicable when the risk cannot be transferred or reduced. In this case it is better to avoid a situation which can lead to loss in future. For example: one can avoid risk of damage in earthquake prone area by not building premises in earthquake prone area.
One of the benefits of this method is that by avoiding the risk, the risk can be reduced to zero but it is not possible to avoid the risk every time. Sometimes it is essential to take risk to earn profit. It may lead to loss of opportunity that would have generated revenue for the company. Thus, risk avoidance is not possible in all the circumstances.
Risk reduction: This alternative helps in reducing the risk by adopting various precautionary measures. This will reduce the impact or severity of loss. In this various managerial, technological and behavioural actions are taken that lower the probability of risk and/or the seriousness of the possible loss. In this case also the risk cannot be eliminated completely. Some part of risk cannot be avoided due to the circumstances which are beyond control of human beings.
Risk Acceptance: Some of the risks which cannot be avoided or reduced have to be accepted or retained in the organisation deliberately. It can be active or passive acceptance. Active acceptance means accepting the risk consciously and deliberately. Passive acceptance is due to laziness or ignorance. It is generally accepted when the probability of loss is less or it will generate great benefits if successful.
Risk treatment thus helps in risk control. Right treatment at right time can generate benefits.
STEP 5: RISK MANAGEMENT PROCESS: PLANNING
The fifth step in risk management process is planning. Planning defines the risk control methods, that is:
- The acquisition, interpretation, sending and/or storing of incoming data for the control process;
- The appropriate level and localisation for the decisions and actions connected to each type and condition of risk;
- The operative procedures and/or practice;
- The control instruments
- The acquisition interpretation, sending and/or storing of output data from the control process.
If the control plan is sufficiently broad and complex, it is recommended that the position of a Risk Manager is created, as it is an important position that is mainly directed toward coordinating all activities and their communication, although it does not have any direct responsibility for the risk itself. The planning activity is documented and collected in a risk management plan.
A meaningful goal is specific, measurable, attainable, challenging but realistic, time specific, written, and performance based. If one achieves all conditions of a specific measurable goal, confidence increases and satisfaction results. If a measurable goal is not attained, objective analysis can occur and adjustments can be made to improve the likelihood of success.
There are beneficial reasons to set goals:
1. To reflect the values, interests, resources and capabilities of everyone involved in the business
2. To provide a basis for all business and family decisions;
3. To set priorities for the allocation of scarce resources; and,
4. To measure progress.
STEP 6: RISK MANAGEMENT PROCESS: COMMUNICATION
The profile, the matrix, the risk treatment (including the cost-benefit analysis) and the control planning must be documented in detail in a Risk Management Report, which must be presented to all personnel that are involved in any manner and who must not only acknowledge it, but must also share in the approach and evolution, each for his or her own area of interest and according to each person’s level of responsibility.
If information only should not be enough targeted training courses should be developed with the purpose of making the Risk Management Report an effective management instrument.
STEP 7: RISK MANAGEMENT PROCESS: CHECKING AND SUPERVISION
The seventh step in the risk management process is checking and supervision. Checking and supervision over time concerns (whenever applicable and possible) all control instruments (technical and managerial, preventive and supervisory, evasive and reactive, etc.) that were implemented, or planned to be implemented, in compliance with the risk management plan, in order verify its efficiency and effectiveness.
The checking and supervision results must be documented, evaluated and recorded.
STEP 8: RISK MANAGEMENT PROCESS: REVIEW AND FEEDBACK
The last step in risk management process is to review the risk management plan and to provide the feedback for the risk management plan. Risk management process is a dynamic process and should be done on a continuous basis. It should be reviewed and feedback must be taken frequently and directly from within the organisation and outside the organisation with the objective of:
- Evaluating all the phases of the risk management process and if there is any deviations, it must be reported immediately to the top management. These deviations can be due to changes to the risk profile, matrix or treatment or both;
- Checking the performance of the risk management plan in order to protect the organisation from all kinds of risks.
If changes are required, another Risk Management Report must be created in order to update the plan with regard to the changes that were made.
Risk management strategies are also affected by an individual’s capacity or ability to bear (or to take) risk. Financially, risk bearing capacity is directly related to the solvency and liquidity of one’s financial position.
Risk bearing ability is also affected by cash flow requirements. This includes the obligations for cash costs, taxes, loan repayment, and family living expenses that must be met each year. The higher these obligations are as a percentage of total cash flow, the less able the business is to assume risk.
The best source of historical production and marketing information is the records maintained for the business. The records may be supplemented and complemented by information from outside sources. But there is no substitute for actual historical data.