Introduction to Risk Management Process
There are methods of “Risk definition and control”, which are documented in a systematic approach known as “Risk Management Process”. This Risk Management Process provides a reasonable defense mechanism against the potential risk that an organization is about to face. Risk Management training can, therefore, be defined as “a group of actions that are integrated within the wider context of a company organization, which are directed toward assessing and measuring possible risk management techniques.
There is eight major and minor risks management process in the above picture. Try to spot them if you can! (Answer at the end)
From the picture, we can infer that Walters Inc. has to implement the Risk Management process at the earliest. So let’s try to understand this risk management process as well as the phase involved in it.
The Story of Risk Management Process
Each organization has a “mission” and a “vision” for its formation. And therefore, in general terms, it must address the problem of protecting itself against events that bring potential risk management strategies to the organization as a whole. Earlier, companies faced different types of risk management strategies in a specific or unconnected manner. But today, It also elaborates on the risk management strategies necessary for managing the same. Company risks are normally classified into three broad categories:
1. Risks inherent to the external context
- The emergence of unfavorable laws and regulations
- Absurd changes in market conditions
- Technological innovations that favor competitors
2. Risks inherent to operative management
- Noncompliance with contractual requirements
- Possible loss of market share
- Possible loss of skills
- Possible physical damage to personnel
- Possible environmental pollution
3. Risks inherent to financial management
- Difficulty in collecting accounts receivables
- Unfavorable changes in exchange rates
- Imbalances in liquidity
Each of these risks management processes may lead to direct or indirect damage to the organization, with economic implications in the short, medium, and long term. From this point of view, therefore, the attention given to Risk Management techniques, in terms of the quality and quantity of allocated resources, must be consistent. This not only stands true for the type of risk management strategies but also for the potential negative event that could occur and the gravity of its consequences.
A complete risk management process aims to protect:
# Value already created by the organization
# Future opportunities
Phases of Risk Management Process
Generally, the risk management process is strongly connected to one another. Hence they cannot be taken care of in a fragmented manner. At the same time nor they can be taken care of by an individual department of an organization. by independent functions and/or departments, but a dedicated process is necessary that requires a structured organization and effective communication mechanisms. Traditionally, the phases of a Risk Management process are as follows:
- context definition
- risk identification
- risk assessment
- risk control
- checking and supervision
- process review
To be effective, each of these phases must be fully integrated within the company organization.
1. Context definition
Context definition stresses the following important things:
- The first and foremost thing is identifying the areas of risk. Risks may arise due to a specific combination of market, product or service, manufacturing or distribution process, as well as other external factors.
- The next thing is to identify and define an assessment activity schedule.
- Based on that, it becomes necessary to organize resources and also to define duties and responsibilities.
2. Risk identification
The next phase of the Risk management process is the risk Identification Process; it is important to identify the potential risks and then give their detailed description. Hence all possible sources of risk management training such as the positions of the stakeholders, market changes, manufacturing errors or work accidents should be thoroughly analyzed. The process of identifying potential risks management techniques must include:
- Objectives that the organization has set.
- Scenarios that the organization may face in carrying out its business.
- Procedures that the organization adopts for its management and operational purposes.
Effective risk identification finally requires the support of reasonable confirmations, which states if the analysis about the risk has been correct or not. These confirmations may be:
- A confirmation stating that the event has already occurred (Direct confirmation)
- A confirmation stating that the event has already occurred in a similar situation. (Indirect confirmation)
- A confirmation stating the cause-effect relationships stressing on the probability of the event. (Deductive nature)
In this way, a “risk profile” is outlined that is specific to each organization.
3. Risk assessment
When the risks have been identified, they must be assessed based on the following parameters:
- The probability that the negative event will occur;
- The seriousness of the direct or indirect consequences of the event itself.
The assessment made in such cases is largely dependent upon
- Criticality of the situation,
- Relevance, availability of statistical data
- Confirmed analysis procedures.
The other important job in this step of the risk management process is to assess the level of risks. This step helps in making the action plan in the context of that particular risk.
|Extreme / High-Risk||Serious danger. Immediate action is required in this type of risk. Identify and implement controls to reduce risk to as low as reasonably practical. The controls can be temporary or permanent.|
|Medium Risk||Moderate danger. Action as soon as possible to implement controls to reduce the risk to as low as reasonably practical. Actions can be for the long & short term.|
|Low Risk||It may range from Minor to negligible danger. Assess if further action can be taken. Steps should be taken to monitor the controls so the hazard is maintained as “low ” (If the hazard cannot be eliminated completely).|
# Likelihood Scale
|4||Very likely||It happens more than once a year in this industry|
|3||Likely||It happens about once a year in this industry|
|2||Unlikely||It happens every 10 years or more in this industry|
|1||Very unlikely||It has only happened once in this industry|
# Consequence scale
|4||Severe||Financial losses greater than $50,000|
|3||High||Financial losses between $10,000 and $50,000|
|2||Moderate||Financial losses between $1000 and $10,000|
|1||Low||Financial losses less than $1000|
The following formula is used to calculate risk rating: Likelihood x Consequences = Risk rating; for example, you may decide the likelihood of a fire is ‘unlikely’ (a score of 2), but the consequences are ‘severe’ (a score of 4). Then using the tables above, a fire, therefore, has a risk rating of 8 (i.e. 2 x 4 = 8).
# Risk rating table
|12-16||Severe||Needs immediate corrective action|
|8-12||High||Needs corrective action within 1 month|
|4-8||Moderate||Needs corrective action within 3 months|
|1-4||Low||It does not currently require corrective action|
Example- Crack in the Pathway of a company main office
The assessor rates the likelihood as high (likely). The reasons for the same are:
The path is frequently used by employees and visitors daily. Therefore there is a high probability that someone will be exposed to the hazard. The assessor rates consequences of a trip in this section of a path as moderate, with a sprain or break as the worst-case scenarios. Therefore the risk management process rating for this particular hazard was assessed as high. Your risk evaluation should consider:
- the importance of the activity to your business
- the amount of control you have over the risk
- potential losses to your business
- any benefits or opportunities presented by the risk.
4. Risk Control
In this phase of the risk management process, the decision-making process becomes particularly important. It includes one or more of the following conditions:
- Transfer of the risk
- Exclusion of the risk
- Reduction of the risk
- Acceptance of the risk or an amount of the risk
The selected one of the options from the above conditions will depend on the specific company situation. Also, it should consider the cost-benefit analysis. It can stress the quantitative aspects in reference to short, medium, and long-term periods.
Here the company transfers the risk to another party that is ready to accept the risk. This generally includes the risk management process insurance companies that are ready to take up the risk management techniques. But in such a case, risks such as liabilities of a criminal nature cannot be transferred.
This condition foresees the non-execution of the activity that involves a risk that cannot be transferred and/or is considered to be unacceptable. Naturally, the result is a loss of opportunity that the activity at risk management training would have represented in any case.
Risk reduction takes into account the managerial, technological, and behavioral action that lowers the probability of risk. This, in turn, reduces the seriousness of its consequences.
Acceptance of an amount of the risk
Some risks that are not transferred or not excluded are accepted. The acceptance applies when the risk has:
- Low probability of the event
- Consequences are of little relevance
- Great benefits if successful
Communication of risk is another important step in the risk management process. In this step, the following things must be properly documented in detail in a Risk Management Report:
- The profile
- The matrix
- The risk treatment
- The control planning
The above things must be presented to all personnel who are involved in any manner. If required, targeted training courses should be developed, making the Risk Management training Report an effective management instrument. The Risk Management Report establishes the document of reference for the entire Risk Management process.
The Planning step defines the risk control methods, that is:
- Interpretation, sending, or storing of incoming data for the control process;
- Appropriate level and localization for the decisions and actions of the operative procedures and/or practice;
- Control instruments
- Interpretation, sending, or storing of output data from the control process.
The planning activity is documented in the Risk Management strategies Plan. As the planning step is mainly directed toward coordinating all activities and their communication, it is recommended that the position of a Risk Manager is created.
7. Checking and Supervision
One time plan is not enough in the risk management process. It is important that Checking and supervision are carried out time and again. The checking and supervision results must always be documented, evaluated, and recorded.
8. Process review
The Risk Management Process is not a one-time but a dynamic process. And that is why it must be reviewed in a sufficiently frequent manner. It must be based upon the experience gathered in a direct manner (w.r.t the organization) or indirectly (outside of the organization. The purpose of such an activity should be:
- Evaluating possible evolutions that concern any phase of the process
- Evaluating the efficiency and effectiveness of the adopted Risk Management Plan
- Evaluating the checking and supervising results.
If revisions are made, another Risk Management process Report must be created, which is updated with respect to the changes that were made.
This is all about the Risk Management process. The picture below gives the answers to spot the risks in Walters Inc.
Spot the Risks Answers!
If you find other risks involved in this picture, please feel free to mention them in the comments below so that you can have your own share in improving Walter’s Inc.
This has been a guide to the risk management process; here, we have discussed the different phases of risks that are involved in our day-to-day life in your working environment. You may also learn more about the risk management process from the following articles.