1' Risk

1
1. Risk

• Risk is defined as??????????????????????????????
  ??????????????????????combination of the
  probability of an event and its consequences
• ??????????????????????????????????????????????????
  ?There is the potential for events and
  consequences that constitute opportunities for
  benefit (upside) or threats to success (downside)

2
2. Risk Management

• ??????????????????????????????????????????????????
  ??????????????????????????????????????????????????
  ??????????????????????????
• process whereby organizations methodically
  address the risks attaching to their activities
  with the goal of achieving sustained benefit
  within each activity and across the range of all
  activities.

3
Risk Management Process

• Organizations objectives
• Risk assessment
• Risk analysis
• Risk identification
• Risk description
• Risk estimation
• Risk evaluation
• Risk reporting
• Decision
• Risk treatment
• Residual risk reporting
• Monitoring

4
STRATEGIC RISKS COMPETITION CUSTOMER
CHANGES INDUSTRY CHANGES CUSTOMER DEMAND
FINANCIAL RISKS INTEREST RATES FOREIGN
EXCHANGE CREDIT
RESEARCH DEVELOPMENT INTELLECTUAL CAPITAL
LIQUIDITY CASH FLOW
EXTERNALY DRIVEN
INTERNALY DRIVEN
EXTERNALY DRIVEN
RECRUITMENT SUPPLY CHAIN
PUBLIC ACCESS EMPLOYEE PROPERTIES PRODUCTS
SERVICES
REGULATIONS CULTURES BOARD COMPOSITION OPERAT
IONAL RISKS
NATURAL EVENTS CONTRACTS SUPPLIERS ENVIRONMENT
HAZARD RISKS
EXAMPLES OF DRIVERS OF KEY RISKS
5
The Organizations Strategic Objectives
Risk Assessment

• Risk Analysis
• Risk Identification
• Risk Description
• Risk Estimation

Risk Evaluation
MODIFICATION
FORMAL AUDIT
Risk Reporting Threats and Opportunities
Decision
Risk Treatment
Residual Risk Reporting
Monitoring
Risk Management Process
6
3. Risk Assessment

• Risk analysis and risk evaluation

7
4. Risk Analysis
8
4.1 Risk Identification

• Risk identification is a process to identify an
  organizations exposure to uncertainty.
• This requires an intimate knowledge of
• the organization
• the market in which it operates
• its legal, social, political and cultural
  environment
• its strategic and operational objectives
• factors critical to its success
• threats and opportunities
• Risk identification should be approached in a
  methodical way
• all significant activities within the
  organization have been identified
• all the risks flowing from these activities are
  defined.
• All associated volatility related to these
  activities should be identified and categorized.

9
Examples of business activities and decisions

• Strategic
• Long-term strategic objectives
• Can be affected by such areas as
• capital availability
• sovereign and political risks
• legal and regulatory changes
• reputation
• changes in the physical environment.

10
Examples of business activities and decisions

• Operational
• Day-to-day issues of the organization to deliver
  its strategic objectives.

11
Examples of business activities and decisions

• Financial
• Management and control of the finances of the
  organization
• Effects of external factors such as
• availability of credit
• foreign exchange rates
• interest rate movement
• other market exposures.

12
Examples of business activities and decisions

• Knowledge management
• Effective management and control of the knowledge
  resources, the production, protection and
  communication thereof
• External factors might include unauthorized use
  or abuse of
• intellectual property
• area power failures
• competitive technology.
• Internal factors might be system malfunction or
  loss of key staff.

13
Examples of business activities and decisions

• Compliance
• Issues such as
• health safety
• environment trade descriptions
• consumer protection
• data protection
• employment practices
• regulatory issues.

14
4.2 Risk Description

• The objective is to display the identified risks
  in a structured format, e.g., by using a table.
• The risk description table can be used to
  facilitate the description and assessment of
  risks.
• The use of a well designed structure is necessary
  to ensure a comprehensive risk identification,
  description and assessment process.

15
4.2 Risk Description

• By considering the consequence and probability of
  each of the risks set out in the table, it should
  be possible to prioritize the key risks that need
  to be analyzed in more detail.

16
4.2 Risk Description

• Identification of the risks associated with
  business activities and decision making may be
  categorized as
• strategic
• project/tactical
• operational
• It is important to incorporate risk management at
  the conceptual stage of projects as well as
  throughout the life of a specific project.

17
(No Transcript)
18
4.3 Risk Estimation

• Risk estimation can be quantitative,
  semi-quantitative or qualitative in terms of the
  probability of occurrence and the possible
  consequence.

19
CONSEQUENCES OF THREATS
HIGH
Financial impact is likely to exceed
X Significant impact on the strategies and
activities Significant stakeholder concern
MEDIUM
Financial impact is likely to be between X and
Y Moderate impact on the strategies and
activities Moderate stakeholder concern
LOW
Financial impact is likely to be less than X Low
impact on the strategies and activities Low
stakeholder concern
20
(No Transcript)
21
(No Transcript)
22
(No Transcript)
23
4.4 Risk Identification Techniques

• Examples
• Brainstorming
• Questionnaires
• Business studies which look at each business
  process and describe both the internal processes
  and external factors which can influence those
  processes
• Industry benchmarking
• Scenario analysis
• Risk assessment workshops
• Incident investigation
• Auditing and inspection
• HAZOP (Hazard Operability Studies)

24
Risk Analysis Methods and Techniques

• Market survey
• Prospecting
• Test marketing
• Research and Development
• Business impact analysis

25
Risk Analysis Methods and Techniques

• Threat analysis
• Fault tree analysis
• FMEA (Failure Mode Effect Analysis)

26
Risk Analysis Methods and Techniques

• Both
• Dependency modelling
• SWOT analysis (Strengths, Weaknesses,
  Opportunities, Threats)
• Event tree analysis
• Business continuity planning
• BPEST (Business, Political, Economic,
  Social,Technological) analysis
• Real Option Modeling
• Decision taking under conditions of risk and
  uncertainty
• Statistical inference
• Measures of central tendency and dispersion
• PESTLE (Political Economic Social Technical Legal
  Environmental)

27
5. Risk Evaluation

• To compare the estimated risks against risk
  criteria which the organization has established.
• Risk criteria may include associated costs and
  benefits, legal requirements, socioeconomic and
  environmental factors, concerns of stakeholders,
  etc.
• To make decisions about the significance of risks
  to the organization and whether each specific
  risk should be accepted or treated.

28
6. Risk Reporting and Communication

• Internal reporting
• Different levels within an organization need
  different information from the risk management
  process.
• External reporting
• An enterprise needs to report to its stakeholders
  on a regular basis setting out its risk
  management policies and the effectiveness in
  achieving its objectives.

29
The Board of Directors should

• know about the most significant risks facing the
  organization
• know the possible effects on stakeholder
• ensure appropriate levels of awareness throughout
• know how the organization will manage a crisis
• know the importance of stakeholder confidence
• know how to manage communications with the
  community
• be assured that the risk management process is
  working effectively
• publish a clear risk management policy covering
  risk management philosophy and responsibilities

30
Business Units should

• be aware of risks which fall into their area of
  responsibility, the possible impacts these may
  have on other areas and the consequences other
  areas may have on them
• have performance indicators which allow them to
  monitor the key business and financial
  activities, progress towards objectives and
  identify developments which require intervention
  (e.g. forecasts and budgets)
• have systems which communicate variances in
  budgets and forecasts at appropriate frequency to
  allow action to be taken
• report systematically and promptly to senior
  management any perceived new risks or failures of
  existing control measures

31
Individuals should

• understand their accountability for individual
  risks
• understand how they can enable continuous
  improvement of risk management response
• understand that risk management and risk
  awareness are a key part of the organizations
  culture
• report systematically and promptly to senior
  management any perceived new risks or failures of
  existing control measures

32
Formal reporting should address

• the control methods particularly management
  responsibilities for risk management
• the processes used to identify risks and how they
  are addressed by the risk management systems
• the primary control systems in place to manage
  significant risks
• the monitoring and review system in place

33
7. Risk Treatment

• the process of selecting and implementing
  measures to modify the risk.
• Risk treatment includes
• Risk control
• Risk mitigation
• Risk avoidance
• Risk transfer

34
8. Monitoring and Review

• Any monitoring and review process should
  determine whether
• the measures adopted resulted in what was
  intended
• the procedures adopted and information gathered
  for undertaking the assessment were appropriate
• improved knowledge would have helped to reach
  better decisions and identify what lessons could
  be learned for future assessments and management
  of risks

35
Questions and Answers