Risk and Risk Management:
Risk can be defined as the combination of the probability of an event and its consequences (ISO/IEC Guide 73). In all types of undertaking there is potential for events and consequences that constitute opportunities for benefit (upside) or threats to success (downside). Risk management is increasingly being considered from both the positive and the negative perspective. In this first part of the article, we look at the general background of risk and at risk assessment, which comprises risk analysis and risk evaluation.
Risk management is a central part of any organisation’s strategic management. It is the process by which an organisation methodically addresses the risks attached to its activities with the goal of achieving sustained benefit within each activity and across the portfolio of all activities. Good risk management focuses on the identification and treatment of these risks. Its objective is to add sustainable value to all the activities the organisation undertakes. Risk management should be a continuous and developing process that runs throughout the organisation’s strategy and the implementation of that strategy. It must be embedded in and integrated into the culture of the organisation through an effective policy and/or programme led by the most senior management. The risks facing an organisation and its operations can be categorised by factors both external and internal to the organisation.
Another method of classification is to reflect broad business functions, grouping risks relating to production, information technology, finance and so on. Whatever the classification, directors also have to ensure that there is effective management of both the few risks that are fundamental to the organisation’s continued existence and prosperity and the many risks that impact on day-to-day activities and have a shorter time frame than longer-term strategic risks. These two types of risk can be categorised as strategic and operational respectively.
Risk Assessment – Analysis and Evaluation
The risk management process starts with the organisation’s strategic objectives and continues with risk assessment (analysis and evaluation), followed by risk reporting, decision, risk treatment, residual risk reporting and monitoring. Risk assessment is the overall process of risk analysis and risk evaluation (ISO/IEC Guide 73). Risk analysis starts with risk identification. This requires an intimate knowledge of the organisation, the market in which it operates, and the legal, social, political and cultural environments in which it exists, plus a sound understanding of its strategic and operational goals, including the factors critical to its success and the threats and opportunities related to the achievement of those goals.
Risk identification is followed by risk description, which aims to display the identified risks in a structured format. A well-designed structure ensures comprehensive risk identification, description and assessment. This includes consideration of the consequences and probability of each risk, and prioritising and categorising the risks according to business activity. Risk estimation can be quantitative, semi-quantitative or qualitative in terms of the probability of occurrence and the possible consequences. Risk is analysed using a range of techniques, some of which are specific to upside or to downside risk. The end result is a risk profile that gives a significance rating to each risk and provides a tool for prioritising risk treatment effort. Risk evaluation is the comparison of the estimated risks against the risk criteria the organisation has established. These criteria may include associated costs and benefits, legal requirements, socio-economic and environmental factors, the concerns of stakeholders, and so on. Risk evaluation is therefore used to make decisions about the significance of risks to the organisation and whether each specific risk should be accepted or treated.