CHARTERED INSTITUTE OF LOAN &
RISK MANAGEMENT OF NIGERIA
(CILRMN)
UNDERSTANDING RISK MANAGEMENT
PAPER PRESENTED
By
DR. KENNY M.J. OTEJE (PhD)
FCILRM, FCE, FCEG, FCMA, ACA, ACPA,
CFM, MICA,
DR. ICRMP
FOOD FOR THOUGHT
Running away will never solve the
problem because they say, “When you
abandon your own hill, the next one
you climb will crumble”
EXPECTATIONS
• After this training participants should be able
to:
• Understand Risk Management definition
• Understand Risk Management Cycle
• Understand the various principles of Risk
Management
• Understand the Risk Management Processes
• Understand the involvement of HR in Risk issues,
etc.
PREAMBLE:
Risk management can minimize the chances
and effects of bad outcomes and can
accelerate an organization’s recovery from
disasters. But it doesn’t mean avoiding all
risks. In this training we’ll look at the ins and
outs of risk management—what it is and how
it works.
What is a risk?
The likelihood of something happening and the
severity of its consequences.
Could it happen and would it hurt?
The effect of uncertainty on our
objectives.
What is risk management?
• Risk Management is about managing threats
• It is about good management:
– Managers being aware of what could stop them achieving their
objectives
– Leadership recognising potential exceptional / unexpected
events that could disrupt activities
• To be effective, it should be at the forefront of daily business
and decision making
• It is also about opportunities
Risk Management
Risk Management is NOT about eliminating all risks
Risk Management IS about gaining a better understanding of
the nature, scale and potential effects
And then
Taking appropriate action to reduce or mitigate threats and
maximise opportunities
What is the appetite of the organisation towards risk?
Risk Management Basics
Risk (uncertainty) may affect the achievement of objectives.
Effective mitigation strategies and controls can reduce negative
risks (threats) or increase opportunities.
Residual risk is the level of risk remaining after applying risk
controls.
Acceptance and action should be based on residual risk levels.
Why do we need to manage risks?
Risk Management protects and adds value to the
organisation and its stakeholders through supporting the
organisation’s objectives.
It should be about the management, not avoidance of
risk
It should help to prioritise work in a fast moving
context
RISK MANAGEMENT NEEDS TO BECOME A
STYLE OF THOUGHT, AND SHOULD
DEFINITELY NOT BE A MERE PAPER CHASE
What could happen if we don’t
manage our risks effectively?
High profile case failure
Adverse inspection results / prosecution
Unfavourable press
Financial implications
Severe reputational damage
To name but a few!!
THE RISK MANAGEMENT CYCLE
Confirm Strategy
Risk Management Cycle – Step 1
MISSION: DEFINE PURPOSE
STRATEGY: HIGH LEVEL PLAN
GOALS: UNIT SPECIFIC TARGETS
Risk Management Cycle – Step 2
Risk Identification – what are the threats and
uncertainties associated with my organization’s or
unit’s objectives?
Separate out the risk into its cause & possible
effect
Be concise & clear
Do not concentrate on symptoms only
Risk Management Cycle – Step 5
Monitor & Report
Use a standard format for capturing risk data e.g. a “Risk
Register”
Review all risks at least annually
Serious risks to be reviewed more often depending on
circumstances
Report on risk to senior management / Board
Make Risk Register available to stakeholders to show good
Steps of the Risk Management Process
Step 1. Communicate and consult.
Step 2. Establish the context.
Step 3. Identify the risks.
Step 4. Analyze the risks.
Step 5. Evaluate the risks.
Step 6. Treat the risks.
Step 7. Monitor and review.
Risk management techniques
[Cycle diagram, "Risk Techniques": Assess Risk; Develop Systems; Implement Programs; Monitor Efforts; Evaluate / modify systems]
Step 1: Communicate and consult
Communication and consultation aim to identify who should be
involved in the assessment of risk (including identification,
analysis and evaluation), and they should engage those who will
be involved in the treatment, monitoring and review of risk.
Step 1: Communicate and consult-2
• As such, communication and consultation will be
reflected in each step of the process described here.
As an initial step, there are two main aspects that
should be identified in order to establish the
requirements for the remainder of the process.
These are communication and consultation aimed
at:
A. Eliciting risk information
B. Managing stakeholder perceptions for management of
risk.
A- Eliciting risk information
• Communication and consultation may occur within the
organization or between the organization and its
stakeholders.
• It is very rare that only one person will hold all the
information needed to identify the risks to a business or
even to an activity or project.
• It is therefore important to identify the range of
stakeholders who will assist in making this
information complete.
B-Managing stakeholder perceptions for
management of risk
Tips for effective communication and consultation
• Determine at the outset whether a communication
strategy and/or plan is required
• Determine the best method or media for
communication and consultation
• The significance or complexity of the issue or activity in
question can be used as a guide as to how much
communication and consultation is required: the more
complex and significant to the organization, the more
detailed and comprehensive the requirement.
Step 2. Establish the context
This step provides a five-step process to assist with
establishing the context within which risk will be
identified.
1. Establish the internal context
2. Establish the external context
3. Establish the risk management context
4. Develop risk criteria
5. Define the structure for risk analysis
1. Establish the internal context
• As you know, risk is the chance of something
happening that will impact on objectives.
As such, the objectives and goals of a business,
project or activity must first be identified to ensure
that all significant risks are understood.
This ensures that risk decisions always support the
broader goals and objectives of the business. This
approach encourages long-term and strategic
thinking.
1. Establish the internal context-2
In establishing the internal context, the business owner
may also ask themselves the following questions:
• Is there an internal culture that needs to be considered?
For example, are staff resistant to change? Is there a
professional culture that might create unnecessary risks
for the business?
- What staff groups are present?
- What capabilities does the business have in terms of
people, systems, processes, equipment and other
resources?
2. Establish the external context
• This step defines the overall environment in
which a business operates and includes an
understanding of government policies and the
clients’ or customers’ perceptions of the
business. An analysis of these factors will
identify the strengths, weaknesses,
opportunities and threats to the business in the
external environment.
2. Establish the external context-2
A business owner may ask the following questions
when determining the external context:
• What regulations and legislation must the
business comply with?
• Are there any other requirements the business
needs to comply with?
• What is the market within which the business
operates? Who are the competitors?
• Are there any social, cultural or political issues
that need to be considered?
Tips for establishing internal and
external contexts
• Determine the significance of the activity in
achieving the organization's goals and
objectives
• Define the operating environment
• Identify internal and external stakeholders and
determine their involvement in the risk
management process.
3. Establish the risk management context
• Before beginning a risk identification exercise, it is
important to define the limits, objectives and scope
of the activity or issue under examination.
For example, in conducting a risk analysis for a
new project, such as the introduction of a new
piece of equipment or a new product line, it is
important to clearly identify the parameters for this
activity to ensure that all significant risks are
identified.
Tips for establishing the risk
management context
• Define the objectives of the activity, task or
function
• Identify any legislation, regulations, policies, standards
and operating procedures that need to be complied with
• Decide on the depth of analysis required and allocate
resources accordingly
• Decide what the output of the process will be, e.g. a risk
assessment, job safety analysis or a board presentation. The
output will determine the most appropriate structure and type
of documentation.
4. Develop risk criteria
• Risk criteria allow a business to clearly
define unacceptable levels of risk.
Conversely, risk criteria may include the
acceptable level of risk for a specific
activity or event.
Tips for developing risk criteria
• Decide or define the acceptable level of
risk for each activity
• Determine what is unacceptable
• Clearly identify who is responsible for
accepting risk and at what level.