CGE 4023
Topic 4: Risk Management Process
Overview
Risk management is essential for organizations to anticipate,
evaluate, and address risks that may affect their goals and
operations.
It involves a structured approach to dealing with uncertainty, and
each step in the process plays a critical role in safeguarding against
threats and leveraging opportunities.
4.1 Communication and Consultation
Purpose: Communication and consultation are foundational to
successful risk management. They ensure that relevant information
flows freely between stakeholders, and that everyone involved
understands the risks and their implications.
Communication and Consultation among Stakeholders
Internal and external stakeholders: Internal stakeholders include
employees, management, and board members, while external
stakeholders could include customers, suppliers, regulatory bodies, and
investors. These groups often have different perspectives, insights, and
concerns regarding risks.
Involvement of stakeholders: By consulting with stakeholders, you
can gather vital information about potential risks, clarify the objectives of
risk management, and ensure that all voices are heard in the decision-
making process.
Creating a risk-aware culture: Proper communication promotes a
culture where employees are aware of risks and understand their role
in the overall risk management process.
Ensuring understanding: Communication ensures that everyone
understands the risks, the actions being taken, and their own roles in
mitigating these risks. This step is also critical for managing
stakeholder expectations.
4.2 Scope, Context, and Criteria
Purpose: Defining the scope, context, and criteria is crucial for
framing the risk management process. It helps in establishing the
boundaries, understanding the environment, and determining the
acceptable level of risk.
Scope:
The scope defines what areas or activities the risk management
process will cover. For example, is it the entire organization, a specific
project, or a certain department? Clear scope helps focus the efforts
and resources on relevant areas.
Context of Risk Management Process
Context: The internal and external environments need to be understood
before assessing risks, as follows:
1. Internal context: Factors like organizational structure, culture,
processes, and resources are part of the internal context. Understanding
these factors helps identify how risks will impact operations.
2. External context: The market, industry trends, regulatory
requirements, political factors, and economic conditions form the
external context. These external elements influence the risks an
organization faces and its ability to manage them.
Criteria of Risk Management Process
Criteria: Criteria are the standards or benchmarks used to evaluate
the significance of a risk. The main criteria are:
1. Risk appetite: This refers to the level of risk that the organization is
willing to accept in pursuing its goals.
2. Risk tolerance: Risk tolerance defines acceptable deviations from the
organization’s objectives.
3. Impact and likelihood: Establishing clear criteria for assessing the
impact (consequences of a risk) and likelihood (the probability of the
risk occurring) is essential for consistency and prioritization.
4.3 Risk Assessment
Risk assessment is a systematic process of identifying, analyzing, and
evaluating risks. It helps decision-makers understand which risks are
critical and require attention.
Process of Risk Assessment
Risk Identification:
1. The first step is to identify all potential risks that could affect the
organization’s objectives. These can be internal or external risks,
such as financial, operational, market, or legal risks.
2. Common methods for risk identification include brainstorming
sessions, expert interviews, historical data analysis, SWOT analysis
(Strengths, Weaknesses, Opportunities, Threats), and scenario
planning.
3. Identifying risks early allows for proactive management and reduces
the chances of being caught off guard. (why??)
Risk Analysis:
1. Once risks are identified, they need to be analyzed in terms of their
likelihood (probability of occurring) and impact (the severity of their
consequences).
2. The analysis can be qualitative (using descriptive terms like low,
medium, or high) or quantitative (using numerical data such as
probabilities and financial impacts).
3. This analysis helps determine the level of each risk and whether it is
within acceptable boundaries as defined by the organization’s risk
criteria.
Risk Evaluation:
1. Risk evaluation involves comparing the results of the risk analysis
with the established criteria (risk appetite and tolerance).
2. Based on this comparison, risks are prioritized to decide which ones
require immediate action and which can be accepted or monitored.
Risks that exceed the acceptable levels need treatment, while others
may only require monitoring or no action.
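An added example, not from the slides, that puts the analysis and evaluation steps above into code and doubles as a minimal risk register: each entry is scored qualitatively (likelihood x impact on a three-point scale) and, where figures exist, quantitatively (probability x financial loss), then compared with the organization's criteria to decide whether it needs treatment, monitoring or acceptance, and the register is returned in priority order. The scale, the criteria values and the register entries are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional
LEVELS = {"low": 1, "medium": 2, "high": 3}  # constructed 3-point scale (assumption)

@dataclass
class Risk:  # one risk register entry: identified risk plus analysis inputs
    name: str
    likelihood: str                      # qualitative: low / medium / high
    impact: str                          # qualitative: low / medium / high
    probability: Optional[float] = None  # quantitative: chance per year (0..1)
    loss: Optional[float] = None         # quantitative: cost if it occurs
    disposition: str = ""                # set by evaluate(): treat / monitor / accept

@dataclass
class Criteria:  # risk criteria fixed in the scope, context and criteria step
    tolerance_score: int           # highest qualitative score accepted untreated
    watch_score: int               # scores at or above this are monitored
    appetite_expected_loss: float  # highest annual expected loss accepted

def qualitative_score(risk: Risk) -> int:
    """Qualitative analysis: likelihood level times impact level (1..9)."""
    return LEVELS[risk.likelihood] * LEVELS[risk.impact]

def expected_loss(risk: Risk) -> Optional[float]:
    """Quantitative analysis: probability times financial impact, if both are known."""
    if risk.probability is None or risk.loss is None:
        return None
    return risk.probability * risk.loss

def evaluate(register: list, criteria: Criteria) -> list:
    """Risk evaluation: compare each analysed risk with the criteria, then prioritise."""
    for r in register:
        score, loss = qualitative_score(r), expected_loss(r)
        over_appetite = loss is not None and loss > criteria.appetite_expected_loss
        if score > criteria.tolerance_score or over_appetite:
            r.disposition = "treat"    # exceeds the acceptable level
        elif score >= criteria.watch_score:
            r.disposition = "monitor"  # tolerable, but track it for change
        else:
            r.disposition = "accept"   # low probability and low impact
    # Highest qualitative score first, largest expected loss as tie-breaker.
    return sorted(register, key=lambda r: (qualitative_score(r), expected_loss(r) or 0.0), reverse=True)
# Constructed sample register; the figures are illustrative, not from the slides.
REGISTER = [
    Risk("Ransomware on file servers", "medium", "high"),
    Risk("Key vendor outage", "low", "high", probability=0.10, loss=200_000),
    Risk("Late regulatory filing", "low", "medium", probability=0.20, loss=400_000),
    Risk("Office printer failure", "low", "low"),
]
CRITERIA = Criteria(tolerance_score=4, watch_score=3, appetite_expected_loss=50_000)
```

Note that the "Late regulatory filing" entry looks tolerable on the qualitative scale alone but breaches the expected-loss appetite, which is why the slides call for both forms of analysis.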
4.4 Risk Treatment
Risk treatment refers to the process of selecting and implementing
options to manage the identified risks. This step ensures that
appropriate measures are taken to minimize potential losses or
exploit opportunities.
Risk Treatment Approaches
1. Avoidance: This involves taking actions to completely
eliminate a risk. For example, a company may decide not to
enter a risky market or discontinue a project that poses high
financial risk.
2. Mitigation (or reduction): In cases where risks cannot be
avoided, organizations can take steps to reduce the likelihood
of the risk occurring or minimize its impact. For example,
installing safety equipment to reduce the risk of workplace
accidents or implementing additional quality controls to
reduce product defects.
3. Transfer: Some risks can be transferred to a third party, typically
through contracts or insurance. For instance, a company may
purchase insurance to protect against risks such as natural disasters
or legal liabilities, or it may outsource risky activities to specialized
vendors.
4. Acceptance: Sometimes, the cost of mitigating or transferring a risk
outweighs the potential impact. In such cases, organizations may
choose to accept the risk. This is typically reserved for low-probability
or low-impact risks. However, even accepted risks need to be
monitored for changes.
Each risk treatment option should be carefully considered,
weighing the costs and benefits of the available options, as well
as the organization's strategic objectives.
4.5 Recording and Reporting
Documentation is essential in risk management for transparency,
accountability, and informed decision-making. Recording and
reporting ensure that stakeholders have access to accurate and
relevant information about risks and the actions taken to manage
them.
How to Record and Report?
Documentation: All risk management activities should be
thoroughly documented. This includes identified risks, the results of
risk assessments, decisions made regarding risk treatments, and the
implementation of risk control measures.
Risk registers: A risk register or log is a tool used to record all
identified risks, along with their analysis, evaluation, and treatment
plans. It serves as a central repository of risk-related information.
Regular reporting: Organizations must regularly report on risk
status to stakeholders, such as management teams, boards of
directors, and regulatory bodies. Reports typically include updates on
high-priority risks, changes in risk profiles, and the effectiveness of
mitigation strategies.
Decision support: By maintaining a thorough record, organizations
can support future decision-making processes, conduct reviews, and
improve risk management strategies over time.
4.6 Monitoring and Review
Risks and the environment in which an organization operates are
constantly changing. The monitoring and review process ensures that
the risk management framework remains relevant and effective over
time.
Monitoring and Review Approaches
Continuous monitoring: Organizations need to continuously track
and assess both the internal and external environments for new risks
or changes in existing risks. This involves reviewing risk treatments to
ensure they remain effective.
Effectiveness evaluation: The monitoring process includes
checking whether the implemented risk treatments are performing as
expected. If the treatments are not reducing risks as planned,
adjustments may be necessary.
Emerging risks: Organizations must be vigilant for new risks that
may arise due to changes in market conditions, technology,
regulations, or other factors. These emerging risks may require new
strategies or alterations to existing plans.
Review frequency: Regular reviews should be scheduled as part of
the risk management process. However, reviews may also be
triggered by significant events, such as changes in leadership,
financial crises, or external regulatory changes.
Feedback loop: Monitoring and review form a feedback loop that
ensures the risk management process is iterative and adaptive.
Lessons learned from previous risk management efforts feed back
into the system, leading to continuous improvement.
Tutorials
What are the potential challenges in communicating risk to different
stakeholder groups?
How does engaging stakeholders in the risk management process
help in risk identification and treatment?
How can risk mitigation reduce both the likelihood and impact of a
risk?