
Vision: A globally recognized university in a heritage city by 2030.

Mission: To produce globally skilled and morally upright professionals instilled with rich cultural
values.

Goal of the College: To produce globally competitive and morally upright professionals in business
and allied fields.
Objectives of the Program:

1. Execute managerial operations accurately and apply management models;
2. Apply effective critical thinking and problem-solving skills particularly in an organization
setting;
3. Gain the facility for using workplace technologies to access, use, and present information
to support strategic decisions;
4. Demonstrate the core business management concepts and principles; and
5. Show ethical responsibility and professionalism and live by the core values of integrity,
industry, and innovation.

Subject: Risk Management

Course Code: MGT 105


Credit units and number of hours: Three (3) units/ Fifty-four (54)

Course Description: This course will examine the way in which business and society make an
assessment of control and transfer risk. It is designed for the student with no previous knowledge
of risk management. The goal of this course is to engage students in active discovery of risk
management principles. Students will be prepared to function in a business environment, developing
an awareness of the challenges, the tools, and the process of designing and implementing a risk
management program.
Course Learning Objectives:

At the end of the subject the student will learn the following:
1. Define and explain what is risk and risk management;
2. Identify the different principles of risk management;
3. Discuss the importance of risk management;
4. Enumerate the different types of risk;
5. Identify the different sources of risk;
6. Illustrate the steps in risk management;
7. Assess the different tools in evaluating risk; and
8. Create a risk management plan.

LESSON 1

Learning objectives

At the end of the lesson, you are expected to:

• Define and explain what is risk and risk management
• Recognize the importance of studying risk management

Introduction

Every organization, small or large, is susceptible to risk in many different areas: operational,
market, legal, environmental, reputational, brand, liability, financial, and property losses.

What Is Risk?

Risk can be defined as the chance of loss or an unfavorable outcome associated with an action.
Uncertainty is not knowing what will happen in the future. The greater the uncertainty, the
greater the risk.

Risk is defined in financial terms as the chance that an outcome or investment's actual gains
will differ from an expected outcome or return. Risk includes the possibility of losing some or
all of an original investment.

A probability or threat of damage, injury, liability, loss, or any other negative occurrence that
is caused by external or internal vulnerabilities, and that may be avoided through preemptive
action. – Business Dictionary

What is Risk Management?

“Risk management” helps an organization to identify, evaluate, analyze, monitor, and mitigate the
risks that threaten the achievement of the organization’s strategic objectives in a disciplined
and systematic way (note the words “disciplined” and “systematic”).

Risk management is intentionally proactive, not reactive. It can be as simple as one crew member
mentioning that a coworker needs to wear her safety glasses, or it may involve something as
complex as a full asset allocation modeling of all of your organization’s capital assets. Risk
management practices can even be applied to events as broad and far-reaching as the loss of a
major employer in the community.

Different situations and events can simultaneously result in both good and bad
consequences. Each consequence may require a different risk management strategy.
As an example, let’s say that a new 300-home subdivision is planned for your
community. On the positive side, an event like this will likely be welcomed as it will
mean more tax revenues, increased population to support local business, and vitality
for the community. On the negative side, however, it may also result in increased
traffic and added demands on law enforcement and fire services, and it may upset
neighbors who are averse to change. Each issue will require a separate risk
management strategy.

The Benefits of Risk Management

There are four major benefits of adopting a risk management system for your organization.

First, risk management enhances management, both in day-to-day and long-term situations. Knowing
what might go wrong and how to deal with a situation lets you control the outcome.

Second, risk management systems streamline day-to-day operations. Employees who know the proper
procedures and policies are better able to do their jobs safely.

Third, risk management improves financial management. Losses, lawsuits, and injuries all cost
money and risk management helps your agency avoid these costs.

Finally, risk management helps provide consistent and enhanced services. Every time
a loss occurs or property is damaged, reports need to be written, depositions taken,
and so on, activities that take time away from an employee’s ability to provide services
to the public.
How Do You Manage Risk?

If your agency has a designated “risk manager”, that person can be a valuable resource. Most
organizations, however, do not have a full or even part-time risk manager, and thus, it falls to
everyone in the organization, in one way or another, to become a risk manager. In any event, the
actual implementation of your organization’s risk management strategies is the responsibility of
all of your department directors, employees, volunteers, and elected officials.

When assessing risks, try to stay focused on risks over which your organization has some degree
of control. For example, lightning striking and hurting someone at a public park is possible, but
what control do you have over this event? You have no control over lightning strikes, but you can
control the likelihood of an injury by posting signs informing individuals to go inside if they
hear thunder.

A business risk is a future possibility that may prevent you from achieving a business goal. The
risks facing a typical business are broad and include things that you can control such as your
strategy and things beyond your control such as the global economy.

There is a strong relationship between risk and reward. It’s generally impossible to achieve
business gains without taking on at least some risk. Therefore, the purpose of risk management
isn’t to completely eliminate risk. In most cases, risk management seeks to optimize the
risk-reward ratio within the bounds of the risk tolerance of your business.

LESSON 2
LEARNING OBJECTIVES: at the end of this topic you should be able to:

• adapt and explain the different principles of risk management; and
• enumerate the different types of business risk.

ISO 31000 is organized around 11 risk management principles. A management principle refers to a
fundamental idea, rule, or truth about a subject. ISO 31000 risk principles serve as the
guideline, method, logic, design, and implementation for the risk management framework and its
process.

ISO 31000 does not specify how the principles can be used to design, implement, and assure a risk
management process. ISO 31000 believes an organization should apply and tailor these principles
to the organizational context. ISO 31000 as a guidance document is applicable to all
organizations and may be used with any product or service.

The eleven risk management principles are:

1. Risk management establishes and sustains value.
2. Risk management is an integral part of all
organizational processes.
3. Risk management is part of decision making.
4. Risk management explicitly addresses uncertainty.
5. Risk management is systematic, structured, and
timely.
6. Risk management is based on the best available
information.
7. Risk management is tailored.
8. Risk management takes human and cultural factors
into account.
9. Risk management is transparent and inclusive.
10. Risk management is dynamic, iterative, and
responsive to change.
11. Risk management facilitates continual
improvement of the organization.
Many of us still think about ‘shall’ clauses as the basis for the design of a process
or to demonstrate compliance. ISO 31000 is different. It is more principles based. It
is more discretionary. It requires deep knowledge of risk management and context.

The successful implementation of these risk management principles will determine the design,
implementation, and assurance of an effective ISO 31000 risk management process.

20 Types of Business Risk

1. Competitive Risk- the risk that your competition will gain advantages over
you that prevent you from reaching your goals. For example, competitors that
have a fundamentally cheaper cost base or a better product.
2. Economic Risk- The possibility that conditions in the economy will increase
your costs or reduce your sales.
3. Operational Risk- the potential of failures related to the day-to-day
operations of an organization such as a customer service process. Some
definitions of operational risk claim that it is the result of insufficient or failed
processes. However, operational processes that are deemed to be complete and
successful also generate risk.
4. Legal Risk- The chance that new regulations will disrupt your business or that
you will incur expenses and losses due to a legal dispute.
5. Compliance Risk- the chance that you will break laws or regulations. In many
cases, a business may fully intend to follow the law but ends up violating regulations
due to oversights or errors.
6. Strategy Risk- The risks associated with a particular strategy.
7. Reputational Risk- is the chance of losses due to a declining reputation as a
result of practices or incidents that are perceived as dishonest, disrespectful or
incompetent. The term tends to be used to describe the risk of a serious loss of
confidence in an organization rather than a minor decline in reputation.
8. Program Risk- the risk associated with a particular business program or
portfolio of projects.
9. Project Risk- the risk associated with a project. Risk management of projects
is a relatively mature discipline that is enshrined in a major project management
methodology.
10. Innovation Risk- risk that applies to innovative areas of your business
such as product research. Such areas may require adapting your risk
management practices to fast paced and relatively high risk activities.
11. Country Risk- Exposure to the conditions in the countries in which you
operate such as political events and the economy.
12. Quality Risk- the potential that you will fail to meet your quality goals
for your products, services and business practices.
13. Credit Risk- the risk that those who owe you money will fail to pay. For
the majority of businesses this mostly relates to accounts receivable risk.
14. Exchange Rate Risk- the risk that volatility in foreign exchange rates will
impact the value of business transactions and assets. Many global businesses have
high exposure to a basket of currencies that can add volatility to financial
results such as operating margins.
15. Interest Rate Risk- the risk
that changes to interest rates will disrupt your business. For example, interest
rates may increase your cost of capital thus impacting your business model and
profitability.
16. Taxation Risk- the potential for new tax laws or interpretations to result
in higher than expected taxation. In some cases, new tax laws can completely
disrupt the business model of an industry.
17. Process Risk- the business risks associated with a particular process.
Processes tend to be a focus of risk management as reducing risks in core
business processes can often yield cost reductions and improved revenue.
18. Resource Risk- The chance that you will fail to meet business goals due
to a lack of resources such as financing or the labor of skilled workers.
19. Political Risk- the potential for political events and outcomes to impede
your business.
20. Seasonal Risk- a business with revenue that’s concentrated in a single
season such as a ski resort.

Source: https://accendoreliability.com/iso-31000-principles-risk-management/

https://simplicable.com/new/business-risk
LESSON 3

SOURCES OF RISK

Learning Objectives: at the end of this topic you will be able to:

• determine the different sources of risk, and
• explain where and when this risk may possibly arise and eventually affect the operations of
the business.

The human resources of an organization are considered its best asset. Their intellectual
capabilities, splendid skills, rich ideas and knowledge, and rational behavior and attitude are
the main tools that the organization draws on. Human resources contribute to the achievement of
the organization’s goals, but on the other side of the coin they are also considered contributors
to the development of potential risk in the organization. This risk may destroy the tranquility
of business operations and transactions.

The different sources of risk are discussed below so that you can understand their nature and how
each risk affects the business. Knowing the possible effects, you will be able to formulate
proactive and vigilant solutions to mitigate risk and eventually create a risk management plan
that the organization may use if the risk arises at an unexpected time.

1. PRODUCTION RISK- any production-related activity or event that has a range of possible
outcomes is a production risk. The major sources of production risk are weather, climate change,
diseases, technology, genetics, machinery efficiency and the quality of inputs.

In human resource terms, the employees are the key persons who operate the machinery and
equipment of the organization. Without the knowledge of these employees, the machinery will not
work. If employees are not well trained to use the machines that the organization relies on to
produce a product, there is a possibility that the amount of waste in production will increase.
Therefore, employees should be given proper training so that they acquire ample knowledge of the
tasks they are expected to execute upon deployment in their respective jobs.

2. MARKETING RISK- is a market-related activity or event that leads to variability in the
prices businesses receive for their products or pay for production inputs. Access to markets is
also a marketing risk.

Market risk is the possibility of an investor experiencing losses due to factors that affect the overall
performance of the financial markets in which he or she is involved. Market risk, also called
"systematic risk," cannot be eliminated through diversification, though it can be hedged against in
other ways. Sources of market risk include recessions, political turmoil, changes in interest rates,
natural disasters and terrorist attacks. Systematic, or market risk tends to influence the entire
market at the same time.

This can be contrasted with unsystematic risk, which is unique to a specific company or industry.
Also known as “nonsystematic risk,” "specific risk," "diversifiable risk" or "residual risk," in the
context of an investment portfolio, unsystematic risk can be reduced through diversification.

Key Takeaways

• Market risk, or systematic risk, affects the performance of the entire market simultaneously.
• Because it affects the whole market, it is difficult to hedge as diversification will not help.
• Market risk may involve changes to interest rates, exchange rates, geopolitical events, or
recessions.

Market (systematic) risk and specific risk (unsystematic) make up the two major categories of
investment risk. The most common types of market risks include interest rate risk, equity risk,
currency risk and commodity risk.
Main Types of Market Risk

Interest rate risk covers the volatility that may accompany interest rate fluctuations due to
fundamental factors, such as central bank announcements related to changes in monetary policy.
This risk is most relevant to investments in fixed-income securities, such as bonds.

Equity risk is the risk involved in the changing prices of stock investments, and commodity risk
covers the changing prices of commodities such as crude oil and corn.

Currency risk, or exchange-rate risk, arises from the change in the price of one currency in relation
to another. Investors or firms holding assets in another country are subject to currency risk.

Volatility and Hedging Market Risk

Market risk exists because of price changes. The standard deviation of changes in the prices of
stocks, currencies or commodities is referred to as price volatility.

Investors can utilize hedging strategies to protect against volatility and market risk. Targeting
specific securities, investors can buy put options to protect against a downside move, and investors
who want to hedge a large portfolio of stocks can utilize index options.

Measuring Market Risk

To measure market risk, investors and analysts use the value-at-risk (VaR) method. VaR modeling
is a statistical risk management method that quantifies a stock or portfolio's potential loss as well
as the probability of that potential loss occurring. While well-known and widely utilized, the VaR
method requires certain assumptions that limit its precision. For example, it assumes that the
makeup and content of the portfolio being measured is unchanged over a specified period. Though
this may be acceptable for short-term horizons, it may provide less accurate measurements for long-
term investments.

3. FINANCIAL RISK- encompasses those risks that threaten the financial health of the
business and has four basic components:
a. The cost and availability of capital
b. The ability to meet cash flows needs in a timely manner
c. The ability to maintain and grow equity
d. The ability to absorb short-term financial shocks

Cash flows are especially important because of the variety of ongoing obligations such as cash input
costs, cash lease payments, tax payments, debt repayment and family living expenses.

Financial risk is the possibility of losing money on an investment or business venture. Some more
common and distinct financial risks include credit risk, liquidity risk, and operational risk.

Financial risk is a type of danger that can result in the loss of capital to interested parties. For
governments, this can mean they are unable to control monetary policy and default on bonds or
other debt issues. Corporations also face the possibility of default on debt they undertake but may
also experience failure in an undertaking that causes a financial burden on the business.

Financial markets face financial risk due to various macroeconomic forces, changes to the market
interest rate, and the possibility of default by sectors or large corporations. Individuals face financial
risk when they make decisions that may jeopardize their income or ability to pay a debt they have
assumed.

Financial risks are everywhere and come in many sizes, affecting everyone. You should be aware of
all financial risks. Knowing the dangers and how to protect yourself will not eliminate the risk, but
it can mitigate their harm.

Key Takeaways

• Financial risk generally relates to the odds of losing money.
• The financial risk most commonly referred to is the possibility that a company's cash flow will
prove inadequate to meet its obligations.
• Financial risk can also apply to a government that defaults on its bonds.
• Credit risk, liquidity risk, asset-backed risk, foreign investment risk, equity risk, and currency
risk are all common forms of financial risk.
• Investors can use a number of financial risk ratios to assess a company's prospects.

Understanding Financial Risks for Businesses

It is expensive to build a business from the ground up. At some point in any company's life the
business may need to seek outside capital to grow. This need for funding creates a financial risk to
both the business and to any investors or stakeholders invested in the company.
Credit risk—also known as default risk—is the danger associated with borrowing money. Should the
borrower become unable to repay the loan, they will default. Investors affected by credit risk suffer
from decreased income from loan repayments, as well as lost principal and interest. Creditors may
also experience a rise in costs for collection of the debt.

When only one or a handful of companies are struggling it is known as a specific risk. This danger,
related to a company or small group of companies, includes issues related to capital structure,
financial transactions, and exposure to default. The term is typically used to reflect an investor's
uncertainty of collecting returns and the accompanying potential for monetary loss.

Businesses can experience operational risk when they have poor management or flawed financial
reasoning. Based on internal factors, this is the risk of failing to succeed in its undertakings.

Financial Risks for Governments

Financial risk also refers to the possibility of a government losing control of its monetary policy and
being unable or unwilling to control inflation and defaulting on its bonds or other debt issues.

Financial Risks for the Market


Several types of financial risk are tied to financial markets. As mentioned earlier, many
circumstances can impact the financial market. As demonstrated during the 2007 to 2008 global
financial crisis, when a critical sector of the market struggles it can impact the monetary wellbeing
of the entire marketplace. During this time, businesses closed, investors lost fortunes, and
governments were forced to rethink their monetary policy. However, many other events also impact
the market.

Volatility brings uncertainty about the fair value of market assets. Seen as a statistical measure,
volatility reflects the confidence of the stakeholders that market returns match the actual valuation
of individual assets and the marketplace as a whole. Measured as implied volatility (IV) and
represented by a percentage, this statistical value indicates the bullish or bearish—market on the
rise versus the market in decline—view of investments. Volatility or equity risk can cause abrupt
price swings in shares of stock.

Default and changes in the market interest rate can also pose a financial risk. Defaults happen
mainly in the debt or bond market as companies or other issuers fail to pay their debt obligations,
harming investors. Changes in the market interest rate can push individual securities into being
unprofitable for investors, forcing them into lower-paying debt securities or facing negative returns.

Asset-backed risk is the chance that asset-backed securities—pools of various types of loans—may
become volatile if the underlying securities also change in value. Sub-categories of asset-backed
risk involve the borrower paying off a debt early, thus ending the income stream from repayments
and significant changes in interest rates.

Financial Risks for Individuals

Individuals can face financial risk when they make poor decisions. This hazard can have wide-
ranging causes from taking an unnecessary day off of work to investing in highly speculative
investments. Every undertaking has exposure to pure risk—dangers that cannot be controlled, but
some are done without fully realizing the consequences.

Liquidity risk comes in two flavors for investors to fear. The first involves securities and assets that
cannot be purchased or sold quickly enough to cut losses in a volatile market. Known as market
liquidity risk this is a situation where there are few buyers but many sellers. The second risk is
funding or cash flow liquidity risk. Funding liquidity risk is the possibility that a corporation will not
have the capital to pay its debt, forcing it to default, and harming stakeholders.

Speculative risk is one where a profit or gain has an uncertain chance of success. Perhaps the
investor did not conduct proper research before investing, reached too far for gains, or invested too
large of a portion of their net worth into a single investment.

Investors holding foreign currencies are exposed to currency risk because different factors, such as
interest rate changes and monetary policy changes, can alter the calculated worth or the value of
their money. Meanwhile, changes in prices because of market differences, political changes, natural
calamities, diplomatic changes, or economic conflicts may cause volatile foreign investment
conditions that may expose businesses and individuals to foreign investment risk.
Pros and Cons of Financial Risk

Financial risk, in itself, is not inherently good or bad but only exists to different degrees. Of course,
"risk" by its very nature has a negative connotation, and financial risk is no exception. A risk can
spread from one business to affect an entire sector, market, or even the world. Risk can stem from
uncontrollable outside sources or forces, and it is often difficult to overcome.

While it isn't exactly a positive attribute, understanding the possibility of financial risk can lead to
better, more informed business or investment decisions. Assessing the degree of financial risk
associated with a security or asset helps determine or set that investment's value. Risk is the flip
side of the reward.

One could argue that no progress or growth can occur, be it in a business or a portfolio, without
assuming some risk. Finally, while financial risk usually cannot be controlled, exposure to it can be
limited or managed.

Pros

• Encourages more informed decisions
• Helps assess value (risk-reward ratio)
• Can be identified using analysis tools

Cons

• Can arise from uncontrollable or unpredictable outside forces
• Risks can be difficult to overcome
• Ability to spread and affect entire sectors or markets

Tools to Control Financial Risk

Luckily there are many tools available to individuals, businesses, and governments that allow them
to calculate the amount of financial risk they are taking on.

The most common methods that investment professionals use to analyze risks associated with
long-term investments—or the stock market as a whole—include:

• Fundamental analysis, the process of measuring a security's intrinsic value by evaluating all
aspects of the underlying business including the firm's assets and its earnings.
• Technical analysis, the process of evaluating securities through statistics, looking at
historical returns, trade volume, share prices, and other performance data.
• Quantitative analysis, the evaluation of the historical performance of a company using specific
financial ratio calculations.

For example, when evaluating businesses, the debt-to-capital ratio measures the proportion of debt
used given the total capital structure of the company. A high proportion of debt indicates a risky
investment. Another ratio, the capital expenditure ratio, divides cash flow from operations by capital
expenditures to see how much money a company will have left to keep the business running after
it services its debt.

In terms of action, professional money managers, traders, individual investors, and corporate
investment officers use hedging techniques to reduce their exposure to various risks. Hedging
against investment risk means strategically using instruments—such as options contracts—to offset
the chance of any adverse price movements. In other words, you hedge one investment by making
another.

4. LEGAL RISK- legal issues intersect with other areas. For example, acquiring an operating
loan has legal implications if not repaid in the specified manner. The legal issues most
commonly associated with an organization fall into five broad categories:
a. Contractual arrangement
b. Business organization
c. Laws and regulation
d. Tort liability, and
e. Public policy and attitudes

Along with the explosion of interest in digital currency and all of its implications for both new and
traditional businesses, there is a growing need for clarity regarding the legal implications of these
new technologies and currencies. As governments around the world, regulatory agencies, central
banks, and other financial institutions are working to understand the nature and meaning of digital
currencies, individual investors can make a great deal of money investing in this new space. On the
other hand, investors assume certain legal risks when they buy and sell cryptocurrencies.
While digital currency might be easy to confuse for conventional electronic money, it is not the
same; similarly, it is unlike conventional cash currencies because it cannot be physically owned and
transferred between parties. Much of the murkiness of the legal standing of digital currency is due
to the fact that the space has only recently become popular as compared with more traditional
currency and payment systems. Below, we'll explore some of the emerging legal implications
associated with investing in cryptocurrencies.

Business Registrations and Licensing

A growing number of businesses are taking advantage of digital currencies as a form of payment.
As in other financial areas, businesses may be required to register and obtain licensure for
particular jurisdictions and activities. Owing to the complex and evolving legal status of
digital currencies, this area is significantly less clear for businesses operating in the crypto
market. Companies which only accept cryptocurrencies, for example, may not need to register or
obtain licenses at all. On the other hand, they may be required to submit to special
considerations depending upon their jurisdiction. The onus of responsibility falls on business
owners and managers to ensure that they are following proper legal procedure for their operations
at both the local and state levels. At the federal level, for example, financial institutions
must maintain certain activities related to protections against money laundering and fraud,
transmission of funds, and more. Considerations like these also apply to businesses dealing with
digital currencies.

Fraud and Money Laundering

There is a widespread belief that cryptocurrencies provide criminal organizations with a new
means of committing fraud, money laundering, and a host of other financial crimes. This may
not directly impact most cryptocurrency investors who do not intend to use this new technology
to commit such crimes. However, investors who find themselves in the unfortunate position of
being a victim of financial crime do not likely have the same legal options as traditional victims
of fraud.

This issue also relates to the decentralized status of digital currencies. When a cryptocurrency
exchange is hacked and customers' holdings are stolen, for instance, there is frequently no
standard practice for recovering the missing funds. Digital currency investors thus take on a
certain amount of risk by purchasing and holding cryptocurrency assets. It is for this reason
that developers and startups related to digital currency have focused such a great deal of
attention on creating secure means of holding digital coins and tokens. Still, while new types of
wallets are being released all the time, and while cryptocurrency exchanges are always improving
their security measures, investors have so far not been able to fully eliminate the legal risks
associated with owning cryptocurrencies, and it's likely that they never will.

5. HUMAN RISK - People are both a source of business and an important part of the strategy for
dealing with risk. At its core, human risk management is the ability to keep all people who
are involved in the business safe, satisfied and productive. Human risk can be summarized
into four categories:
a. Human health and well-being
b. Family and business relationship
c. Employee management
d. Transition planning.

If there are humans on or near your farm, you have human risks to contend with. Human risks arise
from the four D’s: disagreement, divorce, death, or disability of an essential owner, manager, or
employee. It also includes risks related to illness and high stress and to poor communication and
people-management practices.

Humans are not just risk liabilities, however. They also are a great strategy for dealing with and
managing risk and even finding opportunities in mitigating risk.

Some Sources of Human Risk

• Yourself
• Family
• Employees
• Neighbors
• Visitors
• Safety (chemicals, structures, machinery, manure/compost)

Some Questions to Ask to Assess Your Human Risk

Safety:

• Do I have a safety plan and training manual for all parts of the operation? (See Standard
Operating Procedures page)
• Do the people who come here know how to deal with potential safety issues?
• Do I have liability insurance in case any safety issues come up?

Communication:

• Have my family/employees and I communicated our goals for the operation?
• Do we understand each other's goals?
• Where are the differences? How can we deal with them?

Illness/Injury:

• What will happen if I get sick or hurt?
• Do I have health, disability, and long-term care insurance?
• Can people find important documents (like wills, property titles, banking and legal records)?
• Does someone besides me know the passwords to access online accounts?
• Am I managing my health and stress levels to stay healthy?

Succession:

• When I want to retire, do we have a succession plan?
• What will happen to my operation when I die? Do I have an up-to-date will?
• Do I know all my options for transferring assets to the next generation?
• Do I need professional help with transition planning?

Relationship:

• What happens if my farm/life partner and I disagree or separate/divorce?
• Do I have good relationships with my neighbors?
• Do my relationships with them add to or remove risk for the operation?

Sources:

https://ucanr.edu/sites/placernevadasmallfarms/Farm_Business_Planning/FBP_Risk_Management/Risk_Management/Human_Risk/

https://www.investopedia.com/

The 5 Step Risk Management Process

Implementing a risk management process is vital for any organization. Good risk management
doesn’t have to be resource intensive or difficult for organizations to undertake or insurance brokers
to provide to their clients. With a little formalization, structure, and a strong understanding of the
organization, the risk management process can be rewarding.

Risk management does require some investment of time and money but it does not need to be
substantial to be effective. In fact, it will be more likely to be employed and maintained if it is
implemented gradually over time.

The key is to have a basic understanding of the process and to move towards its implementation.

The 5 Step Risk Management Process

1. Identify potential risks

What can possibly go wrong?

The four main categories of risk are hazard risks, such as fires or injuries; operational risks,
including turnover and supplier failure; financial risks, such as economic recession; and strategic
risks, which include new competitors and brand reputation. Being able to identify what types of risk
you have is vital to the risk management process.

An organization can identify its risks through experience and internal history, consulting with
industry professionals, and external research. It may also try interviews or group brainstorming,
as discussed in this Project Manager.
It’s important to remember that the risk environment is always changing, so this step should be
revisited regularly.

Example:

Type of risk: Human Resource Risk
Issues: Inefficiency of the employees
Description: This risk is commonly observed in employees when they create a lot of
waste in the production of products.

2. Measure frequency and severity

What is the likelihood of a risk occurring and if it did, what would be the impact?

Many organizations use a heat map to measure their risks on this scale. A risk map is a visual tool
that details which risks are frequent and which are severe (and thus require the most resources).
This will help you identify which are very unlikely or would have low impact, and which are very
likely and would have a significant impact.

Knowing the frequency and severity of your risks will show you where to spend your time and
money, and allow your team to prioritize their resources.

3. Examine alternative solutions

What are the potential ways to treat the risk and of these, which strikes the best balance between
being affordable and effective? Organizations usually have the options to accept, avoid, control, or
transfer a risk.

Accepting the risk means deciding that some risks are inherent in doing business and that the
benefits of an activity outweigh the potential risks.

To avoid a risk, the organization simply has to not participate in that activity.

Risk control involves prevention (reducing the likelihood that the risk will occur) or mitigation, which
is reducing the impact it will have if it does occur.

Risk transfer involves giving responsibility for any negative outcomes to another party, as is the
case when an organization purchases insurance.

4. Decide which solution to use and implement it

Once all reasonable potential solutions are listed, pick the one that is most likely to achieve desired
outcomes.

Find the needed resources, such as personnel and funding, and get the necessary buy-in. Senior
management will likely have to approve the plan, and team members will have to be informed and
trained if necessary.

Set up a formal process to implement the solution logically and consistently across the organization,
and encourage employees every step of the way.

5. Monitor results

Risk management is a process, not a project that can be “finished” and then forgotten about. The
organization, its environment, and its risks are constantly changing, so the process should be
consistently revisited.

Determine whether the initiatives are effective and whether changes or updates are required.
Sometimes, the team may have to start over with a new process if the implemented strategy is not
effective.

If an organization gradually formalizes its risk management process and develops a risk culture, it
will become more resilient and adaptable in the face of change. This will also mean making more
informed decisions based on a complete picture of the organization’s operating environment and
creating a stronger bottom line over the long-term.

SOURCE: https://www.clearrisk.com/risk-management-blog/bid/47395/the-risk-management-process-in-5-steps

ESTABLISH THE CONTEXT
By establishing the context, the firm articulates its objectives and defines the external and internal
parameters to be taken into account when managing risk, and sets the scope and risk criteria for
the remaining process. AS/NZS ISO 31000:2009

Establishing the context defines the scope
for the risk management process and sets
the criteria against which the risks will be
assessed. The scope should be determined
within the context of the firm's strategic
and organizational objectives. Risks are
uncertainties that affect the achievement
of business objectives, so risks cannot fully
be identified if these objectives and
strategies are unclear.

The selection of key objectives within the
business should be driven by an evaluation
of the external and internal factors that
may currently impact the firm. A review of
both the external and internal context at
the commencement of the risk assessment planning assists in identifying the processes which may
be subject to increased risks and, as such, would derive the greatest value from the risk assessment.

Risks can arise due to external or internal influences:

• External risks are exposures that result from environmental conditions that the firm
commonly cannot influence, such as the regulatory environment and market conditions.
• Internal risks are exposures that derive from decision-making and the use of internal and
external resources, including the firm's operations and its objectives.

Step 1

Establish the external context


The external context is the environment in which the
firm operates and seeks to achieve its objectives.
Consideration should be given to the following
inputs as they relate to the business, social,
regulatory, legislative, cultural, competitive,
financial, and political environment, including:

• Strengths, weaknesses, opportunities and threats
• Relationships with, perceptions and values
of, external stakeholders such as clients.

Step 2

Establish the internal context


The internal context is the internal environment in which the firm
functions and seeks to achieve its objectives. Consideration should
be given to factors such as:

• Objectives and strategies in place to achieve objectives
• Governance, structure, roles and accountabilities
• Capability of people, systems and processes
• Changes to firm processes or compliance obligations
• The risk tolerance and appetite of the firm.

Example
The output of this stage in the risk management process sets the scope for the risk assessment in
terms of external and internal influences.

Contexts
APES 325 requires that the following key organizational risks be considered within the context
of the internal and external environment and taking into account internal and external
stakeholders:

• Governance
• Business continuity, including succession planning
• Business
• Financial
• Regulatory
• Technology
• Human resources
• Stakeholder.

Business objectives
List the practice objectives for the firm and consider the key processes and sub-processes
used in the operation of the business.

Assess the strengths, weaknesses, opportunities and threats that exist and how these may influence
the firm achieving its objectives. Also consider the stakeholders who may be impacted.

IDENTIFYING RISK
The identification of key risks to the firm is a critical step in effective risk management and needs
to be comprehensive. If a potential risk is not identified at this stage it is omitted from further
analysis, which means a material risk may be given insufficient attention.

The risks that relate to the
firm's context and business
objectives must be identified,
whether or not they are under
the influence of the firm.

The firm should identify
sources of risk, areas of
impacts, events (including
changes in circumstances)
and their causes and potential
consequences. The aim of
this step is to generate a
comprehensive list of material risks based on those events that might create, enhance, prevent,
degrade, accelerate, or delay the achievement of objectives. It is important to identify the risks
associated with not pursuing an opportunity. Comprehensive identification is critical, because a risk
that is not identified at this stage will not be included in further analysis. AS/NZS ISO 31000:2009

STEP 1

Identify what can happen, where and when it can happen


Review the key organizational risk categories from APES 325, which were considered when
establishing the context, and generate a list of potential risks that may impact the firm achieving
each objective identified as part of the context. Describe the risk event in qualitative terms, if it
were to occur. It should succinctly describe an outcome such as:

• "Failure to..."
• "Inconsistent..."
• "Loss of..."

The consequence of the risk should not be included in the event description. Where a risk description
includes connectors such as "leading to..." or "resulting in…", assess whether the result is actually
the consequence. Risks should not be a process, a negative control or a control activity not
occurring, for example 'payment is not authorized'.

Tools and techniques


The following questions can be used to assist in identifying risks:

• What could go wrong?
• How could we fail?
• What must go right for us to succeed?
• Where are we vulnerable?
• What assets do we need to protect?
• Do we have liquid assets or assets with alternative uses?
• How could someone steal from the firm?
• How could someone disrupt our operations?
• How do we know whether we are achieving our objectives?
• On what information do we most rely?
• On what do we spend the most money?
• How do we bill and collect our revenue?
• What decisions require the most judgment?
• What activities are most complex?

STEP 2

Identify why and how it can happen


Consider the possible causes and scenarios of each risk identified.

• Cause - identify the potential triggers that may result in the risk event occurring. A single
risk event may have a specific cause or multiple possible causes. A single cause may be
applicable to multiple risks.
• Consequence - identify the possible impact should the risk event occur. A single risk event
may have a specific consequence or multiple possible consequences. A consequence may be
common across multiple risks.

Tools and techniques:

• Ongoing risk identification - any staff member can identify and raise risks.
• Desk-based risk assessment - involves a discussion and assessment of the risks and
controls of a given activity or process with the personnel involved in the day-to-day operation
of the activity or process. This is a useful technique if the activity or process is relatively
straightforward and relies upon little input from others.
• Facilitated workshops - suitable for the risk assessment of more complex activities. A risk
workshop is an effective method of obtaining input from stakeholders with multiple
viewpoints to improve the robustness of the outputs of the risk assessment process. Formal
workshops require preparation and often a mediator to ensure their effectiveness. Workshops
should include a diverse range of stakeholders and include risk subject matter experts who
are able to challenge the issues and ratings discussed.
• Management review - a 'top-down' review to verify the completeness and accuracy of the
risks raised by key practice stakeholders. This may involve validation at a risk workshop, if
management is present, or a separate review to ensure that any additional risks are identified
and considered for further analysis.

Example
The output of the identification stage in the risk management process is a list of risks identified with
the associated causes and potential consequences. An example of how this can be documented in
a risk register is shown:

ANALYZE AND EVALUATE RISK

Risk Analysis involves developing an understanding of the risk. Risk Analysis provides an input to
Risk Evaluation, to decisions on whether risks need to be treated, and on the most appropriate risk
treatment strategies and methods. Risk Analysis can also provide an input into making decisions
where choices must be made, and the options may involve different types and levels of risk. AS/NZS
ISO 31000:2009

Risks represent significant uncertainties
about outcomes. Any uncertainty may
be measured in two dimensions - the
likelihood of the risk event occurring and
the extent of the consequences if it were
to occur.

Risk analysis generally involves the
assignment of an overall risk rating to
each of the risk events identified by
following these steps:

• Analyze inherent risk - What is the
likelihood and consequence of a risk
event if it were to occur in an
uncontrolled environment?
• Identify and evaluate controls -
What existing controls are in place to
address the identified risk and how
effective are these controls in design and
operation?
• Analyze residual risk - What is the
likelihood and consequence of a risk
event if it were to occur in the current
control environment?

Assessment criteria
Assessing risks assists in identifying, analyzing and prioritizing key business risks. It helps validate
and prioritize key risks to monitor and it highlights any opportunities for improvements to current
activities used as controls in the business. A risk assessment provides insight to significant inherent
risks from a practice perspective and links these to a firm's objectives, strategies and business
processes.

A firm needs to develop the criteria by which all risks will be assessed. Explore each criterion for
qualitative examples that are suitable for use by midsize firms.

An assessment of likelihood and consequence is subjective, so constructive challenge of ratings by
a range of stakeholders can assist in the development of robust risk assessments.

STEP 1

Analyze the inherent risks


Initially risks are assessed on an inherent basis, considering the likelihood and impact of the risk
without taking into account the controls in place in the firm. This helps to understand the importance
of controls in mitigating risk.

For each risk identified:

• Assess inherent likelihood - What is the probability of the risk event occurring if no
controls were in place?
• Assess inherent consequence - What is the extent of the most probable impact of the
risk event occurring if no controls were in place?
• Determine overall inherent risk ranking - Apply a risk rating to determine the overall
ranking on the risk matrix.

For each risk, there should be only one overall inherent risk rating, regardless of whether multiple
causes or consequences have been identified.

STEP 2

Identify and evaluate controls


A control is any action in place that either reduces the likelihood of an event occurring or reduces
the potential consequence arising from the event. For each risk identified, there may be a single or
multiple controls in place to address the risk.

For each risk identified:

• Describe the existing control - What is the process, policy, device, practice or other action
that is used to modify the likelihood or the consequence of the risk event occurring? If there
is no existing control, there is a control gap.
• Assess the effectiveness of the control - What is the overall effectiveness of the control
in terms of the strength of its design and its operation?
• Identify the control owner - Who owns the existing control? This is the person or role
with accountability for ensuring that the control activity is in place and is operating effectively.
The control owner does not necessarily perform the control activity; however, they should
have a level of oversight of its performance.
• Test of the control - When was the control activity last tested?
• Review the control - When is the control activity due for testing and review?

STEP 3

Analyze the residual risk


Residual risk analysis involves the assessment of risk after existing internal controls are taken into
account.

A control may be:

• Designed to reduce the likelihood of the risk event occurring
• Designed to reduce the consequence if the risk event occurs
• Designed to reduce both the likelihood and consequence of the risk event
• Absent, assessed to be of low design or is operating ineffectively. As a result, the likelihood
and consequence are not reduced.

For each risk identified:

• Assess the residual likelihood - What is the probability of the risk event occurring within
the current control environment? This should be determined after a review of the
effectiveness of the control.
• Assess residual consequence - What is the most probable impact of the risk event if it
were to occur within the current control environment? Assume that the controls are operating
at their assessed strength, rather than the maximum consequence if the controls were to
fail.
• Determine overall residual risk ranking - Apply a risk rating to determine the overall
ranking on the risk matrix.

For each risk, there should be only one overall residual risk rating, based on the effectiveness of
the controls in place to address the risk.

Example
The key output from the risk analysis and evaluation stage is an assessment of current control
effectiveness and an overall risk rating for each identified risk. An example of how this can be
documented in a risk register is shown:

TREAT RISK

Risk treatment plans may involve the redesign of existing controls, introduction of new controls or
monitoring of existing controls. Low impact risks may require periodic monitoring while major risks
are likely to require more intense management focus. AS/NZS ISO 31000:2009

Risk treatment involves developing a range of options
for mitigating the risk, assessing those options, and
then preparing and implementing action plans. The
highest rated risks should be addressed as a matter of
urgency.

Selecting the most appropriate risk treatment means
balancing the costs of implementing each activity
against the benefits derived. In general, the cost of
managing the risks needs to be commensurate with the
benefits obtained. When making cost versus benefit
judgements the wider context should also be taken into
account.

Depending on the type and nature of the risk, the
following options are available:

• Avoid - deciding not to proceed with the activity that introduced the unacceptable risk,
choosing an alternative more acceptable activity that meets business objectives, or choosing
an alternative less risky approach or process.
• Reduce - implementing a strategy that is designed to reduce the likelihood or consequence
of the risk to an acceptable level, where elimination is considered to be excessive in terms of
time or expense.
• Share or Transfer - implementing a strategy that shares or transfers the risk to another
party or parties, such as outsourcing the management of physical assets, developing
contracts with service providers or insuring against the risk. The third party accepting the
risk should be aware of and agree to accept this obligation.
• Accept - making an informed decision that the risk rating is at an acceptable level or that
the cost of the treatment outweighs the benefit. This option may also be relevant in situations
where a residual risk remains after other treatment options have been put in place. No further
action is taken to treat the risk; however, ongoing monitoring is recommended.

A range of treatments may be available for each risk and these options are not necessarily mutually
exclusive or appropriate in all circumstances. Selection of the most appropriate risk treatment
approach should be developed in consultation with relevant stakeholders and process owners.

STEP 1

Develop a risk treatment plan


Determine the level of treatment plans required for each risk level. For example, for risks rated as
‘high', a treatment plan must be developed. However, for risks rated as ‘low' and ‘very low' that
have improvement opportunities, development of a treatment plan may be at the discretion of the
partner or partners.

Effective risk treatment relies on attaining commitment from key practice stakeholders and
developing realistic objectives and timelines for implementation.

For each risk identified in the risk assessment, detail the following:

1. Specify the treatment option agreed - avoid, reduce, share/transfer or accept.
2. Document the treatment plan - outline the approach to be used to treat the risk. Any
relationships or interdependencies with other risks should also be highlighted.
3. Assign an appropriate owner - who is accountable for monitoring and reporting on
progress of the treatment plan implementation. Where the treatment plan owner and the
risk owner are different, the risk owner has ultimate accountability for ensuring the agreed
treatment plan is implemented.
4. Specify a target resolution date - where risk treatments have long lead times, consider
the development of interim measures. For example, it is unlikely to be acceptable for a
residual risk to be rated 'high' and to have a risk treatment with a resolution timeframe of
two years.

Management may wish to define expectations of the detail of treatment plans required for each risk
level. For example, for risks rated as ‘high', a treatment plan must be developed. However, for risks
rated as ‘low' and ‘very low' that have improvement opportunities, development of a treatment plan
may be at the discretion of the risk owner.

STEP 2

Forecast risk analysis


Forecast risk analysis involves the assessment of risk after existing controls and treatment plans for
new or reinforced controls are taken into account. Changes from residual to forecast ratings will be
dependent on whether these controls are designed to address the likelihood of the risk, the
consequence of the risk, or both.

For each risk identified in the risk assessment, detail the following:

• Assess forecast likelihood - What is the probability of the risk event occurring within the
control environment? This should be determined after a review of the proposed changes to
the design of the control and/or its operating effectiveness.
• Assess forecast consequence - What is the extent of the most probable impact of the risk
event if it were to occur within the control environment? Assume that the future controls will
be operating at their intended future strength rather than the maximum consequence if the
controls were to fail.
• Determine overall inherent risk ranking - Apply the risk rating to determine the overall
ranking.

For each risk, there should be only one overall forecast risk rating based on consideration of the
future effectiveness of the single control, or the multiple controls, in place to address the risk.

STEP 3

Implement and monitor treatment plans


The treatment plan owner is responsible for coordinating activities that ensure risk treatments are
implemented. The owner may not be directly responsible for implementing the risk treatment plans,
however, they are responsible for ensuring that plans are completed within the expected timeframe.

When implementing a treatment plan, consider how the initiatives will be supported:

• Firm structure - Does there need to be any change to structure or delegations to support
the risk treatment plan?
• Financing - If the budget for control improvement is constrained, should there be a process
to prioritize controls with the greatest need or cost benefit?
• Resource availability - Does the firm have sufficient physical, human or financial resources
to implement the risk treatment plan?
• Communication with stakeholders - Does the firm need to commence briefing sessions
to inform stakeholders as to what changes are required and why?

For each risk identified in the risk assessment, detail the following:

• Monitoring mechanisms and review points - The treatment plan owner should specify
the mechanisms by which implementation will be monitored. This may include indicators to
determine if the risk is increasing or decreasing. Successful implementation will usually be
linked to business planning activities and will be reviewed regularly at meetings.
• Status of the treatment plan - The status of the treatment plan is either 'open' for in
progress or 'closed' when implementation has been completed. If the status is closed and
the risk has been eliminated, it may be removed from the current risk register into a closed
items register. Where a risk is not eliminated, it should be retained in the current register
and if another treatment plan is required this should be agreed or, if no other action is
possible, the treatment agreed could be to accept and monitor the risk.

Example
The key output from the risk treatment stage in the risk management process is the action plan for
treating the risks identified. An example of how this can be documented in a risk register is shown:

MONITOR AND REVIEW

Risk has a dynamic context resulting from the constantly changing external and internal
environments. Organizations must monitor not only risks but also the effectiveness and adequacy
of existing controls, risk treatment plans and the process for managing their implementation.
AS/NZS ISO 31000:2009

Monitoring and review should be a planned part of the risk management process and involve regular
checking or surveillance. The results should be recorded and reported externally and internally, as
appropriate. The results should also be an input to the review and continuous improvement of the
firm's risk management framework.

Responsibilities for monitoring and review should be clearly defined. The firm's monitoring and
review processes should encompass all aspects of the risk management process for the purposes
of:

• Ensuring that controls are effective and efficient in both design and operation
• Obtaining further information to improve risk assessment
• Analyzing and learning lessons from risk events, including near-misses, changes, trends,
successes and failures
• Detecting changes in the external and internal context, including changes to risk criteria and
to the risks, which may require revision of risk treatments and priorities
• Identifying emerging risks.

As part of the monitoring process, the thresholds for the risk criteria should be reviewed at the
commencement of each risk assessment cycle to identify the processes that may be subject to
increased risks and, as such, would derive the greatest value from the risk assessment.

STEP 1

Monitor & Review


Regularly review risks identified in the firm's risk register. Document any actions or events that
change the status of a risk, for example:

• Changes to a risk evaluation as a result of improvements in controls
• A control breach and near miss should be logged at the time of the event
• A new risk that has been identified.

Partners should review the risk register on a regular basis, such as at a monthly partners' meeting,
to determine if any remedial action needs to be taken immediately.

STEP 2

Continuous Improvement

The effectiveness of the risk management framework implemented needs to be periodically
reviewed to ensure continuous improvement of risk management in the firm.

The purpose of the framework is to embed a risk aware culture within the firm. This can be evaluated
in light of breaches and near misses, the effectiveness of communication, and assessing what
lessons have been learned and remedial actions taken.

The framework is only effective if the context remains relevant to the firm, as this sets the scope
for risk management. Ensure the practice objectives and the internal and external context for risk
management are current and accurate.

The assessment criteria used in the risk framework also need to be reviewed to ensure they remain
relevant to the size and complexity of the practice.

Example
The key output from the monitor and review stage of the risk management process is ongoing. An
example of how this can be documented in a risk register is shown:

SOURCE: https://survey.charteredaccountantsanz.com/risk_management/midsize-firms/monitor.aspx
