Risk management is the process of measuring or assessing risk and developing strategies to
manage it. Risk management is a systematic approach to identifying, analyzing and controlling
areas or events with a potential for causing unwanted change. Risk management is the act or
practice of controlling risk. It includes risk planning, assessing risk areas, developing risk
handling options, monitoring risks to determine how risks have changed and documenting
the overall risk management program.
The International Organization of Standardization (ISO) identifies the basic principles of risk
management.
1. Create value: resources spent to mitigate risk should be less than the consequence of
inaction, i.e., the benefits should exceed the costs.
According to the Standard ISO 31000 “Risk management Principles and Guidelines on
Implementation,” the process of risk management consists of several steps as follows:
2. Identification of potential risks. Risk identification can start with the analysis of the
source of problem or with the analysis of the problem itself. Common risk identification
methods are:
a. Objective-based risk
b. Scenario-based risk
c. Taxonomy-based risk
d. Common-risk checking
e. Risk charting
3. Risk assessment. Once risks have been identified, their potential severity of impact and
the probability of occurrence must be assessed. The assessment process is critical to make
the best educated decisions in prioritizing the implementation of the risk management
plan.
3. Determination of the risk (i.e. the expected likelihood and consequences of specific types
of attacks on specific assets)
Although a single risk premium must compensate the investor for all the uncertainty
associated with the investment, numerous factors may contribute to investment uncertainty.
The factors usually considered with respect to investments are:
Business risk
Financial risk
Liquidity risk
Default risk
Interest rate risk
Management risk
A. Market Risk
Product Risk
• Complexity
• Obsolescence
• Packaging
• Delivery of Warranties
Competitor Risk
• Pricing Strategy
• Market Share
• Market Strategy
B. Operations Risk
Environmental
Technological Obsolescence
Integrity
• Management Fraud
• Employee Fraud
• Illegal Acts
C. Financial Risk
Foreign Currency
Liquidity
Derivative
Viability
D. Business Risk
Regulatory Change
Reputation
Political
Shareholder Relations
Credit Rating
Capital Availability
Business Interruptions
ISO 31000 also suggests that once risks have been identified and assessed, techniques to
manage the risks should be applied. These techniques can fall into one or more of these four
categories:
Avoidance
Reduction
Sharing
Retention
As applied to corporate finance, risk management is the technique for measuring, monitoring
and controlling the financial or operational risk on a firm’s balance sheet.
The Basel II framework breaks risks into market risk (price risk), credit risk and operational
risk and also specifies methods for calculating capital requirements for each of these
components.
SEC Code of Governance Recommendation 2.11 and the corresponding explanation provide the
following:
The Board should oversee that a sound enterprise risk management (ERM) framework is in place
to effectively identify, monitor, assess and manage key business risks. The risk management
framework should guide the Board in identifying units/business lines and enterprise-level risk
exposures, as well as the effectiveness of risk management strategies.
To enhance management’s competence in their oversight role on risk management, the following
steps may be followed:
2. Ensure that a formal comprehensive risk management system is in place. This fully
documented formal system will provide a clear vision of the board’s desire for an
effective company-wide risk management as well as awareness of the risks, internal and
external, that the company faces.
The key elements that the company-wide risk management system should possess are
The risk organizational structure should include formal charters, levels of authorization, reporting
lines and job description.
4. Evaluate the effectiveness of the various steps in the assessment of the comprehensive
risks faced by the business firm.
The risk assessment step, which includes risk identification and determination of their sources and
measurement, represents the foundation for the rest of the procedures. This step is performed by
responsible managers, i.e., finance officers, production managers, marketing managers and
human resource managers.
This process culminates in the presentation of the risk profile or risk map to the board of
directors.
5. Assess if management has developed and implemented the suitable risk management
strategies and evaluate their effectiveness.
The risk profile highlights all the significant possible risks identified, prioritized and measured
by the risk management system.
Strategies are developed to manage and resolve these identified risks. These will include the
process, people, management feedback methodologies and systems.
Strategies may include avoidance, reduction, transfer, exploitation and retention of risks.
Directors must continue to monitor and assess if management has been implementing designed
risk management capabilities.
Risk management performance must be monitored on a continuing basis and the organization must
be ready to innovate its approaches to be in line with the changing lines.
Monitoring is done by all concerned parties such as senior managers, process owners and risk
owners.
8. See to it that best practices as well as mistakes are shared by all. This involves regular
communication of results and feedback to all concerned.
There should be an open communication channel to ensure that all risk management participants,
particularly senior management, are informed of risk incidents or threats of risk incidents. This will
go a long way towards attaining the company’s risk management vision.
9. Assess regularly the level of sophistication of the firm’s risk management system.