Fundamental Concepts of Risk and the Risk Management Process


Overview


Various publications view risk as a by-product of setting objectives, whether for profit or not for profit.

Risk is the effect of uncertainty on objectives. 

Risk is the combination of the probability of occurrence of harm and the severity of that harm.

Risk is the possibility that events will occur and affect the achievement of business objectives.

Risk is the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.

Simply put, risk is the deviation from expectations. It can be positive or negative.

Note that risk is not the harm itself. Rather, risk is merely the possibility that harm will occur. What can cause the harm is the hazard. For example, the slippery floor on the 5th floor of the PUP Main Building after the janitor applies floor wax is a hazard to students and teachers. The probability that someone will be harmed by slipping and falling on it is the risk.

Hazard can be qualified in order to define the origin of the hazard or the nature of the expected harm (e.g. “electric shock hazard”, “crushing hazard”, “cutting hazard”, “toxic hazard”, “fire hazard”, “drowning hazard”).

Moreover, the concept of risk does not always relate to harm. Risk can likewise create opportunities. Investing in stocks presents a speculative risk where either a gain or loss can result.

The concept of risk must be distinguished from uncertainty. Frank Knight (1921) distinguished two types of uncertainty. The first type, which Knight called risk, is measurable uncertainty: the potential outcomes and their probabilities are known. The second type, genuine uncertainty, is where the potential outcomes or their probabilities are unknown and cannot be measured.

Betting in a game of chance is an example of risk because you know the possible outcomes and their probabilities. For example, a game of Cara y Cruz has two possible outcomes (heads or tails), so you have a 50% chance of winning. If a color game at the perya during the fiesta in your hometown, played with three colored dice, has twenty equally likely outcomes and you bet on one of them, you have a 1/20 or 5% chance of winning.

But if you bet in a color game with an unknown number of dice, this would not be a risk. It is an example of genuine uncertainty. Is courting a lady a risk or an uncertainty? You bet.

Course Objectives

After studying this module, you should be able to
  • Interpret fundamental concepts of risk and the risk management process;
  • Identify and assess the impact of business risk on the stakeholders involved;
  • Explain the dynamic nature of risk assessment;
  • Identify the types of risk facing an organization;
  • Identify and assess how business organizations use policies and techniques to mitigate various types of business and financial risks;
  • Explain and assess the importance of risk transfer, avoidance, reduction, and acceptance.
Course Materials

Classification of Risks

Risks can be classified based on their effect, controllability, correlation, impact, and drivers.

Risks can be fundamental, particular, speculative, or pure. Fundamental risks are those that affect society in general and are beyond the control of any one person, e.g., the risk of atmospheric pollution. Particular risks are risks over which an individual may have some measure of control. For example, there is a risk attached to smoking, and we can mitigate that risk by refraining from smoking. Speculative risks are those from which either good or harm may result. Investing in stocks, as discussed earlier, presents a speculative risk because either a gain or a loss can result. Pure risks are those whose only possible outcome is harmful, e.g., the risk of loss due to fire.

Controllable vs. Uncontrollable. Risk may be classified according to controllability, i.e., Controllable (unsystematic: specific to the entity and reducible by its own actions) and Uncontrollable (systematic: affecting the market or economy as a whole, which no single entity can remove).

Positive vs. Negative Correlation. Where positive correlation exists, the risks will increase or decrease together. If there is negative correlation, one risk will increase as the other decreases and vice versa. The relationship between the risks is measured by the correlation coefficient. A figure close to +1 shows high positive correlation, and a figure close to –1 high negative correlation.
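The correlation coefficient described above, computed over observed loss figures for pairs of risks. This is an added example and not part of the original module; the quarterly loss series are constructed for illustration and the 0.7 threshold used to call a correlation "high" is an assumption.

```python
"""Correlation between two risks (added example, constructed data).

Computes the Pearson correlation coefficient between two series of
observed losses: near +1 the risks rise and fall together, near -1 one
rises as the other falls, near 0 they are unrelated.
"""
from math import sqrt


def correlation(xs, ys):
    """Pearson correlation coefficient of two equal-length series."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("need two series of equal length >= 2")
    n = len(xs)
    mx = sum(xs) / n
    my = sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = sqrt(sum((x - mx) ** 2 for x in xs))
    sy = sqrt(sum((y - my) ** 2 for y in ys))
    if sx == 0 or sy == 0:
        # A series that never varies has no defined correlation with anything.
        raise ValueError("a series with no variation has undefined correlation")
    return cov / (sx * sy)


def classify(r, threshold=0.7):
    """Label a coefficient the way the text does (threshold is an assumption)."""
    if r >= threshold:
        return "high positive correlation"
    if r <= -threshold:
        return "high negative correlation"
    return "weak or no correlation"


# Constructed quarterly loss figures (in thousands) for three risks.
INTEREST_RATE_LOSS = [10, 14, 12, 20, 25, 22, 30, 34]
CREDIT_LOSS = [8, 12, 11, 17, 21, 19, 26, 29]          # rises with the first
FX_GAIN_SHORTFALL = [30, 26, 28, 20, 16, 18, 10, 7]     # falls as the first rises


if __name__ == "__main__":
    for name, series in [("credit", CREDIT_LOSS), ("fx", FX_GAIN_SHORTFALL)]:
        r = correlation(INTEREST_RATE_LOSS, series)
        print(f"interest-rate vs {name}: r = {r:+.3f} ({classify(r)})")
```

Two risks that are strongly positively correlated cannot be diversified against each other, which is why the portfolio view of risk matters: their losses arrive in the same quarters.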

Financial vs. Non-Financial. A risk that has a direct financial impact on the entity is treated as a financial risk. Financial risk may take the form of market risk, credit risk, liquidity risk, operational risk, legal risk, or country risk.

Non-financial risks do not usually have a direct and immediate financial impact on the business, but they may have a significant financial impact if left uncontrolled. Examples are business/industry and service risk, strategic risk, compliance risk, industry fraud risk, reputation risk, transaction risk, and disaster risk.

Strategic vs Operational. Operational risks relate to matters that can go wrong on a day-to-day basis while the organization is carrying out its business. It is the risk of loss from a failure of internal business and control processes. Strategic risk is the potential volatility of profits caused by the nature and type of the business strategies. It relates to the business long-term effect of key strategic decisions.

Impact of Risk to Stakeholders 

Shareholders. When the company's risk profile changes, shareholders may sell their shares, resulting in a lower share price, or they may replace directors, depending on their level of risk tolerance.

Risk-averse shareholders tolerate risk only up to the point where they receive an acceptable return for it. Risk-seeking shareholders are likely to enjoy investing in risky ventures. Risk-neutral shareholders focus on maximizing return regardless of the level of risk.

Creditors. Creditors are concerned with whether the company can fulfil its obligations, and they seek to limit the risk of default. Otherwise, they can deny credit, charge higher interest, ask for collateral, or file actions in court that could lead the company into liquidation.

The long-term strategic objectives of the company may be unacceptable to potential creditors because of the differences in their risk appetite. Creditors may place restrictive provisions in the debt covenant.

Employees. Employees are concerned about threats to their job e.g. salary, promotion, benefits, satisfaction, job itself. If the business fails, employees may lose their jobs. Hence, employees pursue their own goals rather than shareholder interests.

Customers and suppliers. Suppliers are concerned about the risk of making unprofitable sales, while customers are concerned with getting the value they expect from the goods or services.

The wider community. The risks that the wider community is concerned about are less easy to predict. In general, the community is concerned with the risk that the company will not act as a good corporate citizen. Where it does not, pressure-group tactics can include publicity, direct action, sabotage, or pressure on government. As a result, government can impose tax increases or tighten regulation.

Risks Faced by Organizations

There are different types of risk faced by organizations. These risks may include the following.

Business risks. Simply, the risk associated with doing business. It includes the risk of inadequate profits or even losses due to uncertainties arising from increased competition, changes in government policy, changes in consumer preferences, obsolescence of products and services, etc.

Business risk is borne by both the firm's equity holders and providers of debt, as it is the risk associated with investing in the firm in whatever capacity. The only way that either party can get rid of the business risk is to withdraw its investment in the firm.

Financial risk, on the other hand, is borne entirely by equity holders. This is because payment to debt holders (i.e., interest) takes precedence over dividends to shareholders. The more debt there is in the firm's capital structure, the greater the financial risk to equity holders, as the increased interest burden coming out of earnings reduces the likelihood that sufficient funds will remain from which to pay a dividend. Debt holders, however, know there is a legal obligation on the firm to meet its interest commitments.

Financial Risk. This relates to the effect of the company's capital structure, i.e., the mix of equity and debt capital.

Financial risk can be long term or short term. Shorter-term financial risks include liquidity risk and credit risk. Longer-term risks include gearing, currency, and interest rate risks, among others.

Market risk. Market risk is another type of financial risk. However, market risk is largely uncontrollable. It is also a good example of a speculative risk: businesses can benefit from favorable price movements as well as lose from adverse changes.

Product risks. Product risks include the risk of financial loss due to producing a poor-quality product. The loss may take the form of compensation to dissatisfied customers, loss of sales due to lost reputation, or expenses on improving quality control procedures.

Legal risk. Companies are subject to the police power of the country in which they operate. Legislation in a country may have very serious consequences for the company. For example, the government may impose a liquor ban during a pandemic.

Political risk. Political risk is the risk that political action will affect the position and value of an organization. A political policy that encourages private sector participation will benefit the private corporations in privatization of certain public functions. Changes in this policy would have adverse effect on the corporation. For example, the water concessionaires in Metro Manila faced consecutive arbitration proceedings against the government in relation to their contracts with the government.

Technological risk. Technological risk is the risk of system failure or loss arising from tampering with data, unauthorized access to critical information, non-availability of data, and a lack of controls. Technological risks include strategic and operational risk, physical damage, data and systems integrity, fraud, internet, and denial-of-service attack risks.

Strategic and operational technological risks. The company may adopt a new system for strategic reasons that proves impractical for operational purposes. If in the end the system has to be abandoned, the write-off costs can be large and the damage to operational efficiency significant.

Environmental risk. This refers to the potential liability of the company arising out of the environmental effects of the company’s operation, for example, pollution caused to bodies of water if waste materials are toxic.

Probity risk. Probity risk is the risk of unethical behavior by one or more participants in a particular process. Being the victim of bribery or corruption, or being pressured into it, are obvious examples of probity risk.

Reputation risk. This type of risk arises from negative public opinion. Reputation risk is strongly correlated with other risks. For example, product risk arising from poor customer service and failure to innovate may lead to an increased number of complaints, followed inevitably by loss of business. Probity risk and environmental risk likewise increase reputation risk.

Fraud risk. Fraud is perpetrated through the abuse of systems, controls, procedures, and working practices. It may be perpetrated by an outsider or an insider. Fraud is usually not detected immediately, so detection should be planned for on a proactive rather than a reactive basis.

Risk Management

Risk Management is a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives.

Commonly used standards in managing risks include:
  • COSO 2017 Enterprise Risk Management – Integrating with Strategy and Performance
  • COSO 2004 Enterprise Risk Management – Integrated Framework
  • ISO 31000:2018 – Risk Management – Guidelines
  • A Risk Management Standard – IRM/Alarm/AIRMIC 2002 – developed in 2002 by the UK’s 3 main risk organizations.
  • The Turnbull Guidance
COSO 2017 Enterprise Risk Management – Integrating with Strategy and Performance

In 2004, COSO published its Enterprise Risk Management – Integrated Framework. Because of the changes in the complexity of the risk, COSO updated its framework in 2017, now titled: Enterprise Risk Management – Integrating with Strategy and Performance. The 2017 Framework is a set of principles organized into five interrelated components:

Governance and Culture: Governance sets the organization’s tone, reinforcing the importance of, and establishing oversight responsibilities for, enterprise risk management. Culture pertains to ethical values, desired behaviors, and understanding of risk in the entity.
  • Exercises Board Risk Oversight—The board of directors provides oversight of the strategy and carries out governance responsibilities to support management in achieving strategy and business objectives.
  • Establishes Operating Structures—The organization establishes operating structures in the pursuit of strategy and business objectives.
  • Defines Desired Culture—The organization defines the desired behaviors that characterize the entity’s desired culture.
  • Demonstrates Commitment to Core Values—The organization demonstrates a commitment to the entity’s core values.
  • Attracts, Develops, and Retains Capable Individuals—The organization is committed to building human capital in alignment with the strategy and business objectives.
Strategy and Objective-Setting: Enterprise risk management, strategy, and objective-setting work together in the strategic-planning process. A risk appetite is established and aligned with strategy; business objectives put strategy into practice while serving as a basis for identifying, assessing, and responding to risk.
  • Analyzes Business Context—The organization considers potential effects of business context on risk profile.
  • Defines Risk Appetite—The organization defines risk appetite in the context of creating, preserving, and realizing value.
  • Evaluates Alternative Strategies—The organization evaluates alternative strategies and potential impact on risk profile.
  • Formulates Business Objectives—The organization considers risk while establishing the business objectives at various levels that align and support strategy.
Performance: Risks that may impact the achievement of strategy and business objectives need to be identified and assessed. Risks are prioritized by severity in the context of risk appetite. The organization then selects risk responses and takes a portfolio view of the amount of risk it has assumed. The results of this process are reported to key risk stakeholders.
  • Identifies Risk—The organization identifies risk that impacts the performance of strategy and business objectives.
  • Assesses Severity of Risk—The organization assesses the severity of risk.
  • Prioritizes Risks—The organization prioritizes risks as a basis for selecting responses to risks.
  • Implements Risk Responses—The organization identifies and selects risk responses.
  • Develops Portfolio View—The organization develops and evaluates a portfolio view of risk.
Review and Revision: By reviewing entity performance, an organization can consider how well the enterprise risk management components are functioning over time in light of substantial changes, and what revisions are needed.
  • Assesses Substantial Change—The organization identifies and assesses changes that may substantially affect strategy and business objectives.
  • Reviews Risk and Performance—The organization reviews entity performance and considers risk.
  • Pursues Improvement in Enterprise Risk Management—The organization pursues improvement of enterprise risk management.
Information, Communication, and Reporting: Enterprise risk management requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organization.
  • Leverages Information Systems—The organization leverages the entity’s information and technology systems to support enterprise risk management.
  • Communicates Risk Information—The organization uses communication channels to support enterprise risk management.
  • Reports on Risk, Culture, and Performance—The organization reports on risk, culture, and performance at multiple levels and across the entity.
COSO 2004 Enterprise Risk Management – Integrated Framework

The adoption of the 2017 Framework is not mandatory. Hence, management may continue to utilize the Original Framework. However, COSO reserves the right to supersede or retire the 2004 Enterprise Risk Management–Integrated Framework in the future.

COSO’s ERM model establishes a direct relationship between organizational objectives and ERM components. The relationship is depicted as the cube-shaped three-dimensional matrix.

The vertical columns depict the four categories of objectives: Strategic (high-level goals, aligned with and supporting the organization's mission), Operations (efficient and effective use of resources), Reporting (reliability of reporting), and Compliance (compliance with laws and regulations).

The entity and its units are depicted by the third dimension: Entity level, Division, Business unit, Subsidiary.

The horizontal rows represent the eight components: Internal environment, Objective setting, Event identification, Risk assessment, Risk response, Control activities, Information and communication, Monitoring

ISO 31000: 2018

The purpose of risk management is the creation and protection of value. It improves performance, encourages innovation and supports the achievement of objectives. ISO 31000 has three areas of principles and guidance:
  • Principles. The interrelated values that are foundational to the risk-management process.
  • Framework. The ways in which the risk-management plan should be integrated into “significant activities and functions.”
  • Process. A step-by-step list of procedures for managing risk.
Principles. The principles are the foundation for managing risk and should be considered when establishing the organization’s risk management framework and processes. These principles should enable an organization to manage the effects of uncertainty on its objectives.
  • Integrated. Risk management is an integral part of all organizational activities.
  • Structured and comprehensive. A structured and comprehensive approach to risk management contributes to consistent and comparable results.
  • Customized. The risk management framework and process are customized and proportionate to the organization’s external and internal context related to its objectives.
  • Inclusive. Appropriate and timely involvement of stakeholders enables their knowledge, views and perceptions to be considered. This results in improved awareness and informed risk management.
  • Dynamic. Risks can emerge, change or disappear as an organization’s external and internal context changes. Risk management anticipates, detects, acknowledges and responds to those changes and events in an appropriate and timely manner.
  • Best available information. The inputs to risk management are based on historical and current information, as well as on future expectations. Risk management explicitly takes into account any limitations and uncertainties associated with such information and expectations. Information should be timely, clear and available to relevant stakeholders.
  • Human and cultural factors. Human behavior and culture significantly influence all aspects of risk management at each level and stage.
  • Continual improvement. Risk management is continually improved through learning and experience.
Framework. The purpose of the risk management framework is to assist the organization in integrating risk management into significant activities and functions. The components of the framework and the way in which they work together should be customized to the needs of the organization.
  • Leadership and commitment. Top management and oversight bodies, where applicable, should ensure that risk management is integrated into all organizational activities and should demonstrate leadership and commitment.
  • Integration. Integrating risk management into an organization is a dynamic and iterative process and should be customized to the organization’s needs and culture.
  • Design. This involves understanding the organization and its context, articulating risk management commitment, assigning organizational roles, authorities, responsibilities and accountabilities, allocating resources, establishing communication and consultation.
  • Implementation. Successful implementation of the framework requires the engagement and awareness of stakeholders. Properly designed and implemented, the risk management framework will ensure that the risk management process is a part of all activities throughout the organization, including decision-making, and that changes in external and internal contexts will be adequately captured.
  • Evaluation. In order to evaluate the effectiveness of the risk management framework, the organization should:
      • periodically measure risk management framework performance against its purpose, implementation plans, indicators and expected behavior;
      • determine whether it remains suitable to support achieving the objectives of the organization.
  • Improvement. This involves adapting and continually improving the risk management framework.
      • Adapting. The organization should continually monitor and adapt the risk management framework to address external and internal changes. In doing so, the organization can improve its value.
      • Continually improving. The organization should continually improve the suitability, adequacy and effectiveness of the risk management framework and the way the risk management process is integrated.
Process. The risk management process involves the systematic application of policies, procedures and practices to the activities of communicating and consulting, establishing the context and assessing, treating, monitoring, reviewing, recording and reporting risk.

1. Scope, context and criteria. The purpose of establishing the scope, the context and criteria is to customize the risk management process, enabling effective risk assessment and appropriate risk treatment. Scope, context and criteria involve defining the scope of the process and understanding the external and internal context.

2. Communication and consultation. The purpose of communication and consultation is to assist relevant stakeholders in understanding risk, the basis on which decisions are made and the reasons why particular actions are required.

3. Risk assessment. Risk assessment is the overall process of
  • risk identification, to find, recognize and describe risks that might help or prevent an organization achieving its objectives
  • risk analysis, to comprehend the nature of risk and its characteristics including, where appropriate, the level of risk.
  • risk evaluation, to support decisions.
4. Risk treatment. The purpose of risk treatment is to select and implement options for addressing risk. Options for treating risk may involve one or more of the following:
  • avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
  • taking or increasing the risk in order to pursue an opportunity;
  • removing the risk source;
  • changing the likelihood;
  • changing the consequences;
  • sharing the risk (e.g. through contracts, buying insurance);
  • retaining the risk by informed decision.
5. Monitoring and review. Monitoring and review should take place in all stages of the process. The purpose of monitoring and review is to assure and improve the quality and effectiveness of process design, implementation and outcomes.

6. Recording and reporting. The risk management process and its outcomes should be documented and reported through appropriate mechanisms. Recording and reporting aims to:
  • communicate risk management activities and outcomes across the organization;
  • provide information for decision-making;
  • improve risk management activities;
  • assist interaction with stakeholders, including those with responsibility and accountability for risk management activities.
IRM's Risk Management Standard

The Risk Management Standard was originally published by the Institute of Risk Management (IRM), The Association of Insurance and Risk Manager (AIRMIC) and The Public Risk Management Association (Alarm) in 2002. It was subsequently adopted by the Federation of European Risk Management Association (FERMA).

Risk management protects and adds value to the organization and its stakeholders through supporting the organization’s objectives.

Risk Assessment is defined by the ISO/ IEC Guide 73 as the overall process of risk analysis and risk evaluation.

Risk Analysis covers Risk Identification, Risk Description, and Risk Estimation.

Risk identification sets out to identify an organization’s exposure to uncertainty. This requires an intimate knowledge of the organization, the market in which it operates, the legal, social, political and cultural environment in which it exists, as well as the development of a sound understanding of its strategic and operational objectives, including factors critical to its success and the threats and opportunities related to the achievement of these objectives.

The objective of risk description is to display the identified risks in a structured format, for example, by using a table. The use of a well-designed structure is necessary to ensure a comprehensive risk identification, description and assessment process.

Risk estimation can be quantitative, semiquantitative or qualitative in terms of the probability of occurrence and the possible consequence. For example, consequences both in terms of threats (downside risks) and opportunities (upside risks) may be high, medium or low. Probability may be high, medium or low but requires different definitions in respect of threats and opportunities.

The result of the risk analysis process can be used to produce a risk profile which gives a significance rating to each risk and provides a tool for prioritizing risk treatment efforts.

Risk Evaluation is the comparison of the estimated risks against risk criteria which the organization has established. The risk criteria may include associated costs and benefits, legal requirements, socioeconomic and environmental factors, concerns of stakeholders, etc.
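The estimation, risk profile and evaluation steps just described (and the treatment options listed under ISO 31000 above), worked through on a small risk register. This is an added example, not code from the module or from any of the standards it cites. Each risk is rated qualitatively (high/medium/low likelihood and consequence combined through a 3x3 matrix) and quantitatively as an annualised loss expectancy (single loss expectancy times annual rate of occurrence, a common quantitative estimate the text does not name), ranked into a profile, and then compared against two assumed risk criteria: a loss tolerance and a cost/benefit test on the proposed control. The register entries, figures, tolerance and matrix bands are all constructed for illustration.

```python
"""Risk register: estimation, profile and evaluation (added example).

All register entries, monetary figures, the tolerance and the matrix
bands are constructed assumptions for illustration.
"""
from dataclasses import dataclass

LEVELS = {"low": 1, "medium": 2, "high": 3}


def significance(likelihood: str, consequence: str) -> str:
    """Qualitative rating from a 3x3 likelihood x consequence matrix.

    Product 1-2 -> low, 3-4 -> medium, 6-9 -> high (assumed bands).
    """
    score = LEVELS[likelihood] * LEVELS[consequence]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


@dataclass
class Risk:
    name: str
    likelihood: str        # qualitative: low / medium / high
    consequence: str       # qualitative: low / medium / high
    sle: float             # single loss expectancy (currency units per event)
    aro: float             # annual rate of occurrence (events per year)
    control_cost: float    # annual cost of the proposed control
    residual_aro: float    # expected rate of occurrence after the control

    @property
    def ale(self) -> float:
        """Annualised loss expectancy before treatment."""
        return self.sle * self.aro

    @property
    def residual_ale(self) -> float:
        """Annualised loss expectancy if the control is applied."""
        return self.sle * self.residual_aro


def evaluate(risk: Risk, tolerance: float) -> str:
    """Compare the estimated risk against the organisation's criteria.

    Returns one of the treatment options named in the text:
      "retain"         within tolerance; accept by informed decision
      "reduce"         above tolerance and the control saves more than it costs
      "share or avoid" above tolerance but the control is not worth its cost,
                       so transfer it (e.g. insurance) or stop the activity
    """
    if risk.ale <= tolerance:
        return "retain"
    saving = risk.ale - risk.residual_ale
    if saving > risk.control_cost:
        return "reduce"
    return "share or avoid"


def risk_profile(register, tolerance):
    """Rank risks by significance, then by ALE, and attach the evaluation."""
    order = {"high": 0, "medium": 1, "low": 2}
    rows = [
        {
            "name": r.name,
            "significance": significance(r.likelihood, r.consequence),
            "ale": r.ale,
            "treatment": evaluate(r, tolerance),
        }
        for r in register
    ]
    rows.sort(key=lambda row: (order[row["significance"]], -row["ale"]))
    return rows


# Constructed register for a small online shop (illustrative figures).
REGISTER = [
    Risk("warehouse fire", "low", "high", sle=2_000_000, aro=0.02,
         control_cost=40_000, residual_aro=0.01),
    Risk("web server outage", "high", "medium", sle=15_000, aro=6,
         control_cost=20_000, residual_aro=1),
    Risk("payment data breach", "medium", "high", sle=1_200_000, aro=0.1,
         control_cost=50_000, residual_aro=0.02),
    Risk("late supplier delivery", "high", "low", sle=2_000, aro=12,
         control_cost=30_000, residual_aro=2),
]
TOLERANCE = 25_000   # assumed: any ALE above this must be treated, not retained


if __name__ == "__main__":
    for row in risk_profile(REGISTER, TOLERANCE):
        print(f'{row["name"]:<24} {row["significance"]:<7} '
              f'ALE={row["ale"]:>10,.0f} -> {row["treatment"]}')
```

The fire risk illustrates why evaluation needs criteria beyond the rating alone: it is above tolerance, yet halving its frequency costs more than the expected saving, so sharing it through insurance is the rational treatment rather than the control. The ranking also shows how a qualitative profile and a quantitative one can disagree in detail while agreeing on what comes first.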

Risk Reporting. There are two types of risk reporting: internal and external. Different levels within an organization need different information from the risk management process. These include the Board of Directors in order to be assured that the risk management process is working effectively; the Business Units in order to be aware of risks which fall into their area of responsibility; and individuals who should understand their accountability for individual risks. Moreover, a company needs to report to its stakeholders on a regular basis setting out its risk management policies and the effectiveness in achieving its objectives.

Risk treatment is the process of selecting and implementing measures to modify the risk. Risk treatment includes as its major element, risk control/mitigation, but extends further to, for example, risk avoidance, risk transfer, risk financing, etc.

Effective risk management requires a reporting and review structure to ensure that risks are effectively identified and assessed, and that appropriate controls and responses are in place. Regular audits of policy and standards compliance should be carried out and standards performance reviewed to identify opportunities for improvement.

The Turnbull Guidance

It is officially called as Internal Control Guidance for Directors on the Combined Code originally published in 1999 in the United Kingdom.

The Guidance discusses the adoption of a risk-based approach to internal control and the assessment of its effectiveness. Listed below are some of the key tenets of the Turnbull guidance:
  • A focus on significant risks. If too many risks are identified, it becomes difficult to identify and manage the significant ones. Turnbull recommends that risk identification focus on those risks that have been identified by senior management as being potentially damaging to the achievement of the organization’s objectives.
  • Emphasis on risk management. Turnbull positions risk management as essential in reducing the probability that organizational objectives are jeopardized by unforeseen events. It promotes proactively managing risk exposures.
  • Ongoing, continuous monitoring of risk and control. An organization’s risk management and internal control strategies and policies must be continuously monitored and fine-tuned in response to changing exposures. A feedback process should be in place to learn from mistakes and to harness potential improvements and risk reductions.
  • Engaging all employees. Turnbull maintains that all employees have some responsibility for internal control and accountability for achieving organization objectives. Employees must have the necessary knowledge, skills, information, and authority to establish, operate, and monitor the system of internal control within their sphere of responsibility. They must understand organization objectives and the industries and markets in which the entity operates as well as the risks it faces.
  • Streamlining risk management databases. Control should be embedded in the organizational processes. Rather than developing separate risk reporting systems, Turnbull recommends building early warning mechanisms into existing management information systems.
References

Reading materials you may use in this course are the following: