Risk management refers to the process of identifying, assessing and prioritizing uncertainty and either accepting or mitigating this uncertainty. Essentially, risk management is a two-step process that involves determining the risks that may exist and handling them in the way that best suits an institution. The risk management process consists of a number of fundamental components.
Risk Identification – The most elemental component of the risk management process is risk identification. Risk identification encompasses the contexts of the impact, persistence, likelihood and velocity of a risk. It seeks to determine current or potential risks in all facets of an organization (DeLoach, 2012).
Source of the Risk – Identifying the source of the risk is another major component of the risk management process. This entails identification of the root causes of a risk. DeLoach (2012) explains that it becomes easier for management to design proactive responses to risks and risk metrics when they are well versed in what drives the risks.
Risk Analysis and Assessment – Analyzing and assessing a risk is also a major component in the process of risk management. In this component, the aim is to measure or quantify the risk (analyze) and prioritize (assess) the identified risks. Risks with a high probability of occurrence and higher consequences of loss are given higher priority.
Risk Evaluation/Response – Risk evaluation, which entails responding to risks, constitutes another component in the process of risk management. This is done after a risk has been identified and its source, measurement (analysis) and priority have been determined. An organization can choose to respond to a risk by avoiding it, accepting it, reducing it or sharing it. DeLoach (2012) insists that the response to a given risk depends on the organization's goals and strategies as well as the type of risk.
Risk Mitigation – Another component in the risk management process is risk mitigation or planning for contingencies. This is essentially a backup plan that management has to formulate in the event that an unforeseen risk materializes. Such a plan mainly covers schedules, costs and scope/technical requirements to enable the organization to circumvent the risk.
Risk Monitoring – Monitoring of risks, which entails incorporating models and analytics to aggregate information on risks, is also a component of the risk management process. It aims to give predictions on the occurrence and effects of risks, thereby supporting decision making. This component features the use of heat maps and traffic light indicators (DeLoach, 2012).
Depending on the type of the risk and the organization's goals and strategies, different methods and activities can be employed to help identify risks.
Brainstorming – One way of identifying risks is through brainstorming. This is a process in which people take part in a face-to-face meeting where participants are encouraged to present all their thoughts and perspectives on a topic without having to evaluate them. The different perspectives are then analyzed, and evaluation is only done towards the end of the session. The nature of the perspectives and ideas brought out depends on the diversity of the participants, and thus their composition should be properly determined. The results of a brainstorming session are a myriad of perspectives and ideas which bring to light different schools of thought and thus a wide scope of the possibility of risk occurrence (Methods of Identifying Risks, 2010).
Focus Group – Use of a focus group can also help in identification of risks. A focus group is made up of persons invited to a meeting in order to have them focus their attention on a precise topic. They then provide information and feedback with regard to the particular area of concern. This feedback and the resultant information are useful in the identification of risks.
Experience Judgment/Heuristics – Another method that can be used to identify risks is drawing on a person’s knowledge and experience (Methods of Identifying Risks, 2010). This is useful in the sense that, through an individual’s practice, they may have experienced a given set of risks, and thus their experience can be used to highlight possible uncertainties in an organization.
Flow Charts – Use of flow charts comprises diagrammatic representation of a dynamic process. Areas of high risk may be focused on to identify any possible uncertainties that may arise by analyzing critical activities throughout the process.
SWOT Analysis – This is a highly effective method for prospective risk identification. Areas of positive or negative risks can easily be identified by analyzing the Strengths, Weaknesses, Opportunities and Threats in an organization or a process. This method is normally applied in planning.
System Analysis – It entails understanding how a system functions and how it interacts with an organization in order to point out possible weaknesses. A system in this case may refer to management or operational processes (Methods of Identifying Risks, 2010).
Scenario building – This involves creating a fictitious situation on paper, thus creating a model of the potential outcomes. This allows for analysis as well as application of treatment options.
Other methods to identify risks may include the use of checklists (lists of items against which possible scenarios are checked), feedback and communication (through meetings, handling complaints), and risk identification forms (forms with specific steps to be followed or a set of questions in order to identify a risk).
The effectiveness, use, and appropriateness of given techniques, as opposed to specific tools, vary from organization to organization and from case to case. Brainstorming, for example, could be more effective in risk identification for new processes within an organization as opposed to the use of flow charts. In this case, there may not be enough information and possible scenarios to represent a new scenario graphically. For example, when trying to produce and market a completely new product, brainstorming over the possible risks that may be involved in this endeavor would be more fruitful than the use of flow charts, since charts would require a lot of intricate details in order to identify high-risk situations.
Use of SWOT analysis as a tool, however, may be more effective than reliance on experience judgment in the event that no one has prior experience in a given organizational process. In this case, use of the laid-down procedures and formulas outlined in a SWOT analysis will definitely yield more fruit in the process of risk identification.
In another case, use of a checklist could be more exhaustive and thorough in identifying possible risks as opposed to using expert judgment. This is in light of possible assumptions that human beings may make on certain issues within an entire process. In essence, the effectiveness of using tools over given techniques or otherwise is highly dependent on the specific scenario.
An organization’s risk management policy consists of a number of sections. Citing the example of the risk management policy of a Welsh Sports Association, the policy consists of a couple of major parts. The first is an introduction, which outlines the purpose of the entire document, that is, the purpose of the risk management policy in various facets of the organization. The institution's underlying approach to risk management forms another part of the policy. This section outlines the entire association’s alignment to risk management: for example, who oversees risk management within the organization, how other members of the institution approach risk management in the association, and the conduct of members with regard to risk management. The roles of the association’s board/committee members form another section of the policy document. As the title implies, this section explicitly outlines the roles to be played by the board as far as risk management is concerned. Another part of the policy outlines the role of key staff within the association pertinent to risk management. The role played by risk management as part of the system of internal control within the association forms another component of the policy. This component seeks to enable the association to respond to various forms of risks as part of internal control within the association. It outlines issues of policies and procedures, reporting, planning and budgeting, self-assurance, audits, both internal and external, as well as the framework of the risk management process. The last part consists of an annual review of the effectiveness of the risk management policy. This section outlines how the board/committee is to carry out such a review based on information from senior employees of the organization.
Standardization of the risk management process is beneficial to an organization in a number of ways. According to Ciocoiu (2010), a standardized risk management process provides an organizational environment which gives the possibility of carrying on the activities of the organization in a substantial and controlled manner in the event or anticipation of risks. It also improves the process of decision making, planning and prioritization with a complete and structured understanding of the business activities, volatility and project threats or opportunities. A standardized risk management process also contributes to efficient allocation of capital and the organization’s resources. Another benefit is that it helps reduce volatility in the unimportant facets of the business. With such a risk management process, a business can react appropriately, and thereby the values and image of the company are protected and improved. Finally, standardizing the risk management process of a business enables it to optimize operational efficiency (Ciocoiu, 2010).
A strategic risk is an example of a risk where an organization loses its way and, therefore, does not achieve a given strategic goal. A particular example is where an organization seeks to establish a product line and have the specific product as the core of its operation by driving sales and production. In this case, the strategic goal is to become a market leader for the given product. However, the environment in which the organization operates keeps changing, with the introduction of competing products that may appear more lucrative. At the end of the day, due to prevailing changes, the organization unknowingly abandons its strategy and ends up following a trend that is not necessarily beneficial to its long-term existence. The most suitable response to this form of risk is to create a strategic plan. This response can be categorized as risk reduction, since it reduces the risk by changing the work practice.
(2010). Methods of Identifying Risks. Woombalah Festival. Retrieved from
Ciocoiu, C. N., & Dobrea, R. C. (2010). The Role of Standardization in Improving the Effectiveness of Integrated Risk Management. Romania: The Bucharest Academy of Economic Studies.
DeLoach, J. (2012). Key Elements of the Risk Management Process. Corporate Compliance Insights. Retrieved from http://www.corporatecomplianceinsights.com/key-elements-of-the-risk-management-process/