In the last article we defined risk management as a process of identifying all possible risks that may negatively affect business objectives, analysing them and putting in place measures to reduce their frequency of occurrence and/or their financial impact. Companies adopt different approaches to risk management. However, the following are the general steps taken in the risk management process cycle:
Risk Identification: Businesses should go through their whole value chain to identify what could go wrong at each stage (establish what negative occurrence can cause a loss or negatively affect performance). Companies employ different tools and techniques to identify risks. All possible risks identified form the organisation’s risk universe.
Risk Evaluation: Having identified all the possible risks, the next step is risk analysis where each risk is analysed in terms of its likelihood to occur and the impact it can cause i.e. how frequent is the risk likely to occur and if it happens, what is the potential loss it can cause to business? A combination of both the likely frequency and the financial impact of the risk is called the risk magnitude. For example, the chances of a fire happening may be low but if a fire occurs the financial impact can be devastating to the business. On the other hand, the chances of pilferage of small stationery items (such as pens) may be high but the financial impact may be low. Having established the risk magnitude of the identified risks, businesses should rank the risks in order of magnitude. Each organisation should keep a Risk Register where the identified risks are ranked in order of magnitude. Risk Registers must be available at Corporate level and drilled down to Departments, Units and individuals. Based on thorough analysis of risk, management can make one of the following or a hybrid of the following decisions (Four “Ts” of Risk Management):
- T – Terminate the project or business (do not do it)
- T – Tolerate the risk and do nothing about it (for low impact risks)
- T – Treat the risk (put in place measures to reduce likelihood or impact of risks to acceptable levels)
- T – Transfer the risk (place the burden of financial loss to a third party which is usually an insurance company)
Risk Control – Risk control is the process of development and implementation of measures to eliminate risk or to reduce the risk magnitude if it happens i.e. The process of reducing or eliminating the likelihood of a risk occurring and/or reducing the financial impact of the risk. A practical example of risk control is the installation of sprinkler systems during construction of buildings to reduce the financial impact of a fire if it happens. It is important for organisations to re-rank their risks in terms of risk magnitude after implementing all possible risk control measures. In summary businesses should look at ways to avoid risks (risk preventive plans), ways to mitigate the risks (reduce risk magnitude) and risk contingency plans (to ensure business continuity after a loss).
Risk Transfer – risk transfer is the process of transferring the financial loss likely to be caused by a negative occurrence to a third party i.e. should the risk happen and the organisation suffers a loss, the organisation will recover its money from a third party. The most popular way of risk transfer is now what is popularly known in the modern world as insurance. Insurance dates back to early days of humanity where society just agreed to assist each other in the event of loss to modern day insurance where organisations insure or place risks with registered insurance companies.
Monitoring and review – risk management has been defined as a continuous process. It’s not an event. Businesses should continuously monitor and review their risk universe and update their Risk Registers. This is more-so as there are more and more emerging risks that are coming in into the business world particularly those linked to automation and modernisation of equipment and machinery. For instance, whilst the chances of physical bank robberies are being reduced by installation of modern premises monitoring technology and security systems, the emergence of online banking services brings with it a new threat – cyber robberies as opposed to physical robberies.
The next article will touch on different tools that can be used to identify business risks in different business environments.
Joey Shumbamhini is the Principal Officer for CBZ Risk Advisory Services (Pvt) Limited. He writes in his own capacity. For feedback relating to this article you can contact him on simonsays@cbz.co.zw