Identifying and Assessing Risk Risk

Uploaded by

honeysgh.394

Identifying and Assessing Risk
Ritu Singh
WHAT IS RISK?
Risk: unrealized future loss arising from a present action or inaction.
• Risks are the opportunities and dangers associated with uncertain future
events.
• A company cannot function without taking any risk.
• Risks help to generate higher returns.
• Not accepting risk tends to make a business less dynamic. Incurring risk
also implies that the returns from different activities will be higher, i.e. the
‘benefit’ is the return for accepting risk.
• The benefits can either be financial or non-financial in nature.
• Risks help a business to gain competitive advantage.
WHY MANAGE RISK?

• To identify new risks that may affect the company so an appropriate risk
management strategy can be determined.
• To identify changes to existing or known risks so amendments to the risk
management strategy can be made. For example, where there is an increased
likelihood of occurrence of a known risk, strategy may be amended from ignoring the
risk to possibly insuring against it.
• To ensure that the best use is made of opportunities.
• Risk management is a key part of Corporate Governance. It is required by the
Combined Code and codes of other jurisdictions.
5 STEPS OF RISK ASSESSMENT

(1) Identify hazards
(2) Identify people who might be affected
(3) Evaluate risk and decide on precautions
(4) Record significant findings and implementations
(5) Review and update


RISK GRID (CONT…)
• Focusing on low-risk activities can easily result in a low ability to obtain competitive advantage – although
where there is low risk there is also only a limited amount of competitive advantage to be obtained.
• For example, a mobile telephone operator may produce its phones in a wide range of colours. There is little
or no risk of the technology failing, but the move may provide limited competitive advantage where customers
are attracted to a particular colour of phone.
• Some low-risk activities, however, will provide higher competitive advantage. When these can be
identified, then the activity should be undertaken because of the higher reward. For example, the mobile phone
operator may find a way of easily amending mobile phones to make them safer regarding the electrical
emissions generated.
• High-risk activities can similarly generate low or high competitive advantage.
• Activities with low competitive advantage will generally be avoided. There remains the risk that the activity
will not work, and that the small amount of competitive advantage that would be generated is not worth that
risk.
• High-risk activities may generate significant amounts of competitive advantage. These activities are worth
investigating because of the high returns that can be generated.
ALARP PRINCIPLE
• We cannot eliminate risk altogether. Risks are a part of life, after all. But risk must be
controlled.
• Time, money and resources are needed to reduce risks. You are not expected to spend infinite
resources and money on eliminating all risks.
• How could you stay in business if that was the case? You would never make a profit, forever
chasing the impossible - zero risks.
• The ALARP (As Low As Reasonably Practicable) principle simply states that residual risk
should be as low as reasonably practicable.
• Taking into consideration the costly nature of risk reduction, the ALARP principle expresses the
point at which the cost of additional risk reduction would be grossly disproportionate to the
benefits achieved.
An extreme example to clarify the point:
– A company spending a million pounds to prevent a member of staff suffering from a bruised knee is
grossly disproportionate.
– A company spending a million pounds to prevent a major explosion capable of killing 150 people is
proportionate.
Risk Management

Process of reducing the possibility of adverse consequences
either by reducing the likelihood of an event or its impact or
taking advantage of the upside risk.
A business typically faces many risks like product risk, market
risk, credit risk, currency risk, reputation risk, interest rate
risk, political risk, legal risk, economic risk, financial risk,
technology risk, environmental risk, H&S risk, etc.
Risk management process includes the following:

Risk identification – Risks are identified by key stakeholders. Risks must be identified before they can be
managed.

Risk assessment – Risks are evaluated according to the likelihood of occurrence and impact on the
organisation. This assessment provides a prioritised risk list identifying those risks that need the most urgent
attention.

Risk planning – This involves establishing appropriate risk management policies. Policies include ceasing
risky activities through to obtaining insurance against unfavourable events. Contingency planning involves
establishing procedures to recover from adverse events if they occur.

Risk monitoring – Risks need to be monitored regularly. If risks change or new risks are identified, these are
added to the risk assessment for correct categorisation and action.
TYPES OF RISKS

Strategic risks are those risks that arise from the possible consequences of strategic decisions taken by the organization.
For example: risk of a merger/acquisition not working out. These also arise from the way that an organisation is
strategically positioned within its environment. These are high-level risks and should be identified and assessed at senior
management and board level. PESTEL and SWOT techniques could be used to identify these risks.
Operational risks refer to potential losses that might arise in business operations. For example: risks of fraud, poor quality
production, lack of inputs for production. These risks are comparatively low-level and can be managed by internal
control systems.
BUSINESS RISK
• Generic risks are those risks that affect all businesses. For example: changes in the interest rates, non-compliance
with company law, etc.
• Specific risks are those risks that affect individual business sectors. For example: rise in the prices of petrol will affect a
transport company more than an audit firm.
RISK IDENTIFICATION
Assessment of Risk
Impact on stakeholders (Cont….)
Assessing Risk
RISK MAP
• A common qualitative way of assessing the significance of risk is to produce a ‘risk map’:
• The map identifies whether a risk will have a significant impact on the organisation and links that into
the likelihood of the risk occurring.
• The approach can provide a framework for prioritising risks in the business.
• Risks with a significant impact and a high likelihood of occurrence need more urgent attention than risks
with a low impact and low likelihood of occurrence.
• The significance and impact of each risk will vary depending on the organisation, e.g. an increase in the
price of oil will be significant for an airline company but will have almost no impact on a financial services
company offering investment advice over the internet.
• The severity of a risk can also be discussed in terms of 'hazard'. The higher the hazard or impact of the
risk, the more severe it is.
Risk Perception
Tools and techniques for quantifying risks
• Scenario planning: in which different possible views of the future are
developed, usually through a process of discussion within the organisation.
• Sensitivity analysis: in which the values of different factors which could affect
an outcome are changed to assess how sensitive the outcome is to changes in
those variables.
• Decision trees: often used in the management of projects to demonstrate the
uncertainties at each stage and evaluate the expected value for the project
based on the likelihood and cash flow of each possible outcome.
• Computer simulations: such as the Monte Carlo simulation which uses
probability distributions and can be run repeatedly to identify many possible
scenarios and outcomes for a project.
• Software packages: designed to assist in the risk identification and analysis
processes.
• Analysis of existing data: concerning the impact of risks in the past.
RISK REGISTERS
The risk register is a very important and practical risk management tool that all
companies should have these days. It takes several days, if not weeks, to produce, and
needs to be reviewed and updated regularly – mainly annually (in conjunction with corporate
governance guidelines).
The risk register is often laid out in the form of a tabular document with various headings:
(1) The risk title – stating what the risk might be.
(2) The likelihood of the risk – possibly measured numerically if a scale has been set e.g. 1 is
unlikely, 5 is highly likely.
(3) The impact of the risk should it arise. Again this might be graded from, say, 1 (low impact)
to 5 (high impact).
(4) The risk owner's name will be given – usually a manager or director.
(5) The date the risk was identified will be detailed.
(6) The date the risk was last considered will be given.
(7) Mitigation actions should be listed i.e. what the company has done so far to reduce the
risk. This might include training, insurance, further controls added to the system, etc.
(8) An overall risk rating might be given e.g. 1–10, so that management can immediately see
which risks are the ones they should be concentrating on.
(9) Further actions to be taken in the future will be listed (if any).
(10) The 'action lead' name will be detailed i.e. who is responsible for making sure that these
future actions are implemented.
(11) A due date will be stated – by when the action has to be implemented.
(12) A risk level target might be given i.e. a score lower than that given in step 8 above. This
might mean that by implementing a control, the risk rating is expected to lower from, say, 8
to, say, 2 (the target risk level).
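A register with the twelve headings above, as an added Python example that is not part of the original slides: it ranks entries by overall rating, places each on the risk map, and flags entries whose annual review or action due date has lapsed. The sample entries, the cut-off of 4 for "high" and the tie-break on impact × likelihood are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class Risk:                      # fields follow headings (1)-(12) of the register
    title: str
    likelihood: int              # 1 = unlikely .. 5 = highly likely
    impact: int                  # 1 = low impact .. 5 = high impact
    owner: str
    identified: date
    last_considered: date
    mitigations: list
    rating: int                  # overall rating, 1-10
    further_actions: list = field(default_factory=list)
    action_lead: str = ""
    due: Optional[date] = None
    target: Optional[int] = None # must be below rating

def problems(r, today):          # register-hygiene findings for one entry
    out = []
    if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5 and 1 <= r.rating <= 10):
        out.append("score outside scale")
    if (today - r.last_considered).days > 365:
        out.append("annual review overdue")
    if r.further_actions:
        if not r.action_lead or r.due is None:
            out.append("action without lead or due date")
        elif r.due < today:
            out.append("action past due date")
        if r.target is None or r.target >= r.rating:
            out.append("target not below current rating")
    return out

def map_cell(r, high=4):         # cut-off of 4 for "high" is an assumption
    level = lambda v: "high" if v >= high else "low"
    return f"{level(r.impact)} impact / {level(r.likelihood)} likelihood"

def prioritise(register):        # most urgent first: rating, then impact x likelihood
    return sorted(register, key=lambda r: (r.rating, r.impact * r.likelihood), reverse=True)

# Constructed sample entries, not taken from the page.
TODAY = date(2024, 6, 1)
REGISTER = [
    Risk("Supplier fraud", 2, 4, "Finance director", date(2022, 3, 1),
         date(2023, 1, 10), ["Dual approval of payments"], 5),
    Risk("Customer data loss", 4, 5, "IT manager", date(2023, 5, 2), date(2024, 2, 1),
         ["Staff training", "Insurance"], 8, ["Further system controls"], "IT manager",
         date(2024, 3, 31), 2),
]
```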
MANAGING, MONITORING AND MITIGATING RISK
BOD

• The board of directors (BOD) determines the level of risk which the
organization can accept in order to meet its strategic objectives.
• BOD makes sure that the risk management strategy is communicated to
the rest of the organization and integrated with all the other activities.
• It reviews risks and identifies and monitors progress of the risk
management plans.
• It will determine which risks will be accepted, which cannot be managed, or
which it is not cost-effective to manage, i.e. residual risk.
Embedding Risk

The aim of embedding risk management is to ensure that it is part of the way in
which a business is done. It includes embedding risk in systems and embedding
risk in culture.

Systems: This refers to ensuring that risk management is included within the
control systems of an organization.

Culture: Embedding risk into culture and values means that risk management is
‘normal’ for the organization. Establishing reward systems which recognise that
risks have to be taken in practice (e.g. not having a ‘blame’ culture),
TARA/SARA MODEL
• Transfer/Share – Risks could be transferred wholly or partially to a third party, so that if an adverse
event occurs, the third party suffers all or most of the loss. E.g. insurance.
• Avoid – This refers to avoiding a risk altogether by not investing or withdrawing from the business
area completely.
• Reduce – This refers to reducing the risk either by limiting exposure in a particular area or
decreasing the adverse effects through use of internal controls.
• Accept – This refers to simply accepting the risk and bearing the consequences it may bring. This is
also called risk retention.
Risk and Corporate Governance
• One link between risk and corporate governance is the shareholders'
concerns about the relationship between the level of risks and the
returns achieved.
• Another is the link between directors' remuneration and risks taken.
• If remuneration does not link directly with risk levels, but does link
with turnover and profits achieved, directors could decide that the
company should bear risk levels that are higher than shareholders
deem desirable.
• It has therefore been necessary to find other ways of ensuring that
directors pay sufficient attention to risk management and do not take
excessive risks.
Corporate governance guidelines require directors to:
• Establish appropriate control mechanisms for dealing with the risks the
organization faces
• Monitor risks themselves by regular review and a wider annual review
• Disclose their risk management processes in the accounts
