LILIANA IVĂNUŞ
∗Abstract: Risk management is a is a complex and multifaceted process which varies from one organization to another consisting of well defined steps which, when taken in sequence, support better decision making by contributing to a greater insight into risks and their impact. It should be viewed as an ongoing process which needs continual oversight, planning and modification as needs evolve .
Key words: risk, risk management, risk avoidance, risk assumption, risk handling
In the past, risk management might mean nothing more than buying insurance. In today’s competitive environment, organizations need to re-think and re-position their approach to risk management systems. There are several factors pushing them to change. Government regulations have become more extensive and tougher. Insurance coverage is not as easy to get and the premium is getting more expensive. Expectations of customers and general public are up to higher standards. Globalization of corporations increases the awareness of risk management. More importantly, other firm’s disasters really scare the top management. These factors inspire risk management to grow in importance to the point where it has become a strategic issue. In the competitive business world, all organizations are concerned with their unique position and organizational effectiveness .
It is time for every organization to review its risk management position and to adopt an appropriate risk management system .
One of the reasons why risk management has received so much ongoing attention is that financial disasters seem to occur on a regular basis to remind us of the perils of “not getting it right” .
It is the responsibility of corporate management to ensure that an effective risk management program is in place. This responsibility includes :
a) defining the organization’s risk appetite in terms of loss tolerance, risk-to- capital leverage and target and debt rating;
Handling risks – risk management process 107 b) ensuring that the organization has the required risk management skills and risk absorption capability (human and financial resources) to support its business strategy;
c) establishing the organizational structure and defining the roles and responsibilities for risk management, including the role of a chief risk officer;
d) implementing an integrated risk measurement and management framework for credit, market and operational risk;
e) establishing risk assessment and audit processes, as well as benchmarking company practices to industry best practices;
f) shaping the organization’s risk culture by “setting the tone from the top” not only through words but actions and reinforcing that commitment through incentives;
g) providing the appropriate opportunities for organizational learning, including lessons learned from previous problems and ongoing training and development .
Enterprise risk management is a work in process. While it is emerging at the best practice model for measuring and managing all types of risk across an organization, there is much work to be done. Key challenges for companies adopting this model include :
- defining the role of the chief risk officer;
- establishing an enterprise risk management framework;
- developing risk technologies, including Internet or Intranet applications; - implementing operational risk management;
- determining the role of new risk transfer products .
There are five components of risk which provide a broader definition that goes beyond market risk and credit risk (ie, financial risk) to include operational risk, business risk and organizational risk. Market risk includes client investments and our own balance sheet and proprietary trading. Credit risk includes counterparty, settlement and lending exposures to the default of critical business partners and vendors. Operational risk involves mainly back-office operations such as transactions processing, fund pricing, cash and securities movement and systems. Business risk includes front-office issues such as strategy, client management, product development and pricing and distribution. Finally, organizational risk involves the company’s reputation, people and skills, as well as incentives and other aspects of the control environment .
Risk management is a process consisting of well defined steps which, when taken in sequence, support better decision making by contributing to a greater insight into risks and their impact. It is as much about identifying opportunities as it is about avoiding losses. By adopting effective risk management techniques you can help to improve safety, quality and business performance in the company .
There are many benefits in implementing risk management procedures. Some of these include:
- more effective strategic planning; - better cost control;
108 Ivănuş, L.
- enhancing shareholder value by minimizing losses and maximizing opportunities;
- increased knowledge and understanding of exposure to risk;
- a systematic, well-informed and thorough method of decision making; - increased preparedness for outside review;
- minimized disruptions; - better utilization of resources;
- strengthening culture for continued improvement .
Risk management commences with setting the context of the risk. This facilitates identifying the sources of risks indicators and in turn the particular risks that have a likelihood of occurrence .
A risk can have one or more consequences or impacts, which have some measurable costs to the organization. It is here that the important distinction between a risk and consequences is made. The risk is in essence a description of an event that has not occurred but has some likelihood of occurrence. The consequence is a measure of the cost after the risk event is triggered .
In some cases a risk in one context may be a consequence in another context. Hence risk and consequence are sometimes interchangeable. This is no set rule other than the distinction that is qualified above. This makes it easier to define the control mechanisms, which after all, is one of the key outcomes in this exercise .
Once the risk event occurs, the likelihood is 100%, the question now remains as to what level of impact will occur. Arising from the risk and its consequences are two means to contain the losses : preventative controls that reduce the likelihood of the risk and corrective controls that mitigate the full impact of the consequences .
While individual initiative is critical, it is corporate culture which facilitates the risk management process. Corporate culture defines what behavior the members of organization will condone and what behavior they will shun. Corporate culture plays a critical role in risk management because it defines the risks which an individual must personally take if they are going to help managing organizational risks .
In order to manage risks, organizations need to be able to measure those risks prospectively. They need to know, based on their positions today, how much risk they are actually taking. This is a difficult question to answer .
A clear distinction should be made between risk management and risk taking. Risk management oversees and ensures the integrity of the process with which risks are taken. To maintain objectivity, risk management cannot be a part of the risk taking process. Individuals who manage risk need to be completely independent from individuals who are responsible for taking risk .
Enterprise risk management is a complex and multifaceted process which varies from one organization to another. It should be viewed as an ongoing process which needs continual oversight, planning and modification as needs evolve .
Risk management options are usually cited as risk handling options subdivided as it follows :
Handling risks – risk management process 109 - avoidance, which means using an alternative approach that does not have the risk. This mode is not always an option. There are programs that deliberately involve high risks in the expectation of high gains. However, this is the most effective risk management technique if it can be applied;
- control, which involves the development of a risk reduction plan and then tracking to the plan. The key aspect is the planning by experienced persons. The plan itself may involve parallel development programs;
- assumption, that is simply accepting the risk and proceeding. There appears to be a tendency within organizations to gradually let the assumption of a risk take on the aura of a controlled risk;
- risk transfer, which is an attempt to pass the risk to another program element. Typically, used in a context of a government agency passing the risk to a contractor. There are some discussions that this mode trades government risk for profit to the contractor. This belief is apparently founded on elementary economic theory and the mistaken belief that an executive in a procuring agency has avoided risks by passing the buck;
- knowledge and research, mode which is cited as not being true risk handling, but rather a technique for strengthening other techniques. From a program management perspective this approach can best be viewed as an adaptation of the approach used by graduate students for their theses : intensive study associated with specialized testing. In effect, the student develops intellectual ownership of his problem in all of the aspects : theoretical, empirical and practical .
Once the risks have been evaluated in terms of likelihood of occurrence and consequences and when options for risk management have been reviewed, it is then meaningful to rank the risks for the program manager to assign priorities. The task of prioritizing the risks is performed at the senior staff level to assure that all political, business and programmatic factors are weighted in the priority assessment .
Management must exercise its judgement to prioritize resources for risk management purposes. The ranked risks are reviewed in terms of combined likelihood and consequences and in terms of program level concerns with missions, functions, business objectives and political aspects .
Risk management provides a greater opportunity to enable relatively high-risk acquisition approaches to be successful. The ultimate success of a project within the ever-tightening triple constrains of time, cost and scope depends heavily on how the project deals with the ever-present risks .
Risk management is concerned with future events, whose exact outcome is unknown and with how to deal with these uncertainties in advance. In general, outcomes are categorized as ranging from favorable to unfavorable and risk management is the art and science of planning, assessing (identifying and analyzing), handling and monitoring actions leading to future events to ensure favorable outcomes. Thus, a good risk management process is proactive in nature and is fundamentally different from crisis management (or problem solving), which is reactive .
110 Annals of the University of Petroşani, Economics, 2 (2002), 110-113