RISK IDENTIFICATION AND VISUALIZATION TECHNIQUES FOR REASONABLE ENTERPRISE RISK MANAGEMENT
2. Prerequisites for efficient risk identification
Risk identification is one of the most important steps of the risk management process according to various methodologies and standards. Risk identification is sometimes called event identification, for example, in the COSO Risk management cube (COSO, 2004). Events can be both positive and negative (Fig. 1).
Figure 1. Event identification
[Diagram labels: Events; Risks (negative impact); Opportunities (positive impact); Strategy implementation and achievement of objectives]
An event is an incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of objectives. Events may have positive or negative impact, or both.
Table 2. Establishing event categories within the context of broad internal and external factors
External factors
• Economic: Capital availability; Credit issuance, default; Concentration; Liquidity; Financial markets; Unemployment; Competition; Mergers/acquisitions
• Natural environment: Emissions and waste; Energy; Natural disaster; Sustainable development
• Political: Governmental changes; Legislation; Public policy; Regulation
• Social: Demographics; Consumer behavior; Corporate citizenship; Privacy; Terrorism
• Technological: Interruptions; Electronic commerce; External data; Emerging technology
Internal factors
• Infrastructure: Availability of assets; Capability of assets; Access to capital; Complexity
• Personnel: Employee capability; Fraudulent activity; Health and safety
• Processes: Capacity; Design; Execution; Suppliers/dependencies
• Technology: Data integrity; Data and system availability; System selection; Development; Deployment; Maintenance
Source: COSO ERM Integrated Framework (2004)
In event identification, management recognizes that uncertainties exist, but does not know whether an event will occur, or when, or its precise impact should it occur. Management initially considers a range of potential events − stemming from both internal and external sources − without necessarily focusing on whether the impact is positive or negative. In this way management identifies not only potential events with negative impact, but also those representing opportunities to be pursued. To avoid overlooking relevant events, identification is best made apart from the assessment of the likelihood of the event occurring and its impact. However, practical limitations exist, and it is often difficult to know where to draw the line. But even events with a relatively low possibility of occurrence should not be ignored if the impact on achieving an important objective is great.
Many external and internal factors drive events that affect strategy implementation and achievement of objectives. As part of enterprise risk management, management recognizes the importance of understanding these external and internal factors and the type of events that can emanate therefrom. The factors, categories and types of events proposed by the COSO event identification methodology are presented in Table 2.
The proposed scheme for determining event categories in the risk identification process can help companies develop event categories based on categorization of their objectives, using a hierarchy that begins with high-level objectives and then cascades down to objectives relevant to organizational units, functions, or business processes. Each company, depending on its size and field of activity, can have slightly different event categories.
Event identification techniques
An entity’s event identification methodology may comprise a combination of techniques, together with supporting tools. For instance, management may use interactive group workshops as part of its event identification methodology, with a facilitator employing any of a variety of technology-based tools to assist participants.
Event identification techniques look to both the past and the future (Fig. 2). Techniques also vary in where they are used within an entity (Fig. 3).
The most widely used event identification techniques proposed in the literature are analysed below (COSO ERM Integrated Framework, 2004; ISO 31000:2009):
• Event inventories. These are detailed listings of potential events common to companies within a particular industry, or to a particular process or activity common across industries.
• Internal analysis. This may be done as part of a routine business planning cycle process, typically via a business unit’s staff meetings. Internal analysis sometimes utilizes information from other stakeholders (customers, suppliers, other business units) or subject matter expertise outside the unit (internal or external functional experts or internal audit).
• Facilitated workshops. These techniques identify events by drawing on accumulated knowledge and experience of management, staff, and other stakeholders through structured discussions. The facilitator leads a discussion about events that may affect achievement of entity or unit objectives. By combining the knowledge and experience of team members, important events are identified that otherwise might be missed.
• Process flow analysis. This technique considers the combination of inputs, tasks, responsibilities, and outputs that combine to form a process. By considering the internal and external factors that affect inputs to or activities within a process, an entity identifies events that could affect achievement of process objectives.
• Leading event indicators. By monitoring data correlated to events, entities identify the existence of conditions that could give rise to an event.
• Loss event data. Repositories of data on past individual loss events are a useful source of information for identifying trends and root causes. Once a root cause has been identified, management may find that it is more effective to assess and treat it than to address individual events. This analysis equips management to identify root causes of events and take action.
Figure 2. Classification of event identification techniques in time. Source: created by author (2012)
[Diagram labels: Event identification techniques; PAST: payment default histories, changes in commodity prices, lost-time accidents; FUTURE: shifting demographics, new market conditions, competitor actions]
Figure 3. Event identification techniques according to their manner of application. Source: created by author (2012)
[Diagram labels: Event identification techniques; Bottom-up; Top-down]
• Brainstorming is a creative method applied in the risk identification step. It is applied in a group of persons (e.g. staff) in order to build on each other’s ideas and generate new ideas. It gathers a list of ideas spontaneously contributed by its members.
• The Delphi technique gains information from experts, anonymously, about the likelihood of future events (risks) occurring.
• Cause and effect diagrams or fishbone diagrams are used for identifying causes of risk.
Along with the techniques and methods mentioned above, some traditional techniques such as SWOT, PEST and PESTLE, or more sophisticated ones such as systems analysis, scenario analysis and system engineering, can be used for risk identification. Also, a company can choose a combination of techniques or methods for more successful risk identification.
Visualization techniques for proper risk analysis
According to various risk management methodologies, risk assessment (or risk analysis) takes place after the risk identification step. This is quite a broad field of discussion, and it is beyond the scope of the research described in this paper. This section aims only to show how the information gathered in the risk identification step is further used for performing a thorough analysis.
Risk assessment allows an entity to consider the extent to which potential events have an impact on achievement of objectives. Management usually assesses events from two perspectives − likelihood and impact − and considers both inherent and residual risk.
An entity’s risk assessment methodology comprises a combination of qualitative and quantitative techniques.
• Qualitative assessment techniques are used where risks do not lend themselves to quantification or when there is a lack of sufficient quantitative data.
• Quantitative techniques typically bring more precision and are used in more complex and sophisticated activities to supplement qualitative techniques.
Quantitative risk assessment techniques usually receive more attention as they help to analyse the required information that can be used for further work with risks identified and analysed. Examples of quantitative techniques are Value at Risk, Cash Flow at Risk, Earnings at Risk, Loss Distributions, Back-Testing, Sensitivity Analysis, Scenario Analysis, Stress Testing, Benchmarking.
Qualitative techniques, on the other hand, help in determining causes or consequences of certain events and provide a linguistic description of risky situations. These include tables with qualitative description of risk, its occurrence and probability, also various types of logical trees (fault trees, event trees, decision trees). Also, sometimes a method of risk assessment can have features of both qualitative and quantitative groups.
Figure 4. Risk map showing various levels of risk impact and likelihood. Source: created by author (2012)
Figure 5. Risk map with placed risks (events) on it. Source: created by author (2012)
Risk maps are an adequate means of portraying the results of risk assessment made by quantitative as well as qualitative techniques. In Fig. 4 the risk map shows the colored areas of various levels of impact and likelihood of risk, and Fig. 5 can be used for placing the identified, potentially dangerous events, also with respect to their impact and likelihood.
Thus, sound application of the described techniques in a company can significantly improve risk management and drive the efficiency of company activity.
Conclusions
Risk is a very much overused concept, and there are many definitions of risk in the literature. It can be defined as potential variation in outcomes, an uncertain situation with possible negative outcomes, or a combination of the probability of an event and its consequence.
In order to manage risks successfully, a company manager responsible for the risk management process should select a proper risk identification procedure, identify possible risks based on internal and external factors, and then form a classification system suitable for the particular company.
The event identification techniques described in the paper can help company managers adequately distinguish potential risks. Risks should then be analysed by applying risk assessment methods, which can be qualitative or quantitative, or both, and should be visualized using risk maps. Such application of the described techniques in a company can significantly improve risk management and drive the efficiency of company activity.
References
Knight, F. V. (1921). Risk, Uncertainty and Profit. Houghton Mifflin Company, Boston, 381 p.
Luce, R. D., and Raiffa, H. (1957). Games and Decisions: Introduction and Critical Survey. New York: John Wiley and Sons. 509 p.
French, S. and Liang, Y. (1993). Decision Support Systems: a Decision Analytical Perspective, in Norman, J. (ed.) Developments in Operational Research, Operational Research Society, Birmingham.
Taylor, C. R. (2003). The Role of Risk Versus the Role of Uncertainty in Economic Systems. Agricultural Systems, 75: 251-264.
Rejda, G. E. (2008). Principles of Risk Management and Insurance. 10th Edition. Boston: Pearson. 748 p.
Balžeikienė, A. (2009). Rizikos suvokimas: sociologinė konceptualizacija ir visuomenės nuomonės tyrimo metodologinės prielaidos. Filosofija. Sociologija, 20 (4): 217-226.
Rutkauskas, A. V., and Stasytytė, V. (2011). Rizikos sampratos formavimosi ypatumai. Verslas: teorija ir praktika [Business: theory and practice], 12(2): 141-149.
Beasley, M. S., Clune, R. and Hermanson, D. R. (2005). Enterprise risk management: An empirical analysis of factors associated with the extent of implementation. Journal of Accounting and Public Policy, 24: 521–531.
Chapman, R. J. (2007). Simple tools and techniques for enterprise risk management, John Wiley & Sons, Inc. New York-Chichester-Brisbane-Toronto-Singapore.
FERMA. (2010). European Risk Management Benchmarking Survey, Retrieved August 28, 2012 from http://www.anra.it/funzioni/blob_out.php?id_blob=254&download
Liebenberg, A. P., and Hoyt, R. E. (2003). Determinants of Enterprise Risk Management: Evidence from the Appointment of Chief Risk Officers. Risk Management and Insurance Review, 6: 37–52.
Hopkin, P. (2010). Fundamentals of Risk Management, Kogan Page, London, 2010.
Gorzeń-Mitka, I. (2012). Risk management in Polish companies, in Proceedings of the 7th International Scientific Conference “Business and Management 2012”, May 10-11, 2012, Vilnius, Lithuania, 1090-1095.
International Standard ISO 31000:2009. Risk Management – Principles and guidelines. p. 36.
ISO Guide 73:2009. Risk Management – Vocabulary. p. 15.
Institute of Risk Management. (2002). A Risk Management Standard. p. 16.
HM Treasury. (2004). Orange Book: Management of risk - Principles and Concepts. p. 50.
The Institute of Internal Auditors. (2012). Retrieved August 20, 2012 from https://na.theiia.org/Pages/IIAHome.aspx.
Hopkin, P. (2010). Fundamentals of Risk Management. London: Kogan Page. p. 357.
COSO. (2004). Enterprise Risk Management – Integrated Framework. p. 134.
Thompson, D. (1996). The Oxford Modern English Dictionary. 2nd edition. USA: Oxford University Press. p. 1248.