Part I: Introduction and Literature review
Chapter 2: Risk management, decision making, and decision theory
2.2 Risk management
2.2.4 Risk management process
Effective risk management involves anticipating outcomes and planning a strategy in advance given the likelihood and consequences of events. It involves much more than reacting to those events after they occur. A number of authors have suggested that the risk management process can be divided into a number of steps, namely risk identification, risk analysis, risk evaluation, and risk treatment (Hardaker et al., 1997; Noell and Odening, 1997; Green, 2000). These steps can be performed in a routine and cyclical way by most individuals and organisations.
Management of risk is an integral part of the overall business management process. Risk management is a multi-faceted process and its main elements are illustrated in Figure 2.3. For the sake of brevity, only a brief description of these elements will be discussed in the next paragraphs. Details of the risk management process are reported in the
Figure 2.3: Risk management process
Source: Adapted from the Australian/New Zealand Standards (2004, p.13)
[Figure: flow diagram of the following stages, with COMMUNICATE AND CONSULT and MONITOR AND REVIEW running alongside all of them]
ESTABLISH THE CONTEXT • The internal context • The external context • The risk management context • Develop criteria • Define the structure
IDENTIFY RISKS • What can happen? • When and where? • How and why?
ANALYSE RISKS • Identify existing controls • Determine consequences • Determine likelihood • Determine level of risk
EVALUATE RISKS • Compare against criteria • Set priorities
Treat risks? (Yes / No)
TREAT RISKS • Identify options • Assess options • Prepare and implement treatment plan • Analyse and evaluate residual risk
Establishing context
The first step in the process of risk management is defining the context. This step recognises that it is not effective to try to identify future scenarios and estimate potential losses and opportunities before one has thought about what one is trying to achieve and why (Cross, 2000).
Clark and Brinkley (2001) emphasised that the ‘context’ used here refers to specific aspects of the environment, risk, and organization to which risk management is being applied. Context is usually established early because this exercise is critical to the success or failure of the process. ‘Setting the context’ will ensure that the other stages in the process are more targeted and efficient, and it will avoid wasted time and resources. It is necessary to understand the organization and its capabilities, as well as its goals and objectives and the strategies that are in place to achieve them. Information about the context helps to design a suitable risk management process. This task is usually carried out early in risk management, but it can also be modified throughout the remaining stages.
The context needs to be established to define the basic parameters within which risks must be managed and to provide guidance for decisions within more detailed risk management studies. This sets the scope for the rest of the risk management process.
Identifying risks
The next step is to identify the risks that are relevant. This is often said very glibly. It is, however, the most difficult step of the process.
In identifying the risks to be managed, a systematic approach is important to ensure that important types of risk are not overlooked. The list of all possible risks is obviously endless, so the aim in risk identification is to make a list of the events that may have an important effect on the performance of the organisation. It is a matter of considering what might happen, why, and how (Hardaker et al., 1997). Having identified a list of events, it is necessary to consider possible causes and scenarios. There are many ways an event can be initiated. It is important that no significant causes are omitted.
Risk identification narrows the task in risk management down to considering a specific set of threats, given the values, policies, and organizational context in which the individual or business is operating. The risk identification process develops preliminary information about a broad set of risk factors. These factors may be narrowed either through iterations of this process, or through a more complete risk analysis (Clark and Brinkley, 2001).
Analysing risks
Once risks have been identified, the next step is to analyse them. The aim is to try to estimate how big the consequences of these risks are and to find the factors that affect their magnitude so that negative impacts can be traded off. Most of the discussion about risk is focussed on down-side risk, but it is worthwhile considering whether managers can take advantage of up-side risk.
Analysis of risks may be qualitative, semi-quantitative or quantitative, or a combination of these depending on the circumstances. In the risk analysis step, facts, predictions, calculations, and reasoned judgements about the risk and its magnitude are considered alongside political considerations, values, criteria, constraints, and prejudices so that a decision can be made.
Evaluating risks
The purpose of risk evaluation is to make decisions, based on the outcomes of risk analysis, about which risks need treatment and treatment priorities. Risk evaluation involves comparing the outcomes from particular events identified during the analysis process with risk evaluation criteria established when the context was considered. In some circumstances, risk evaluation may lead to a decision to ignore the risk, accept the risk, or even to postpone the decision and undertake further analysis.
Making a decision
Decision making, or treating risks, is the process of selecting and implementing appropriate options to deal with risk. It involves evaluating alternative options and selecting among them. Options can be assessed on the basis of the extent to which risk will be reduced, and the extent of any additional benefits or opportunities created. A number of options may be considered and applied either individually or in combination. The options should consider how risk is perceived by affected parties and the most appropriate ways to communicate the effects to those parties.
Ideally, responsibility for decision making in risky situations should be borne by those best able to control the risk. Responsibilities should be agreed between the parties at the earliest possible time. The successful implementation of the risk management plan requires an effective management system which specifies the methods chosen, assigns responsibilities and individual accountabilities for actions, and monitors them against specified criteria.
Monitoring and communicating risk
The risks themselves, and each step of the risk management process, require monitoring. Risks change as circumstances change. New risks arise and new information becomes available to help analyse the magnitude of their outcomes. Once the risk management program is put in place, data can be generated which can improve the management process. Once a risk management cycle is complete and risks are reduced, criteria can be strengthened to make a continuous improvement in risk management. In spite of a risk management program being in place, losses can still occur. It is therefore important to monitor the outcomes from decisions and learn from poor ones (Cross, 2000).
Furthermore, Clark and Brinkley (2001) claimed that because risk management is based on information, communication is a foundation of the process, and many criticisms of applied risk management processes have attributed failures to poor communication. Risk management processes that are viewed as ‘successful’ are often highly communicative with rich and easily accessible information available at all stages.