ENTERPRISE RISK MANAGEMENT

CONCEPTS, TOOLS, STRATEGIES AND IMPLEMENTATION

INTRODUCTION

RISK is present everywhere and derives from the term “unpredictability”. When life itself is uncertain, nothing else in life can be certain, and even the best-laid plans undergo alterations midway and need to be re-designed, altered and recast. Organizations are constituted of people, systems, drawings, control, materials, equipment, working tools and tackle, and of course methods and procedures, and face a very wide range of speculations, changes in plans, theories and risks that can impact the outcome of their operations. Business transactions on a global scale, apart from transnational movement of raw materials and finished goods, today have to face risks of massive proportions such as terrorism, pandemics, trade sanctions, smuggling of men and materials across borders, abduction of young girls and boys for ransom and credit crunches, not to speak of periodical inspection by banks of how the funds provided by them are deployed. Even well-planned enterprises very often go awry because of delay in supply of raw materials, logistics and problems in distribution of finished products, strikes by workers, logistic calculations in marketing and even changes in government policy. However, as every black cloud has a silver lining, every downside in business also provides information on new and valuable opportunities and a la carte avenues that could be planned and executed. Many of today’s industrial ventures and household ways of working were born out of adversity.

Risk management provides a framework for organizations to deal with, defend and react to events which spring forth all of a sudden and helps the modern practice of coming to terms with risks in a systematic and comprehensive approach, drawing from their experience and from transferable tools and techniques. Whether they are individuals whose personal activities range from those associated with work or personal financial decisions, or organizations which deal with products and funds, there are considerable risks present in the work-place or domestic situations.

WHAT IS “RISK”?

The Oxford English Dictionary defines the term “risk” as: “a chance or possibility of danger, loss, injury or other adverse consequences” and the definition of “at risk” is “exposure to danger”. In this context, “risk” is used to signify negative consequences. But a risk does not necessarily connote negative outcomes and can take many forms. Whatever it be, a risk can also suggest how to invent, improvise, throw up impromptu and extempore opportunities on the spur of the moment. The Cambridge Dictionary defines “risk analysis” as a “methodical investigation process undertaken to assess the financial and physical affecting a business risk”.

Take the example of owning a motorcar. For most people, owning a motorcar is an opportunity to be more mobile and gain the related benefits. However, there are uncertainties in owning a car. We are responsible for maintaining the car and repairing any damage to the car at our expense. We have to pay road tax at regular intervals and also pay for gasoline. Finally, motorcars can be involved in accidents, so there are obvious negative outcomes that can occur, like paying for third party damages.

“Risk” has various meanings, depending on the situation. When a person bets on a race horse, he says he is taking a risk. A person who is late and is rushing to a railway station to catch a train says he is taking a risk, as he may miss the train. When a patient is admitted to a hospital for surgery for a serious ailment, people say he/she is taking a risk. In all these examples, what characterizes “risk” is “uncertainty”.

Risk, which is defined as uncertainty, is a simple concept, a way of thinking through planning a program or a project. For instance, funding a new venture whose contours are not that well defined may be in for a crash or it may make enormous profits. There are many treatments of risk in literature, but most tend to overdo the quantitative tools and understate the softer, more people-oriented issues in risk management.

First, risk has been narrowly treated in the context of work-related activities and tasks, but the sources of risk are more appropriately addressed at the business and industry level. The prevailing notion about work-related risk management has been the assumption that knowledge of internal work-oriented planning and control issues was most important in forecasting and managing risks and costs. This assumption has driven the subject of job risk management in directions that focus on internal work-related tasks. But business analysts increasingly find that external business issues often have a much greater impact on the future of their organizations, and on project success, than any internal issues. Thus the roots of work-related risks lie in the forces acting on the organization.

Second, and as a consequence of the first point, risk cannot be separated from business planning, job selection, planning and control. It is integral to these processes. Risk is the core planning challenge at the heart of business development and, later, work management. The separation of the risk management process from the rest of the broader business and work management paradigm is a wrong approach to the subject because it implies that somehow risk is largely internal to a work schedule and therefore controlled by the work team. Since work risk is business risk, the whole business strategic planning, marketing, and risk analysis applied to a business framework produces SWOT (strengths, weaknesses, opportunities and threats) analysis and other outputs that support identification of work-related risks. These risks include competition, business finance, workforce issues and changes in the customer base.

Third, risk management is largely a leadership and management challenge first, not fundamentally a quantitative process as portrayed in text books on the subject. It is Operational Culture that drives the approach to risk. Risk is actually qualitative and intuitive and brings out the most creative juices of work process. It is risk that generates the passion of business accomplishment; to overcome a competitive challenge and create opportunity. Overcoming risk equals business success. No industrial or commercial venture has ever succeeded unless risks were met squarely and tackled appropriately.

The Software Engineering Institute defines risk management as “A successful risk management practice is one in which risks are continuously identified and analyzed for relative importance”. Risks are mitigated, tracked, and controlled to use program resources effectively. Problems which are both internal to the organization and external are prevented before they occur, and personnel consciously focus on what could affect product quality and schedules of production and distribution.

There are five principles underlying the definition of risk:

  1. Risk is any uncertainty in a project or work-schedule that can distort, potentially control, or at least track. This means there are many risks in any business.
  2. Risk is integral to the business and the project planning process; therefore don’t think of risk as something different or separate from management. Risk is why you do business and plan projects – if there were no risk, there would not be any business.
  3. Focus only on high risk, resource-consuming tasks because you can’t focus on all of them. Assessing risk is a question of rank-ordering risks and keeping your eye on them.
  4. Monitoring risk is a question of identifying key milestones or points in the work schedule where risk decisions need to be made. These milestones would mark whether a piece of equipment worked, or a key source was available.
  5. Planning a response to risk involves understanding the work and impacts of various corrective actions midstream.

NATURE OF RISK

Recent events in the world have brought risk into higher profile. Terrorism, religious extremism, cross-border smuggling of men and materials, abduction of young women and children for ransom, tsunami waves, cyclones, hurricanes, earthquakes and earthquake shocks, floods, drought, landslides and other climate-related events, and even the global financial crises that are facing society, industry, commerce and nations, have upset the normal living standards of people and nations. These extreme risks occur recurrently and repetitively among somewhat more mundane risks.

Evaluating the range of risk responses available and deciding the appropriate response in each case is the core of risk management. Responding to risks should produce benefits for individuals as well as for organizations both in work-places and domestic situations. For example, many of the responses to risk are automatic like admitting a person who has collapsed while walking on the road. Ways of avoiding fire and road accidents are based on well-established and automatic responses.

Certain other risks have established responses that are imposed on us as individuals and/or organizations as requirements. For example, in our personal lives buying insurance for a motorcar is a legal requirement, whereas buying insurance for our residence is often not, but doing so is good risk management and sensible. As well as hazard and control risks, there are risks that have a positive return. For example, investing money in the stock market is in anticipation of making a profit from the investment. But placing a bet on a race horse is more a gamble than an investment, as the outcome may be a positive payback or the money invested may be a dead loss.

People participate out of choice in motor sports, water sports, horse racing and other potentially unsafe pursuits in the hope of winning a jackpot. In these circumstances the return may not be entirely financial, but can be measured in terms of pride, self-esteem or peer group respect. Undertaking activities that involve risks of this type, where a positive return may be expected, is referred to as taking opportunity risks.

ATTITUDES TO RISK

Different organizations will have different attitudes to risk. Some organizations may be considered to be risk averse, while other organizations will be risk aggressive. To some extent, the attitude of the organization to risk will depend on the sector and the nature and maturity of the market place within which it operates as well as the attitude of the individual board members.

The key factors that will determine the risk attitude of the organization include the stage in the maturity cycle. For an organization that is in the start-up phase, a more aggressive attitude is required than for an organization that is enjoying growth or one that is a mature organization in a mature market place. Where an organization is operating in a mature market place and is suffering decline, the attitude to risk will be much more risk averse.

Risks cannot be considered outside the context that gave rise to the risks. It may appear that an organization is being risk aggressive when in fact the board has decided that there is an opportunity that should not be missed. However, the fact that the opportunity is high risk may not have been fully appreciated.

COMPONENTS AND DEGREES OF RISK MANAGEMENT

Organizations face a wide range of risks that can impact the outcome of their operations. The desired overall aim may be stated as “a mission or a set of corporate objectives”. The events that can impact an organization may inhibit what it is seeking to achieve (hazard risks), enhance their objectives (opportunity risks), or create uncertainty about the outcome (control risks). Risk management needs to offer an integrated approach to the evaluation, control and monitoring of these types of risks.

The demystification of risk involves a whole new perspective on a business-wide process that has been looked at for many years as a separable, quantitative and work-specific exercise. The quantification comes from the attempt to replicate scientific, mathematical models of probability, but most activities do not need such rigor. The issue of risk management is simple, comprising awareness of risks and focused and intense management.

Setting up for risk management means preparing the organization and not the work activities first. The issue is establishing first the value of risk analysis as part of the normal planning process, and then finding out where the risks emerge from that make inroads into the work breakdown structure and scheduling process. We have to bear in mind that risk is an input to risk-based scheduling. Dimensioning risk is qualitative, a matter of ranking and ordering, and usually not quantitative.

The risk management process is fairly well established, although it may be carried out in a number of different ways. But the process cannot take place in isolation. It needs to be supported by a framework within the organization and further needs to be implemented in different ways appropriate to the situation in the range of standards, guides and other publications that are available. The key components of a successful risk management framework are the structure which is comprised of the communications and reporting system, the strategy that is set up by the organization and the set of guidelines and procedures and protocols that have been established. The combination of risk management process together with the description in place for supporting the process constitutes the “risk management standard”.

There are standards in existence, including the Institute of Risk Management (IRM) Standard and the recently published British Standard (BS) 31100. There is also the American COSO ERM framework. The latest addition to the available risk management standards is the International Standard (ISO) 31000 published in 2009. The well-established and highly regarded Australian Standard (AS) 4360:2004 was withdrawn in 2009 in preference for ISO 31000. AS 4360 was first published in 1995 and ISO 31000 includes many of the features previously described in AS 4360.

BENEFITS OF RISK MANAGEMENT

There is a range of benefits arising from successful implementation of risk management. A key benefit is to enhance the efficiency of operations within the organization. Risk management helps ensure that business processes (including process experiments by way of projects and other change initiatives) are effective and that the selected strategy is efficacious. The outputs from risk management activities can benefit the organization in three time scales and ensure that the organization achieves:

  1. efficacious strategy;
  2. effective process;
  3. efficient operations.

In order to achieve a successful risk management contribution, the intended benefits of any risk management initiatives have to be identified, listed and prioritized. If those benefits have not been identified, there may be no means of evaluating whether the risk management initiative has been successful at all.

Therefore, good risk management has to have a clear and indisputable set of desired outcomes/benefits. Appropriate attention has to be paid to each stage of the risk management process, as well as to details of the design, implementation and monitoring of the framework that supports these risk management activities. One of the major requirements for a good lawyer is to be up-to-date with case law. Most judgments delivered by Superior Courts in India are by the State High Courts and the Supreme Court. As a matter of fact, many a case is won in Superior Courts by the citation of case law, and many a precedent is cited by case law.

FEATURES OF RISK MANAGEMENT

Failure to adequately manage the risks which organizations quite often face can be caused by inadequate risk recognition, insufficient analysis of significant risks which need consideration and failure to identify suitable risk responsive activities. Another cause is failure to set a risk management strategy and communicate that strategy and the associated responsibilities to those who are involved, like colleagues and other co-workers. It is also possible that risk management procedures or protocols may actually be incapable of delivering the required results, which may lead to inadequate management of risks.

The consequences of failure to adequately manage risks can be disastrous and result in inefficient operations. Projects not completed on time and strategies that are not delivered, or were incorrect in the first place, are the major cause of organizational failure. The hallmarks of a successful risk management initiative are that it should be proportionate to and aligned with the organization’s mission and objectives, and comprehensive, embedded and dynamic. “Proportionate” means that the efforts put into risk management activities should be appropriate to the level of risks that the organization faces. Risk management activities should be “aligned” with all other activities within the organization and will also need to be “comprehensive”, so that any risk management initiative covers all the aspects and facets of the risks the organization faces. Finally, risk management activities have to be “dynamic” (moving with the times) and be “responsive” to the changing times and business environment faced by the organization.

TYPES OF RISKS

Risks may have positive or negative outcomes or may simply result in uncertainty. Therefore “risks” may be considered to be related to an “opportunity” or a “loss” or the presence of “uncertainty” for an organization. Every risk has its own characteristics that require appropriate analysis and management. As in the ISO Guide 73 definition, risks are divided into three categories: (a) Hazard or Pure Risks; (b) Opportunity or Speculative Risks; and (c) Control or Uncertainty Risks.

It is important to note that there is no ‘right’ or ‘wrong’ sub-division of risks. The most important issue is that an organization adopts a risk classification system that is most suitable for its own circumstances, business processes and its personnel.

There are certain events that can result only in “negative outcomes”. These risks are “hazard” or “pure” risks and these may be thought of as “operational or insurable risks”. In general, organizations have built a tolerance for pure (hazard) risks and these need to be managed within the levels of tolerance of the organization.

There are two main aspects associated with “opportunity risks”. There are risks/dangers associated with taking the opportunity, but there are also risks associated with not taking the opportunity. Opportunity risks may not be visible and they are financial in nature. Although opportunity risks are often taken with the intention of having a positive outcome, this is not guaranteed.

COMPUTER VIRUSES

In order to understand the distinction between “hazard (or pure)”, “opportunity (or speculative)”, and “control (or uncertainty)” risks, the example of use of computers is useful. Virus infection is an operational or hazard risk and there is no benefit to an organization suffering a virus attack on its software programs. When an organization installs or upgrades a software package, control (or uncertainty) risks will be associated with the upgraded project.

The selection of new software is also an opportunity (or speculative) risk, where the intention is to achieve better results by installing the new software, but it is possible the new software may fail to deliver all of the functionality that was intended and the opportunity benefits may not be delivered. In fact, the failure of the new software system may substantially undermine the operations of the organization.

Organizations can no longer find themselves in a position whereby unexpected events can cause financial loss, disruption to normal operations, damage to reputation and loss of market presence. Stakeholders expect that organizations take full account of the risks that may cause disruption within the operations, late delivery of projects or failure to deliver strategy.

FUTURE BENEFITS OF RISK MANAGEMENT AND LOSS CONTROL

Much of the discussion so far is concerned with risk management input into operations. It is likely that operations will be impacted by hazard risks, and so the principal focus of risk management in relation to operations is on hazard management. In order to achieve the maximum benefit from risk management input into operations, organizations need, however, to focus on loss control. Loss control is a combination of loss prevention, damage limitation and cost containment.

Projects should be completed on time, to budget and to specification. Inevitably, there will be a considerable amount of uncertainty associated with all works, including projects. The contribution of risk management is to minimize these uncertainties. Management of risks within the budget allocations is a style of control management.

There is no single all-embracing definition of risk. Different organizations would have different attitudes to risk based on what occupation, calling or work they are engaged in. For example, a locomotive driver not only runs the risk of running the train on time but also faces the risk of being constantly exposed to the high temperature caused by the engine’s heat. A bus driver has to be ever alert while piloting the bus. Airline pilots have to be ever alert while flying the airplane. Economists, behavior scientists, risk theorists, lawyers, statisticians, actuaries, physicians, surgeons, radiologists and many others each have their own concept of risk based on their profession and the professional advice they give. Based on this concept, risk is defined as uncertainty concerning the occurrence of a loss or damage.

Risks cannot be considered outside the context that gave cause of action to the risks. It may appear that an organization is being risk aggressive, when in fact the board has decided that there is an opportunity that should not be missed. However, the fact that the opportunity is high risk may not have been fully deliberated upon.

Other key factors that will determine the risk attitude of the organization include the stage of the maturity cycle. For an organization that is at the start-up phase, a more aggressive attitude is required than for an organization that is enjoying growth or one that is a mature organization in the market place. For any professional organization, good professional knowledge and skill and good marketing skills enhance their fame and prestige and go a long way in their practice.

BENEFITS OF RISK MANAGEMENT

The overall benefits of risk management can be summarized in a number of ways. From undertaking a risk management initiative, the expectations are less disruption to operations, successful delivery of contracted works and projects, and better strategies and better strategic decisions. Also underpinning risk management initiatives will be the desideratum for adequate risk assurance. These considerations, as in the manufacturing sector where the products must be of a certain size and quality and within acceptable limits, will be the guiding force.

CONCLUSION

As with any management initiative that becomes embedded within the way organizations operate, a successful risk management initiative is bound to develop and become more sophisticated. Developments in the discipline of risk management, especially during the past 15 years, have been dramatic. Also, the level to which risk management requirements have become embedded within corporate governance and governance in local bodies has been extensive.

Risk management is not a complex exercise, nor does it need heavy investment. It can be tailored to meet the needs of the organization in the early stages and modified as the level of sophistication increases. It is a systematic and pro-active approach to managing risk. It allows the organization to focus on what is complex and important to control versus what is easy to control.


Written by: A. Ramachandran, General Manager & Director (Retd)
United India Insurance Company Ltd., Chennai.