Business risk management 101

The following are notes I took while studying business risk management; this article covers only the very basics of business risk management (BRM).

What is Risk?

The effect of uncertainty on objectives (ISO31000)

  • A deviation from an objective (positive or negative impact)
  • Objectives may exist for a range of aspects of a business (financial targets, operational, technological, reputational) and at multiple levels (enterprise-wide, business line, project, etc.)
  • Assessments of risk typically focus on likelihood and consequences

How to describe a risk?

Triggers + risk event → consequences

Too many risks?

  • Categorise
  • limited number of important risks
  • priorities

Risk profile

The risk profile is a description of the set of risks faced by an organisation, business unit, project, process, or task.

The risk profile draws information from a “risk register” or similar documentation or database which specifies:

  • What is the risk?
    • The nature of the risk
    • The likelihood
    • The consequence
  • How are we managing it?
    • The mitigation or controls in place (or to be put in place)
    • The risk owner

Risk appetite/ attitude

Basic principle:

BENEFIT SOUGHT ≥ RISK UNDERTAKEN

ISO31000’s definition of risk attitude: organisation’s approach to assess and eventually pursue, retain, take or turn away from risk

Risk vs. return trade-off

In informed and liquid markets

Risk management principles, framework, process


1. Establishing the context

  • What’s the business / program
    • Objectives / strategy
  • External context (external environment in which to achieve objectives)
    • Driving forces; PESTEL analysis (Political, Economic, Social, Technological, Environmental, Legal)
    • External stakeholders: relationships, expectations and assumptions
  • Internal context (internal environment in which to achieve the objectives)
    • Core business/program operations
    • Governance, risk policies, risk capabilities
    • Internal stakeholders: relationships, expectations and assumptions
  • Approach to risk (Appetite/Attitude)
    • Approach to defining, measuring and managing risk
    • What is acceptable/tolerable

2. Risk identification

  • What can happen, where and when?
  • Why and how can it happen?
  • Is it under our control?
  • Think of the risk without any special controls in place.
  • Should be comprehensive (e.g. include risks of missed opportunity)

Identifying risks – Basic approaches

  • Reliance on historical data

Assumes that sources and causes of risks in the past are likely to be sources and causes of risks in the future. Useful if future conditions are similar to past conditions. Analysis tools that mainly depend on this approach include checklists and benchmarks.

  • Reliance on intuition

Assumes that personal insights into risk events under a set of circumstances can apply to a different set of circumstances. Requires access to broad and deep experience. Vulnerable to biases. Analysis tools that mainly depend on this approach include any that utilise brain storming and management opinion.

  • Reliance on pure reasoning

Assumes that the sources and causes of risks correlate to discrete elements of an organisation or program. Limited by knowledge of organisational processes, activities and tasks. This approach is the basis of component analysis tools (e.g. FMEA).

3. Risk analysis

  • Evaluate existing controls
    • Control: “measure that is modifying risk” (ISO 31000)
      • “process, policy, device, practice, or other actions which modify risk”
      • what is their reliability?
  • Determine (define and estimate) the consequences and likelihood of risk occurring given the existing controls
  • Types of consequence and likelihood measures: Qualitative vs. Quantitative

4. Risk Evaluation

“The process of comparing risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable” (ISO31000)

  • Risk Analysis
    • Level of risk: combination of likelihood and consequence
  • Risk Criteria: “Terms of reference against which the significance of risk is evaluated”
    • Detailed/formalised version of risk appetite/attitude
    • Influenced by organisational objectives and context (including external legal, regulatory or other requirements)
    • Informs the selection of risk treatment
  • Treatment choice = f(Risk Evaluation) = f(Analysis vs. Criteria)
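As an added example (not part of the original notes), a small Python risk register that describes each risk as trigger + event → consequence, records its controls and owner, computes the level of risk from likelihood and consequence, and compares it against a tolerable threshold that stands in for the organisation's risk criteria. The 5-point ordinal scales, the product rule for level of risk and the single-number threshold are assumptions; the register entries are constructed.

```python
from dataclasses import dataclass, field

# Ordinal scales are an assumption: the notes only say that qualitative
# and quantitative measures exist, not which scale to use.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

@dataclass
class Risk:
    """One risk register entry: trigger + event -> consequence, plus how it is managed."""
    name: str
    trigger: str
    event: str
    consequence: str
    likelihood: str          # assessed with the existing controls in place
    consequence_rating: str
    controls: list[str] = field(default_factory=list)
    owner: str = "unassigned"

    def level(self) -> int:
        """Level of risk: combination of likelihood and consequence (here their product)."""
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence_rating]

def evaluate(risk: Risk, tolerable_level: int) -> str:
    """Risk evaluation: compare the analysis against the criteria. The threshold is an
    assumed single-number stand-in for the organisation's formalised risk appetite."""
    return "acceptable" if risk.level() <= tolerable_level else "treat"

def prioritise(register: list[Risk], tolerable_level: int, top_n: int = 3) -> list[tuple[str, int, str]]:
    """Limit attention to a small number of important risks: highest level first."""
    ranked = sorted(register, key=lambda r: r.level(), reverse=True)
    return [(r.name, r.level(), evaluate(r, tolerable_level)) for r in ranked[:top_n]]

# Constructed sample register (not real data).
REGISTER = [
    Risk("Phishing", "Credential-harvesting email reaches staff", "Account takeover",
         "Unauthorised access to internal systems", "likely", "major",
         controls=["MFA", "Security awareness training"], owner="CISO"),
    Risk("Vendor outage", "Cloud provider region failure", "Service unavailable",
         "Missed availability targets", "unlikely", "moderate",
         controls=["Multi-region deployment"], owner="Head of Platform"),
    Risk("Missed opportunity", "Competitor launches feature first", "Delayed product release",
         "Loss of market share", "possible", "minor", owner="Product Lead"),
]

if __name__ == "__main__":
    for name, level, verdict in prioritise(REGISTER, tolerable_level=6):
        print(f"{name}: level {level} -> {verdict}")
```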

5. Risk treatment

