The following are notes I took while studying business risk management; this article covers only the very basic knowledge of business risk management (BRM).
What is Risk?
The effect of uncertainty on objectives (ISO 31000)
- A deviation from an objective (positive or negative impact)
- Objectives may exist for a range of aspects of a business (financial targets, operational, technological, reputational) and at multiple levels (enterprise-wide, business line, project, etc.)
- Assessments of risk typically focus on likelihood and consequences
How to describe a risk?
Triggers + risk event → consequences
Too many risks?
- Categorise
- Focus on a limited number of important risks
- Set priorities
Risk profile
The risk profile is a description of the set of risks faced by an organisation, business unit, project, process, or task.
The risk profile draws information from a “risk register” or similar documentation or database which specifies:
- What is the risk?
  - The nature of the risk
  - The likelihood
  - The consequence
- How are we managing it?
  - The mitigation or controls in place (or to be put in place)
  - The risk owner
Risk appetite / attitude
Basic principle:
BENEFIT SOUGHT ≥ RISK UNDERTAKEN
ISO 31000’s definition of risk attitude: the organisation’s approach to assess and eventually pursue, retain, take or turn away from risk.
Risk vs. return trade-off, as observed in informed and liquid markets.
Risk management principles, framework, process
1. Establishing the context
- What’s the business / program?
- Objectives / strategy
- External context (the external environment in which the objectives are to be achieved)
  - Driving forces; PESTEL analysis (Political, Economic, Social, Technological, Environmental, Legal)
  - External stakeholders: relationships, expectations and assumptions
- Internal context (the internal environment in which the objectives are to be achieved)
  - Core business/program operations
  - Governance, risk policies, risk capabilities
  - Internal stakeholders: relationships, expectations and assumptions
- Approach to risk (appetite/attitude)
  - Approach to defining, measuring and managing risk
  - What is acceptable/tolerable
2. Risk identification
▪ What can happen, where and when?
▪ Why and how can it happen?
▪ Is it under our control?
▪ Think of the risk without any special controls in place.
▪ Should be comprehensive (e.g. include risks of missed opportunity).
Identifying risks – Basic approaches
- Reliance on historical data
Assumes that sources and causes of risks in the past are likely to be sources and causes of risks in the future. Useful if future conditions are similar to past conditions. Analysis tools that mainly depend on this approach include checklists and benchmarks.
- Reliance on intuition
Assumes that personal insights into risk events under one set of circumstances can apply to a different set of circumstances. Requires access to broad and deep experience. Vulnerable to biases. Analysis tools that mainly depend on this approach include any that utilise brainstorming and management opinion.
- Reliance on pure reasoning
Assumes that the sources and causes of risks correlate to discrete elements of an organisation or program. Limited by knowledge of organisational processes, activities and tasks. This approach is the basis of component analysis tools (e.g. FMEA).
3. Risk analysis
- Evaluate existing controls
  - Control: “measure that is modifying risk” (ISO 31000), i.e. a “process, policy, device, practice, or other action which modifies risk”
  - What is their reliability?
- Determine (define and estimate) the consequences and likelihood of the risk occurring given the existing controls
  - Types of consequence and likelihood measures: qualitative vs. quantitative
4. Risk evaluation
“The process of comparing risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable” (ISO 31000)
- Risk analysis
  - Level of risk: combination of likelihood & consequence
- Risk criteria
  - “Terms of reference against which the significance of risk is evaluated” (ISO 31000)
  - Detailed/formalised version of risk appetite/attitude; influenced by organisational objectives and context (including external legal, regulatory or other requirements)
  - Informs the selection of risk treatment
- Treatment choice = f(Risk evaluation) = f(Analysis vs. Criteria)
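As an added worked example (not part of the original notes), the register fields, the likelihood/consequence combination from step 3 and the comparison against risk criteria from step 4 can be put together as a small risk register in Python. The ordinal scales, the rule that a reliable control lowers likelihood by one step, the criteria thresholds and the register entries are all constructed assumptions for illustration; real organisations define their own.

```python
from dataclasses import dataclass, field

# Ordinal scales (constructed for this example; real scales are organisation-specific).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

@dataclass
class Risk:
    """One risk register entry: trigger + event -> consequence, plus owner and controls."""
    trigger: str
    event: str
    consequence: str
    owner: str
    likelihood: str          # rating without special controls (inherent)
    severity: str            # consequence rating
    controls: list = field(default_factory=list)   # (description, reliability 0..1)

def level_of_risk(likelihood: str, severity: str) -> int:
    """Level of risk = combination of likelihood and consequence (here: the product)."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[severity]

def residual_likelihood(risk: Risk) -> str:
    """Re-rate likelihood given existing controls: each reliable control
    (assumed: reliability >= 0.8) lowers the likelihood rating by one step."""
    score = LIKELIHOOD[risk.likelihood]
    for _desc, reliability in risk.controls:
        if reliability >= 0.8:
            score -= 1
    score = max(score, 1)
    return next(name for name, v in LIKELIHOOD.items() if v == score)

def evaluate(risk: Risk, criteria: dict) -> dict:
    """Risk evaluation: compare the analysed (residual) level with the risk
    criteria and derive the treatment choice, i.e. f(Analysis vs. Criteria)."""
    inherent = level_of_risk(risk.likelihood, risk.severity)
    residual = level_of_risk(residual_likelihood(risk), risk.severity)
    if residual <= criteria["accept_up_to"]:
        treatment = "accept"
    elif residual <= criteria["tolerate_up_to"]:
        treatment = "tolerate with monitoring"
    else:
        treatment = "treat (reduce, transfer or avoid)"
    return {"owner": risk.owner, "inherent": inherent, "residual": residual, "treatment": treatment}

# Constructed risk criteria (the formalised risk appetite) and register entries.
CRITERIA = {"accept_up_to": 4, "tolerate_up_to": 9}
REGISTER = [
    Risk("phishing email opened", "staff credentials stolen", "unauthorised access to finance systems",
         "CISO", "likely", "major", controls=[("MFA on all accounts", 0.9), ("awareness training", 0.5)]),
    Risk("supplier outage", "payment gateway unavailable", "lost sales for a day",
         "COO", "possible", "moderate"),
]
```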