What is risk?
A risk is defined by ISO/IEC Guide 73:2009 Risk management – vocabulary as “effect of uncertainty on objectives.”
First it is necessary to define risk – “the combination of the probability of an event and its consequences.” ISO/IEC Guide 73 terminology hereafter shown in italics. There can be more than one consequence from an event and the consequences can be positive or negative.
Risks, if they are realized, may prevent you from achieving a daily task, a project, or your organization’s objectives and goals. Risk is inherent in everything we do – though by managing risks you can reduce the chances of serious harm to your organization and your community.
Risk has become a positive (opportunity) as well as a negative concept. For example, the ISO/IEC Risk Terminology document opens with the statement “All types of undertakings are faced with situations (or events) that constitute opportunities for benefit or threats to their success. Opportunities may be realized or threats averted by effective management. There is always a probability of outcomes, both positive and negative, that are not “usual” outcomes and the organization needs to have a management strategy for dealing with these outcomes.”
Effective risk management is only sustainable in an organization if there is constant attention in the form of audits, reviews, and other forms of monitoring. This is due to the low-probability nature of risks: they do not happen very often, so relative to other management tasks they are easily forgotten, and their predominantly negative character makes it easier to leave them for another day. Unless the organization is vigilant, risk management controls, like batteries in smoke detectors, quickly become ineffective.
Each organization must design its own risk management framework, process, roles and responsibilities, documentation, and so forth. However, there are standard risk management functional elements for framework, procedures, etc. which should be used in the design. This ensures that the risk management procedures will be recognizable to others and will improve both effectiveness and efficiency.
Risks can have positive outcomes, but for this exercise we have focused on the risks that have negative outcomes.
There are three ways of looking at risk:
Absolute risk – The overall risk inherent in a situation that has no controls present – the worst thing that could happen if you didn’t do anything about a risk.
Residual risk – The level of risk remaining after risk treatment measures have been taken – after you have decided to do something about a risk, there still may be a chance that it will happen.
Perceived risk – An individual’s subjective assessment of the risk present at any time – how risky you think the situation is.
Take jumping off a high bridge for example. The absolute risk is extreme – if you jump off the bridge, it might be fun for a few seconds, but you will probably die. You can reduce the risk by tying bungee cords to your ankles. If the bungee is secure and of the right length, the residual risk is pretty minimal. Different individuals, however, may perceive quite different levels of risk depending on their own personalities and experiences.
The concept of risk also covers “hazards.” Hazards are situations which give rise to risk.
For example, think of a fire hazard. The possibility of fire is the risk; a pile of paper near a heater is a hazard.
What is risk management?
Risk management is a systematic way of identifying, assessing, treating and monitoring risks. Following a systematic process helps organizations to identify likely risks and to make plans to reduce the potential consequences.
Risk management is becoming an increasingly important activity within firms and organizations.
Like other management activities, risk management helps an organization meet its objectives through the allocation of resources to undertake planning, make decisions, and carry out productive activities. Risk management is unique in that it focuses on uncertainties that an organization faces: uncertainties in the probability of occurrence of events, uncertainties in the value to the organization of consequences of events, and other uncertainties that fall outside the “normally expected” range of variation. Generally, risks are low-probability but high-consequence events that can cause major disruption to the organization. Risk management, like other management activities, must be practical, cost effective, and help the organization survive and prosper. The growth in risk management is directly linked to the increasing number of risks an organization faces due to more complexity and interactions in the world, greater scrutiny by stakeholders and the media, and so forth.
Risk management is the process of implementing and maintaining appropriate management controls including policies, procedures and practices to reduce the effects of risk to an acceptable level. The principles of risk management can be directed both to limiting adverse outcomes and achieving desirable ones. The process involves identifying, analyzing, assessing, treating and monitoring risk in all areas of customer operations and business.
Risk Management is an integral part of good management practice that should be embedded within all business processes.
Risks by their nature can be avoided, managed to acceptable levels, or shared with a third party. Community service organizations that manage risk effectively and efficiently are more likely to achieve their objectives.
Being part of corporate governance – the overall guidance system for achieving planned objectives – risk management develops treatment plans, controls and strategies associated with achieving objectives.
Controls provide reasonable assurance to the Board and Management that planned objectives will be achieved. They are processes, policies, or actions to minimize negative risk or enhance positive opportunities.
Compliance and quality management ensure that organizational standards and requirements are met, and these are part of the organization’s controls.
Why manage risk?
The management of risk was once prompted by self-preservation or by a moral duty to others. These days, legal and economic imperatives also provide a powerful incentive to take a systematic approach to managing risk.
We manage risk to optimize the balance between risk and opportunity. That is, we want to increase the chances that we will achieve something, and reduce the chances that anything will go wrong.
By managing risk, you can also improve your performance. A key way to reduce the likelihood of something untoward happening and to achieve the best possible results is to apply best practice. For example, you might apply good accounting or investment practices to reduce your risk of losing money. As an added benefit, you may find that you improve your financial position.
Risk Management System
A risk management system – “set of elements of an organization’s management system concerned with managing risk” – is one component of an organization’s management and associated organizational structure. Like the other management components, it has elements that include decision-makers, policies, strategic planning, resources, and a unique corporate culture.
The risk management system’s function is to establish an organizational structure to:
establish the risk criteria,
maintain the organization’s risk management framework to identify, estimate, assess, control and communicate about risks,
implement risk controls to modify risks (usually reduce the negative consequences and associated probabilities but may also be to enhance the positive consequences),
develop relationships with stakeholders, and
be responsible for how the organization manages risks.
Risk control – “actions implementing risk management decisions” may involve monitoring, evaluation, compliance with decisions, as well as specific actions to modify risks, such as licensing, laws and regulations, establishment of standards, enforcement, and modification of behavior.
Key indicators of an effective risk management activity in an organization are:
Commitment of senior management
Risk controls and programs that are ubiquitous in the organization and well understood
A well-publicized “Risk Profile” that sets priorities for modifying risk controls
Effective risk communication that results in transparency for employees and other stakeholders, and
Monitoring, review, and performance indicators of the organization’s risks. These include all legal and regulatory requirements.
Finally, risk management must produce a net value for the organization. This value is estimated and reviewed and consists of three basic elements: costs, financial benefits, and trust and respect of stakeholders and the public.
We assess and evaluate the risks we find and treat them through our security consulting and services. The risk assessment provided by our team is customized to your business’s environment and helps your business stay ahead of any potential risks. Write to us for more information: firstname.lastname@example.org
This post was written by Suman Mondal