The world does not always respond to actions in the way business managers, guided by historical evidence, research or analytics, expect it to. Hence it is essential to plan for the scenarios the world actually presents, or could present. These uncertainties are treated as possible risks across the whole gamut of activity and decision.
Risk management refers to a structured approach to managing risks that could potentially impact an organisation's ability to achieve its objectives. The process involves identifying, assessing, and controlling threats to an organisation's capital and earnings. Some definitions of risk management are:
Risk management is the application of systematic processes, practices, policies and procedures to the activities of communicating, identifying, analysing, evaluating, treating, monitoring, and controlling risk. (Project Management Institute)
Risk management is the process of identifying, assessing, and controlling threats and opportunities to an organisation's capital and earnings. It is a systematic approach to managing risks that could potentially impact an organisation's ability to achieve its objectives. (Association for Project Management)
Risk management is a process for managing the risks of an organisation across all levels and functions. (ISO 31000:2018)
Importance of Risk Management for Business Leaders
In today's uncertain and rapidly changing business environment, organisations face a wide range of financial risks, operational risks, strategic risks, and compliance risks. By effectively managing risks, business leaders can mitigate these risks to protect their organisations from harm and thus improve the probability of success.
It has been observed that many organisations treat risk management as a compliance issue involving drawing up rules and ensuring that those are followed. However, rules and compliance can mitigate some but not all of the risks. The issues left unaddressed can contribute to the likelihood of failure. Cost-effective and active risk management requires managers to think systematically about the multiple categories of risks they face. In this way, they can institute appropriate processes for each.
Holistic risk management therefore matters to business leaders: it helps protect assets, avoid costly mistakes and make informed decisions that improve overall performance.
Effective risk management is essential for all businesses, regardless of size or industry.
Benefits of Effective Risk Management
Effective risk management can help businesses to:
Protect their assets
Make better-informed decisions
Avoid costly mistakes
Improve their overall performance
Maintain compliance with regulations
Attract and retain customers
Improve their reputation
Increase their shareholder value
Thus, we see that effective risk management is an essential part of any successful business strategy and, hence, an important area of interest for business leaders.
Scope of Risk Management
The scope of risk management in business organisations encompasses all aspects, from strategic objectives to day-to-day operations. Some of the key areas of risk that business organisations need to manage include:
Financial Risks: These include market volatility, currency fluctuations, and credit risk.
Operational Risks: These include product defects, supply chain disruptions, and cyberattacks.
Strategic Risks: These include changes in customer demand, technological advancements, and regulatory changes.
Compliance Risks: These include failure to comply with laws and regulations and violating industry standards.
Risk Management Process
It is a systematic approach to recognising, assessing, controlling, and monitoring risks. It is an ongoing process that should be embedded into the organisation's culture and decision-making processes.
Most commonly, the risk management process includes four steps:
Risk Identification: Identifying all the potential risks that could impact the organisation. This can be done through a variety of methods, such as brainstorming, surveys, and risk assessments.
Risk Assessment: Evaluating the likelihood and impact of each risk so identified. This can be done using a variety of tools and techniques, such as qualitative and quantitative risk analysis.
Risk Treatment: Involves developing strategies to mitigate, avoid, or transfer risks. Implementation of these strategies is also part of this step. There are a variety of risk treatment strategies that can be used, such as risk avoidance, risk reduction, risk sharing, and risk acceptance.
Monitoring and Review: This includes regular monitoring and review of the risks with an objective to ensure that the organisation's risk management strategies and their implementation are effective. This may involve updating the risk register, conducting risk audits, and reviewing risk management performance.
Risk Management Tools
There are a variety of risk management tools and techniques to help organisations manage their risks effectively. Some of the most common tools include risk registers, risk heatmaps, scenario planning, war gaming and Monte Carlo simulation. The specific tools that an organisation chooses to use will depend on its specific needs and circumstances. Let us look into each of these common tools.
Risk Register
It is a document listing all of the risks identified for a project or organisation. The register typically includes information about each risk along with its likelihood, impact, and mitigation strategies. Risk registers are a valuable tool for tracking risks and ensuring that they are managed effectively. A risk register:
Helps to ensure that all risks are identified and considered.
Provides a central repository for information about risks.
Facilitates communication and collaboration about risks.
Helps to track the status of risks over time.
Supports decision-making about risk management.
Risk Heatmap
It is a visual representation of the risks identified for a project or organisation. The heatmap typically uses colours to indicate severity, i.e., the likelihood and impact of each risk. For example, Red, Yellow and Green may be used to indicate High, Medium and Low severity, respectively, for the project or organisation. Risks that are the most severe would require immediate attention. Risks that are of medium severity would require monitoring. Risks of low severity would not require immediate action. A risk heatmap:
Provides a quick and easy way to see the relative importance of risks.
Helps to prioritise risks for mitigation.
Communicates risks to stakeholders.
Scenario Planning
It is a process of developing and evaluating alternative future scenarios. The goal of scenario planning is to recognise potential risks and opportunities that could arise in the future. The benefits of using scenario planning are:
Helps to identify opportunities and potential risks that may arise in the future.
Encourages creative thinking about the future.
Helps to build consensus among stakeholders.
Supports decision-making about the future.
It needs to be noted that scenario planning is suited to long-range analysis, typically five to ten years out. Scenario analysis is a systematic process for defining the plausible boundaries of future states of the world. Political, economic, technological, social, regulatory, and environmental forces are examined, and typically the four drivers that would have the biggest impact on the company are selected.
For each of the selected drivers, the maximum and minimum anticipated values over five to ten years are estimated. Combining the extreme values of each of the four drivers leads to 16 scenarios. About half tend to be implausible and are discarded; the organisation then assesses how its strategy would perform in the remaining scenarios. If the strategy is found to depend on a generally optimistic view, it may need to be modified to accommodate pessimistic scenarios, or plans may be made for how the strategy would be changed if indicators show in the future that pessimistic scenarios are becoming more likely to unfold.
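The four-driver exercise described above, worked through as an added example (not from the article): the drivers, their extreme values, the plausibility rule used to discard combinations, and the margin model that stands in for a company's own planning model are all constructed assumptions.

```python
from itertools import product

# Constructed drivers (assumption, not from the article): four external forces
# with the minimum and maximum values anticipated over a five-to-ten-year horizon.
DRIVERS = {
    "demand_growth_pct": (-5.0, 15.0),  # annual market growth
    "fuel_price_usd": (60.0, 150.0),    # per barrel
    "interest_rate_pct": (2.0, 9.0),    # cost of borrowing
    "carbon_tax_usd_t": (0.0, 120.0),   # per tonne emitted
}


def build_scenarios(drivers):
    """Combine the extreme values of every driver: 2**n scenarios, 16 for four."""
    names = list(drivers)
    combos = product(*(drivers[name] for name in names))
    return [dict(zip(names, values)) for values in combos]


def is_plausible(scenario, drivers):
    """Constructed judgement rule standing in for the planning team's review.

    Booming demand together with peak interest rates, or collapsing demand
    together with rock-bottom rates, are treated as internally inconsistent
    and discarded; this removes half of the 16 combinations.
    """
    demand_at_max = scenario["demand_growth_pct"] == drivers["demand_growth_pct"][1]
    rate_at_max = scenario["interest_rate_pct"] == drivers["interest_rate_pct"][1]
    return demand_at_max != rate_at_max


def projected_margin(scenario):
    """Constructed model of how the current strategy's operating margin
    (percentage points) responds to each driver; a real exercise would plug
    in the company's own planning model here."""
    s = scenario
    return (12.0
            + 0.5 * s["demand_growth_pct"]
            - 0.05 * (s["fuel_price_usd"] - 60.0)
            - 0.8 * (s["interest_rate_pct"] - 2.0)
            - 0.02 * s["carbon_tax_usd_t"])


def stress_test(drivers, minimum_margin=0.0):
    """Evaluate the strategy in every plausible scenario.

    Returns (results, failing): results lists each plausible scenario with its
    projected margin, worst first; failing holds the scenarios below the
    minimum acceptable margin, i.e. the pessimistic cases the strategy must be
    adapted for, or for which leading indicators should be watched.
    """
    results = []
    for scenario in build_scenarios(drivers):
        if not is_plausible(scenario, drivers):
            continue
        results.append({"scenario": scenario, "margin": projected_margin(scenario)})
    results.sort(key=lambda r: r["margin"])
    failing = [r for r in results if r["margin"] < minimum_margin]
    return results, failing


if __name__ == "__main__":
    results, failing = stress_test(DRIVERS)
    print(f"{len(results)} plausible scenarios, {len(failing)} break the strategy")
    for r in results:
        flag = "FAIL" if r["margin"] < 0 else "ok"
        print(f"{flag:>4} margin {r['margin']:6.1f}  {r['scenario']}")
```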
Monte Carlo Simulation
Monte Carlo simulation is a technique for quantifying the uncertainty in a project or organisation. It uses random numbers generated by a computer from a probability distribution to estimate the likelihood of different outcomes. Monte Carlo simulation is a valuable tool for assessing the risks and uncertainties in a project or organisation. The technique is often used to assess the financial risk of a project or investment. For example, a company might use it to estimate the cost of a new product development project. The simulation would take into account a range of possible factors, such as the time it takes to develop the product, the cost of materials, and the cost of labour. The results of the simulation would provide the company with a range of possible costs for the project. Monte Carlo simulation can be used to:
Model the probability of different outcomes.
Quantify the financial risk of a project or investment.
Identify the most likely outcomes.
Support decision-making about risk.
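The product-development cost example above, as an added worked example that is not part of the article: the three cost drivers are given as constructed (minimum, most likely, maximum) estimates, sampled from a triangular distribution, and the output is the range of total costs plus the probability of overrunning a budget.

```python
import math
import random

# Constructed estimates (assumption, not from the article): each driver is a
# (minimum, most likely, maximum) triple from the planning team, sampled with
# a triangular distribution, a common choice when only expert ranges exist.
DURATION_MONTHS = (8, 12, 20)                 # time to develop the product
MATERIAL_COST = (200_000, 260_000, 400_000)   # one-off material spend
LABOUR_PER_MONTH = (40_000, 50_000, 70_000)   # monthly labour cost


def draw(rng, estimate):
    """Sample one value from a (min, most likely, max) estimate."""
    low, mode, high = estimate
    # random.triangular takes (low, high, mode), not (low, mode, high)
    return rng.triangular(low, high, mode)


def simulate_project_cost(iterations=10_000, seed=42):
    """Return the simulated total cost of every run.

    Total cost = materials + duration * monthly labour.  Each run draws a fresh
    value for every driver, so the spread of results reflects their combined
    uncertainty rather than a single point estimate.
    """
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    costs = []
    for _ in range(iterations):
        duration = draw(rng, DURATION_MONTHS)
        materials = draw(rng, MATERIAL_COST)
        labour = duration * draw(rng, LABOUR_PER_MONTH)
        costs.append(materials + labour)
    return costs


def percentile(values, pct):
    """Nearest-rank percentile of a list of numbers (pct in 0..100)."""
    ordered = sorted(values)
    index = math.ceil(pct / 100 * len(ordered)) - 1
    return ordered[max(0, min(len(ordered) - 1, index))]


def summarise(costs, budget):
    """Turn raw simulation output into the figures a decision needs."""
    return {
        "p10": percentile(costs, 10),   # optimistic case
        "p50": percentile(costs, 50),   # median outcome
        "p90": percentile(costs, 90),   # figure to size contingency against
        "mean": sum(costs) / len(costs),
        "prob_over_budget": sum(c > budget for c in costs) / len(costs),
    }


if __name__ == "__main__":
    result = summarise(simulate_project_cost(), budget=1_000_000)
    for key, value in result.items():
        print(f"{key:>17}: {value:,.2f}")
```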
War Gaming
It assesses a firm’s vulnerability to disruptive technologies or changes in competitors’ strategies. In a war game, the company assigns three or four teams the task of devising plausible near-term strategies or actions that existing or potential competitors might adopt during the next one or two years—a shorter time horizon than that of scenario analysis. Then, it is examined how competitors could attack the company’s strategy. The process helps to overcome the bias of leaders to ignore evidence that runs counter to their current beliefs, including the possibility of actions that competitors might take to disrupt their strategy.
Another Categorisation of Risks as a Tool for Handling Them
Companies have no influence over the likelihood of risk events identified through testing tools like scenario planning and war gaming. However, managers can take specific actions to mitigate their impact. Companies can use insurance or hedging to mitigate some risks, like sharp increases in fuel prices, or make investments now to avoid much higher costs later, such as bearing the higher construction cost of earthquake-proofing facilities in earthquake-prone areas.
We can also use an alternate categorisation of risk as a tool to find out which risks can be managed through a rules-based model and which require alternative approaches. This categorisation can help in creating an effective risk-management system through an understanding of the qualitative distinctions among the types of risks on the basis of three categories: Preventable, Strategy and External.
Preventable risks are internal risks arising from within the organisation that are controllable and should be eliminated or avoided. Examples are the risks from breakdowns in routine operational processes and the risks from employees’ and managers’ unauthorised, illegal, unethical, incorrect, or inappropriate actions.
Although companies cannot anticipate every circumstance or conflict of interest that an employee might encounter, risks of this category can be managed through a rules-based compliance approach towards active prevention: monitoring operational processes and guiding people’s behaviours and decisions toward desired norms.
For these risks, the executive management has to play the role of coordinating, overseeing, and revising specific risk controls with an internal audit function, while the risk management team has to act as an external monitor.
Companies can have a zone of tolerance for defects or errors that would not cause extreme damage to the enterprise, for which achieving complete avoidance would be too costly.
Strategy risks are those that a company voluntarily accepts in order to generate superior returns. For example, consider the risks taken by manufacturing industries through their research and development activities or credit risk assumed by a bank when lending money. These risks are not inherently undesirable. In capturing the potential gains, managing those risks is a key driver.
These risks cannot be managed through a rules-based model. Organisations require a risk-management system that is designed to decrease the likelihood that the risks assumed actually materialise, and to improve the internal ability to manage or contain risk events if they occur. Such a system would enable them to take on higher-risk, higher-reward ventures than their competitors.
For these risks, the risk management team has to act as independent facilitators or experts, while the executive management has to conduct risk workshops and risk review meetings, helping to develop a risk portfolio and acting as devil’s advocate.
External risks are those that arise from events outside the company and are beyond its control. Sources of these risks include natural and political disasters as well as major macroeconomic shifts. Because companies cannot prevent such events from occurring, their management must focus on identifying them, planning scenarios, and mitigating their impact.
For these risks, the executive management conducts scenario-planning and war-gaming exercises with the management team, and the risk management team complements the strategy team and serves as a facilitator for what-if exercises.
Major Risk Management Roles at Different Levels of Management
Risk management is a critical function for all business organisations. It is essentially a team effort wherein all levels of management, from line executives to the Board of Directors, have a role to play so that the organisation has an effective risk management framework in place. Let us quickly summarise the roles of each level of management in this important process.
Line Executives
Line executives are responsible for the day-to-day operations of a business organisation. They are, therefore, in a prime position to identify and manage risks. Some of the key risk management roles expected from line executives include:
Identifying and assessing risks within their area of responsibility.
Developing and implementing risk management strategies.
Ensuring that risk management controls are in place and effective.
Monitoring and reporting on risks to senior management.
Communicating risks to employees and stakeholders.
Senior Executive Management
Senior-level executive management is responsible for the overall strategy and performance of a business organisation. They, therefore, have a key role to play in ensuring that the organisation has an effective risk management framework in place. Some of the key risk management roles expected from this level of executive management include:
Set the organisation's risk appetite and tolerance levels.
Develop and approve the organisation's risk management policies and procedures.
Oversee the implementation and effectiveness of the organisation's risk management framework.
Ensure that risks are adequately reported to the Board of Directors.
Take appropriate action to mitigate or avoid high-priority risks.
Risk Management Team
The risk management team is the dedicated team at the organisation level that is responsible for developing and implementing the organisation's risk management framework. Their role involves:
Develop and implement the organisation's risk management framework.
Identify, assess, and treat risks.
Monitor and review risks.
Report on risks to top management.
Board of Directors
The Board of Directors is ultimately responsible for the governance and oversight of a business organisation. This includes ensuring that the organisation has an effective risk management framework in place. Some of the key risk management roles expected from the Board of Directors include:
Approve the organisation's risk management policies and procedures.
Oversee the implementation and effectiveness of the organisation's risk management framework.
Review and assess the organisation's risk profile on a regular basis.
Ensure that the executive management is taking appropriate action to mitigate or avoid high-priority risks.
By working together, line managers, senior management, the risk management team, and the Board of Directors can create and maintain an effective risk management framework that will help the organisation to achieve its objectives and protect its assets.
It is important to consider that risk management is not a one-time event. It is an ongoing process that should be embedded into the organisation's culture and decision-making processes. By effectively managing risks, businesses can improve their resilience and position themselves for success in the long term.
Risk Management Frameworks
The two most widely used risk management frameworks in the world are the COSO Enterprise Risk Management Framework and the ISO 31000 Risk Management Framework.
The COSO Enterprise Risk Management Framework
COSO stands for the Committee of Sponsoring Organisations of the Treadway Commission. It is a private sector initiative headquartered in the Netherlands that develops frameworks and guidance to help organisations improve their performance and accountability. COSO is best known for its Enterprise Risk Management (ERM) Framework, which is the most widely used ERM framework in the world. The ERM Framework provides a comprehensive approach to risk management that can be tailored to the specific needs of any organisation and applied to organisations of all sizes and industries.
It is a comprehensive approach to risk management that covers all aspects of the organisation, from its strategic objectives to its day-to-day operations. The framework is based on five components:
Risk Environment: This component focuses on understanding the organisation's internal and external environment and how it may impact the organisation's ability to achieve its objectives.
Objective Setting: This component focuses on setting clear and measurable objectives for the organisation.
Event Identification: This component focuses on identifying all of the potential risks that could impact the organisation's ability to achieve its objectives.
Risk Assessment: This component focuses on evaluating the likelihood and impact of each risk.
Risk Response: This component focuses on developing and implementing strategies to mitigate, avoid, or transfer risks.
ISO 31000 Risk Management Framework
The ISO 31000 Risk Management Framework is a generic risk management framework that can be applied to any organisation, regardless of size, industry, or sector. The framework is based on three principles:
Integration: Risk management should be integrated into all aspects of the organisation's activities and processes.
Tailoring: The risk management framework should be tailored to the specific needs of the organisation.
Continuous Improvement: The risk management framework should be continuously improved.
The ISO 31000 Risk Management Framework consists of the following steps:
Communication and Consultation: This step involves communicating and consulting with relevant stakeholders about risk management.
Establishing the Context: This step involves establishing the context for risk management, including the organisation's objectives, risk appetite, and tolerance levels.
Risk Identification: This step involves identifying all of the potential risks that could impact the organisation's ability to achieve its objectives.
Risk Analysis: This step involves analysing the risks to assess their likelihood and impact.
Risk Evaluation: This step involves evaluating the risks to determine whether they are acceptable or need to be treated.
Risk Treatment: This step involves developing and implementing strategies to mitigate, avoid, or transfer risks.
Monitoring and Review: This step involves monitoring and reviewing the risks and the effectiveness of the risk treatment strategies.
Selection of Risk Management Framework for Your Organisation
The COSO ERM Framework and the ISO 31000 Risk Management Framework are both comprehensive risk management frameworks that can be used by organisations of all sizes and industries. However, there are some key differences between the two frameworks.
The COSO ERM Framework is more focused on enterprise-wide risk management, while the ISO 31000 Risk Management Framework is more generic and can be applied to any type of risk. The COSO ERM Framework also includes more specific guidance on risk response, while the ISO 31000 Risk Management Framework is more focused on the risk management process as a whole.
The best risk management framework for any organisation will depend on the specific needs and requirements of the organisation. If you are looking for a comprehensive framework that covers all aspects of enterprise-wide risk management, then the COSO ERM Framework may be a good choice for you. If you are looking for a more generic framework that can be applied to any type of risk, then the ISO 31000 Risk Management Framework may be a better choice.
It is also possible to combine the two frameworks to create a risk management framework that is tailored to the specific needs of your organisation. For example, you could use the COSO ERM Framework for enterprise-wide risk management and the ISO 31000 Risk Management Framework for specific types of risk, such as operational risk or financial risk.
Ultimately, the most important thing is to choose a risk management framework that will help your organisation achieve its objectives and protect its assets.
The Current Status of Risk Management in the World
A firm’s ability to weather storms depends on how seriously risk management has been taken when the sun is shining. Let us see how the world is faring on this aspect in general.
The effectiveness of risk management functions in business organisations varies widely depending on the region of the world. In general, organisations in developed countries tend to have more mature and effective risk management practices in place than organisations in developing countries.
United States (US)
Risk management is well-established in the US. Many large organisations have dedicated risk management teams that are responsible for identifying, assessing, and managing risks across the organisation. These teams typically use a variety of risk management tools and techniques, such as risk registers, risk heatmaps, and scenario planning. The US also has a number of laws and regulations that require organisations to manage risk, such as the Dodd-Frank Wall Street Reform and Consumer Protection Act and the Sarbanes-Oxley Act.
European Union (EU)
The EU also has a number of laws and regulations that require organisations to manage risk, such as the General Data Protection Regulation (GDPR) and the Solvency II Directive. However, the level of risk management maturity varies across the EU, with some countries being more advanced than others. Many organisations in the EU use the COSO Enterprise Risk Management Framework to guide their risk management activities.
Asia-Pacific (APAC)
Risk management is becoming increasingly important in the APAC region as businesses become more globalised and face new and complex risks. However, risk management practices in the APAC region are still evolving, and there is a significant gap between the leading and lagging organisations. In the APAC region, many organisations are using risk management to support their business expansion plans. For example, some organisations are using risk management to assess the risks associated with entering new markets or launching new products.
India
Risk management is still in the early stages of development in India. Many organisations in India do not have dedicated risk management teams or processes in place. However, there is a growing awareness of the importance of risk management, and many organisations are starting to invest in this area. Still, it is more in the nature of compliance than culture. In India, many organisations are using risk management to comply with regulatory requirements. For example, the Securities and Exchange Board of India (SEBI) requires all listed companies to have a risk management framework in place.
Thus, we can observe that the effectiveness of risk management functions in business organisations varies widely depending on the region of the world. In general, organisations in developed countries tend to have more mature and effective risk management practices in place than organisations in developing countries.
Overall, the effectiveness of risk management functions in business organisations is improving around the world, and there is a growing awareness of the importance of risk management in all regions. However, there is still a lot of room for improvement, especially in developing countries.
As the tone of risk management in several countries appears to be more compliance-oriented than ingrained in the culture, it is desirable that the top management of companies take a proactive role in influencing the culture so that risk management effectiveness improves.
The reasons behind the absence of risk management from the management culture need to be looked at through different lenses.
Managing risk is different from managing strategy, which the top management is more inclined towards. Risk management focuses on the negative—threats and failures rather than opportunities and successes. It runs exactly counter to the confidence and positivity culture most leadership teams try to foster.
Many leaders tend to discount the future and are reluctant to commit time and money now to prevent uncertain problems that may occur down the road, possibly after their own tenure has ended.
Mitigating risk usually involves dispersing resources and diversifying investments, just the opposite of the focus of a successful strategy. Managers may find it antithetical to their culture to lead and create processes that identify the risks to the very strategies they helped to formulate or championed on their way up the ladder.
So, the top management has to take the lead on the topic.
It is important to note that risk management is not a one-size-fits-all approach. The specific steps that a company needs to take will vary depending on the specific circumstances of each company and project. However, the general principles outlined in this article can be applied to all projects and companies.