Risk Management News
There are many definitions of risk management, the Oxford English Dictionary defines risk as ‘a chance or possibility of danger, loss, injury or other adverse consequences’. Risk management then, “is the set of activities within an organisation undertaken to deliver the most favourable outcome and reduce the volatility or variability of that outcome” (Hopkin, 2017).
Risk Management Stages
The first stage of this risk management plan is that of risk identification, risk identification could be described as taking stock of an organisation’s risks and vulnerabilities and then to raise awareness of these risks within the organisation. This is the first stage of risk management as organisations must identify and acknowledge the risks before progressing through the risk management cycle, or in other words must know what risks the organisation faces before anything else can be done. Organisations are required to identify sources of risk, areas where that risk will cause impact, the causes, and also the potential consequences of such risk. It is worth noting that the aim is to identify risks not just under the control of the company, but also those that are not under the control of the company.
PESTLE analysis will allow us to break down an organisation in order to identify the entire range of external risks that the company may be exposed to, this will include political, economic, social, technological, legal and environmental areas of operation. We can use PESTLE to simplify the identification stage, and plan each of the risks associated with each aspect of the PESTLE model as below:
Political – risks could be linked to changes in government
Economical – risks could be linked to staff costs in country, or to conversion rates and/or state of the global economy
Social – risks could be linked to changes in the demographic of the potential market, changes in market needs and so on
Technological – risks could be linked to technological advances by competitors, availability of certain parts, changes in technology
Legal – risks could be linked to changes in legislation in country and overseas, breach of contract or copyright infringement
Environmental – risks could be linked to changes in environmental policy, changes in manufacturing processes affecting local environment
The tools used to identify risks include a self-assessment approach whereby departments will review their activities with the assistance of the risk manager, in order to identify potential risks associated with those activities, it is worth noting that such activities will be linked to the organisation’s objectives. All activities and risks identified will then be documented to allow for review of such risks by the board, including the head of risk management.
It is clear that there are a number of appropriate risk identification models that an organisation can adopt including those mentioned and which are certainly relevant and beneficial to the organisation, it is also clear from history that any form of risk identification especially relating to the technological aspect of the company must commence at the initial design phase.
In terms of risk assessment, then an organisation can either adopt a top down approach or a bottom up approach to conducting risk assessments. Each option has advantages and disadvantages, for example a top down risk assessment exercise will tend to focus on risks related to strategy, tactics, operations and compliance in that order. A bottom up approach may allow for more focus on actual internal operational risks and this would be due to being conducted at grass roots level whereby those responsible for the risk assessment have much more experience and are more interwoven with the operational aspects. This means that both a top down and bottom up approach would be of benefit as this would ensure that the strategic risks and the everyday operational risks are identified and assessed, it would be of benefit if the risk manager was the operational link between these two variations as this would ensure that any variances between board and management level was bridged.
Qualitative and quantitative assessments are to be conducted in order to cater for differing departments within a company, including manufacturing through to design. Techniques to be adopted in the risk assessment stage are workshops and audits, workshops being actioned at operational level and to include brainstorming sessions with a view of identifying additional areas of risk at departmental level. Audits are to also be actioned with guidance from board level to ensure that guidance from a strategic level is included in any form of auditing, including methodology and overall culture.
4 T’s of Risk Management
Transfer – The risks that organisations face are varied although in terms of the transfer response then if that risk has a low likelihood but the impact could be significant then an organisation would look to transfer the risk or otherwise share such a risk. This can be achieved through insurance or by utilising sub-contractors for specific areas of either design and manufacturing.
Tolerate – Management may deem that some risks can be tolerated and these would identify themselves on a risk matrix as potentially low impact and also low likelihood, this means that an organisation and the board of the organisation including stakeholders are ready to bear such risks and this may be due to the overall strategic objectives of the organisation. As Hopkin (2017) states, tolerance relates to a specific or individual risk, rather than the more general approach represented by risk appetite so are not to be mistaken especially in the context of this report. An example of a risk tolerated by a technology provider is that of technological failure and whereby the risk is tolerated in order to ensure that the product launch is on schedule, this is further evidenced by the serious problems in the past with certain technology providers.
Treat – In terms of treating risk then an organisation would identify the risks that do have a likelihood to occur although such risks would cause a low impact, I would class treating risk as using risk reduction measures in that we would attempt to reduce the likelihood and thus reduce the overall opportunity of that risk being realised. Further to treating risk then it is clear that some form of control measures would be used and in relation to hazard risks, then these controls would consist of preventative, corrective, directive and detective.
Terminate – Any organisation will have risks that are of both a high likelihood and also that will have a high impact if such a risk is realised, in this case then any course of action involving that risk is to be terminated.