In recent years, a wide range of events (legislation, court decisions, regulatory actions, new audit rules) have produced great interest in risk management. In addition to the impact of new laws and rules, this interest is partly due to an increasingly complex world, converging global markets, accelerating technological development, and an enhanced feeling of vulnerability and insecurity among the world’s population.
The speed with which information is now transmitted around the world also adds to a sense of urgency. And, of course, the interconnectedness of the modern world is highlighted daily in such issues as terrorism, climate change, and world trade.
Risk management is an organization’s formal, planned response to both possibilities (opportunities) and threats.
Threats, of course, can produce negative effects on organisation value, while possibilities and opportunities can directly enhance value. Today, risk management is seen as a comprehensive effort to assure the organisation that risks are managed to best advantage.
Method and Process
Risk management is a formal and integrated methodology and process for setting organizational policy for managing risks, and then for assessing and addressing all risks in a manner consistent with that policy.
Risk management is linked to a number of basic activities:
1. Determination and alignment of targets and goals
It is critical that targets and goals be set for risk management efforts and that key indicators of success be identified. It is further important that risk management goals and targets are consistent with and supportive of overall organizational goals and objectives. Looked at from the opposite direction, it could be said that risk management targets and goals must be informed by the organisation’s culture and view of risk.
2. Risk identification and evaluation
Risk management aims at discovering all risks and implementing an ongoing and structured process where risks are identified and addressed according to their importance for the organization. The purpose of risk identification and evaluation is to create a coherent risk profile that forms a frame of reference for decision making.
3. Risk treatment
Risks that have been assessed are then subject to treatment. Appropriate treatments will vary greatly, but are selected based upon effectiveness and costs relative to benefits. There are a number of tools and techniques available, but generally they will fit into one of the following categories:
a) Risk prevention
That is, measures taken to reduce the likelihood of losses. Sometimes the likelihood can be reduced to zero, though this is not always economically feasible.
b) Risk transference
That is, measures taken to shift the actual exposure or burden from one party to another party. Contractual transfers of risk are examples.
c) Risk avoidance
That is, measures taken to avoid exposure to risk. Commonly, avoidance measures absolutely eliminate the presence of the risk.
d) Risk reduction
Not all losses can be prevented or avoided. Some measures are employed to reduce the impact of losses that do occur.
e) Reduction of risk/uncertainty
That is, measures taken to improve the understanding and knowledge of risks.
f) Assumption of risks
That is, the effort undertaken to show that the organisation takes responsibility for the risks. The organisation might decide that it can best take the responsibility or, even more frequently, it judges that the risk might offer positive possibilities. In this regard, the assumption of risks can help increase the probability or the size of possible gains.
g) Neutralization of risks
Measures taken to hedge or offset certain risks. This tool is most commonly seen in financial risk management.
h) Risk financing
Measures undertaken to finance the cost of risk. The purchase of insurance and the use of derivatives are examples.
4. The ongoing administration of the risk management effort
Risk management programs must be overseen, audited, reviewed and coordinated, especially when an organization-wide approach is adopted. Some aspects of program administration are general in nature and are delegated to individuals throughout the organisation. At other times, technical experts may be necessary to address key risks.
As a final note, it is important to understand that modern risk management, often referred to as Enterprise Risk Management, is both a general and a technical management function. This means that risk management is considered part of general management and therefore is identifiably part of every manager’s job.
However, some aspects of risk management require technical specialization (knowledge of insurance, or engineering, or financial markets) and therefore individuals within a firm may be specifically designated as “risk managers” with narrow or broad technical responsibilities.