
Lecture Notes Risk Management Process

Risk management is the process of identifying, assessing, and controlling threats to an organization's capital, earnings, and goals. It allows organizations to prepare for unexpected risks that could harm the company. Key steps in the risk management process include identifying risks, analyzing their likelihood and impact, evaluating them, developing risk mitigation plans, and monitoring risks over time. While risk management provides benefits like a safer work environment and business stability, it also has limitations such as reliance on past data and not anticipating novel risks. International standards provide frameworks to help companies improve their risk management practices.

RISK MANAGEMENT PROCESS

Risk management is the process of identifying, assessing and controlling threats to an organization's
capital and earnings. These threats, or risks, could stem from a wide variety of sources, including financial
uncertainty, legal liabilities, strategic management errors, accidents and natural disasters. IT security threats
and data-related risks, and the risk management strategies to alleviate them, have become a top priority for
digitized companies. As a result, a risk management plan increasingly includes companies' processes for
identifying and controlling threats to its digital assets, including proprietary corporate data, a customer's
Personally Identifiable Information (PII) and intellectual property.

Every business and organization faces the risk of unexpected, harmful events that can cost the company money or cause it to close permanently. Risk management allows organizations to attempt to prepare for the unexpected by minimizing risks and extra costs before they happen.

Importance of Risk Management


By implementing a risk management plan and considering the various potential risks or events before they occur, an organization can save money and protect its future. This is because a robust risk management plan will help a company establish procedures to avoid potential threats, minimize their impact should they occur and cope with the results. This ability to understand and control risk enables organizations to be more confident in their business decisions. Furthermore, strong corporate governance principles that focus specifically on risk management can help a company reach its goals.

Important Benefits of Risk Management


1. Creates a safe and secure work environment for all staff and customers.
2. Increases the stability of business operations while also decreasing legal liability.
3. Provides protection from events that are detrimental to both the company and the
environment.
4. Protects all involved people and assets from potential harm.
5. Helps establish the organization's insurance needs in order to save on unnecessary
premiums.

The importance of combining risk management with patient safety has also been revealed. In most hospitals and organizations, the risk management and patient safety departments are separated; they incorporate different leadership, goals and scope. However, some hospitals are recognizing that the ability to provide safe, high-quality patient care is necessary to the protection of financial assets and, as a result, should be incorporated with risk management.

Risk Management Strategies and Processes


All risk management plans follow the same steps that combine to make up the overall risk management process:

Establish context. Understand the circumstances in which the rest of the process will take place.
The criteria that will be used to evaluate risk should also be established and the structure of the analysis
should be defined.

Risk identification. The company identifies and defines potential risks that may negatively
influence a specific company process or project.

Risk analysis. Once specific types of risk are identified, the company then determines the odds of them occurring, as well as their consequences. The goal of risk analysis is to further understand each specific instance of risk, and how it could influence the company's projects and objectives.

Risk assessment and evaluation. The risk is then further evaluated after determining the risk's overall likelihood of occurrence combined with its overall consequence. The company can then make decisions on whether the risk is acceptable and whether the company is willing to take it on based on its risk appetite.

Risk mitigation. During this step, companies assess their highest-ranked risks and develop a plan
to alleviate them using specific risk controls. These plans include risk mitigation processes, risk prevention
tactics and contingency plans in the event the risk comes to fruition.

Risk monitoring. Part of the mitigation plan includes following up on both the risks and the overall
plan to continuously monitor and track new and existing risks. The overall risk management process should
also be reviewed and updated accordingly.

Communicate and consult. Internal and external shareholders should be included in communication and consultation at each appropriate step of the risk management process and with regard to the process as a whole.

Risk Management Approaches


After the company's specific risks are identified and the risk management process has been implemented, there are several different strategies companies can take with regard to different types of risk:

Risk avoidance. While the complete elimination of all risk is rarely possible, a risk avoidance strategy is
designed to deflect as many threats as possible in order to avoid the costly and disruptive consequences of
a damaging event.

Risk reduction. Companies are sometimes able to reduce the amount of damage certain risks can have on company processes. This is achieved by adjusting certain aspects of an overall project plan or company process, or by reducing its scope.

Risk sharing. Sometimes, the consequences of a risk are shared, or distributed among several of the project's participants or business departments. The risk could also be shared with a third party, such as a vendor or business partner.

Risk retention. Sometimes, companies decide a risk is worth it from a business standpoint, and decide to keep the risk and deal with any potential fallout. Companies will often retain a certain level of risk if a project's anticipated profit is greater than the costs of its potential risk.

Limitations
While risk management can be an extremely beneficial practice for organizations, its limitations
should also be considered. Many risk analysis techniques -- such as creating a model or simulation -- require
gathering large amounts of data. This extensive data collection can be expensive and is not guaranteed to
be reliable.

Furthermore, the use of data in decision making processes may have poor outcomes if simple
indicators are used to reflect the much more complex realities of the situation. Similarly, adopting a decision
throughout the whole project that was intended for one small aspect can lead to unexpected results.

Another limitation is the lack of analysis expertise and time. Computer software programs have
been developed to simulate events that might have a negative impact on the company. While cost effective,
these complex programs require trained personnel with comprehensive skills and knowledge in order to
accurately understand the generated results. Analyzing historical data to identify risks also requires highly
trained personnel. These individuals may not always be assigned to the project. Even if they are, there
frequently is not enough time to gather all their findings, thus resulting in conflicts.

Other limitations include:


A false sense of stability. Value-at-risk measures focus on the past instead of the future. Therefore,
the longer things go smoothly, the better the situation looks. Unfortunately, this makes a downturn more
likely.

The illusion of control. Risk models can give organizations the false belief that they can quantify
and regulate every potential risk. This may cause an organization to neglect the possibility of novel or
unexpected risks. Furthermore, there is no historical data for new products, so there's no experience to base
models on.

Failure to see the big picture. It's difficult to see and understand the complete picture of
cumulative risk.

Risk management is immature. An organization's risk management policies are underdeveloped and lack the history to make accurate evaluations.

Risk management standards


Since the early 2000s, several industry and government bodies have expanded regulatory
compliance rules that scrutinize companies' risk management plans, policies and procedures. In an
increasing number of industries, boards of directors are required to review and report on the adequacy of
enterprise risk management processes. As a result, risk analysis, internal audits and other means of risk
assessment have become major components of business strategy.

Risk management standards have been developed by several organizations, including the National
Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO).
These standards are designed to help organizations identify specific threats, assess unique vulnerabilities
to determine their risk, identify ways to reduce these risks and then implement risk reduction efforts
according to organizational strategy.

The ISO 31000 principles, for example, provide frameworks for risk management process
improvements that can be used by companies, regardless of the organization's size or target sector. The ISO
31000 is designed to "increase the likelihood of achieving objectives, improve the identification of
opportunities and threats, and effectively allocate and use resources for risk treatment," according to the
ISO website. Although ISO 31000 cannot be used for certification purposes, it can help provide guidance
for internal or external risk audit, and it allows organizations to compare their risk management practices
with the internationally recognized benchmarks.

The ISO recommends that the following target areas, or principles, should be part of the overall risk management process:
a. The process should create value for the organization.
b. It should be an integral part of the overall organizational process.
c. It should factor into the company's overall decision-making process.
d. It must explicitly address any uncertainty.
e. It should be systematic and structured.
f. It should be based on the best available information.
g. It should be tailored to the project.
h. It must consider human factors, including potential errors.
i. It should be transparent and all-inclusive.
j. It should be adaptable to change.
k. It should be continuously monitored and improved upon.
The ISO standards and others like it have been developed worldwide to help organizations
systematically implement risk management best practices. The ultimate goal for these standards is to
establish common frameworks and processes to effectively implement risk management strategies.

These standards are often recognized by international regulatory bodies, or by target industry
groups. They are also regularly supplemented and updated to reflect rapidly changing sources of business
risk. Although following these standards is usually voluntary, adherence may be required by industry
regulators or through business contracts.

Risk management examples


One example of risk management could be a business identifying the various risks associated with opening a new location. It can mitigate risks by choosing locations with a lot of foot traffic and low competition from similar businesses in the area.

Another example could be an outdoor amusement park that acknowledges its business is completely weather-dependent. In order to alleviate the risk of a large financial hit whenever there is a bad season, the park might choose to consistently spend low and build up cash reserves.

Yet another example could be an investor buying stock in an exciting new company with high
valuation even though they know the stock could significantly drop. In this situation, risk acceptance is
displayed as the investor buys despite the threat, feeling the potential of the large reward outweighs the
risk.

The Role of Internal Auditing in Risk Management


Internal auditing is an independent, objective assurance and consulting activity. Its core role with regard to risk management is to provide objective assurance to the board on the effectiveness of risk management. Indeed, research has shown that board directors and internal auditors agree that the two most important ways that internal auditing provides value to the organization are in providing objective assurance that the major business risks are being managed appropriately and providing assurance that the risk management and internal control framework is operating effectively.

The key factors to consider when determining internal auditing’s role are whether the activity raises any threats to the internal audit activity’s independence and objectivity and whether it is likely to improve the organization’s risk management, control and governance processes. These activities form part of the wider objective of giving assurance on risk management. An internal audit activity complying with the International Standards for the Professional Practice of Internal Auditing can and should perform at least some of these activities.

Internal auditing may provide consulting services that improve an organization’s governance, risk management, and control processes. The extent of internal auditors’ consulting in risk management will depend on the other resources, internal and external, available to the board and on the risk maturity of the organization, and it is likely to vary over time. Internal auditors’ expertise in considering risks, in understanding the connections between risks and governance and in facilitation means that the internal audit activity is well qualified to act as champion and even project manager for risk management, especially in the early stages of its introduction. As the organization’s risk maturity increases and risk management becomes more embedded in the operations of the business, internal auditing’s role in championing risk management may reduce. Similarly, if an organization employs the services of a risk management specialist or function, internal auditing is more likely to give value by concentrating on its assurance role rather than by undertaking consulting activities. However, if internal auditing has not yet adopted the risk-based approach represented by the assurance activities, it is unlikely to be equipped to undertake the consulting activities.

Consulting Roles
There is a range of consulting roles that internal auditing may undertake in relation to risk management. In general, the further to the right of the dial that internal auditing ventures, the greater are the safeguards that are required to ensure that its independence and objectivity are maintained. Some of the consulting roles that the internal audit activity may undertake are:
1. Making available to management tools and techniques used by internal auditing to analyze risks and controls;
2. Being a champion for introducing risk management into the organization, leveraging its expertise in risk management and control and its overall knowledge of the organization;
3. Providing advice, facilitating workshops, coaching the organization on risk and control and promoting the development of a common language, framework and understanding;
4. Acting as the central point for coordinating, monitoring and reporting on risks; and
5. Supporting managers as they work to identify the best way to mitigate a risk.

The key factor in deciding whether consulting services are compatible with the assurance role is to determine whether the internal auditor is assuming any management responsibility. In the case of risk management, internal auditing can provide consulting services so long as it has no role in actually managing risks – that is management’s responsibility – and so long as senior management actively endorses and supports risk management. We recommend that, whenever the internal audit activity acts to help the management team to set up or to improve risk management processes, its plan of work should include a clear strategy and timeline for migrating the responsibility for these services to members of the management team.

Safeguards
Internal auditing may extend its involvement in risk management, provided certain conditions apply. The conditions are:
1. It should be clear that management remains responsible for risk management.
2. The nature of internal auditor’s responsibilities should be documented in the
internal audit charter and approved by the audit committee.
3. Internal auditing should not manage any of the risks on behalf of management.
4. Internal auditing should provide advice, challenge and support to
management’s decision making, as opposed to taking risk management
decisions themselves.
5. Internal auditing cannot also give objective assurance on any part of the risk
management framework for which it is responsible. Such assurance should be
provided by other suitably qualified parties.
6. Any work beyond the assurance activities should be recognized as a consulting
engagement and the implementation standards related to such engagements should be
followed.

Skills and body of knowledge


Internal auditors and risk managers share some knowledge, skills and values. Both, for example, understand corporate governance requirements; have project management, analytical and facilitation skills; and value having a healthy balance of risk rather than extreme risk-taking or avoidance behaviors. However, risk managers as such serve only the management of the organization and do not have to provide independent and objective assurance to the audit committee. Nor should internal auditors who seek to extend their role in risk management underestimate the risk managers’ specialist areas of knowledge (such as risk transfer and risk quantification and modeling techniques), which are outside the body of knowledge for most internal auditors. Any internal auditor who cannot demonstrate the appropriate skills and knowledge should not undertake work in the area of risk management. Furthermore, the head of internal audit should not provide consulting services in this area if adequate skills and knowledge are not available within the internal audit activity and cannot be obtained from elsewhere.

Tools for Risk Management


A risk matrix is probably the inter-industry safety standard tool used in risk evaluation.

In aviation SMS programs they are ubiquitous. They use “probability” and “severity” to quantify the scope of a real or hypothetical safety scenario. The quantification is generally broken into three categories:
✓ Acceptable risk;
✓ Unacceptable risk; and
✓ Ideally, risk that is as low as reasonably possible (ALARP) (yellow), though risk in this middle section should be monitored carefully to ensure that reasonable controls are in place.

Some organizations use more colors, such as light green and/or orange. Extra colors only add “aesthetics” rather than quantification. Risk matrices are ultimately risk management tools used to rank risks on the risk grid.

A Risk Register is a tool for documenting risks, and the actions to manage each risk. The Risk Register is essential to the successful management of risk. As risks are identified they are logged on the register and actions are taken to respond to the risk.

Risk is evident in everything we do. When it comes to project management, understanding risk and knowing how to minimize its impacts (or take full advantage of its opportunities) on your project is essential for success.

The Risk Register is essential to the management of risk. As risks are identified they should be
logged on the register and actions should be taken to respond to the risk.

Most frequently, Risk Managers attempt to reduce the likelihood of the risk occurring or the impact if the risk does occur. The responses are documented on the Risk Register, and the register should be regularly reviewed to monitor progress. Ideally the Risk Register should be reviewed in every project team meeting. It should certainly be reviewed at the end of each phase of the project lifecycle.

Management of risk should be a constant, ongoing process, with the project team raising risks with the Risk Manager or Project Manager, who then logs the risk and identifies actions that can be taken to mitigate the risk. To properly respond to a risk the Risk Manager may need to bring in experts to understand the actions that can be taken to reduce the likelihood of the risk occurring or the impact if the risk does occur.
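The following Python sketch is an added example, not part of these lecture notes, that ties together the risk analysis, evaluation and mitigation steps from the process section with the risk matrix and Risk Register described here: each risk is rated on 5-point probability and severity scales, the product places it in one of the three matrix bands (acceptable, ALARP, unacceptable), the register ranks risks, records the chosen response (avoid, reduce, share or retain) with its residual rating, and flags risks outside the organization's appetite or overdue for review. The scales, the band thresholds, the appetite value, the 30-day review interval and the three sample risks are all constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional

# Constructed 5-point scales; the band thresholds in band() are an assumption.
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
SEVERITY = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "catastrophic"}
SAMPLE_TODAY = date(2024, 6, 1)  # fixed "today" so the sample run is reproducible

class Band(str, Enum):
    ACCEPTABLE = "acceptable (green)"
    ALARP = "as low as reasonably possible (yellow)"
    UNACCEPTABLE = "unacceptable (red)"

class Response(str, Enum):  # the four approaches the notes list
    AVOID = "avoid"
    REDUCE = "reduce"
    SHARE = "share"
    RETAIN = "retain"

def score(likelihood: int, severity: int) -> int:
    """Risk matrix cell value: probability x severity on the two 1..5 scales."""
    if likelihood not in LIKELIHOOD or severity not in SEVERITY:
        raise ValueError("likelihood and severity must be integers 1..5")
    return likelihood * severity

def band(likelihood: int, severity: int) -> Band:
    """Map a matrix cell to one of the three bands (thresholds are assumed)."""
    s = score(likelihood, severity)
    return Band.ACCEPTABLE if s <= 4 else Band.ALARP if s <= 12 else Band.UNACCEPTABLE

@dataclass
class Risk:
    """One row of the Risk Register: the risk, its owner, treatment and residual rating."""
    risk_id: str
    description: str
    likelihood: int
    severity: int
    owner: str
    response: Response = Response.RETAIN
    actions: List[str] = field(default_factory=list)
    residual_likelihood: Optional[int] = None  # None until the risk is treated
    residual_severity: Optional[int] = None
    last_reviewed: Optional[date] = None

    def inherent_score(self) -> int:
        return score(self.likelihood, self.severity)

    def residual(self) -> tuple:  # (likelihood, severity) after treatment, or inherent if untreated
        return (self.likelihood if self.residual_likelihood is None else self.residual_likelihood,
                self.severity if self.residual_severity is None else self.residual_severity)

    def residual_band(self) -> Band:
        return band(*self.residual())

@dataclass
class RiskRegister:
    appetite: int  # highest residual score the organization will retain (assumed value)
    review_interval: timedelta = timedelta(days=30)
    risks: List[Risk] = field(default_factory=list)

    def log(self, risk: Risk) -> None:
        self.risks.append(risk)

    def get(self, risk_id: str) -> Risk:
        return next(r for r in self.risks if r.risk_id == risk_id)

    def ranked(self) -> List[Risk]:
        """Highest-ranked risks first: mitigation planning starts at the top."""
        return sorted(self.risks, key=lambda r: r.inherent_score(), reverse=True)

    def treat(self, risk_id, response, action, new_likelihood, new_severity, on) -> Band:
        """Record a response and the rating expected once the action is in place."""
        r = self.get(risk_id)
        r.response, r.last_reviewed = response, on
        r.actions.append(action)
        r.residual_likelihood, r.residual_severity = new_likelihood, new_severity
        return r.residual_band()

    def outside_appetite(self) -> List[str]:
        return [r.risk_id for r in self.risks if score(*r.residual()) > self.appetite]

    def overdue_reviews(self, today: date) -> List[str]:
        return [r.risk_id for r in self.risks
                if r.last_reviewed is None or today - r.last_reviewed > self.review_interval]

def build_sample_register() -> RiskRegister:
    """Constructed sample data for a small IT project (not from the notes)."""
    reg = RiskRegister(appetite=4)
    reg.log(Risk("R1", "Ransomware encrypts the file server", 4, 5, "IT lead"))
    reg.log(Risk("R2", "Key vendor misses the delivery date", 3, 3, "Project manager"))
    reg.log(Risk("R3", "Short office power interruption", 2, 1, "Facilities",
                 last_reviewed=SAMPLE_TODAY - timedelta(days=45)))
    reg.treat("R1", Response.REDUCE, "Tested offline backups; MFA on remote access",
              new_likelihood=2, new_severity=3, on=SAMPLE_TODAY)
    reg.treat("R2", Response.SHARE, "Penalty clause in the vendor contract",
              new_likelihood=3, new_severity=2, on=SAMPLE_TODAY)
    return reg
```

Calling `build_sample_register()` and then `ranked()`, `outside_appetite()` and `overdue_reviews(SAMPLE_TODAY)` shows the points the notes make in prose: the ransomware risk starts in the unacceptable band and only drops to ALARP after treatment, both treated risks still sit above the (deliberately low) appetite and so remain on the agenda, and the untreated R3 is the one flagged for an overdue review even though its rating is acceptable.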

Control Issues for Risk Management Processes

Control Objectives for Risk Management Processes


(a) Organizational objectives support and align with the organization’s mission.
(b) Significant risks are identified and assessed.
(c) Appropriate risk responses are selected that align risks with the organization’s risk appetite.
(d) Relevant risk information, enabling staff, management, and the board to carry out their responsibilities, is captured and communicated in a timely manner across the organization.
