Electives 3 Midterms Reviewer

The document outlines key concepts in risk management, including various types of risks such as financial, product, legal, reputational, and fraud risks. It emphasizes the importance of Enterprise Risk Management (ERM) as a structured approach to identifying, assessing, and managing risks across an organization, integrating risk considerations into decision-making processes. Additionally, it discusses frameworks and standards for effective risk management, the impact of risks on stakeholders, and the steps involved in the ERM process.

Uploaded by

reibensonbay29

ELECTIVES 3: RISK MANAGEMENT
MIDTERMS REVIEWER

TOPIC 1: KEY CONCEPTS IN RISK MANAGEMENT

Risk - Risk is the possibility that events will occur and affect the achievement of business objectives.

Risk Management - Risk management is the process of identifying, assessing, and addressing any financial, legal, strategic, and security risks to an organization.

Business risks stem from many sources, including:
1. Financial Uncertainty
2. Legal Liabilities
3. Technology Use
4. Strategic Management Errors
5. Accidents
6. Natural Disasters

Root Causes
1. Internal Cause (such as human error or system failures)
2. External Cause (such as global crises, climate change, or technological advancements)

Risk Classification Systems

Risk Likelihood and Magnitude

Risk faced by Organization

Business Risk - The risk of an organization failing to achieve its financial goals due to internal or external factors.
Financial Risk - The risk of financial loss due to factors like poor cash flow, bad investments, or market fluctuations.
Product Risk - The risk that a product may fail to meet customer expectations, leading to recalls, legal action, or reputational damage.
Legal Risk - The risk of legal consequences due to violations of laws, regulations, or contractual obligations.
Reputational Risk - The risk of damage to an organization's public image due to negative publicity, customer dissatisfaction, or ethical issues.
Fraud Risk - The risk of financial loss due to fraudulent activities within or outside the organization.

Impact of Risk to Organization/Stakeholders

Hazard risks like accidents, fires, IT failures, and fraud can disrupt operations, harm stakeholders, and cause financial and reputational damage. Effective risk management is key to minimizing these impacts and ensuring business continuity.

The following outlines the impact of risk on stakeholders.
1. Shareholders
● Declining stock value and reduced investor confidence
● Financial strain
● Reputational damage
2. Creditors
● Higher risk of loan defaults
● Increased borrowing costs
● Delayed debt repayments
3. Employees
● Workplace hazards
● Job losses
● Decreased morale and productivity
4. Customers
● Service delays
● Product safety concerns
● Loss of trust in the brand
5. Suppliers
● Supply chain disruptions
● Delayed payments
● Strained partnerships
6. Community
● Environmental hazards
● Economic downturns
● Reputational damage

Commonly used Standards in Managing Risks
1. COSO 2017: Enterprise Risk Management - Integrating with Strategy and Performance
● Governance and Culture – Establishes a risk-aware environment.
● Strategy and Objective-Setting – Aligns risk management with company goals.
● Performance – Focuses on risk identification, prioritization, and response.
● Review and Revision – Ensures the process is adaptable and improved over time.
● Information, Communication, and Reporting – Ensures risk data reaches decision-makers effectively.

2. COSO 2004: Enterprise Risk Management - Integrated Framework
● Internal Environment – Establishes the organization's risk culture, values, and management philosophy.
● Objective Setting – Ensures that the organization's goals align with its risk tolerance.
● Event Identification – Identifies potential risks and opportunities that could impact objectives.
● Risk Assessment – Evaluates the likelihood and impact of identified risks.
● Risk Response – Develops strategies to manage or mitigate risks.
● Control Activities – Implements specific actions and procedures to address identified risks.
● Information and Communication – Ensures relevant risk information is shared across the organization.
● Monitoring – Continuously evaluates the effectiveness of risk management strategies.

3. ISO 31000:2018 - Risk Management - Guidelines
● Integration into Organizational Processes – Ensures risk management is embedded in decision-making, planning, and operational processes rather than treated as a separate activity.
● Customization Based on Company Culture – Encourages tailoring risk management strategies to align with the organization's unique structure, culture, and objectives.
● Continual Improvement – Promotes regular evaluation and updates to risk management practices to adapt to emerging risks and changing environments.

4. Risk Management Standard - IRM/Alarm/AIRMIC 2002
● Risk Identification - Recognizing potential threats by analyzing both internal operations and external influences.
● Risk Assessment - Evaluating the likelihood and impact of risks to prioritize responses and allocate resources efficiently.
● Risk Control - Implementing strategies such as preventive measures, contingency plans, and safety protocols to reduce the impact or probability of identified risks.

5. The Turnbull Guidance
● Embedding Risk Management within the Organizational Culture - Encouraging management and employees at all levels to take responsibility for identifying and addressing risks.
● Regular Risk Assessment and Reporting - Conducting frequent reviews to ensure new risks are identified and existing controls remain effective.
● Ensuring Board-Level Accountability for Risk Oversight - Assigning clear responsibility to the board of directors to monitor risk management practices and ensure proper oversight.

TOPIC 2: STRATEGIC PLANNING FOR ENTERPRISE RISK MANAGEMENT

Introduction to Enterprise Risk Management

What is Enterprise Risk Management?
Enterprise Risk Management (ERM) is a structured, organization-wide approach to identifying, assessing, managing, and monitoring risks that could impact an entity's ability to achieve its objectives. Unlike traditional risk management, which focuses on specific areas or departments, ERM integrates risk considerations across all business functions.

Objectives of ERM
1. Risk Identification and Assessment: Recognizing potential threats and opportunities that could affect the organization.
2. Risk Mitigation: Developing strategies to minimize the impact of identified risks.
3. Value Protection and Creation: Ensuring business continuity while leveraging risks for strategic growth.
4. Compliance and Governance: Aligning risk management with regulatory requirements and best practices.
5. Informed Decision-Making: Providing leadership with data-driven insights to support strategic planning.

Difference Between Traditional Risk Management (TRM) and ERM

Types of Risks Addressed by ERM

ERM considers a wide range of risks, including:
1. Strategic Risks: Threats to the organization's long-term goals (e.g., market competition, technological disruption).
2. Operational Risks: Issues affecting daily business functions (e.g., supply chain failures, system breakdowns).
3. Financial Risks: Economic factors impacting profitability (e.g., currency fluctuations, credit risks, liquidity concerns).
4. Compliance Risks: Regulatory or legal violations (e.g., data privacy laws, environmental regulations).
5. Reputational Risks: Damage to the company's brand or public perception (e.g., scandals, poor customer service).
6. Cybersecurity Risks: Threats from cyberattacks and data breaches.
7. Environmental and Social Risks: Risks from environmental changes, sustainability issues, and social responsibility concerns.

By integrating ERM, organizations can better anticipate risks, reduce losses, and create long-term value.

Frameworks of Enterprise Risk Management

A risk management framework, as defined by ISO Guide 73 "Risk Management - Vocabulary" (2009, Geneva), consists of a set of components that provide the essential foundations and organizational arrangements necessary for designing, implementing, monitoring, reviewing, and continually improving risk management throughout an organization.

While an internationally binding framework for enterprise risk management has yet to be established, there are several existing frameworks that can serve as a foundational platform to initiate enterprise risk management practices.

A. Enterprise-Wide ERM Frameworks

1) Committee of Sponsoring Organizations of the Treadway Commission (COSO)
The COSO framework emphasizes internal control and risk management to enhance organizational performance and governance. It consists of five components: control environment, risk assessment, control activities, information and communication, and monitoring.

2) International Organization for Standardization (ISO) 31000
ISO 31000 provides guidelines and principles for effective risk management applicable to any organization, regardless of size or industry. It focuses on creating a risk management culture and aligning risk management with organizational objectives.

3) Risk and Insurance Management Society Risk Maturity Model (RIMS RMM)
The Risk and Insurance Management Society's Risk Maturity Model (RIMS RMM) offers a framework to assess and improve the maturity of an organization's risk management practices. It evaluates seven key attributes of risk management maturity, including executive support and risk appetite management.

4) Federation of European Risk Management Associations (FERMA)
The Federation of European Risk Management Associations (FERMA) framework promotes risk management practices across Europe through education, training, and advocacy. It emphasizes the importance of
integrating risk management into strategic decision-making processes.

B. Industry-Specific ERM Frameworks

Industry: Banking and Finance
ERM Framework: Basel Accords (I, II, III)
Description: A set of international banking regulations developed by the Basel Committee on Banking Supervision that provides recommendations on banking laws and regulations to enhance global financial stability.

Industry: Healthcare
ERM Framework: ASHRM's Risk Management Framework
Description: Published by ASHRM, a professional organization that focuses on developing risk management strategies and solutions to improve patient safety and reduce risk in healthcare settings.

Industry: Information Technology and Cybersecurity
ERM Framework: NIST Cybersecurity Framework
Description: Published by NIST, a U.S. federal agency that develops and promotes standards, guidelines, and best practices to enhance the security and resilience of the nation's information systems and cybersecurity infrastructure.

Industry: Energy and Utilities
ERM Framework: Bowtie Methodology
Description: A risk assessment tool that visually represents the pathways of risk from causes to consequences, helping organizations in the energy and utilities sectors to identify and manage hazards.

Industry: Insurance
ERM Framework: Solvency II
Description: A regulatory framework for insurance firms in the European Union that sets out risk management standards to ensure companies have sufficient capital to withstand financial shocks.

Industry: Retail and Consumer Goods
ERM Framework: C-TPAT (Customs-Trade Partnership Against Terrorism)
Description: A voluntary supply chain security program led by U.S. Customs and Border Protection that focuses on improving the security of private companies' supply chains against terrorism.

Industry: Government and Public Sector
ERM Framework: OMB Circular A-123
Description: A directive that provides guidelines for federal agencies to establish and maintain internal control systems to enhance accountability and ensure effective and efficient operations.

Industry: Telecommunications
ERM Framework: ISO/IEC 27001
Description: An international standard that specifies requirements for establishing, implementing, maintaining, and continuously improving an information security management system to protect sensitive telecommunications data.

Industry: Aviation and Aerospace
ERM Framework: Safety Management System (SMS)
Description: A systematic approach to managing safety that includes organizational structures, accountabilities, policies, and procedures to enhance safety performance in the aviation and aerospace sectors.

Key Components of Enterprise Risk Management Framework

Governance and Culture
Governance and culture serve as the foundation of risk management in any organization. Governance refers to how a company establishes its risk management framework, assigns responsibilities, and ensures oversight. Culture, on the other hand, defines the values, behaviors, and ethical standards that guide employees when making decisions. A strong governance structure ensures that risk management is taken seriously, while a risk-aware culture encourages employees to follow ethical practices and proactively address risks.

Strategy and Objective-Setting
Before making major business decisions, companies must set their strategic objectives while considering the risks involved. A key part of this process is defining the company's risk appetite, which determines how much risk it is willing to take in pursuit of growth. Businesses must also ensure that their objectives align with their ability to manage potential risks effectively.

Performance
Performance evaluation in risk management involves continuously monitoring and assessing risks that could impact business objectives. Companies must identify, analyze, and prioritize risks based on their potential impact. This allows them to allocate resources effectively and address the most critical threats before they escalate.

Review and Revision
No risk management plan is perfect from the start, so businesses must regularly check and improve their processes. This means looking at past mistakes,
identifying new risks, and making changes to avoid bigger problems in the future. Companies that fail to do this can fall behind or even face major disasters.

Information, Communication, and Reporting
For risk management to be effective, companies need transparent and timely communication. Information about risks should be easily accessible to key decision-makers, employees, and even external stakeholders. By ensuring that the right information reaches the right people, companies can prevent minor risks from escalating into major crises.

ENTERPRISE RISK MANAGEMENT PROCESS
1. Identify Risks - The first step in the ERM process is to identify the potential risks (and opportunities) that may affect the organization's objectives. This step entails the identification of internal and external risks originating from various places, including operational, financial, regulatory, legal, reputational, and strategic risks.
2. Assess Risks - The next step is to assess their likelihood and potential impact on the organization's objectives. This step involves an analysis of risks based on their likelihood of occurrence, potential impact, the speed at which the risk may affect the organization, and the effectiveness of the organization's existing controls to mitigate those risks.
3. Prioritize Risks - The next step is to prioritize the risks based on their level of importance to the organization's objectives. This step involves identifying risks that require immediate intervention versus those that can be addressed in the long term.
4. Develop Risk Mitigation Strategies - The next step is to develop risk management strategies that align with the organization's objectives. This step involves the formulation of a risk management plan that defines the organization's strategies for mitigating, avoiding, transferring, or accepting each identified risk.
5. Implement Risk Mitigation Strategies - The next step is to implement the risk mitigation strategies identified in the previous step. This step involves establishing the required processes, policies, and procedures to effectively manage the identified risks.
6. Report, Monitor and Review - The final step in the ERM process is to report, monitor, and review the effectiveness of the risk management strategies implemented. This step involves ongoing risk monitoring, assessing the effectiveness of risk management strategies, making necessary adjustments to strategies, and timely reporting of results to inform strategic planning.

ENTERPRISE RISK MANAGEMENT TOOLS
1. Risk Management Software
- This method consolidates an enterprise-wide view of the risk domain. This view includes cutting-edge dashboards, automatic reporting, and real-time updates.
2. Risk Assessment Frameworks
- These act as playbooks for the risk assessment endeavors. They provide organized ways for evaluating hazards and classifying them in order of importance.
3. Decision-Support Systems
- These information-based tools aid users in making informed decisions grounded in risk data. Consider a GPS navigating you through obstacles.
4. Compliance Management Systems
- They serve as a safeguard to ensure compliance with established regulations and avoid legal complications.
5. Incident Management Systems
- They are established to monitor and address risk incidents to mitigate the impact they have. They facilitate learning from incidents and enhance responses to risks.

ENTERPRISE RISK MANAGEMENT IMPLEMENTATION

Why do organizations need ERM?
ERM will help any organization meet its business challenges by establishing oversight, control and discipline to drive continuous improvement of risk management capabilities in a changing operating environment. It can redefine the value proposition of risk management by providing an organization with the tools and resources it needs to become more anticipatory and effective at evaluating, embracing and managing uncertainties.

ERM will provide reasonable assurance to management and the board that its business objectives are being achieved. By creating a common framework that can be used by disparate areas within the organization, it also aligns and integrates varying views of risk management.

ERM Program Execution
The nature of the ERM solution should take into account a number of factors, including size of the organization, business objectives, strategy, structure, culture, risk profile, competitive environment and financial wherewithal. After that is decided, the implementation
solution should complete the following steps:

1. Identify and understand the organization's priority risks.
2. Define the current state of the risk management capabilities with regard to key high-priority risks.
3. Define the future state of the risk management capabilities.
4. Analyze and articulate the size of the gap between the current state and future state as well as the nature of the improvements needed to close that gap.
5. Develop a business case for addressing the gaps.
6. Organize a plan that advances the desired ERM infrastructure capabilities.
7. Address any change issues that might be associated with the existing plan.
8. Determine how to provide the oversight and facilitation necessary to ensure effective integration and coordination of the overall effort.

ADVANTAGES OF ENTERPRISE RISK MANAGEMENT IMPLEMENTATION

The key advantages of implementing ERM include:

1. Improved Decision-Making - ERM enhances the structure, reporting, and analysis of risks by providing standardized reports that track enterprise risks. These reports improve decision-making for directors and executives by offering timely, concise, and flexible data on key risk indicators, mitigation strategies, and emerging risks.
2. Enhanced Risk Awareness - ERM fosters a cultural shift where risk discussions become integral to strategic business processes, encouraging open communication across all organizational levels. This shift breaks down silos, allowing operational units to manage risk more formally. ERM also develops leading indicators for early risk detection and uses key metrics to track changes in risk vulnerabilities, enabling proactive risk management.
3. More Efficient Use of Resources - ERM enhances the framework and tools for managing risk consistently across an organization. While it does not replace day-to-day risk management, ERM helps identify areas of inefficient resource allocation, eliminating redundant processes to optimize resource use.
4. Increased Stakeholder Confidence - ERM involves a transparent process for identifying, assessing, and managing risks, which helps build trust with stakeholders by providing clear insights into risk management practices. Implementing a robust ERM framework demonstrates an organization's commitment to its mission and enhances stakeholder confidence.
5. Improved Business Continuity - ERM enables organizations to anticipate and prepare for potential risks, reducing the likelihood and impact of costly incidents. By developing contingency plans, implementing mitigation strategies, and enhancing communication and collaboration, organizations can build resilience.
6. Effective Coordination of Regulatory and Compliance Matters - ERM provides valuable data that bond rating agencies, auditors, and regulatory examiners use for monitoring and reporting. This data helps streamline audits and reviews by documenting controls and mitigation efforts, reducing both the effort and cost associated with these processes.

POTENTIAL CHALLENGES OF ENTERPRISE RISK MANAGEMENT IMPLEMENTATION
- Enterprise Risk Management (ERM) is a comprehensive, top-down approach to managing organization-wide risks, ensuring profitability, performance, and regulatory compliance.

The key challenges faced by organizations in implementing ERM:
1. Resistance to Change - Implementing ERM often necessitates changes to existing policies, processes, and procedures. However, this can be met with resistance due to past experiences or concerns about job security, especially when automation or digital technologies are involved. Such resistance can hinder the project's success and may even lead to sabotage.
2. Lack of Qualified Personnel - Effective ERM implementation demands specialized domain expertise and guidance from senior stakeholders, such as the Chief Risk Officer (CRO). A shortage of qualified personnel with the necessary expertise can significantly hinder the implementation process and put the success of the ERM program at risk.
3. Lack of Perceived Benefits of ERM - A common challenge in implementing ERM is that it may not be perceived as a high-value initiative, leading other organizational priorities to take precedence.
4. Lack of Management Support - Measuring and reporting the impact of ERM on strategic goals
can be challenging, especially in the early stages of a project. These reporting difficulties can impede trust-building with stakeholders and limit their support, potentially undermining ERM implementation by reducing access to necessary resources and stakeholder buy-in.
5. Difficulties in Defining / Quantifying Risks - One of the most significant challenges in establishing a risk management program is creating a formal framework and a unified risk vocabulary. If a consistent risk definition and procedures are not established, it can threaten the program's success and exacerbate the organization's overall risk exposure.
6. Challenging Regulatory Environment - The constantly evolving regulatory landscape presents challenges due to diverse norms across jurisdictions, intense scrutiny, and the risk of compliance failures despite diligent efforts, often due to human error or unforeseen events. In this volatile market and geopolitical climate, adopting, customizing, and implementing ERM requires a highly vigilant approach to ensure compliance with multiple laws and regulations.
7. Cost Justification - In an ROI-driven environment, proving the value of an ERM framework to justify its costs can be challenging. Since ERM metrics for risk and reward are not strictly defined, they remain optional for many organizations. This lack of regulatory language and compliance incentives makes it difficult to articulate a compelling value proposition for ERM.
8. Planning Horizon - The planning horizon for an ERM assessment depends on an organization's commitment to investing in risk management. Many companies opt for a short-term planning horizon because it typically requires less training, is less costly, and provides quicker risk assessments compared to long-term approaches. However, for successful ERM outcomes, organizations, including banks and financial institutions, must consistently choose a solution that aligns with their strategic objectives.
9. Lack of Ownership - Determining ownership of an ERM framework is a significant challenge in its development and implementation. This issue is often debated and unclear among various organizational levels, including the board, directors, audit committee, and management, leading to confusion about who should ultimately be accountable for overseeing and implementing ERM.
10. Risk Reporting - Organizations often face challenges in deciding what risk information to disclose to internal and external stakeholders, as well as how to effectively communicate these risks. It is essential to balance transparency with the need to protect sensitive information, ensuring that risk insights are shared without raising concerns with external regulators, stakeholders, or auditors, which could lead to legal issues.

STRATEGIES TO ADDRESS ENTERPRISE RISK MANAGEMENT (ERM) IMPLEMENTATION CHALLENGES

To ensure ERM is effective, organizations need to establish a robust foundation and strategies that include:

1. Gradual Implementation
- Implementing ERM gradually through incremental changes is a strategic approach that can significantly reduce risks, enhance agility, and foster transparency within an organization. By setting realistic ambitions and focusing on small-scale changes, institutions can build credibility and ease the ERM implementation process.
2. Consistent Communication
- Consistent communication is a vital component in the successful implementation of ERM. By clearly articulating the benefits of ERM to all stakeholders, including employees, management, and the board of directors, organizations can effectively overcome resistance to change. Regular reporting on how ERM impacts strategic goals, risk exposure, and decision-making processes helps maintain transparency and demonstrates the value of ERM.
3. Support from Top Management
- Securing strong support from top management is crucial for the successful implementation of ERM within an organization. The team responsible for ERM can garner this support by clearly highlighting the benefits of ERM and demonstrating how it aligns with the organization's strategic objectives. By keeping top management informed and incorporating their feedback, risk officers can ensure that ERM is seen as a valuable tool for achieving business goals.
4. Diligent Needs Assessment
- Conducting a diligent needs assessment is a crucial step in implementing ERM across any organization. This thorough evaluation helps
determine the specific resources required for successful ERM implementation, including personnel, technology, and financial investments. Following the needs assessment, organizations must prioritize activities based on their strategic importance and allocate resources accordingly. This prioritization ensures that resources are optimized and focused on the most critical risk management tasks.

TOPIC 3: CONTEXT, OBJECTIVES, AND RISK ASSESSMENTS

Objectives
An objective defines a clear and measurable goal that aligns with an organization's vision, guiding decision-making and prioritization to achieve strategic success.

Common Areas of Company Objectives
1. Financial
- A for-profit corporation may prioritize revenue growth and cost efficiency, while a non-profit organization may focus on maximizing social impact with available resources.
2. Regulatory
- Highly regulated industries such as healthcare and finance must prioritize adherence to legal standards, whereas a tech startup may prioritize innovation and market expansion.
3. Operational
- Manufacturing companies may focus on minimizing downtime and optimizing supply chains, whereas a service-based business may emphasize customer satisfaction and service quality.
4. Market Expansion
- A multinational corporation may seek global expansion, while a small local business may focus on strengthening its regional presence.

Characteristics of "Good" Objectives
Specific – Clearly defined to avoid ambiguity.
Measurable – Quantifiable to track progress and success.
Achievable – Realistic given the company's resources and market conditions.
Relevant – Aligned with the organization's overall vision and strategy.
Time-bound – Have a clear deadline to drive accountability and urgency.

Establishing Context
- Sets the scope for the risk management process and the criteria against which the risks will be assessed.
- By establishing the context, the organization articulates its objectives, defines the external and internal parameters to be taken into account when managing risk, and sets the scope and risk criteria for the remaining process.

Why Establishing Context in Risk Management is Important
● Lays Foundation for Risk Management
● Helps Set Clear Objectives
● Identifies Relevant Risks
● Focuses on Critical Risks
● Enhances Decision-Making
● Ensures Compliance with Laws and Regulations
● Improves Communication with Stakeholders

Three elements that are important to consider when establishing the context for a risk assessment:
1. External Context
2. Internal Context
3. Risk Management Context

Establishing The External Context
The external environment in which the organization seeks to achieve its objectives.

The External Context
Can include, but is not limited to:
● Social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment (international, national, regional, or local)
● Key drivers and trends having impact on the organization's objectives
● Relationships with, perceptions and values of external stakeholders

Establishing The Internal Context
The internal environment in which the organization seeks to achieve its objectives.

The Internal Context
Should be established because:
● Risk management takes place in the context of the organization's objectives
● Project/process/activity objectives should align with overall organizational goals
● Ignoring this may lead to missed opportunities, loss of commitment, trust, and value.
Establishing the Context of the Risk Management Process

Risk Management
Defining the context is essential to align risk identification, assessment, and mitigation with organizational priorities and resources. It helps justify resource allocation while ensuring effectiveness and efficiency.

Risk Criteria
- Should reflect the organization's values, objectives, and resources
- May include legal/regulatory requirements
- Must align with the risk management policy
- Defined at the beginning and reviewed continually.

Defining Risk Criteria
Factors to consider:
1. Nature and types of causes and consequences
2. How likelihood is defined
3. Timeframe(s) of consequences/likelihood – Level of risk determination
4. Stakeholder views
5. Acceptable/tolerable risk level
6. Consideration of risk combinations

Risk Assessment
Three stages:
1. Risk Identification
2. Risk Analysis
3. Risk Evaluation

Sources of Risks
Internal
● Strategic Risks - These arise from the organization's long-term goals and plans, including market shifts, technological changes, and competitive pressures.
● Human Resource Risks - These relate to employee-related issues, including talent acquisition, retention, and performance.
● Legal and Compliance Risks - These relate to non-compliance with laws, regulations, and ethical standards.
External
● Market Risks - These are external financial risks caused by market changes, fluctuations, and unforeseen events.
● Political and Social Risks - These relate to political instability, social unrest, and government actions.
● Natural Disasters - These are events that can disrupt operations and cause significant damage.
● Technological Risks - These relate to changes in technology, including cybersecurity threats and disruptions in supply chains.

A. Risk Identification
Process of systematically identifying risks that
may impact organizational objectives.
Includes:
● Recognizing sources of risk
● Areas of impact
● Events (including changes), causes, 1. Defining Project Scope
consequences 2. Consulting Historical Data
● Generating a comprehensive risk list 3. Utilizing Expertise
4. Engaging Stakeholders in Brainstorming
Sources of Risks 5. Interviews and Surveys
Internal
Risk Identification Methods
● Operational Risks
- These stem from internal processes, Brainstorming: A collaborative technique where a group
systems, and people, including errors, generates ideas and potential risks related to a specific
fraud, or inadequate controls. project or area.
● Financial Risks
- These relate to the financial health and SWOT Analysis: A tool to evaluate Strengths,
stability of an organization. Weaknesses, Opportunities, and Threats, helping to

9
identify both internal and external factors that could
impact a project or organization.

Root Cause Analysis: Investigates the underlying


causes of a problem or potential risk to understand how
to prevent or mitigate it.

B. Risk Analysis
Risk analysis involves developing an
1. Identify Risks
understanding of the risk. It provides an input to risk
2. Identify Uncertainty
evaluation and to decisions on whether risks need to be
3. Estimate Impact
treated, and on the most appropriate risk treatment
4. Build Analysis Models
strategies and methods.
5. Analyze and Implement Solutions
Types of Risk Analysis
Quantitative vs. Qualitative
● Cost-Benefit Analysis
Quantitative
Compares the benefits a company
- A risk model is built using simulation or statistics
receives to the financial and non-financial
- The model generates a range of outputs or
expenses related to the benefits in a cost-benefit
outcomes
analysis. The potential benefits may cause other
- Monte Carlo Simulation
types of potential expenses to occur.
Qualitative
- Written definition of uncertainties
● Risk-Benefit Analysis
- SWOT Analysis, Cause-and-Effect Diagram etc.
Risk-benefit analysis compares potential
benefits with
C. Risk Evaluation
associated potential risks. Benefits may be
Process of identifying potential risks and
ranked and evaluated based on their likelihood of
assessing their impact and likelihood. It helps in
success or the projected impact the benefits may
prioritizing risks and deciding on strategies to minimize or
have.
manage them effectively.
● Needs-Risk Analysis
Importance
Compares the benefits a company
Existing Controls: Assessing effectiveness and
receives to the financial and non-financial
efficiency.
expenses related to the benefits in a cost-benefit
Risk Interdependencies: Understanding how risks are
analysis. The potential benefits may cause other
connected.
types of potential expenses to occur.
Data & Uncertainty: Evaluating the reliability of
information.
● Business Impact Analysis
Stakeholder Considerations: Ensuring transparent
A business may see a potential risk
communication in decision-making.
looming and want to determine how the situation
may impact it. Consider the probability of a
Risk Evaluation Process – Steps
concrete worker strike and how it would affect a
1. Identify risks and their impact on objectives
real estate developer. The developer may
2. Assess existing controls and effectiveness
perform a business impact analysis to understand
3. Analyze data limitations and uncertainties
how each additional day of the delay may impact
their operations.
Significance of Risk Evaluation
Why it matters ?
Steps in Risk Analysis
● Helps organizations develop risk management
● strategies.
● Minimizes negative impacts.
● Ensures alignment with business goals.

10

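The quantitative approach described under Risk Analysis above (a simulation-based model that yields a range of outcomes, such as a Monte Carlo simulation) can be made concrete with the following Python example, added here and not part of the original reviewer. It assumes a single risk scenario whose yearly event count is Poisson-distributed and whose loss per event is lognormal; the frequency, median loss and tolerable-loss threshold are constructed sample values, and the tolerance check corresponds to the "acceptable/tolerable risk level" listed under Defining Risk Criteria.

```python
"""Monte Carlo risk model for one risk scenario (added example): Poisson event
frequency, lognormal loss per event, many simulated years -> a range of annual losses."""
import math
import random
from statistics import mean

def poisson_sample(rng, lam):
    """Draw one Poisson(lam) count using Knuth's multiplication method."""
    limit = math.exp(-lam)
    count, prod = 0, 1.0
    while True:
        prod *= rng.random()
        if prod < limit:
            return count
        count += 1

def simulate_annual_losses(freq_per_year, median_loss, sigma, iterations=20000, seed=7):
    """Return one simulated total loss per simulated year."""
    rng = random.Random(seed)     # fixed seed keeps the run reproducible
    mu = math.log(median_loss)    # the lognormal median equals exp(mu)
    losses = []
    for _ in range(iterations):
        events = poisson_sample(rng, freq_per_year)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return losses

def percentile(values, pct):
    """Nearest-rank percentile (pct in 0..100) of a non-empty list."""
    ordered = sorted(values)
    return ordered[max(0, math.ceil(pct / 100 * len(ordered)) - 1)]

def summarize(losses, tolerable_loss):
    """Expected loss, tail percentiles and the chance of breaching the tolerable level."""
    return {
        "expected_loss": mean(losses),
        "p50": percentile(losses, 50),
        "p90": percentile(losses, 90),
        "p99": percentile(losses, 99),
        "prob_exceeds_tolerance": sum(x > tolerable_loss for x in losses) / len(losses),
    }

if __name__ == "__main__":
    # Constructed scenario: about 2 incidents a year, median loss 50,000, tolerable annual loss 500,000
    for key, value in summarize(simulate_annual_losses(2.0, 50_000, 1.0), 500_000).items():
        print(f"{key}: {value:,.2f}")
```

The spread between p50 and p99 is the "range of outcomes" that a qualitative write-up cannot give; the exceedance probability is what gets compared against the organization's stated risk tolerance.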