Republic of the Philippines

POLYTECHNIC UNIVERSITY OF THE PHILIPPINES

Office of the Vice President for Branches and Satellite Campuses
SANTA ROSA CAMPUS
City of Santa Rosa Laguna

INSTRUCTIONAL
MATERIAL
FOR
RISK MANAGEMENT

Compiled by:
Prof. Pedro P. Nocon
Faculty / Instructor

PUP Santa Rosa

January 2021

1
 TABLE OF CONTENTS

UNIT I: INTRODUCTION TO RISK MANAGEMENT

Lesson 1 Definition of Risk Management
Lesson 2 History of Risk Management
Lesson 3 Principles and Concepts in Risk Management

UNIT II: THE TYPES OF RISK IN A BUSINESS

Lesson 1 What is a Business Risk?
Lesson 2 The Different Types of Risks that Every Business Should Plan For
Lesson 3 How to Identify and Manage the Causes of Business Risks?

UNIT III: DIFFERENT KINDS OF RISK MANAGEMENT

Lesson 1 The Basics of Risk
Lesson 2 Kinds of Risk Management

UNIT IV: RISK MANAGEMENT STRATEGIES AND APPROACHES

Lesson 1 The Risk Management Framework
Lesson 2 Risk Management Strategies and Approaches

UNIT V: PROCESSES AND STRUCTURES IN RISK MANAGEMENT

Lesson 1 Risk Management Tools and Techniques
Lesson 2 Risk Management Processes and Structures

UNIT VI: THE ROLES AND RESPONSIBILITIES OF A RISK MANAGER

Lesson 1 Job Description and Guide
Lesson 2 Duties and Responsibilities
Lesson 3 Job Qualifications and Requirements

UNIT VII: INTEGRATION OF RISK MANAGEMENT IN THE SOCIETY

Lesson 1 Risk Management in Entrepreneurship
Lesson 2 Risk Management in the Organization
Lesson 3 Risk Management in Finance

UNIT VIII: DEVELOPING A RISK MANAGEMENT PLAN

Lesson 1 Elements or Components of a Risk Management Plan
Lesson 2 Steps or Ways on Creating and Preparing a Risk Management Plan
Lesson 3 Best Practices for Maintaining a Risk Management Plan

2
 RISK MANAGEMENT

COURSE OVERVIEW

Peter L. Bernstein once said: "The essence of risk management lies in maximizing the
areas where we have some control over the outcome while minimizing the areas
where we have absolutely no control over the outcome." This course is designed for
future marketing professionals who will engage into real world challenges that will test
their abilities in diving through what is unknown in the field of business. This will cover
topics about the introduction to risk management, the types of risk in a business, the
different kinds of risk management, risk management strategies and approaches,
processes and structures in risk management, the roles and responsibilities of a risk
manager, integration of risk management in the society, and developing a risk
management plan.

UNIT I: INTRODUCTION TO RISK MANAGEMENT

UNIT OVERVIEW
"Risk management is a more realistic term than safety. It implies that hazards are ever-
present, that they must be identified, analyzed, evaluated and controlled or rationally
accepted." - Jerome F. Lederer
This unit will discuss the different definitions of risk management, what it really means,
and what are those things to consider in performing it. Also, this unit will allow the
students to grasp information about the history of risk management and how it started.
Likewise, this will also introduce students to the various principles and concepts in risk
management, which are all important to the overall risk management procedure.

LEARNING OUTCOME: After a successful completion of this unit, you should be able
to:
• Describe the ways to achieve an effective risk management
• Understand the comparison of the earliest approach and modern form of risk
management
• Recognize the important principles and concepts in risk management

3
COURSE MATERIALS

Lesson 1: Definition of Risk Management

In every business, from the small corner store to the large manufacturer, there are
common challenges with insurance, claims, and risk in general. Buildings can be
damaged by fire, someone could slip and fall, vehicle accidents often occur, or losses
can occur as a result of defective products.
Now, more than ever, it is vital to the success of an organization to understand risk
management and to learn to control liability.
Contained below is all the information you need to understand the insurance market
and to get you started with risk management.

What is Risk Management?

Everyone knows what risk is; we use the word every day and take risks regularly,
whether we realize it or not. In every decision you make, when assessing the pros and
cons, you are also doing a risk assessment. The challenge is to make it a more
conscious process where your business is concerned. So what is risk management?
Risk management is the process of making and carrying out decisions that will
minimize the adverse effects of risk on an organization. The adverse effects of risk
can be objective or quantifiable like insurance premiums and claims costs, or
subjective and difficult to quantify such as damage to reputation or decreased
productivity. By focusing attention on risk and committing the necessary resources to
control and mitigate risk, a business will protect itself from uncertainty, reduce costs,
and increase the likelihood of business continuity and success.
A risk exists where there is an opportunity for a profit or a loss. In terms of losses, we
commonly refer to the risks as exposures to loss, or simply exposures. A fire is an
exposure. Defective products or defamation are liability exposures. The loss of
business that results from a damaged building or tarnished reputation is also an
exposure. The extent of a risk can be expressed as follows:
Risk management encompasses the identification, analysis, and response to risk
factors that form part of the life of a business. Effective risk management means
attempting to control, as much as possible, future outcomes by acting proactively
rather than reactively. Therefore, effective risk management offers the potential to
reduce both the possibility of a risk occurring and its potential impact. Risk
management is the process of identifying, assessing and controlling threats to an
organization's capital and earnings. These threats, or risks, could stem from a wide
variety of sources, including financial uncertainty, legal liabilities, strategic
management errors, accidents and natural disasters. IT security threats and data-
related risks, and the risk management strategies to alleviate them, have become a
top priority for digitized companies. As a result, a risk management plan increasingly
includes companies' processes for identifying and controlling threats to its digital

4
assets, including proprietary corporate data, a customer's personally identifiable
information (PII) and intellectual property.
Every business and organization faces the risk of unexpected, harmful events that can
cost the company money or cause it to permanently close. Risk management allows
organizations to attempt to prepare for the unexpected by minimizing risks and extra
costs before they happen.
A risk register is used to document risks, analysis and responses, and to assign clear
ownership of actions. Every business faces risks that could present threats to its
success. Risk is defined as the probability of an event and its consequences. Risk
management is the practice of using processes, methods and tools for managing
these risks. Risk management focuses on identifying what could go wrong, evaluating
which risks should be dealt with and implementing strategies to deal with those risks.
Businesses that have identified the risks will be better prepared and have a more cost-
effective way of dealing with them.

Lesson 2: History of Risk Management

A Brief Summary of the Long History of Risk Management

The study of risk management began after World War II. Risk management has long
been associated with the use of market insurance to protect individuals and companies
from various losses associated with accidents. Other forms of risk management,
alternatives to market insurance, surfaced during the 1950s when market insurance
was perceived as very costly and incomplete for protection against pure risk. The use
of derivatives as risk management instruments arose during the 1970s, and expanded
rapidly during the 1980s, as companies intensified their financial risk management.
International risk regulation began in the 1980s, and financial firms developed internal
risk management models and capital calculation formulas to hedge against
unanticipated risks and reduce regulatory capital. Concomitantly, governance of risk
management became essential, integrated risk management was introduced, and the
chief risk officer positions were created. Nonetheless, these regulations, governance
rules, and risk management methods failed to prevent the financial crisis that began
in 2007

How Did Risk Management Start?

Some historians believe that the earliest concept of managing risk arose because of
gaming. Thousands of years before Internet users could play online poker, people in
different ancient civilizations played games with dice and bones. Also, people played
games that evolved into chess and checkers well over two thousand years ago.
Some historical evidence that gaming gave rise to probability theory, important to risk
management, comes from writings by Dante and Galileo. The famous mathematicians,
Pascal and Fermat, wrote each other about games of chance in the 1600s, a
correspondence that is believed to have given rise to modern probability theory used
today.
If one were to consider the role of insurance in risk management, it is still possible to
trace it back to ancient times. For example, mutual aid and burial societies have been

5
documented as far back as the earliest days of ancient Rome. These are considered
the precursors of modern insurance companies.

When Did Risk Management Become a Career?

Corporate risk management has been a career before people actually called
themselves risk managers. For example, the first actuaries worked for the precursor
of a modern life insurance company in England as early as the 1700s. However, it is
probably possible to find even earlier examples. At any point in history when people
managed businesses, armies, or entire countries, there were certainly people
employed to manage risk with the tools that they had at the time.
According to "Risk Management: History, Definition, and Critique," the modern terms
for managing risk rose after World War II, but the discipline mostly began as a study
of using insurance to manage risk. Later, from the 1950s to the 1970s, risk managers
began to realize that it was too expensive to manage every risk with insurance, so the
discipline began to expand to alternatives to insurance. For example, training and
safety programs might be considered insurance alternatives.

Lesson 3: Principles and Concepts in Risk Management

We all hear about risk management (and risk assessment). The notion of trying to
determine up front all the various things that ‘could’ go wrong is definitely a difficult
task to undertake. Many a project that has hit rough times (or failed completely) can
often find its troubles attributed to an unforeseen problem that was not adequately
taken into account up front. Now while no one has a crystal ball and can foresee every
single issue that may (or may not) arise, it is important to still make a discerned effort
into assessing as many conceivable risks and derive action plans to contend with
them.
There are a whole slew of publications available regarding risk management and risk
assessment. Degree and certificate programs are also available to those wishing to
explore this area further. Truth be told, whole companies and careers are built around
the notion of cataloging risks and formulating plans of action should problems appear
as well as providing suggestions on how to proceed in order to mitigate potential risks.
Generally speaking, project managers are not formally schooled in the concept of risk
management. Their background encompasses aspects of risk assessment, but
depending on their role, it is likely to be one piece of the set of overall duties a project
manager may be required to perform.
With that being said, it is important to take a moment and define some of the key
concepts and definitions pertaining to risk management. What are some of the key
takeaways and ideas that a project manager should be mindful of if attempting to
perform a risk assessment on their project? What are some of the core principles that
they should be aware of in order to best handle their project?

6
Principles of Risk Management
There are specific core principles in regards to risk management. When looking to
perform an actual risk assessment, the following target areas should be part of the
overall risk management procedure (as defined by the International Standards
Organization; ISO):
The process should create value
1. It should be an integral part of the organizational process
2. It should factor into the overall decision making process
3. It must explicitly address uncertainty
4. It should be systematic and structured
5. It should be based on the best available information
6. It should be tailored to the project
7. It must take into account human factors
8. It should be transparent and all-inclusive
9. It should be dynamic and adaptable to change
10. It should be continuously monitored and improved upon as the project moves
forward
When first addressing a risk management procedure for a project, take note of the
aforementioned principles to ensure that your specific assessment is matching up with
the core ideals as defined by ISO.
The ISO 31000-2018 standard, Risk Management–Guidelines, lists the following eight
principles for any solid risk management program (see 31000-2018, Section 4,
Principles):
Integration
An organization should integrate its risk management efforts into all parts and activities
of the organization.
Structured and comprehensive
Creating and following a comprehensive, structured risk management approach leads
to the most consistent, desirable risk management outcomes.
Customized
An organization’s risk management approach should be customized to their own
needs, including the organization’s objectives and the external and internal context in
which the organization operates.
Inclusive
To be most effective, risk management should involve all stakeholders in appropriate
and timely ways. This allows the different knowledge sets, views, and perceptions of
all stakeholders to be considered and implemented into risk management efforts.

7
Dynamic
As the organization changes, including its external and internal context, the
organization’s risk management program and efforts should change, too. Change is
inevitable and successful organizations know how to work with change. A risk
management program should help the organization anticipate, identify, acknowledge,
and respond to changes in an appropriate and timely way.

Uses best available information

Effective risk management is done by considering information from the past and
present as well as anticipating the future. Therefore, (1) the information from the past
and present must be as reliable as possible, and (2) risk managers must consider the
limitations and uncertainties with that past and present information. All relevant
stakeholders should receive necessary information in a timely and clear manner.
Considers human and culture factors
Risk management is a human activity and it takes place within one or more culture
(organizational culture, etc.). Risk managers must be aware of the human and culture
factors that the risk management effort takes place in and know the influence that
human and culture factors will place on the risk management effort.
Practices continual improvement
Through experience and learning, risk managers must strive to continually improve an
organization’s risk management efforts.
Various organizations have laid down principles for risk management. There are risk
management principles by International standardization Organization and by Project
Management Body of Knowledge.
Meanwhile, the Project management body of knowledge (PMBOK) has laid down 12
principles. This article carries an amalgamation of both PMBOK and ISO
principles. The various principles are:
Organizational Context: Every organization is affected to varying degrees by various
factors in its environment (Political, Social, Legal, and Technological, Societal etc.).
For example, an organization may be immune to change in import duty whereas a
different organization operating in the same industry and environment may be at a
severe risk. There are also marked differences in communication channels, internal
culture and risk management procedures. The risk management should therefore be
able to add value and be an integral part of the organizational process.
Involvement of Stakeholders: The risk management process should involve the
stakeholders at each and every step of decision making. They should remain aware
of even the smallest decision made. It is further in the interest of the organization to
understand the role the stakeholders can play at each step.

8
Organizational Objectives: When dealing with a risk it is important to keep the
organizational objectives in mind. The risk management process should explicitly
address the uncertainty. This calls for being systematic and structured and keeping
the big picture in mind.
Reporting: In risk management communication is the key. The authenticity of the
information has to be ascertained. Decisions should be made on best available
information and there should be transparency and visibility regarding the same.
Roles and Responsibilities: Risk Management has to be transparent and inclusive.
It should take into account the human factors and ensure that each one knows it roles
at each stage of the risk management process.
Support Structure: Support structure underlines the importance of the risk
management team. The team members have to be dynamic, diligent and responsive
to change. Each and every member should understand his intervention at each stage
of the project management lifecycle.
Early Warning Indicators: Keep track of early signs of a risk translating into an active
problem. This is achieved through continual communication by one and all at each
level. It is also important to enable and empower each to deal with the threat at his/her
level.
Review Cycle: Keep evaluating inputs at each step of the risk management process
- Identify, assess, respond and review. The observations are markedly different in
each cycle. Identify reasonable interventions and remove unnecessary ones.
Supportive Culture: Brainstorm and enable a culture of questioning, discussing. This
will motivate people to participate more.
Continual Improvement: Be capable of improving and enhancing your risk
management strategies and tactics. Use your learning’s to access the way you look at
and manage ongoing risk.

REFERENCES
Dalto, J (2019). 8 principles of risk management: risk management basics.
Convergence Training. Retrieved from https://www.convergencetraining.com/blog/8-
principles-of-risk-management-risk-management-basics

Dionne, G (2013). Risk management: history, definition, and critique. Retrieved from
https://doi.org/10.1111/rmir.12016

Manage Risk (n.d). Info Entrepreneurs. Retrieved from

https://m.infoentrepreneurs.org/en/guides/manage-risk/

Principles of Risk Management (n.d). Managements Study Guide. Retrieved from

https://www.managementstudyguide.com/principles-of-risk-management.htm

9
Rhodes, A. (2015). A brief summary of the long history of risk management. Retrieved
from https://www.google.com/amp/s/blog.ventivtech.com/blog/a-brief-summary-of-
the-long-history-of-risk-management%3fhs_amp=true

Risk Management (n.d). Corporate Finance Institute. Retrieved from

https://corporatefinanceinstitute.com/resources/knowledge/strategy/risk-
management/

Risk Management and Why it is Important (n.d.). Search Compliance. Retrieved from
https://searchcompliance.techtarget.com/definition/risk-management?amp=1

Risk Management – Principles and Definitions (2011). Retrieved from

https://www.google.com/amp/s/programsuccess.wordpress.com/2011/05/29/risk-
management-principles-and-definitions/amp/

What is Risk Management (n.d.). ClearRisk. Retrieved from

https://www.clearrisk.com/what-is-risk-management

What is Risk Management (n.d). Retrieved from

https://www.apm.org.uk/resources/what-is-project-management/what-is-risk-
management/

ACTIVITIES / ASSESSMENTS

Essay
1. What do you think are the ways to achieve an effective risk management?
2. How can you compare the earliest approach and modern form of risk management?

10
 UNIT II: THE TYPES OF RISK IN A BUSINESS

UNIT OVERVIEW
"Managing risk is very different from managing strategy. Risk management focuses
on the negative-threats and failures rather than opportunities and successes."
- Robert S. Kaplan

This unit will tackle the definition of business risk first before understanding the further
concepts that it contains. Also, this unit will allow the students to know the different
types of risks that every business should plan for. Likewise, this will also introduce
students to the different ways on how to identify and manage the causes of business
risks.

LEARNING OUTCOME: After a successful completion of this unit, you should be able
to:
• State the meaning of business risk
• Identify the importance of managing business risks
• Formulate on which has the most severe impact and how likely to occur among
the different types of risk

COURSE MATERIALS
Lesson 1: What is a Business Risk?

A business risk is a future possibility that may prevent you from achieving a business
goal. The risks facing a typical business are broad and include things that you can
control such as your strategy and things beyond your control such as the global
economy.

What Is Business Risk?

Business risk is the exposure a company or organization has to factor(s) that will lower
its profits or lead it to fail. Anything that threatens a company's ability to achieve its
financial goals is considered a business risk. There are many factors that can
converge to create business risk. Sometimes it is a company's top leadership or
management that creates situations where a business may be exposed to a greater
degree of risk.
However, sometimes the cause of risk is external to a company. Because of this, it is
impossible for a company to completely shelter itself from risk. However, there are
ways to mitigate the overall risks associated with operating a business; most
companies accomplish this through adopting a risk management strategy.

11
Understanding Business Risk
When a company experiences a high degree of business risk, it may impair its ability
to provide investors and stakeholders with adequate returns. For example, the CEO
of a company may make certain decisions that affect its profits, or the CEO may not
accurately anticipate certain events in the future, causing the business to incur losses
or fail.
Business risk is a broad category. It applies to any event or circumstance that has the
potential to prevent you from achieving your business goals or objectives. Business
risk can be internal (such as your strategy) or external (such as the global economy).
You should not manage or treat in the same way all types of risk. You should
understand what type of risk you are facing, before you consider how to deal with it.

Importance of Understanding Risk

Risk is often described by an event, a change in circumstances or a consequence. A
common definition of risk suggests that risk is the effect of uncertainty on achieving or
surpassing business objectives. This effect may be positive, negative or a deviation
from the expected, for example in forecasts and projections.
Without identifying risks, it is difficult to successfully define your objectives and set out
strategies for achieving them. It is best practice to integrate business risk management
with your strategy formulation and business planning processes.
Understanding and managing risks allows you to control, and often prevent, the
financial, organizational, legal and other ramifications associated with risks.
Business risk refers to a threat to the company’s ability to achieve its financial goals.
In business, risk means that a company’s or an organization’s plans may not turn out
as originally planned or that it may not meet its target or achieve its goals.
Such risks cannot always be blamed on the owner of the company, as risk can be
influenced by various external factors, which may include rising prices of raw materials
for production, growing competition, or changes or additions to existing government
regulations.
Businesses face all kinds of risks, some of which can cause serious loss of profits or
even bankruptcy. But while all large companies have extensive "risk management"
departments, smaller businesses tend not to look at the issue in such a systematic
way.
There is a risk to every business decision you make. So, instead of relying on gut
instinct, it's a good idea to use risk management to guide your business decisions.
Understand what risk management is and the types of risk that could affect your
business.

12
 Lesson 2: The Different Types of Risks that Every Business Should Plan For

Building a business takes work—and risks. But some risks are more dangerous than
others. Here are a few risks that every business owner should keep in mind.
Running a business takes hard work, which can reap the rewards of customers,
revenue and satisfaction. While success is the ultimate goal, business risk may stop
you from achieving the goals you set.
When it comes to risk management, there are steps you can take, however. Here are
seven types of business risk you may want to address in your company.
1. Economic Risk
The economy is constantly changing as the markets fluctuate. Some positive changes
are good for the economy, which lead to booming purchase environments, while
negative events can reduce sales. It's important to watch changes and trends to
potentially identify and plan for an economic downturn.
To counteract economic risk, save as much money as possible to maintain a
steady cash flow. Also, operate with a lean budget with low overhead through all
economic cycles as part of your business plan.
2. Compliance Risk
The second form of business risk is referred to as compliance risk. Compliance risk
primarily arises in industries and sectors that are highly regulated. For example, in the
wine industry, there is a three-tier system of distribution that requires wholesalers in
the U.S. to sell wine to a retailer (who then sells it to consumers). This system prohibits
wineries from selling their products directly to retail stores in some states.
Compliance risk involves companies having to comply with new rules that are set by
the government or by a regulatory body. For example, there may be a new minimum
wage that must be implemented immediately.
Are you complying with all the necessary laws and regulations that apply to your
business?
Of course you are (I hope!). But laws change all the time, and there’s always a risk
that you’ll face additional regulations in the future. And as your own business expands,
you might find yourself needing to comply with new rules that didn’t apply to you
before.
For example, let’s say you run an organic farm in California, and sell your products in
grocery stores across the U.S. Things are going so well that you decide to expand to
Europe and begin selling there.
That’s great, but you’re also incurring significant compliance risk. European countries
have their own food safety rules, labeling rules, and a whole lot more. And if you set
up a European subsidiary to handle it all, you’ll need to comply with local accounting
and tax rules. Meeting all those extra regulatory requirements could end up being a
significant cost for your business.

13
Even if your business doesn’t expand geographically, you can still incur new
compliance risk just by expanding your product line. Let’s say your California farm
starts producing wine in addition to food. Selling alcohol opens you up to a whole raft
of new, potentially costly regulations.
And finally, even if your business remains unchanged, you could get hit with new rules
at any time. Perhaps a new data protection rule requires you to beef up your website’s
security, for example. Or employee safety regulations mean you need to invest in new,
safer equipment in your factory. Or perhaps you’ve unwittingly been breaking a rule,
and have to pay a fine. All of these things involve costs, and present a compliance risk
to your business.
In extreme cases, a compliance risk can also affect your business’s future, becoming
a strategic risk too. Think of tobacco companies facing new advertising restrictions,
for example, or the late-1990s online music-sharing services that were sued for
copyright infringement and were unable to stay in business. We’re breaking these risks
into different categories, but they often overlap.
However, there are many U.S. states that do not have this type of distribution system;
compliance risk arises when a brand fails to understand the individual requirements of
the state that it is operating within. In this situation, a brand risks becoming non-
compliant with state-specific distribution laws.
Business owners face an abundance of laws and regulations to comply with. For
example, recent data protection and payment processing compliance could impact
how you handle certain aspects of your operation. Staying well versed in applicable
laws from federal agencies like the Occupational Safety and Health Administration
(OSHA) or the Environmental Protection Agency (EPA) as well as state and local
agencies can help minimize compliance risks.
Non-compliance may result in significant fines and penalties. Remain vigilant in
tracking compliance by joining an industry organization, regularly reviewing
government agency information and seeking assistance from consultants who
specialize in compliance.

3. Security and Fraud Risk

As more customers use online and mobile channels to share personal data, there are
also greater opportunities for hacking. News stories about data breaches, identity theft
and payment fraud illustrate how this type of risk is growing for businesses.
Not only does this risk impact trust and reputation, but a company is also financially
liable for any data breaches or fraud. To achieve effective enterprise risk management,
focus on security solutions, fraud detection tools and employee and customer
education about how to detect any potential issues.

14
4. Financial Risk
This business risk may involve credit extended to customers or your own company's
debt load. Interest rate fluctuations can also be a threat.
Most categories of risk have a financial impact, in terms of extra costs or lost revenue.
But the category of financial risk refers specifically to the money flowing in and out of
your business, and the possibility of a sudden financial loss.
For example, let’s say that a large proportion of your revenue comes from a single
large client, and you extend 60 days credit to that client (for more on extending credit
and dealing with cash flow, see our earlier cash flow tutorial).
In that case, you have a significant financial risk. If that customer is unable to pay, or
delays payment for whatever reason, then your business is in big trouble.
Having a lot of debt also increases your financial risk, particularly if a lot of it is short-
term debt that’s due in the near future. And what if interest rates suddenly go up, and
instead of paying 8% on the loan, you’re now paying 15%? That’s a big extra cost for
your business, and so it’s counted as a financial risk.
Financial risk is increased when you do business internationally. Let’s go back to that
example of the California farm selling its products in Europe. When it makes sales in
France or Germany, its revenue comes in euros, and its UK sales come in pounds.
The exchange rates are always fluctuating, meaning that the amount the company
receives in dollars will change. The company could make more sales next month, for
example, but receive less money in dollars. That’s a big financial risk to take into
account.
It's a good idea to understand the different types of risks your business may face so
you can recognize and plan ahead for them.
Financial risk is about the financial health of the company. Can the company afford to
offer installment payments to its customers? How many customers can it offer such
an installment scheme? Can it handle business operations when two or three of these
customers are not able to make their payments on time?
Making adjustments to your business plan will help you avoid harming cash flow or
creating an unexpected loss. Keep debt to a minimum and create a plan that will start
lowering that debt load as soon as possible. If you rely on all your income from one or
two clients, your financial risk could be significant if one or both no longer use your
services. Start marketing your services to diversify your base so the loss of one won't
devastate your bottom line.
5. Reputation Risk
Any time a company's reputation is ruined, either by an event that was the result of a
previous business risk or by a different occurrence, it runs the risk of losing customers
and its brand loyalty suffering. The reputation of HSBC faltered in the aftermath of the
fine it was levied for poor anti-money laundering practices.
There has always been the risk that an unhappy customer, product failure, negative
press or lawsuit can adversely impact a company's brand reputation. However, social

15
media has amplified the speed and scope of reputation risk. Just one negative tweet
or bad review can decrease your customer following and cause revenue to plummet.
There are many different kinds of business, but they all have one thing in common: no
matter which industry you’re in, your reputation is everything.
If your reputation is damaged, you’ll see an immediate loss of revenue, as customers
become wary of doing business with you. But there are other effects, too. Your
employees may get demoralized and even decide to leave. You may find it hard to
hire good replacements, as potential candidates have heard about your bad reputation
and don’t want to join your firm. Suppliers may start to offer you less favorable terms.
Advertisers, sponsors or other partners may decide that they no longer want to be
associated with you.
Reputational risk can take the form of a major lawsuit, an embarrassing product recall,
negative publicity about you or your staff, or high-profile criticism of your products or
services. And these days, it doesn’t even take a major event to cause reputational
damage; it could be a slow death by a thousand negative tweets and online product
reviews.
To prepare for this risk, leverage reputation management strategies to regularly
monitor what others are saying about the company online and offline. Be ready to
respond to those comments and help address any concerns immediately. Keep quality
top of mind to avoid lawsuits and product failures that can also damage your
company's reputation.
6. Operational Risk
The third type of business risk is operational risk. This risk arises from within the
corporation, especially when the day-to-day operations of a company fail to perform.
For example, in 2012, the multinational bank HSBC faced a high degree of operational
risk and as a result, incurred a large fine from the U.S. Department of Justice when its
internal anti-money laundering operations team was unable to adequately stop money
laundering in Mexico.
This business risk can happen internally, externally or involve a combination of factors.
Something could unexpectedly happen that causes you to lose business continuity.
So far, we’ve been looking at risks stemming from external events. But your own
company is also a source of risk.
Operational risk refers to an unexpected failure in your company’s day-to-day
operations. It could be a technical failure, like a server outage, or it could be caused
by your people or processes.
In some cases, operational risk has more than one cause. For example, consider the
risk that one of your employees writes the wrong amount on a check, paying out
$100,000 instead of $10,000 from your account.
That’s a “people” failure, but also a “process” failure. It could have been prevented by
having a more secure payment process, for example having a second member of staff

16
authorize every major payment, or using an electronic system that would flag unusual
amounts for review.
In some cases, operational risk can also stem from events outside your control, such
as a natural disaster, or a power cut, or a problem with your website host. Anything
that interrupts your company’s core operations comes under the category of
operational risk.
While the events themselves can seem quite small compared with the large strategic
risks we talked about earlier, operational risks can still have a big impact on your
company. Not only is there the cost of fixing the problem, but operational issues can
also prevent customer orders from being delivered or make it impossible to contact
you, resulting in a loss of revenue and damage to your reputation.
Operational risk occurs within the business’ system or processes. For example, one
of its production machines may break down when the target output is still unmet. What
will the company do if one of its machine operators has an accident during work hours?
That unexpected event could be a natural disaster or fire that damages or destroys
your physical business. Or, it might involve a server outage caused by technical
problems, people, or power cut. Many operational risks are also people-related. An
employee might make mistakes that cost time and money.
Whether it's a people or process failure, these operational risks can adversely impact
your business in terms of money, time and reputation. Address each of these potential
operational risks through training and a business continuity plan. Both tactics provide
a way to think about what could go wrong and establish a backup system or proactive
measures to ensure operations aren't affected.
For example, more businesses are using cloud storage to protect company data and
rely on remote team members to maintain operations. Automating more processes
also helps to reduce people failures.
7. Competition (or Comfort) Risk
While a business may be aware that there is always some competition in their industry,
it's easy to miss out on what businesses are offering that may appeal to your
customers.
In this case, the business risk involves a company leader becoming so comfortable
with their success and the status quo that they don't look for ways to pivot or make
continual improvements. Increasing competition combined with an unwillingness to
change may result in a loss of customers.
Enterprise risk management means a company must continually reassess their
performance, refine their strategy, and maintain strong, interactive relationships with
their audience and customers. Additionally, it's important to keep an eye on the
competition by regularly researching how they use online and social media channels.

17
8. Strategic Risk
Strategic risk arises when a business does not operate according to its business model
or plan. When a company does not operate according to its business model, its
strategy becomes less effective over time and it may struggle to reach its defined
goals. If, for example, Walmart strategically positions itself as a low-cost provider and
Target decides to undercut Walmart's prices, this becomes a strategic risk for Walmart.
Everyone knows that a successful business needs a comprehensive, well-thought-out
business plan. But it’s also a fact of life that things change, and your best-laid plans
can sometimes come to look very outdated, very quickly.
This is strategic risk. It’s the risk that your company’s strategy becomes less effective
and your company struggles to reach its goals as a result. It could be due to
technological changes, a powerful new competitor entering the market, shifts in
customer demand, spikes in the costs of raw materials, or any number of other large-
scale changes.
History is littered with examples of companies that faced strategic risk. Some managed
to adapt successfully; others didn’t.
A classic example is Kodak, which had such a dominant position in the film
photography market that when one of its own engineers invented a digital camera in
1975, it saw the innovation as a threat to its core business model, and failed to develop
it.
It’s easy to say with hindsight, of course, but if Kodak had analyzed the strategic risk
more carefully, it would have concluded that someone else would start producing
digital cameras eventually, so it was better for Kodak to cannibalize its own business
than for another company to do it.
Failure to adapt to a strategic risk led to bankruptcy for Kodak. It’s now emerged from
bankruptcy as a much smaller company focusing on corporate imaging solutions, but
if it had made that shift sooner, it could have preserved its dominance.
Facing a strategic risk doesn’t have to be disastrous, however. Think of Xerox, which
became synonymous with a single, hugely successful product, the Xerox photocopier.
The development of laser printing was a strategic risk to Xerox’s position, but unlike
Kodak, it was able to adapt to the new technology and change its business model.
Laser printing became a multi-billion-dollar business line for Xerox, and the company
survived the strategic risk.
Strategic risks can occur at any time. For example, a company manufacturing an anti-
mosquito lotion may suddenly see a decline in its sales because people’s preferences
have changed, and they now want a spray mosquito repellent rather than a lotion. To
deal with such risks, companies need to implement a real-time feedback system to
know what its customers want.
These categories of risks are not rigid and some parts of your business may fall into
more than one category. The risks attached to data protection, for example, could be
considered when reviewing both your operations and your business' compliance.

18
Risks can also be:
9. Opportunity-based risks
This type of risk comes from taking one opportunity over others. By deciding to commit
your resources to one opportunity, you risk:
• missing a better opportunity
• getting unexpected result.
Opportunity-based risks for a business include moving a business to a different
location, buying a new property, or selling a new product or service.
10. Uncertainty-based risks
This type of risk is from uncertainty around unknown or unexpected events. It’s hard
to predict these events and the damage they can cause. It’s also hard to control the
damage once they occur.
Examples of uncertainty-based risks include:
• damage by fire, flood or other natural disasters
• unexpected financial loss due to an economic downturn, or bankruptcy of other
businesses that owe you money
• loss of important suppliers or customers
• decrease in market share because new competitors or products enter the
market
court action.

11. Hazard-based risks

These types of risks come from dangerous situations in the workplace.
Some common examples include:
• physical hazards caused by high noise levels, extreme weather or other
environmental factors
• equipment hazards caused by faulty equipment or poor processes when using
equipment such as machinery
• chemical hazards caused by improper storage or use of flammable, poisonous,
toxic or carcinogenic chemicals

19
 Lesson 3: How to Identify and Manage the Causes of Business Risks?

Although you will never be able to completely eliminate business risk, proactively
planning for it can help. Awareness is key in helping you save money and time while
protecting the trust, reputation, and customer base you've worked so hard to achieve.
Business risk is influenced by a number of different factors including:
• Consumer preferences, demand, and sales volumes
• Per-unit price and input costs
• Competition
• The overall economic climate
• Government regulations
A company with a higher amount of business risk may decide to adopt a capital
structure with a lower debt ratio to ensure that it can meet its financial obligations at
all times. With a low debt ratio, when revenues drop the company may not be able to
service its debt (and this may lead to bankruptcy). On the other hand, when revenues
increase, a company with a low debt ratio experiences larger profits and is able to
keep up with its obligations.
To calculate risk, analysts use four simple ratios: contribution margin, operation
leverage effect, financial leverage effect, and total leverage effect. For more complex
calculations, analysts can incorporate statistical methods. Business risk usually occurs
in one of four ways: strategic risk, compliance risk, operational risk, and reputational
risk.
Business risk cannot be entirely avoided because it is unpredictable. However, there
are many strategies that businesses employ to cut back the impact of all types of
business risk, including strategic, compliance, operational, and reputational risk.
The first step that brands typically take is to identify all sources of risk in their business
plan. These aren't just external risks—they may also come from within the business
itself. Taking action to cut back the risks as soon as they present themselves is key.
Management should come up with a plan in order to deal with any identifiable risks
before they become too great.
Once the management of a company has come up with a plan to deal with the risk, it's
important that they take the extra step of documenting everything in case the same
situation arises again. After all, business risk isn't static—it tends to repeat itself during
the business cycle.
Finally, most companies adopt a risk management strategy. This can be done either
before the business begins operations or after it experiences a setback. Ideally, a risk
management strategy will help the company be better prepared to deal with risks as
they present themselves. The plan should have tested ideas and procedures in place
in the event that risk presents itself.

20
Causes of Business Risks
There are basically three causes of business risk:
1. Natural causes
Natural causes of risk include flooding, earthquakes, cyclones, and other natural
disasters that can lead to the loss of lives and property. For example, a delivery truck
is on its way to deliver the order of a customer but is met with a cyclone along the way,
causing an accident. In order to counter such causes, businesses need to take out
comprehensive insurance coverage.

2. Human causes
Human causes of risk refer to negligence at work, strikes, work stoppages, and
mismanagement.

3. Economic causes
Economic causes involve things such as rising prices of raw materials or labor costs,
rising interest rates for borrowing, and competition.

Other sources of business risk

Other factors can present certain threats to your business, including:
• environmental risks, such as natural disasters
• political and economic instability in any foreign markets you export goods to
• health and safety risks - see health and safety risk assessment
• commercial risks, including the failure of key suppliers or customers
• workforce risks, eg maintaining sufficient staff numbers and cover, employee
safety and up-to-date skills
Such risks cannot always be blamed on the owner of the company, as risk can be
influenced by various external factors, which may include rising prices of raw materials
for production, growing competition, or changes or additions to existing government
regulations.

How to Identify Business Risks

Risks are inherent to every environment and business. They cannot be avoided and,
therefore, must be addressed head-on to minimize their impact. The first step in risk
management is to identify the risks in order to come up with a risk management
strategy.

21
1. Analyze the sources that may trigger problems
It is important to identify and analyze the sources that can cause a problem. Risk
triggers can be internal or external.

2. Act now
Managers shouldn’t wait for potential problems to become actual problems before they
start doing something. The moment a problem is deemed to be a threat, it should
immediately be dealt with by the company’s executives by devising a plan of action in
the event that the risk becomes an actual full-blown concern facing the company.

3. Involve employees
Identifying risks is not the sole responsibility of the managers and top-ranking officials.
Management should involve their employees in identifying the risks that they see in
their respective departments and train them to handle such risks at their level.

4. Make a list of industry-specific risks

By looking into the industry where the company operates, managers will be able to
identify the possible risks that the business may face. If the same risks happen to other
companies in the same industry, there is a likely chance that it will happen to your
company as well. Therefore, businesses should be ready with a list of solutions or
steps to address the risks.

5. Create a record of risks

Sometimes, the same risks arise over and over. By creating a record of all the risks
experienced by the company since it started, management will be able to do a regular
review of past events in order to detect patterns that may better prepare the company
for future risks.

22
How to Manage Business Risks
Business risks may be inevitable, but there are several ways to minimize their impact,
such as:

1. Avoid the risk

It may sound ironic to suggest avoiding the risk when we say that it is inevitable. But
what is meant here is that companies should avoid specific risks when possible.
Managers should think of alternatives in order to not have to face the risk.

2. Prevent the risk

In the example of the delivery truck above, it would help prevent the risk if companies
check on the weather prior to sending out deliveries in order to make sure they reach
their destination safely. If there is a deemed risk, then they should act to prevent it
from happening – for example, by halting deliveries during severe weather.

3. Contain the risk

Sometimes, there are risks that cannot be avoided or prevented. Companies can
choose to contain said risks while putting up safety nets. For example, since all
businesses need to access the internet, where hackers abound, they may put stronger
firewalls and other protective measures in place to ensure their company’s safety.

How you can manage risk in your business

Begin by finding out about risk management practices and how you can use them.
You should also talk to others involved in your business (including your employees
and customers) to decide on the best way to manage risk in your business.
Before you decide what to do, you’ll need to work out what your risks are and which
ones are most urgent:
• Identify – work out what risks your business could face.
• Analyze – find the level of the risks and which ones are most urgent.
• Evaluate – compare the risk against set risk criteria to decide what to do.

23
Why manage risk?
By managing risk, you can reduce the impact of unexpected events on your business.
Managing risk can also help you to:
• improve your relationships with customers, suppliers, employees and the
community, by understanding and managing their expectations
• improve staff confidence in a safe work environment, through workplace health
and safety (WHS) and workers’ compensation insurance
• keep your business open during natural or economic disasters, by having
an emergency management plan
• reduce your compliance and insurance costs, by having a lower risk of
damages
You won't always have enough information or the resources to manage every risk. A
good risk management plan will allow you to change your approach if it isn't working,
or when unexpected risk happens.

Risks that you must manage

You're required by law to manage some risks. For example, you must manage or
reduce the risk of:
• accidents and injury by making your workplace safe under work health and
safety (WHS) laws
• customer complaints by treating customers fairly under Australian Consumer
Law
• injury or harm to employees by having workers' compensation insurance
• damaging the environment by meeting the environmental laws that apply to
you.

REFERENCES

Blackman, A. (2014). The main types of business risk. Envato Tuts Plus. Retrieved
from https://business.tutsplus.com/tutorials/the-main-types-of-business-risk--cms-
22693

Boitnott, J. (2019). 7 business risks every business should plan for. American Express.
Retrieved from https://www.americanexpress.com/en-us/business/trends-and-
insights/articles/7-business-risks-every-business-should-plan-for/

Business risks (2020). Business Gov Australia. Retrieved from

https://business.gov.au/risk-management/risk-assessment-and-planning/business-
risks

24
Business risk – Overview, how to identify, and how to manage (n.d). Corporate
Finance Institute. Retrieved from
https://corporatefinanceinstitute.com/resources/knowledge/finance/business-risk/

Kenton, W. (2020). Business risk definition. Investopedia. Retrieved from

https://www.investopedia.com/terms/b/businessrisk.asp

Spacey, J. (2015). 20 types of business risk. Simplicable. Retrieved from

https://www.google.com/amp/s/simplicable.com/amp/business-risk

Types of risk your business faces (n.d). Northern Ireland Business Info UK. Retrieved
from https://www.nibusinessinfo.co.uk/content/types-risk-your-business-faces

ACTIVITIES / ASSESSMENTS
Essay
1. Among the different types of risk, which do you think has the most severe impact
and how likely are they to occur?
2. Why is it important to identify and manage business risks?

25
 UNIT III: DIFFERENT KINDS OF RISK MANAGEMENT

UNIT OVERVIEW
"Let's be honest: starting, owning and running a business is inherently risky. Creating
the right systems is what helps you manage the risk. And risk management is
incredibly important." - Tom Corson-Knowles
This unit gives an overview about the basics of risk, riskless securities, and the
connection of risk and time horizons. Also, this unit will allow the students to know
more about the different kinds of risk management. Likewise, this will also introduce
students to some examples of riskless investments and securities.

LEARNING OUTCOME: After a successful completion of this unit, you should be able
to:
• Discuss the differences between the kinds of risk management
• Summarize the significance or relevance of various kinds of risk management

COURSE MATERIALS
Lesson 1: The Basics of Risk
Everyone is exposed to some type of risk every day – whether it’s from driving, walking
down the street, investing, capital planning, or something else. An investor’s
personality, lifestyle, and age are some of the top factors to consider for individual
investment management and risk purposes. Each investor has a unique risk
profile that determines their willingness and ability to withstand risk. In general, as
investment risks rise, investors expect higher returns to compensate for taking those
risks.1

Individuals, financial advisors, and companies can all develop risk

management strategies to help manage risks associated with their investments and
business activities. Academically, there are several theories, metrics, and strategies
that have been identified to measure, analyze, and manage risks. Some of these
include: standard deviation, beta, Value at Risk (VaR), and the Capital Asset Pricing
Model (CAPM). Measuring and quantifying risk often allows investors, traders, and
business managers to hedge some risks away by using various strategies including
diversification and derivative positions.

Riskless Securities
While it is true that no investment is fully free of all possible risks, certain securities
have so little practical risk that they are considered risk-free or riskless.

Riskless securities often form a baseline for analyzing and measuring risk. These
types of investments offer an expected rate of return with very little or no risk.
Oftentimes, all types of investors will look to these securities for preserving emergency
savings or for holding assets that need to be immediately accessible.

Examples of riskless investments and securities include certificates of deposits (CDs),

government money market accounts, and U.S. Treasury bills. 3 The 30-day U.S.

26
Treasury bill is generally viewed as the baseline, risk-free security for financial
modeling. It is backed by the full faith and credit of the U.S. government, and, given
its relatively short maturity date, has minimal interest rate exposure. 4 5

Risk and Time Horizons

Time horizon and liquidity of investments is often a key factor influencing risk
assessment and risk management. If an investor needs funds to be immediately
accessible, they are less likely to invest in high risk investments or investments that
cannot be immediately liquidated and more likely to place their money in riskless
securities.

Time horizons will also be an important factor for individual investment portfolios.
Younger investors with longer time horizons to retirement may be willing to invest in
higher risk investments with higher potential returns. Older investors would have a
different risk tolerance since they will need funds to be more readily available.

Lesson 2: Kinds of Risk Management

• Interest Rate Risk: It is the risk of adverse effect of interest rate movements
on a firm’s profits or balance sheet.
• Credit Risk: It is the risk which may arise due to default of the counter-party.
• Liquidity Risk: It is the risk which arises if the given asset or fund is not traded
at right time in the market.
• Internal Business Risk: it is due the inefficiency of management in the
business.
• External Business Risk: This type of risk arises due to external environment
in the business.
• Financial Risk: This risk originates due to improper composition of the
operations.
• Market Risk: This is the risk which occurs due to market conditions which
results in reduction in returns expected on investment. It is also referred to as
price risk.
• Basis Risk: This risk is due the price of the asset and the hedged instrument
are not perfectly correlated.
• Volatility Risk: Risk of suffering losses from changes in implied volatility of the
market.
• Personnel Risk: This risk is the one which may occur due to inefficient or
incapable personnel in the business.
• Country or Sovereign Risk: When a country is in difficulty in terms of making
its financial commitments for that country as well as for other countries then this
type of risk is Country or Sovereign Risk.
• Technology Risk: Type of risk which arises due to failure in technology.
• Operational Risk: This risk is due to any type of operational failure like,
inadequate monitoring, systems failure, management failure, human error.
Operational Risk includes Model risk, people risk, legal and compliance risk.
• Foreign Exchange Risk: It is due the changes in the foreign exchange rate,
currency values etc. which affects the firm

27
 REFERENCES

Chen, J (2020). Risk Definition. Investopedia. Retrieved from

https://www.investopedia.com/terms/r/risk.asp

What is risk management (n.d). EducBa. Retrieved from

https://www.educba.com/what-is-risk-management/

ACTIVITIES / ASSESSMENTS

Essay
1. What are the differences between Internal and External Business Risk? Justify your
answer.
2. Why is there a need for various kinds of risk management and not a single one
only?

28
 UNIT IV: RISK MANAGEMENT STRATEGIES AND APPROACHES

UNIT OVERVIEW
"Total enterprise risk management is critical, but implementing it is both expensive and
easier said than done. Even the most sophisticated financial institutions are still
basically silo risk managers." - Danny Klinefelter

This unit unravels a more complex topic about studying risk management which is the
Rich Management Framework. In this framework, the five management components
were explained thoroughly for the students. Also, this unit will allow the students to
equipped themselves with knowledge about the different risk management strategies
and approaches. Likewise, this will also provide students with an authentic lesson as
it gives an example on how risk management strategies are being practiced in both
large and small organizations.

LEARNING OUTCOME: After a successful completion of this unit, you should be able
to:

• Appraise the contribution and purpose of risk management framework to the

organization
• Plan on ways on how to stay current on the latest strategies and approaches
in risk management

COURSE MATERIALS
Lesson 1: The Risk Management Framework
The Risk Management Framework (RMF) is a set of criteria that dictate how the United
States government IT systems must be architected, secured, and monitored.
Originally developed by the Department of Defense (DoD), the RMF was adopted by
the rest of the US federal information systems in 2010. Today, the National Institute of
Standards and Technology (NIST) maintains NIST and provides a solid foundation for
any data security strategy. The RMF builds on several previous risk management
frameworks and includes several independent processes and systems. It requires that
firms implement secure data governance systems and perform threat modeling to
identify cyber risk areas.

What Comprises the Risk Management Framework?

The general concept of “risk management” and the “risk management framework”
might appear to be quite similar, but it is important to understand the distinction
between the two. The risk management process is specifically detailed by NIST in
several subsidiary frameworks. The most important is the elegantly titled “NIST SP

29
800-37 Rev.1”, which defines the RMF as a 6-step process to architect and engineer
a data security process for new IT systems, and suggests best practices and
procedures each federal agency must follow when enabling a new system.
In addition to the primary document SP 800-37, the RMF uses supplemental
documents SP 800-30, SP 800-53, SP 800-53A, and SP 800-137:
NIST SP 800-30, entitled Guide for Conducting Risk Assessments, provides an
overview of how risk management fits into the system development life cycle (SDLC)
and describes how to conduct risk assessments and how to mitigate risks.
NIST SP 800-37 discusses the risk management framework itself and contains much
of the information we’ll cover in the remainder of this guide.
Finally, NIST SP 800-39, titled Managing Information Security Risk, defines the multi-
tiered, organization-wide approach to risk management crucial for reaching
compliance with the RMF.

The 5 Risk Management Components

30
When getting started with the RMF, it can be useful to break the risk management
requirements into different categories. These categories provide a way of working
toward an effective risk management system, from identifying the most critical risks
you face to how you will mitigate them.
Risk Identification
The first, and arguably the most important, part of the RMF is to perform risk
identification. NIST says, “the typical risk factors include threat, vulnerability, impact,
likelihood, and predisposing condition.” During this step, you will brainstorm all the
possible risks you can imagine across all of your systems and then prioritize them
using different factors:
Threats are events that could potentially harm the organization by intrusion,
destruction, or disclosure. Vulnerabilities are weaknesses in the IT systems, security,
procedures, and controls that can be exploited by bad actors (internal or external).
Impact is a measurement of how severe the harm to the organization would be if a
particular vulnerability or threat is compromised.
Likelihood is a measurement of the risk factor based on the probability of an attack on
a specific vulnerability.
Predisposing conditions are a specific factor inside the organization that either
increases or decreases the impact or likelihood that a vulnerability will come into play.
Risk Measurement and Assessment
Once you have identified the threats, vulnerabilities, impact, likelihood, and
predisposing conditions, you can calculate and rank the risks your organization needs
to address.
Risk Mitigation
Organizations take the previous ranked list and start to figure out how to mitigate the
threats from the greatest to the least. At some point in the list, the organization can
decide that risks below this level are not worth addressing, either because there is little
likelihood of that threat getting exploited, or if there are too many greater threats to
manage immediately to fit the low threats into the work plan.
Risk Reporting and Monitoring
The RMF requires that organizations maintain a list of known risks and monitor known
risks for compliance with the policies. Statistics on data breaches indicate that many
companies still do not report all of the successful attacks they are exposed to, which
could impact their peers.
Risk Governance
Finally, all of the steps above should be codified into a risk governance system.

31
 The 6 Risk Management Framework (RMF) Steps

At the broadest level, RMF requires companies to identify which system and data
risks they are exposed to and implement reasonable measures to mitigate them. The
RMF breaks down these objectives into six interconnected but separate stages.
1. Categorize Information Systems
Use NIST standards to categorize information and systems so you can provide an
accurate risk assessment of those systems.
NIST tells you what kinds of systems and information you should include.
And what level of security you need to implement based on the categorization.

2. Select Security Controls

Select the appropriate security controls from the NIST publication 800-53 to “facilitate
a more consistent, comparable, and repeatable approach for selecting and specifying
security controls for systems.”

32
3. Implement Security Controls
Put the controls you selected in the previous step in place and document all the
processes and procedures you need to maintain their operation.

4. Assess Security Controls

Make sure the security controls you implemented are working the way they need to so
you can limit the risks to your operation and data.

5. Authorize Information Systems

Are the security controls working correctly to reduce the risk to the organization? Then
that control on that system is authorized! Congrats!

6. Monitor Security Controls

Continuously monitor and assess the security controls for effectiveness and make
changes during operation to ensure those systems’ efficacy. Document any changes,
conduct regular impact analysis, and report security controls’ status to your designated
officials.
How Can An Effective Risk Management Framework Benefit A Business?
Though the RMF is a requirement for businesses working with the US Government,
implementing an effective risk management system can benefit any companies. The
ultimate goal of working toward RMF compliance is the creation of a data and asset
governance system that will provide full-spectrum protection against all the cyber risks
you face. More specifically, developing a practical risk management framework will
provide a company with several specific benefits:
Asset Protection
An effective risk management framework will prioritize understanding the risks that
your business faces to take the necessary steps to protect your assets and your
business. This means that a comprehensive risk management framework will help you
protect your data and your assets.

33
Reputation Management
Reputation management is an essential part of modern business practices, and
limiting the detrimental consequences of cyber attacks is an integral part of ensuring
that your reputation is protected. Consumers in the US are increasingly aware of data
privacy’s importance, not just because US privacy laws are becoming increasingly
strict. A data breach will damage your business’ reputation. An effective risk
management framework can help companies quickly analyze gaps in enterprise-level
controls and develop a roadmap to reduce or avoid reputational risks.
IP Protection
Almost every company has intellectual property that must be protected, and a risk
management framework applies just as much to this property as your data and assets.
If you sell, offer, distribute, or provide a product or service that gives you a competitive
edge, you are exposed to potential Intellectual Property theft. A risk management
framework helps protect against potential losses of competitive advantage, business
opportunities, and even legal risks.
Competitor Analysis
Finally, developing a risk management framework can have beneficial impacts on the
fundamental operation of your business. By cataloging the risks you face and taking
measures to mitigate them, you will also be gathering a wealth of valuable information
on the market that you operate within, and this – in itself – can give you a competitive
advantage over your peers.

Lesson 2: Risk Management Strategies and Approaches

What is a Risk Management Strategy?
A risk management strategy provides a structured and coherent approach to
identifying, assessing and managing risk.
It builds in a process for regularly updating and reviewing the assessment based on
new developments or actions taken. A risk management strategy can be developed
and implemented by even the smallest of groups or projects or built into a complex
strategy for a multi-site international organization.
The process of identifying and reviewing the risks that you face is known as risk
assessment. By assessing risks you are able to be actively aware of where
uncertainty surrounding events or outcomes exists and identifying steps that can be
taken to protect the organization, people and assets concerned. How this is achieved
and the level of detail which is considered can vary between organizations. In many
circumstances, where staff or volunteers have a more hands-on role in the
organization, the Management Committee may not carry out the risk assessment
themselves.

34
Example 1:
Implementing a risk management strategy in a small organization
Lone Fathers Action Group set aside one committee meeting per year to review the
major risks faced by the group. One committee member has responsibility for risk
management and facilitates the discussion. They ensure that the discussion is
documented and use subsequent meetings to check progress against actions are then
followed up in subsequent meetings. Every 6 months this committee member reports
to the committee on any changes in the levels of risk faced.
Example 2:
Implementing a risk management strategy in a large organization
In Tree Conservation International, risk management is one of the key responsibilities
of the Assistant Director. They provide training for each manager within the
organization to ensure that risk assessment is built into their working practices and to
enable them to carry out annual risk assessments of each project, using the
organization’s templates. These are then collated by the Assistant Director to enable
Senior Managers to discuss and assess the overall risks to the organization. A
prioritized profile of the top 30 risks is then presented to the Management Committee
for their consideration to ensure they are happy to accept the risks to the organization
and approve the actions being taken. This process usually takes 2 months. Progress
is reviewed after 6 months with a report sent to the Management Committee. Risks
are reassessed annually.
Conducting risk assessment
Regardless of who carries it out, risk assessment should be:
• systematic;
• recorded; and
• regularly reviewed.

As a Management Committee, you will want to concern yourself most with identifying
and managing major risks.
"Major risks are those risks which have a high likelihood of occurring and would, if they
occurred, have a severe impact on operational performance, achievement of aims and
objectives or could damage the reputation of the charity, changing the way
management committee members, supporters or beneficiaries might deal with the
charity."
(Charity Commission for England and Wales Guidance)
However, it is sensible and good practice to ensure that risk assessment forms an
integral part of management and planning for the whole organization and its projects.

35
 REFERENCES

Petters, J. (2021). Risk management framework (RMF): An overview. Varonis.

Retrieved from https://www.varonis.com/blog/risk-management-framework/

What is a Risk Management Strategy? (n.d). DIY Committee Guide. Retrieved from
https://www.diycommitteeguide.org/resource/what-a-risk-management-
strategy#:~:text=A%20risk%20management%20strategy%20provides,new%20devel
opments%20or%20actions%20taken.

ACTIVITIES / ASSESSMENTS
Essay

1. How do you think risk management framework contribute to the organization?

What’s its purpose?

2. What can you do to stay current on the latest strategies and approaches in risk
management?

36
 UNIT V: PROCESSES AND STRUCTURES IN RISK MANAGEMENT

UNIT OVERVIEW
"Here's the essence of risk management: Risk no more than you can afford to lose,
and also risk enough so that a win is meaningful. If there is no such amount, don't
play." - Ed Seykota

This unit will unfold further concepts and terms about risks and risk management. Also,
this unit will allow the students to explore and be acquainted with the different risk
management tools and techniques. Likewise, this will also educate students about the
effectiveness of risk management structures and procedures.

LEARNING OUTCOME: After a successful completion of this unit, you should be able
to:

• Develop understanding and awareness of the tools and techniques in risk

management
• Assess ways on how risk managers and project members can ensure that the
risk management processes and structures are being followed and practiced
correctly

COURSE MATERIALS
Lesson 1: Risk Management Tools and Techniques

Risk is a part of every project that an organization takes on. If companies do not take
risks as a part of their project management strategy, they become more likely to miss
their project deadline. This is why planning for risks as a part of a project management
strategy is crucial. Only 27% of organizations can say that they ‘always’ use risk
management practices in their project, while 35% use them only ‘sometimes’.

To be able to successfully manage risks within projects, there are a few techniques
organizations can implement as a part of their project management process listed
below.

Risk Management Tools & Techniques for Project Management

Mentioned below are some of the most widely used tools and techniques by project
managers to ensure that they implement risk management along with their project
management strategies successfully. This will help in protecting projects against the
many risks they could face as well as other issues and challenges.

37
Brainstorming
Before any project begins, the first step is to plan a strategy. For this, the team
members conduct brainstorming sessions with the project manager. This
brainstorming session needs to include all the risks that could impact the project’s
completion and success.

The steps involved in this brainstorming process are:

• Reviewing all project documentation

• Overseeing all historic data and information about risks from previous projects
that are similar to the current one
• Reading over articles related to the risks involved
• Understanding all organizational process assets
• Any information available that will give insight into the issues that might occur
while the project is going on
The project manager can also get in touch with experts, team members and other
stakeholders who might have experience with handling risk in similar projects.

Root Cause Analysis

This is a technique to help project members identify all the risks that are embedded in
the project itself. Conducting a root cause analysis shows the responsiveness of the
team members in risk management. It is normally used once a problem arises so that
the project members can address the root cause of the issue and resolve it instead of
just treating its symptom. It answers questions such a: What happened? Why did it
happen? How? Once these questions are answered, it becomes easier to develop a
plan of action so that it does not happen again in the future.

SWOT Analysis
SWOT is an analysis to measure the strengths, weaknesses, opportunities, and
threats to a project. This tool can be used to identify risks as well. The first step is to
start with the strengths of the project. Then team members need to list out all the
weaknesses and other aspects of the project that could be improved. Here is where
the risks of the project will surface. Opportunities and threats can also be used to
identify positive risks and negative risks respectively.

All findings need to be put on a grid to make analysis and cross-referencing easier.

Risk Assessment Template for IT

66% of financial institutions believe that collaboration between business operations,
such as projects, and risk management is a top priority when it comes to enterprise

38
risk management. There are some techniques that are used for other departments that
can be used to manage risks within a project as well.
A risk assessment template is usually made for IT processes in an organization, but it
can be implemented in any project in the company. This assessment gives a list of
risks in an orderly fashion. It is a space where all the risks can be collected in one
place. This is helpful when it comes to project execution and tracking risks that become
crises.

The risk assessment template comes with figures and probabilities of any risk
occurring, along with the impact it will have on the project. This way the project
manager and the team members are fully aware of the potential harm of any risk and
the likelihood of it occurring.

Probability and Impact Matrix

Project managers can also use the probability and impact matrix to help in prioritizing
risks based on the impact they will have. It helps with resource allocation for risk
management. This technique is a combination of the probability scores and impact
scores of individual risks. After all the calculations are over, the risks are ranked based
on how serious they are. This technique helps put the risk in context with the project
and helps in creating plans for mitigating it.

Risk Data Quality Assessment

When project managers use the risk data quality assessment method, they utilize all
the collected data for identified risks and find details about the risks that could impact
the project. This helps project managers and team members understand the accuracy
and quality of the risk based on the data collected.

The data quality assessment is used to improve the project manager’s understanding
of the risks the project could face as well as collect all the information about the risk
possible. By examining these parameters, they can come up with an accurate
assessment of the risk.

Variance and Trend Analysis

Just like other control processes in the project, it helps when project managers look
for variances that exist between the schedule of the project and cost and compare
them with the actual results to see if they are aligned or not. If the variances rise,
uncertainty and risk also rise simultaneously. This is a good way of monitoring risks
while the project is underway. It becomes easy to tackle problems if project members
watch trends regularly to look for variances.

39
Reserve Analysis
While planning the budget for the project, contingency measures and some reserves
should be in place as a part of the budget. This is to keep a safeguard if risks occur
while the project is ongoing. These financial reserves are a backup that can be used
to mitigate risks during the project.

Final Thoughts
The techniques mentioned above can be used to manage risks in the project. Some
of them are used before the project even begins, and some can be used while the
project is ongoing. To be able to understand the risks to the project and utilize these
tools and techniques to their full potential, the project members need to be fully aware
of the risks present. This can only happen when they have prior knowledge and
training in managing risks in a project. This way they can easily understand the issues
and risks to a project and take appropriate action on time.

Lesson 2: Risk Management Processes and Structures

Managing risks on projects is a process that includes risk assessment and a mitigation
strategy for those risks. Risk assessment includes both the identification of potential
risk and the evaluation of the potential impact of the risk. A risk mitigation plan is
designed to eliminate or minimize the impact of the risk events—occurrences that
have a negative impact on the project. Identifying risk is both a creative and a
disciplined process. The creative process includes brainstorming sessions where the
team is asked to create a list of everything that could go wrong. All ideas are welcome
at this stage with the evaluation of the ideas coming later.

Risk Identification

A more disciplined process involves using checklists of potential risks and evaluating
the likelihood that those events might happen on the project. Some companies and
industries develop risk checklists based on experience from past projects. These
checklists can be helpful to the project manager and project team in identifying both
specific risks on the checklist and expanding the thinking of the team. The past
experience of the project team, project experience within the company, and experts in
the industry can be valuable resources for identifying potential risk on a project.

Identifying the sources of risk by category is another method for exploring potential
risk on a project. Some examples of categories for potential risks include the following:

• Technical
• Cost
• Schedule
• Client
• Contractual

40
 • Weather
• Financial
• Political
• Environmental
• People

The people category can be subdivided into risks associated with the people.
Examples of people risks include the risk of not finding the skills needed to execute
the project or the sudden unavailability of key people on the project. David
Hillson1 uses the same framework as the work breakdown structure (WBS) for
developing a risk breakdown structure (RBS). A risk breakdown structure organizes
the risks that have been identified into categories using a table with increasing levels
of detail to the right.

Risks in John’s Move

In John’s move, John makes a list of things that might go wrong with his project and
uses his work breakdown structure as a guide. A partial list for the planning portion of
the RBS is shown in Figure 11.1.

Figure 11.1 Risk Breakdown Structure (RBS)

41
The result is a clearer understanding of where risks are most concentrated. Hillson’s
approach helps the project team identify known risks, but can be restrictive and less
creative in identifying unknown risks and risks not easily found inside the work
breakdown structure.

Risk Evaluation

After the potential risks have been identified, the project team then evaluates the risk
based on the probability that the risk event will occur and the potential loss associated
with the event. Not all risks are equal. Some risk events are more likely to happen than
others, and the cost of a risk event can vary greatly. Evaluating the risk for probability
of occurrence and the severity or the potential loss to the project is the next step in the
risk management process.

Having criteria to determine high impact risks can help narrow the focus on a few
critical risks that require mitigation. For example, suppose high-impact risks are those
that could increase the project costs by 5% of the conceptual budget or 2% of the
detailed budget. Only a few potential risk events met these criteria. These are the
critical few potential risk events that the project management team should focus on
when developing a project risk mitigation or management plan. Risk evaluation is
about developing an understanding of which potential risks have the greatest
possibility of occurring and can have the greatest negative impact on the project.
These become the critical few.

42
Figure 11.2 Risk and Impact

There is a positive correlation—both increase or decrease together—between project

risk and project complexity. A project with new and emerging technology will have a
high-complexity rating and a correspondingly high risk. The project management team
will assign the appropriate resources to the technology managers to assure the
accomplishment of project goals. The more complex the technology, the more
resources the technology manager typically needs to meet project goals, and each of
those resources could face unexpected problems.

Risk evaluation often occurs in a workshop setting. Building on the identification of the
risks, each risk event is analyzed to determine the likelihood of occurring and the
potential cost if it did occur. The likelihood and impact are both rated as high, medium,
or low. A risk mitigation plan addresses the items that have high ratings on both
factors—likelihood and impact.

43
Risk Analysis of Equipment Delivery
A project team analyzed the risk of some important equipment not arriving to the
project on time. The team identified three pieces of equipment that were critical to the
project and would significantly increase the costs of the project if they were late in
arriving. One of the vendors, who was selected to deliver an important piece of
equipment, had a history of being late on other projects. The vendor was good and
often took on more work than it could deliver on time. This risk event (the identified
equipment arriving late) was rated as high likelihood with a high impact. The other two
pieces of equipment were potentially a high impact on the project but with a low
probability of occurring.

Not all project managers conduct a formal risk assessment on the project. One reason,
as found by David Parker and Alison Mobey2 in their phenomenological study of
project managers, was a low understanding of the tools and benefits of a structured
analysis of project risks. The lack of formal risk management tools was also seen as
a barrier to implementing a risk management program. Additionally, the project
manager’s personality and management style play into risk preparation levels. Some
project managers are more proactive and will develop elaborate risk management
programs for their projects. Other managers are reactive and are more confident in
their ability to handle unexpected events when they occur. Yet others are risk averse,
and prefer to be optimistic and not consider risks or avoid taking risks whenever
possible.

On projects with a low complexity profile, the project manager may informally track
items that may be considered risk items. On more complex projects, the project
management team may develop a list of items perceived to be higher risk and track
them during project reviews. On projects with greater complexity, the process for
evaluating risk is more formal with a risk assessment meeting or series of meetings
during the life of the project to assess risks at different phases of the project. On highly
complex projects, an outside expert may be included in the risk assessment process,
and the risk assessment plan may take a more prominent place in the project
execution plan.

On complex projects, statistical models are sometimes used to evaluate risk because
there are too many different possible combinations of risks to calculate them one at a
time. One example of the statistical model used on projects is the Monte Carlo
simulation, which simulates a possible range of outcomes by trying many different
combinations of risks based on their likelihood. The output from a Monte Carlo
simulation provides the project team with the probability of an event occurring within a
range and for combinations of events. For example, the typical output from a Monte
Carlo simulation may reflect that there is a 10% chance that one of the three important
pieces of equipment will be late and that the weather will also be unusually bad after
the equipment arrives.

44
Risk Mitigation

After the risk has been identified and evaluated, the project team develops a risk
mitigation plan, which is a plan to reduce the impact of an unexpected event. The
project team mitigates risks in the following ways:

• Risk avoidance
• Risk sharing
• Risk reduction
• Risk transfer

Each of these mitigation techniques can be an effective tool in reducing individual risks
and the risk profile of the project. The risk mitigation plan captures the risk mitigation
approach for each identified risk event and the actions the project management team
will take to reduce or eliminate the risk.

Risk avoidance usually involves developing an alternative strategy that has a higher
probability of success but usually at a higher cost associated with accomplishing a
project task. A common risk avoidance technique is to use proven and existing
technologies rather than adopt new techniques, even though the new techniques may
show promise of better performance or lower costs. A project team may choose a
vendor with a proven track record over a new vendor that is providing significant price
incentives to avoid the risk of working with a new vendor. The project team that
requires drug testing for team members is practicing risk avoidance by avoiding
damage done by someone under the influence of drugs.

Risk sharing involves partnering with others to share responsibility for the risk
activities. Many organizations that work on international projects will reduce political,
legal, labor, and others risk types associated with international projects by developing
a joint venture with a company located in that country. Partnering with another
company to share the risk associated with a portion of the project is advantageous
when the other company has expertise and experience the project team does not
have. If the risk event does occur, then the partnering company absorbs some or all
of the negative impact of the event. The company will also derive some of the profit or
benefit gained by a successful project.

Risk reduction is an investment of funds to reduce the risk on a project. On

international projects, companies will often purchase the guarantee of a currency rate
to reduce the risk associated with fluctuations in the currency exchange rate. A project
manager may hire an expert to review the technical plans or the cost estimate on a
project to increase the confidence in that plan and reduce the project risk. Assigning
highly skilled project personnel to manage the high-risk activities is another risk
reduction method. Experts managing a high-risk activity can often predict problems
and find solutions that prevent the activities from having a negative impact on the
project. Some companies reduce risk by forbidding key executives or technology
experts to ride on the same airplane.

45
Risk transfer is a risk reduction method that shifts the risk from the project to another
party. The purchase of insurance on certain items is a risk transfer method. The risk
is transferred from the project to the insurance company. A construction project in the
Caribbean may purchase hurricane insurance that would cover the cost of a hurricane
damaging the construction site. The purchase of insurance is usually in areas outside
the control of the project team. Weather, political unrest, and labor strikes are
examples of events that can significantly impact the project and that are outside the
control of the project team.

Contingency Plan

The project risk plan balances the investment of the mitigation against the benefit for
the project. The project team often develops an alternative method for accomplishing
a project goal when a risk event has been identified that may frustrate the
accomplishment of that goal. These plans are called contingency plans. The risk of a
truck drivers’ strike may be mitigated with a contingency plan that uses a train to
transport the needed equipment for the project. If a critical piece of equipment is late,
the impact on the schedule can be mitigated by making changes to the schedule to
accommodate a late equipment delivery.

Contingency funds are funds set aside by the project team to address unforeseen
events that cause the project costs to increase. Projects with a high-risk profile will
typically have a large contingency budget. Although the amount of contingency
allocated in the project budget is a function of the risks identified in the risk analysis
process, contingency is typically managed as one line item in the project budget.

Some project managers allocate the contingency budget to the items in the budget
that have high risk rather than developing one line item in the budget for contingencies.
This approach allows the project team to track the use of contingency against the risk
plan. This approach also allocates the responsibility to manage the risk budget to the
managers responsible for those line items. The availability of contingency funds in the
line item budget may also increase the use of contingency funds to solve problems
rather than finding alternative, less costly solutions. Most project managers, especially
on more complex projects, will manage contingency funds at the project level, with
approval of the project manager required before contingency funds can be used.

KEY TAKEAWAYS

• Risk management is a creative process that involves identifying, evaluating,

and mitigating the impact of the risk event.
• Risk management can be very formal, with defined work processes, or informal,
with no defined processes or methods. Formal risk evaluation includes the use
of checklists, brainstorming, and expert input. A risk breakdown structure (RBS)
can follow the work breakdown structure (WBS) to identify risk by activity.

46
 • Risk evaluation prioritizes the identified risks by the likelihood and the potential
impact if the event happens.
• Risk mitigation is the development and deployment of a plan to avoid, transfer,
share, and reduce project risk. Contingency planning is the development of
alternative plans to respond to the occurrence of a risk event.

REFERENCES

Brown, L. (n.d). Risk management tools and techniques. Invensis Global Learning
Services. Retrieved from
https://www.google.com/amp/s/www.invensislearning.com/blog/risk-management-
tools-techniques-in-pm/amp/

Risk Management Process (n.d). Pressbooks. Retrieved from

https://pm4id.org/chapter/11-2-risk-management-process/#navigation

ACTIVITIES / ASSESSMENTS
Essay
1. Why is there a need to understand and be aware of the risks to the project and
utilize tools and techniques?
2. How can a risk managers and project members ensure that the risk management
processes and structures are being followed and practiced correctly?

47
 UNIT VI: THE ROLES AND RESPONSIBILITIES OF A RISK MANAGER

UNIT OVERVIEW
"The first step in the risk management process is to acknowledge the reality of risk.
Denial is a common tactic that substitutes deliberate ignorance for thoughtful
planning." - Charles Tremper

This unit talks about the job description and guide of a risk manager. Also, this unit
clarifies the duties and responsibilities of a risk manager especially in dealing with
unexpected troubles in the organization. Likewise, this will also introduce students to
the important job qualifications and requirements that a future risk manager must
attain.
LEARNING OUTCOME: After a successful completion of this unit, you should be able
to:
• Interpret the job description of a risk manager
• Differentiate the duties and responsibilities of a risk manager
• Review the job qualifications and requirements for a risk manager
COURSE MATERIALS
Lesson 1: Job Description and Guide

The role of a Risk Manager is to communicate risk policies and processes for an
organization. They provide hands-on development of risk models involving market,
credit and operational risk, assure controls are operating effectively, and provide
research and analytical support. Risk Managers must have excellent quantitative and
analytical skills, along with the ability to apply those skills across a variety of business
processes.
A Risk Manager is held accountable for analyzing, assessing, and handling the risks
faced by the organization. They assist the organizations regarding any sort of risks
that might affect the profitability of the organization and develop strategies and
processes for managing those business risks and ensure successful business
continuity. The job role of Risk Manager is quite essential for successful running of a
business.
The foremost task of the Risk Manager is to gather the data and carry out
investigations to recognize the risks that an organization might be exposed to. As a
part of the investigation process, the Risk Managers should analyze key risk indicators
(KRI) and conduct what-if-analyses to determine the concerns if the risks identified in
the process are about to occur. A few of the concerns/consequences include
threat/leaking organization’s confidential information, financial loss, and damage to the
organization’s assets.

Risk Managers are also involved in implementing control systems and action plans for
safeguarding the organization’s assets and resources. This is done through mitigating
risks and potential damage caused.

48
The steps taken by the Risk Manager in mitigating the risk varies from organization to
another. Some of the measures taken include defining crisis management, designing
business continuity plans, introducing operation protocols, insurance coverage, and
updating the procedures correlating to the latest best practices.

Lesson 2: Duties and Responsibilities

The duties under a Risk Management job description include the following:

• Designing and implementing an overall risk management process for the

organization, which includes an analysis of the financial impact on the company
when risks occur
• Performing a risk assessment: Analyzing current risks and identifying potential
risks that are affecting the company
• Performing a risk evaluation: Evaluating the company’s previous handling of
risks, and comparing potential risks with criteria set out by the company such
as costs and legal requirements
• Establishing the level of risk the company are willing to take
• Preparing risk management and insurance budgets
• Risk reporting tailored to the relevant audience. (Educating the board of
directors about the most significant risks to the business; ensuring business
heads understand the risks that might affect their departments; ensuring
individuals understand their own accountability for individual risks)
• Explaining the external risk posed by corporate governance to stakeholders
• Creating business continuity plans to limit risks
• Implementing health and safety measures, and purchasing insurance
• Conducting policy and compliance audits, which will include liaising with internal
and external auditors
• Maintaining records of insurance policies and claims
• Reviewing any new major contracts or internal business proposals
• Building risk awareness amongst staff by providing support and training within
the company
• Provide a methodology to identify and analyze the financial impact of loss to
the organization, employees, the public, and the environment.
• Examine the use of realistic and cost-effective opportunities to balance
retention programs with commercial insurance.
• Prepare risk management and insurance budgets and allocate claim costs
and premiums to departments and divisions.
• Provide for the establishment and maintenance of records including insurance
policies, claim and loss experience.
• Assist in the review of major contracts, proposed facilities, and/or new
program activities for loss and insurance implications.
• In cooperation with General Counsel, maintain control over the claims process
to assure that claims are being settled fairly, consistently, and in the best
interest of the entity.
• Identifying and analyzing various risks (e.g. business, financial)

49
 • Developing risk management controls and contingency plans
• Communicating recommendations to management
• Conduct assessments to define and analyze possible risks
• Evaluate the gravity of each risk by considering its consequences
• Audit processes and procedures
• Develop risk management controls and systems
• Design processes to eliminate or mitigate potential risks
• Create contingency plans to manage crises
• Evaluate existing policies and procedures to find weaknesses
• Prepare reports and present recommendations
• Help implement solutions and plans
• Evaluate employees’ risk awareness and train them when necessary

Lesson 3: Job Qualifications and Requirements

A degree in the following subjects is not vital but can be included in a job description:

• Risk Management
• Management or Business Studies
• Finance or Economics
• Science
• Statistics
• Engineering
• Law

Postgraduate degrees are not mandatory, but may also be beneficial.

If a candidate does not have a degree, a career in risk management is certainly still
possible, but would mean working up the career path, likely starting at an
administrative level.

When compiling a Risk Management job description, it’s important to also display the
following skills:

• Analytical skills and an eye for detail

• Commercial awareness
• Numerical skills
• Planning and organizational skills
• Ability to understand broader business issues
• Communication and presentation skills

50
To kick start your career as a Risk manager, typically you need to possess a degree
in-

• Statistics
• Business and Finance
• Economics
• IT
• Mathematics
In addition to having a degree in the above fields, it’s equally essential to have
knowledge in wide areas like corporate governance, internal audit quality assurance,
security, regulatory compliance, risk management, and data analytics. This job role
requires ample experience in risk management roles.

Organization in the IT and engineering domain requires Risk Managers to have

technical knowledge and specialized qualification in the field. Risk Managers should
think outside the box otherwise the risks might be unnoticeable to others.

Having a post-graduation can be advantageous though it is not essential. Even if you

don’t have a degree still it’s possible to start your career in risk management, but with
the administrative role before you start progressing towards higher levels. Employers
expect equivalent qualification/experience to enter this position.

What skills do you need to become a Risk Manager?

Now let’s take a look at the specific skills need to become a risk manager

• Should possess ample knowledge of risk assessment models.

• Should possess awareness of statistical tools and auditing and reporting
procedures.
• Should possess the ability to execute office automation tools and risk
monitoring and testing procedures.
• Should possess attention to minute details.
• Should possess exceptional verbal and communication skills.
• Should possess time management and organizational skills.
• Should possess negotiation and diplomacy skills.
• Proven experience as a Risk Manager
• Knowledge of risk assessment and control
• Experience with auditing and reporting procedures

51
 • Familiarity with industry compliance standards and regulations (e.g.
Occupational Safety and Health Act)
• Strong computer and research skills; knowledge of analysis software is
preferred
• Analytical mind with problem-solving aptitude
• Excellent communication and presentation skills
• BSc/BA in Law, Business, Finance or a related field
• Professional Risk Manager (PRM) certification is a plus

Apart from having these key skills to become a Risk Manager, professionals need to
reskill and upskill by taking part in widely-recognized IT Security and Governance
courses to gain a competitive edge in the job market and also to have a holistic
understanding of enterprise risk management.

REFERENCES
Horvath, I. (n.d). Roles and Responsibilities of a Risk Manager. Invensis Learning.
Retrieved from https://www.google.com/amp/s/www.invensislearning.com/blog/risk-
manager-roles-and-responsibilities/

Risk Management Job Description Guide (n.d). Retrieved from

https://www.roberthalf.com.au/employers/financial-services/risk-management-
jobs#:~:text=Risk%20Management%20job%20description%20guide,provide%20res
earch%20and%20analytical%20support.

Risk manager Job Description (n.d). Workable. Retrieved from

https://resources.workable.com/risk-manager-job-description#

Risk Management Job Description Guide (n.d). Retrieved from

https://www.roberthalf.com.au/employers/financial-services/risk-management-
jobs#:~:text=Risk%20Management%20job%20description%20guide,provide%20res
earch%20and%20analytical%20support

Roles and Responsibilities in Risk Management (n.d). Marquette University. Retrieved

from https://www.marquette.edu/riskunit/riskmanagement/roles.shtml

ACTIVITIES / ASSESSMENTS
Essay
Imagine yourself as an aspiring risk manager and answer the following questions
below:
1. Can you accurately explain the main role of a risk manager? Expound your answer.
2. How can you mitigate risk?

52
 UNIT VII: INTEGRATION OF RISK MANAGEMENT IN THE SOCIETY

UNIT OVERVIEW

"In financial services, if you want to be the best in the industry, you first have to be the
best in risk management and credit quality. It's the foundation for every other measure
of success. There's almost no room for error." - John G. Stumpf

This unit will describe how risk management works in the different areas of the
corporate world. Also, this unit will allow the students to understand how risk
management is being valued and implemented in Entrepreneurship, Organization, and
Finance. Likewise, this will also introduce students to some basic concept and
information regarding the integration of risk management in the society.

LEARNING OUTCOME: After a successful completion of this unit, you should be able
to:
• Relate how risk management is being practiced in the society
• Explain the advantages and benefits of risk management in different areas
• Distinguish the importance of risk management in Entrepreneurship,
Organization, and Finance

COURSE MATERIALS

Lesson 1: Risk Management in Entrepreneurship

Businesses face many risks, therefore risk management should be a central part of
any business' strategic management. Risk management helps you to identify and
address the risks facing your business and in doing so increase the likelihood of
successfully achieving your businesses objectives.
A risk management process involves:
• methodically identifying the risks surrounding your business activities
• assessing the likelihood of an event occurring
• understanding how to respond to these events
• putting systems in place to deal with the consequences
• monitoring the effectiveness of your risk management approaches and controls

As a result, the process of risk management:

-improves decision-making, planning and prioritization
-helps you allocate capital and resources more efficiently
-allows you to anticipate what may go wrong, minimizing the amount of
firefighting you have to do or, in a worst-case scenario, preventing a
disaster or serious financial loss
- significantly improves the probability that you will deliver your business
plan on time and to budget
Risk management becomes even more important if your business decides to try
something new, for example launch a new product or enter new markets. Competitors

53
following you into these markets, or breakthroughs in technology which make your
product redundant, are two risks you may want to consider.

When you're just getting started and attempting to evaluate the risks involved with the
particular business you want to launch, it's important to understand that
every business venture--regardless of economic climate, market conditions, products,
personnel and capitalization--has risks. Once you assess those risks, you can begin
taking steps to reduce them. Start by taking these actions:
Research similar businesses. Look at their locations, advertising, staff
requirements, hours they're open and their equipment. This preliminary analysis of
your competition is a gold mine of important information.

Evaluate current market trends. What seemed like a hot idea over the past few
months might have been a fad. Find last year's phone book and call several new
businesses. Are they still around? (If you live in a small community or want to expand
your research, your local telephone company or local library may have phone books
from other cities.)

Know your strengths and preferences. Is this type of business a good fit? Does it
capitalize on your strengths? To compensate for areas that you have little or no
expertise in, can you fill in the gaps either with staff members, partners, or consultants?

Examine your family budget. How big a financial cushion do you have, in case your
financial projections show that you won't be able to draw a paycheck for the first year?
What other income can you reasonably expect while you're in the start-up phase? It
always helps if your spouse or partner has a full-time job with health-
insurance coverage and other benefits through his or her employer. Remember that
you're not in this alone and realize that your family is there for you, to share the benefits
as well as the risks. To ensure their support, make sure they understand exactly what
you're doing, and why.

Know how changes in the economy will affect your business. What would happen
to a business in your industry if inflation rose by two points? How has your type of
business performed in various economic conditions? If the business is a seasonal one,
will patrons of your business travel or spend less?

Write a business plan. Your business plan will help you shape your business,
determine your financing needs, evaluate your competition, and figure out marketing
strategies. It enables you to foresee problems and make a plan to avoid them-in short,
becoming a valuable management tool in running your business.

54
Once you've launched your business, recognizing the risks in all areas of your
business--management, marketing, contracts, personnel, and the particular
ramifications of your product or service on customers and the market--is the first step
in effective risk management. Follow these steps before talking to an insurance
representative about the type of coverage you need for your business:

• Make a list of the risks your business faces.

• Evaluate your liabilities from your customers' point of view.
• Chart the customers' path as they come into contact with your shop--across the
sidewalk, through the door, under the ceiling fan, up to your counter, and so on.

After identifying the risks inherent to your business, estimate the probability of financial
loss in various situations that could go wrong. Develop a worst-case scenario and put
a price tag on it: shop damage, employee injuries or harm to a customer because of
your product or service. Next, determine the most economical way to handle the
possible losses, considering the following avenues:

Assumption means assuming the risk and the accompanying financial

burdens. Sometimes absorbing a risk is prudent. If you're a one-person graphic-
design business, no employees are going to be injured on the job. Nor are you likely
to be sued for personal injury if clients infrequently visit your office. However, if you
own a bakery that employs 30 people, you'd best not assume any risks pertaining to
employees getting injured on the job or a customer tossing their cookies because of
eating one of yours.

Avoidance means removing the cause of risk. If a caustic material is making

employees hesitant and fearful, replace it with a nonhazardous substance. The cost
is small compared to what you'd pay if an accident happened. An organized company
safety program that implements suggestions from employees and insurance safety
representatives can also help eliminate potentially dangerous situations in your
business.
Loss reduction is the transfer of the risk to another party altogether. When your
own delivery service has problems--tardiness, damaged goods, mechanical
breakdowns, and employee hassles-consider contracting a delivery service to take all
the headaches away. Similar circumstances include contracting for maintenance,
electrical, plumbing, carpentry, bookkeeping, landscaping, and security. Such actions
are a form of insurance because you have shifted the risk and responsibility to another
party for a negotiated fee.

However, shifting the risk and responsibility doesn't necessarily shift the
liability. When the new landscaping crew improperly installs a sprinkler head causing

55
water damage to the inside of a nearby Jaguar, you can hold the landscaping firm
liable, but the man who falls into the cactus plant by the front office and injures himself
will hold you liable for planting it there. Know what your potential liabilities are and
make sure you're covered.

Self-insurance entails setting aside a specified amount of money into a reserve

fund each year to cover any losses incurred. The owner holds the cash in this
reserve fund, rather than paying premiums to an insurance company. In practice, this
method is risky for small firms that could experience a large loss. If the reserve fund is
not large enough to cover that loss, the company will be sunk. A growing business
with several geographically diverse units is more suited for self-insurance, as are big
nonprofit organizations like school systems.

These methods can be used to offset some of risks a business faces. Some
areas of risk, however, require the transfer of that risk through insurance, to make sure
your business is protected and not overly exposed.

Sound insurance planning requires attention on all fronts. The usual, plain-vanilla
insurance packages need to be complemented by additional special coverages
relevant to your business. Cover your largest loss exposure first: the lives and health
of you and your employees, the most valuable assets your company has.

Entrepreneurship generally entails a certain degree of risk-taking. As

such, entrepreneurs understand that they must be willing to take a risk in pursuit of
potential profits. They realize that in order to achieve their strategic plan, some degree
of risk-taking is necessary.

Risk management is often thought of as the mitigation of uncertainty in the market,

including aspects such as consumer behavior and the response of competitors. While
entrepreneurs should clearly strive to prevent or avoid certain risks, they should also
remember that some risk is inevitable, necessary, and — when well-managed —
beneficial in the long run.

First-time startup leaders and more seasoned entrepreneurs must develop a mindset
for risk management. Here are a few suggestions for approaching and reducing
unpredictable variables in business.

1. Understand that risk is opportunity

From the earliest stages of a new business idea, risk and opportunity are inseparably
linked. Entrepreneurs can make this connection when comparing their personal goals
with possible entry points into the market. Preliminary research will almost always yield
insight on both sides, which is why startup leaders need to have an understanding of
their industry.

56
Along with identifying opportunities, doing your research can ultimately help to mitigate
and manage risk. The entrepreneur who closely observes consumer sentiment, for
example, will have a better idea of how to steer clear of costly missteps. The same
individual will also have a better frame of reference for what risks come with the
territory.

Recognizing the many benefits that come from developing an understanding of the
demands of the market can make a notable difference for new business owners. On
the opposite end of the spectrum, trying to identify opportunities without risk can lead
to less-than-desirable results.

2. Trust the process

Not every visionary entrepreneur will have a grasp of risk management from the outset,
and that’s fine. In fact, one Halle Institute for Economic Research study demonstrated
that most aspiring entrepreneurs consider themselves pretty conservative when it
comes to taking risks. The paper also points out that entrepreneurs gain more tolerance
for risk as they progress in their careers.

Fortunately, each decision and change made by a business leader will bring some form
of risk, which offers a valuable experience. One entrepreneur might launch his venture
while employed elsewhere as a way to test the waters and slowly make the transition,
while another might take a more direct approach. Either way, taking risks, which often
means failure at some level, is generally worthwhile.

3. Turn risk on its head

Another way to conceptualize risk management is risk selection. Market research will
help in determining where and how to incur risk for a business, but on a much more
basic level. Entrepreneurs who decide to start their own companies face more risk than
those who opt to stay in their current or most recent position. The question, then, comes
down to what holds greater uncertainty: security in an established job or potential
success with a startup?

Either choice will have its own set of risks, but the one major difference lies in the ability
of entrepreneurs to call the shots for their companies. However, entrepreneurs must
also realize that starting their own companies entails the possibility of failure. Thus,
entrepreneurs will have to weigh the risks as they brainstorm possible business models.

The risks associated with staying in one position or taking a new direction apply inside
companies, as well, and perhaps more frequently so. Sometimes the only way to reach
new heights is to make sacrifices, and this can be difficult to face, especially when a
business has performed well. Going from a good situation to a better one will always
involve risk, so business owners will have to ask themselves whether it’s worth it.

57
4. Avoid complacency
Just as one should generally avoid business opportunities that present themselves as
risk-free, so too should one continue finding ways to stretch in a company even after
achieving success. While this doesn’t mean taking on risk for the sake of it, it does
mean finding a balance between organic growth and reckless expansion. The organic
model may never propel a business forward, while the latter may mean that it does not
survive at all.

Complacency can also come in the form of optimism. In other words, entrepreneurs
often tend to have a positive outlook on their life and their business ventures in
particular. Yet, one’s hope that a company is on its way toward sustainable growth and
success will only move it so far. Once again, staying informed and conducting market
research are crucial to managing and mitigating risk. In the end, startup leaders must
strive to achieve their objectives in the face of uncertainty.

Risks management is an important process because it empowers a business with the

necessary tools so that it can adequately identify and deal with potential risks. Once a
risk’s been identified, it is then easy to mitigate it. In addition, risk management
provides a business with a basis upon which it can undertake sound decision-making.
For a business, assessment and management of risks is the best way to prepare for
eventualities that may come in the way of progress and growth. When a business
evaluates its plan for handling potential threats and then develops structures to
address them, it improves its odds of becoming a successful entity.
In addition, progressive risk management ensures risks of a high priority are dealt with
as aggressively as possible. Moreover, the management will have the necessary
information that they can use to make informed decisions and ensure that the business
remains profitable.

No business is short on challenges in its quest to further its growth and development,
particularly in its early stages. You could in fact argue that there are two sides to a
ledger that businesses exist upon: on one sits the small and early-stage businesses,
with the odds of long-term survival set against them, and on the other sit big,
established companies, with seemingly every advantage to perpetuate their existence.
To navigate those long odds, the startup or small business has to navigate carefully
through treacherous waters, spotting and steering clear of dangers as the present
themselves.

Managing the risks that come with any business is not something that anyone
particularly enjoys; we’d rather be rid of them entirely, free to focus all of our energies
on more productive efforts rather than preventative. But risk insists itself upon us
regardless of our desires, and dealing with it becomes another of the less-than-
pleasant tasks asked of us as entrepreneurs. So what is required in a responsible
handling of the risks that imperil your company’s future?

Identify. Any attempt to bring risk under control requires knowing what those risks are.
Finding and identifying those risks requires a thorough consideration of all aspects of

58
your business. Some risks are easily identified, both in terms of the physical actions
and tasks required of your job and/or the nature of the work you do as it rests against
security. It’s the risks that remain unseen unless searched for that can pose the
greatest threat if left uncovered. In an effort to protect your company’s prospects, it’s
crucial to be both honest and thorough in identifying all potential risks; simply not
thinking about them won’t make them go away.

Assess. Once you’ve identified the risks presented, you have to assess the nature
and severity of each risk. How likely is each to happen, and what would be the potential
impact of such an occurrence? Here again honesty is required; the task is assessment,
not assignment, and grading a risk low isn’t going to change the nature of it to
something less than it is simply by giving it a lesser score. Take all measures into
account in noting a risk: frequency and repetition add to a potential risk, and severity
can range from a basic harm to catastrophe, depending on the nature of your work.
Control. You’ve assessed the various risks extant at your work; now comes the time
to try and control and mitigate those risks. Some risks are easy to all but eliminate —
if there’s a set of actions wholly unnecessary to your work that present a risk, simply
forbid employees from those behaviors. Likewise, some tasking has safer alternatives
to achieve the same means, and those safe alternatives should be insisted upon by
you and your management teams. Other instances of risk are not so easily avoided,
but steps can be taken to lessen the risk and the potential harm that might be caused.
While risks might still exist, you are at least aware of them, and have done what you
can to lessen them.

Monitor. Vigilance is the watchword of safety, and consistent monitoring is required

to maintain the standards put in place. Everyone is guilty of getting a bit lax and sloppy
in the absence of pressure or reminders to follow assigned practices to the letter, and
the lack of incidents that highlight risks serve to breed complacency. Timely reminders
of what best practices are for safety and security and risk management might seem
tedious for all involved, and without a guarantee that the message will stick with any
in the audience, particularly those afflicted with said complacency. But you have to
make the effort to continually hammer those points home, and if education won’t work,
taking disciplinary measures might be required for repeat offenders. No one enjoys
being the taskmaster doling out punishment, but establishing and maintaining
standards requires employees to know that someone is there upholding the rules.

The nature of risk is such that none of what you fear might happen ever comes to
pass, or that things entirely unforeseen might beset you. Like any sort of plan, a
strategy of risk management can only do so much before you reach the outer limits of
things within your ability to control. Faced with the terrifying potential of the unknown,
it’s tempting to throw your hands up and consign your fate to higher powers. But
business is ultimately about what we can do, taking what control we can, and
managing the risks to the best of our ability is what we owe ourselves in our effort to
build a lasting company

59
 Lesson 2: Risk Management in the Organization

Risk management is the process of identifying, assessing and controlling threats to an

organization's capital and earnings. These threats, or risks, could stem from a wide
variety of sources, including financial uncertainty, legal liabilities, strategic
management errors, accidents and natural disasters. IT security threats and data-
related risks, and the risk management strategies to alleviate them, have become a
top priority for digitized companies. As a result, a risk management plan increasingly
includes companies' processes for identifying and controlling threats to its digital
assets, including proprietary corporate data, a customer's personally identifiable
information (PII) and intellectual property.

Every business and organization faces the risk of unexpected, harmful events that can
cost the company money or cause it to permanently close. Risk management allows
organizations to attempt to prepare for the unexpected by minimizing risks and extra
costs before they happen.
Importance
By implementing a risk management plan and considering the various potential risks
or events before they occur, an organization can save money and protect their future.
This is because a robust risk management plan will help a company establish
procedures to avoid potential threats, minimize their impact should they occur and
cope with the results. This ability to understand and control risk enables organizations
to be more confident in their business decisions. Furthermore, strong corporate
governance principles that focus specifically on risk management can help a company
reach their goals.

Other important benefits of risk management include:

• Creates a safe and secure work environment for all staff and customers.
• Increases the stability of business operations while also decreasing legal
liability.
• Provides protection from events that are detrimental to both the company
and the environment.
• Protects all involved people and assets from potential harm.
• Helps establish the organization's insurance needs in order to save on
unnecessary premiums.

The importance of combining risk management with patient safety has also been
revealed. In most hospitals and organizations, the risk management and patient safety
departments are separated; they incorporate different leadership, goals and scope.
However, some hospitals are recognizing that the ability to provide safe, high-quality
patient care is necessary to the protection of financial assets and, as a result, should
be incorporated with risk management.

60
In 2006, the Virginia Mason Medical Center in Seattle, Washington integrated their risk
management functions into their patient safety department, ultimately creating the
Virginia Mason Production System (VMPS) management methods. VMPS focuses on
continuously improving the patient safety system by increasing transparency in risk
mitigation, disclosure and reporting. Since implementing this new system, Virginia
Mason has experienced a significant reduction in hospital professional premiums and
a large increase in the reporting culture.
Risk managers know the purpose of their role and the value they bring to any
organization. However, other employees may not understand what the risk department
does or the widespread benefits of their strategy and actions. In many cases, they
might be unable to accurately define risk management! This creates a problem. It’s
harder for risk managers to get the buy-in to implement mitigation procedures when
risk management isn’t common knowledge. To illustrate the importance of risk, here
are 10 reasons all employees should care about risk management. We encourage you
to share this with your team!

10 Reasons Risk Management Matters for All Employees

1. Everyone has to manage risk

Every organization faces risks. As most business people know well, sometimes risk is
inevitable in order to achieve success. In spite of this, risk management is sometimes
seen as “the department of no” — those who deny any project plan that seems to have
any potential risk. This is the opposite of the truth. The purpose of risk management
is not to eliminate all risks. It is to minimize the potential negative consequence of
risks. By working with risk managers, employees can make smart risk decisions to
improve the chance of reward.

2. Risk management makes jobs safer

Health and safety are critical parts of a risk manager’s role. They actively seek out
problem areas in the organization and look to address them. They use data analysis
to identify loss and injury trends and implement strategies to prevent them from
reoccurring.. This clearly benefits employees in physical work environments, such as
construction, but can also help office employees and those in similar positions through
methods such as ergonomics. A safer workplace is better for everyone and is
dramatically impacted by risk management.

3. Risk management enables project success

No matter the department, risk managers can help employees succeed with their
projects. Just as they assess risks and develop strategies to maximize organizational
success, they can do the same for individual projects. Employees can reduce the
likelihood and severity of potential project risks by identifying them early. If something
does go wrong, there will already be an action plan in place to handle it. This helps
employees prepare for the unexpected and maximize project outcomes.

61
4. Risk management reduces unexpected events
Most people don’t like surprises, especially when it has an organizational impact A risk
manager’s goal is to map out all potential risks and then work to prevent them or best
manage them. It’s impossible to think of every possible risk scenario and address them
all, but a risk manager makes unpleasant surprises less likely and severe. Risk
manager or the risk management department should be the first place an employee
turns to when it seems like something serious could go wrong. Here’s a good chance
a plan is already in place for it.

5. Risk management creates financial benefits

The risk department should not be viewed as a cost centre for the organization. In fact,
it directly creates value. With trend analysis, risk managers can spot high-frequency
events and work to minimize repetitive losses. Incidents will be less likely to occur and
have less of an impact when they do, potentially saving the organization thousands if
not millions of dollars. Risk managers are also the experts who procure the appropriate
levels of insurance to maximize the financial impact of the risk management program.

6. Risk management saves time and effort

Employees at all levels spend time submitting data into the risk management
department when incidents occur. These tasks are often completed in disjointed and
inefficient ways. By streamlining these tasks, the risk department is able to alleviate
the burden of tedious data submission from employees, allowing them to direct time
and energy towards their true roles. With a solid process in place, it is easy for
employees to buy-in to high ROI risk management initiatives and facilitate risk
managers’ roles and reap the benefits of a formal risk management program.

7. Risk management improves communication

Horizontal and vertical communication are essential for organizational and employee
well-being. They promote understanding of internal and external issues and help
everyone work together effectively. While many employees know this, it can be difficult
to put into practice if some parties don’t understand the impact it can have. Risk
managers can help. They aid horizontal communication by providing a centralized
touchpoint for all risk data and providing reports and analysis. Risk managers promote
vertical communication by setting expectations and relating data to organizational
goals. Each additional method of communication benefits employees.
8. Risk management prevents reputational issues
Many risks involve a reputation factor: something happens that causes the public to
negatively view the organization. Reputational issues could impact individual
employees as well, even if they weren’t actually involved. A formal risk department
greatly decreases the likelihood of this fallout. When an incident inevitably occurs, a
formal risk management program and processes will quickly contain the event and
lower the chance of escalation and widespread negative consequences.

62
9. Risk management benefits culture
A strong risk management culture is better for all parties: frontline employees, risk
managers, executives, and decision-makers. It creates a mindset of prevention and
safety that permeates the organization and influences the actions of employees. It sets
expectations of performance and sends a positive image to the public.

10. Risk management guides decision-making

Decision-making is a challenging process, especially when making significant choices
that will have a large impact on future success. Risk management data and analytics
can guide employees in making wise strategic decisions that will help meet and
exceed company objectives. They can also advise on the strengths and weaknesses
of a decision alternative and provide recommendations on what risks to pursue and
which to avoid. The risk department is an excellent source of guidance for employees
in all areas.

Lesson 3: Risk Management in Finance

In the financial world, risk management is the process of identification, analysis, and
acceptance or mitigation of uncertainty in investment decisions. Essentially, risk
management occurs when an investor or fund manager analyzes and attempts to
quantify the potential for losses in an investment, such as a moral hazard, and then
takes the appropriate action (or inaction) given the fund's investment objectives
and risk tolerance.

Risk is inseparable from return. Every investment involves some degree of risk, which
is considered close to zero in the case of a U.S. T-bill or very high for something such
as emerging-market equities or real estate in highly inflationary markets. Risk is
quantifiable both in absolute and in relative terms. A solid understanding of risk in its
different forms can help investors to better understand the opportunities, trade-offs,
and costs involved with different investment approaches.
Risk is inherent in any business operation and good risk management is essential if
you're going to identify and stop revenue leakage from your business. Of the various
types of risks your business might face, financial risk has the most immediate impact
on your cash flows and bottom line. You can anticipate these risks and head them
off at the pass with a solid financial risk management plan.

What Is Financial Risk Management?

Financial risk management is the process of understanding and managing the
financial risks that your business might be facing either now or in the future. It's not
about eliminating risks, since few businesses can wrap themselves in cotton wool.
Rather, it's about drawing a line in the sand. The idea is to understand what risks
you're willing to take, what risks you'd rather avoid, and how you're going to develop
a strategy based on your risk appetite.
The key to any financial risk management strategy is the plan of action. These are
the practices, procedures and policies your business will use to ensure it doesn't take
on more risk than it is prepared for. In other words, the plan will make it clear to staff

63
what they can and cannot do, what decisions need escalating, and who has overall
responsibility for any risk that might arise.

How Do You Implement Financial Risk Control?

Organizations manage their financial risk in different ways. This process depends on
what the business does, what market it operates in and the level of risk it is prepared
to accept. In this sense, it's up to the business owner and directors of the company
to identify and assess the risk and decide how the company is going to manage
them.
Some of the stages in the financial risk management process are:

Identifying the risk exposures

Risk management starts by identifying the financial risks, and their sources or
causes. A good place to start is with the company's balance sheet. This provides a
snapshot of the debt, liquidity, foreign exchange exposure, interest rate risk and
commodity price vulnerability the company is facing. You should also examine the
income statement and the cash flow statement to see how income and cash flows
fluctuate over time, and the impact this has on the organization's risk profile.
Questions to ask here include:

• What are the main sources of revenue of the business?

• Which customers does the company extend credit to?
• What are the credit terms for those customers?
• What type of debt does the company have? Short-term or long-term?
• What would happen if interests rates were to rise?

Quantifying the exposure

The second step is to quantify or put a numerical value on the risks you've identified.
Of course, risk is uncertain, and putting a number on risk exposure will never be
exact. Analysts tend to use statistical models such as the standard deviation and
regression method to measure a company's exposure to various risk factors. These
tools measure the amount by which your data points differ from the average or mean.

For small businesses, computer software like Excel can help you to run some
straightforward analysis in an efficient and accurate way. The general rule is the
greater the standard deviation, the greater the risk associated with the data point or
cash flow you're quantifying.

Making a "hedging" decision

After you've analyzed the sources of risk, you must decide how you will act on this
information. Can you live with the risk exposure? Do you need to mitigate it or hedge
against it in some way? This decision is based on multiple factors such as the goals
of the company, its business environment, its appetite for risk and whether the cost
of mitigation justifies the reduction in risk.
Generally, you might consider the following action steps:
• Reducing cash-flow volatility.
• Fixing interest rates on loans so you have more certainty in your
financing costs.
• Managing operating costs.

64
 • Managing your payment terms.
• Putting rigorous billing and credit control procedures in place.
• Saying farewell to customers who regularly abuse your credit terms.
• Understanding your commodity price exposure, that is, your
susceptibility to variations in the price of raw materials. If you work in the
haulage industry, for example, a rise in oil prices can increase costs and
reduce profits.
• Making sure the right people are given the right jobs with the right degree
of supervision, to reduce the risk of fraud.
• Performing due diligence on projects, for example, considering the
uncertainties associated with a partnership or joint venture.

Who Manages Financial Risk?

In a small business, the business owner and senior managers are responsible for
risk management. It's only when the business grows to include multiple departments
and activities that you may wish to bring in a dedicated Financial Risk Manager to
manage risk — and make recommendations for action — on behalf of the company.

The Global Association of Risk Professionals is recognized globally as the premier

accreditation for Financial Risk Management professionals. To receive the FRM
certification, candidates must have two years' work experience and pass a rigorous
exam risk on the subjects of market risk, credit risk, operational risk and investment
management. Details are available on the GARP website.

REFERENCES

Juetten, M. (2019). Risk management in business. Forbes. Retrieved from

https://www.forbes.com/sites/maryjuetten/2019/07/31/risk-management-in-
business/?sh=4b39bae379b5age-risk-5d55210deb3f

Kenton, W. (2021). Risk management in finance. Investopedia. Retrieved from

https://www.investopedia.com/terms/r/riskmanagement.asp

Krach, K. (2016). 4 ways entrepreneurs can manage risk. Retrieved from

https://medium.com/@KeithKrach/4-ways-entrept (n.d). Corporate Finance Institute.
Retrieved from
https://corporatefinanceinstitute.com/resources/knowledge/strategy/risk-
management/

Manage Risk (n.d). Info Entrepreneurs. Retrieved from

https://m.infoentrepreneurs.org/en/guides/manage-risk/

Risk Management (n.d). Entrepreneur Asia Pacific. Retrieved from

https://www.entrepreneur.com/encyclopedia/risk-management

Thompson, J. (2019). What is financial risk management? Chron. Retrieved from

https://smallbusiness.chron.com/financial-risk-management-43326.html

65
What is risk management and why is it important? TechTarget. Retrieved from
https://www.google.com/amp/s/searchcompliance.techtarget.com/definition/risk-
management%3famp=1

Webb, R. (2021). 10 Reasons Risk Management Matters for All Employees. ClearRisk.
Retrieved from https://www.clearrisk.com/risk-management-blog/risk-management-
matters-for-all-employees-0-0-0

ACTIVITIES / ASSESSMENTS
Essay

1. Aside from the given examples from the lesson, what are some situations or
scenarios in which risk management is being practiced in the society?
2. Why do you think risk management is important in Entrepreneurship, Organization,
and Finance?

66
 UNIT VIII: DEVELOPING A RISK MANAGEMENT PLAN

UNIT OVERVIEW
"The key to risk management is never putting yourself in a position where you cannot
live to fight another day." - Richard S. Fuld, Jr.
This unit elucidates the different elements or components of a risk management plan.
Also, this unit will allow the students to identify the steps or ways on creating and
preparing a risk management plan. Likewise, this will also introduce students to the
best practices for maintaining a risk management plan.

LEARNING OUTCOME: After a successful completion of this unit, you should be able
to:
• List the elements or components of a risk management plan and what are their
functions
• Analyze how can one person develop an effective and successful risk
management plan
• Recall the best practices for maintaining a risk management plan

COURSE MATERIALS

Lesson 1: Elements or Components of a Risk Management Plan

The Risk Management Plan describes how you will define and manage risk on the
project. This document does not actually describe the risks and the responses. This
document defines the process and techniques you will use to define the risks and the
responses.

For every web design and development project, construction project or product design,
there will be risks. That’s truly just the nature of project management. But that’s also
why it’s always best to get ahead of them as much as possible by developing a risk
management plan. There are typically a handful of elements that make up a risk
management plan, and they are outlined below:
• Roles and responsibilities. This section describes the leading and supporting
roles in the risk management process. The project manager typically has overall
responsibility for risk management, unless the team is large enough that this
role can be delegated to another team member – perhaps a specialist. Third-
party risk management teams may also be able to perform more independent,
unbiased risk analyses of project than those from the sponsoring project team.
• Budgeting. Discuss your budget for risk management for the project. Since
you may not know enough to request budget for risk management you can also
describe the process that you will use to determine a risk management budget
estimate.

67
 • Timing. Defines when the initial risk assessment will be performed, as well as
how often the risk management process will be conducted throughout the
project life cycle. Results should be developed early enough to affect decisions.
• Scoring and interpretation. You should define risk scoring and interpretation
methods appropriate for the type of the qualitative and quantitative risk analysis
being performed. Methods and scoring must be determined in advance to
ensure consistency.
• Thresholds. The threshold level is how you determine which risks are
important enough to act upon. The project manager, client, and sponsor may
have a different risk threshold. The acceptable threshold forms the target
against which the project team will analyze risks.
• Communication. Describe how the information on risk will be documented and
communicated. This includes the risks themselves, the risk responses and the
risk status.
• Tracking and Auditing. Document how all facets of risk activities will be
recorded for the benefit of the current project, future needs, and lessons
learned. Also describe if and how risk processes will be audited.

Lesson 2: Steps or Ways on Creating and Preparing a Risk Management Plan

To create a plan that's tailored for your business, start with these steps:

1. Identify risks
What are your risks and how likely are they to occur? Some will cause major disruption
while others will be a minor irritation. You must make an educated assessment of both
the likelihood and potential severity of each risk to prioritize your planning efforts.
Risk identification occurs at the beginning of the project, as well as throughout the
project. While many risks are considered “known risks”, others might require additional
research to discover.
To identify risks, create a risk identification checklist that is specific to your project
type. You can do this by interviewing all stakeholders and industry experts.
Additionally, create a risk repository that you can share with everyone you interviewed
for a centralized location of all known risks revealed during the identification phase.
This can be conveniently done on an online project management software
Many risks can be divvied up into categories, like technical or organizational, and listed
out by specific sub-categories like technology, interfaces, performance, logistics,
budget, etc.
There are many different ways you can identify risks and which strategy you use will
come down to your resources, team, and the size of your project. To get started, try a
few of these:

1. Interviews. Set time aside to speak with key project stakeholders, outside
experts, and other teammates who might be able to shed light on some of the
more unknown risks.
2. Brainstorming sessions. Your team is one of the best sources of information
on potential risks. In many cases, they’ve worked on similar projects and will
know where things broke down. Like any other group meeting, a brainstorming
session needs to be carefully planned and run to keep it on track. Send out an

68
 agenda and context beforehand and set the tone when people arrive. You want
to invite discussion but keep it focused on what risks people have experienced
in the past on similar projects.
3. Risk checklists. Does your company already have a workflow in place for
identifying risks? If so, they probably have a checklist of areas and categories
for you to explore. If not, this is a great tool to build and use in later projects.
4. Assumption analysis. Every assumption is a source of potential risk
(remember the cognitive biases we listed above?) Take a few minutes and think
about everything you’re assuming to be true or real about this project. Are your
thoughts valid? Do you have proof?

2. Minimize or eliminate risks

Once risks have been identified you need to either eliminate or minimize those risks.
You should provide specific strategies for minimizing risk for each of the six subgroups.
As you prioritize your risks you’ll naturally ask three questions:

1. What will happen if this situation takes place?

2. How likely is it that this will happen?
3. How bad will the resulting impact be on the project?
These factors—consequence, probability, and impact—give context and importance to
each of your risks. Instead of just being a simple statement, you’re able to understand
exactly how bad they are and how much you should be planning ahead for them.
In this step, you’re going to review the qualitative and quantitative impact of the risk
and then assign a likelihood score (from low to high probability) and a risk impact
score (either low, medium, or high).
If you have a lot of risks, you might use a more complex system to score the likelihood
and impact of them. For example, you might use percentages or a modified version
of the RICE method.
Once you’ve scored your risks, many people like to use what’s called a risk assessment
matrix to plot them out visually.

3. Identify who has to do what should a disaster occur

One of the simplest and most powerful tools for a speedy recovery from a disaster is
a clear picture of, and clear directions about, who has to do what should your disaster
plan have to be enacted.
It’s not enough to just write risks down and hope they don’t come up. Each risk needs
to be assigned to a team member, prioritized, and given an estimate of the resources
needed to handle it.
The designated team member will be responsible for taking ownership if the risk
becomes an actual issue. As part of this, they need to understand the risk triggers or
warning signs that signify they need to jump into action.
A risk trigger might be identified in advance (when it’s a knowable risk), while in other
cases it’ll be pretty much impossible to pinpoint its exact cause. For example, you might
know that there are risks to your brand when you change your pricing structure, but

69
you won’t necessarily be able to identify the exact trigger, such as a Facebook post or
blog from a customer.
This is where using a project management tool is so important. While your risk
management plan can live as a wiki page, transferring individual risks into issues
means you can assign and track their progress alongside the rest of your project tasks.
While risks should be assigned to a single person, they should be visible to all. This
way, everyone is aware of what to watch out for and who to contact if they see one of
the triggers.

4. Determine and plan your recovery contingencies

Recovery contingencies should be determined by the type, style and size of your
business and by the extent of the damage.
Use our Emergency Contingency Planner to make sure you cover all bases.
The point of a risk management plan is to give you a clear path towards solving any
potential issues that come up. For each of the identified risks, the project manager and
the assigned teammate should brainstorm a proper response.
In most cases, you’ll handle a risk that has become an issue in one of four ways:

1. Avoid: Change your plan to bypass the issue. In other words, remove the cause
of the threat altogether.
2. Transfer: Outsource the risk (or a portion of it) to a different team or agency.
Think of this as a typical “insurance” policy.
3. Mitigate: Take immediate steps to reduce the impact of the risk. This could
mean reviewing your requirements, going through additional testing, or looking
for different options.
4. Accept: Assume the chance of a negative impact or eventually budget in the
cost of dealing with it.
When writing out your risk response plan your depth of details should match the
significance of the risk. There’s no point in creating an in-depth response to a low
impact, low probability risk.
Lastly, you can also escalate a risk if the response feels like it’s beyond the scope of
your project. This takes us to our next step...

5. Communicate the plan to all the people it refers to

This stage of planning is all about ensuring that all people within your business sphere
(staff, suppliers, contractors, service providers) are made aware of the strategies you
have put in place to either mitigate or recover from a disaster situation. Make decisions
about whether the physical communication will be done by phone, email, text or other
means. Once these decisions are made, procedural statements can be created and
relevant people can be informed. The next part is to train staff and ensure everyone
practices what has been done so if a disaster occurs the process can take over and
guide the staff.
During day to day operations, any number of risks can pop up in a business so it is
important to know how to identify any potential risks before they escalate. This will
help you develop realistic and effective strategies for dealing with risks if they occur.

70
In the case that you’re accepting the potential fallout of a risk, you should know what to
do if it becomes realized. This is called a contingency plan. In other words, you’re
answering the question: “What do we do now?”
Contingency plans should be saved for risks that are high priority and high impact but
without an obvious solution for what to do if they happen. In this case, you’ll want to
have a workflow mapped out that follows a few steps:

1. Find and document resources that can be used in an emergency. This could
mean moving team members off a different task, diverting budget, or increasing
the scope.
2. Know who will need to be notified in the case of this issue. You can use
your communication plan to help find these people.
3. Create a plan of action for dealing with this issue. Are there alternatives you can
propose or flexibility you can add to your current project plan? Do you know who
to bring in and where to ask for help? A checklist can help keep you focused
when you’re in crisis mode.
4. Keep an eye on the risk triggers for these issues (especially deadlines).
Of course, the balance of contingency planning is that these are usually issues with a
small probability of actually happening. It’s easy to get sucked into imagining every
terrible situation that might creep up. However, if the potential downfall of one of these
risks could threaten your project, it’s worth thinking it through early on.
While every project comes with some level of risk, there are ones where the potential
negative outcomes are just too much to gamble on. This is what’s known as your risk
threshold—the amount of risk your company or stakeholders are willing to take on.
As you create your risk management plan, it’s important to stay in contact with your key
stakeholders and sound out how they’re feeling.
Is there too much risk to justify the project as scoped? Can you make changes to
your project plan before you start to reduce the risks?
While this might feel annoying, it’s better to make changes early on rather than hit
serious issues once you’ve already committed time and energy.

6. Prepare a risk management plan

A risk management plan can help minimize the impact of cash flow issues, damage to
brand and other risks. It will also help create a culture of sensible risk awareness and
management in your business. Our Crisis planning for business template below
includes a risk management plan.

Lastly, risk management is a circle, not a linear path. Because you’re dealing with
unknowns, your risk management plan needs to be a living document.
Whoever owns the risk needs to be responsible for tracking it, updating it in your project
management tool, and making sure other people are aware of what’s going on. As your
project progresses, there is a good chance new risks will come up or current ones will
evolve and change.
Maybe what seemed like a low-probability risk early on is suddenly much more likely.
By using a tool like Planio to keep track of your risks, you can quickly update them and
keep everyone up-to-speed with what’s going on.

71
Project risk management can’t be done in a silo. To have the best chance of hitting
project success it needs to be an integrated part of your project management process.

Lesson 3: Best Practices for Maintaining a Risk Management Plan

Risk management plans only fail in a few ways: incrementally because of insufficient
budget, via modelling errors or by ignoring your risks outright.

Your risk management plan is one that is constantly evolving throughout the course of
the project, from beginning to end. So the best practices are to focus on the monitoring
phase of the risk management plan. Continue to evaluate and reevaluate your risks
and their scores, and address risks at every project milestone.

Project dashboards and other tracking features can be a life saver when it comes to
maintaining your risk management plan. Watch the video below to see just how
important project dashboards, live data and project reports can be when it comes to
keeping your projects on track and on budget.

In addition to your routine tracking, at each milestone, conduct another round of

interviews with the same checklist you used at the beginning of the project, and re-
interview stakeholders, project members, customers (if applicable) and industry
experts.

Record their answers, adjust your matrix if necessary, and report all relevant updates
of your risk management plan to key stakeholders. This process and level of
transparency will help you to identify any new risks to be assessed and will let you
know if any previous risks have expired.

REFERENCES

MacKay, J. (2020). 7 Steps to write a risk management plan for your next project.
Retrieved from https://plan.io/blog/risk-management/

Prepare a risk management plan (2020). Business Victoria. Retrieved from

https://www.business.vic.gov.au/disputes-disasters-and-succession-planning/how-to-
manage-risk-in-your-business/prepare-a-risk-management-plan

Scavetta, A. (2019). How to make a risk management plan. Project Manager.

Retrieved from https://www.projectmanager.com/blog/risk-management-plan

Seven components to a risk management plan (2017). TenStep. Retrieved from

https://tenstep.com/seven-components-to-a-risk-management-plan-2/

ACTIVITIES / ASSESSMENTS

Essay

1. What are the elements or components of a risk management plan and what are
their functions?
2. How can one person develop an effective and successful risk management plan?

72