Every time a businessman takes a decision, he deliberately or unknowingly assesses its chance of success, that is, the probability of the decision failing to achieve the desired results.
A problem, or “decision situation”, can be “one time” or “continuous”: a decision may have an impact only once or over a longer period.
For example, selecting a particular manufacturing process is a decision which has an impact over a longer period, whereas a decision to participate in a particular tender is a “one time” situation.
For every problem, a businessman evaluates more than one option and selects the most profitable (or least damaging); in other words, he selects the safest or least risky option.
Every decision situation has risk associated with it. No decision in our life in general, and no management decision in particular, is 100 per cent risk free. But every risk can be treated, that is, managed.
In very simple words, this probability that the decision taken may not give the desired result is termed “Risk”. Risks are uncertainties that affect the achievement of business objectives, so risks cannot be fully identified if those objectives and strategies are unclear. A risk is an event which results in loss or damage to the business, its profits or its assets.
The delicate factors or weak points existing in a situation are known as vulnerabilities. For example, not having any antivirus program installed is a “vulnerability”. The mere presence of a vulnerability does not by itself cause damage. Every vulnerability has a “threat” associated with it; only when the vulnerable situation is triggered is one exposed to the threat. Taking the same example forward, when you do not have antivirus and a virus is sitting in your computer, then there is a threat.
The probability of a threat damaging you is the risk: the higher the probability, the higher the risk.
Risks can be managed so that damage is avoided or reduced. In general, the cost of managing a risk needs to be commensurate with the benefit obtained. The process of managing risk involves many stages.
1. Identify the risk by gathering information and discussing it with others. Factors causing risk can be internal or external.
Similarly, some of them may be controllable and some may be outside one’s control.
Some tools to identify risks are to ask:
b. How could we fail?
c. What must go right for us to succeed?
2. Gather information:
Information should be relevant, adequate, reliable and
3. Discuss the information with others. If possible, there should be brainstorming sessions before coming
to any conclusions. The business owner should be receptive to the people and staff members.
4. Analyse and evaluate
a. What is the probability of things going wrong?
b. What is the intensity of the vulnerability?
c. What are the actual threats?
d. Analyse the controls you have put in your system
e. Test the effectiveness of existing controls
f. Test the actual working of the control (for example, by reviewing the CCTV footage)
g. Assess residual consequences: what is the most probable impact of the risk event if it were to occur within the current control environment? Assume that the controls are operating at their assessed strength, rather than taking the maximum consequence if the controls were to fail.
5. Treat the risk
a. Avoid : this means choosing an alternative, more acceptable approach to the problem which is less risky.
b. Reduce/ Mitigate : there are many ways to mitigate a risk. For example, insisting on a penalty clause in a service contract
is a good mitigant.
c. Share : sharing or transferring the risk can be done by carrying out the business as a joint venture or by outsourcing part
of the process; the most popular method of sharing is insurance.
d. Accept : accepting means taking the most informed decision. Accepting a risk depends on the
risk appetite of the business owner and on the fall-back arrangements. This option is also relevant in situations where residual
risk remains after other treatment options have been put in place.
6. Monitor and review
examples of testing controls.
b. Obtaining further information to improve risk assessment
c. Analysing and learning lessons from risk events, including near-misses, changes, trends, successes and failures
d. Detecting changes in the external and internal context, including changes to risk criteria and to
the risks, which may require revision of risk treatments and priorities
e. Identifying emerging risks.
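The analyse-and-evaluate, treat, and monitor-and-review steps above can be worked through on a small risk register. The following Python example is an added illustration and is not from the original article: it scores each risk as likelihood × impact on a 1 to 5 scale, credits controls at their assessed strength only when they passed their working test (steps 4e, 4f and 4g), picks one of the four treatments against a constructed risk appetite and ceiling (step 5), and lists what the next monitoring cycle should look at (step 6). The register entries reuse the article's own illustrations (missing antivirus, penalty clause, tender); all numeric scales, scores and thresholds are constructed for the example.

```python
"""Worked risk-register example (added illustration, not from the original article).

All scales, scores and thresholds below are constructed for demonstration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Control:
    """A control already in the system (step 4d). The reductions are its assessed
    strength (4e); `operating` records whether it actually worked when tested (4f)."""
    name: str
    likelihood_reduction: int = 0   # points taken off the 1-5 likelihood scale
    impact_reduction: int = 0       # points taken off the 1-5 impact scale
    operating: bool = True


@dataclass
class Risk:
    name: str
    vulnerability: str              # the weak point, e.g. no antivirus installed
    threat: str                     # what exploits it, e.g. a virus on the machine
    likelihood: int                 # 1 rare .. 5 almost certain (step 4a)
    impact: int                     # 1 negligible .. 5 severe
    controls: List[Control] = field(default_factory=list)
    shareable: bool = False         # a sharing arrangement (insurance, JV, outsourcing) exists

    def inherent_score(self) -> int:
        """Likelihood x impact with no controls credited: the untreated exposure."""
        return self.likelihood * self.impact

    def residual(self) -> Tuple[int, int]:
        """Residual likelihood and impact (step 4g): controls are credited at their
        assessed strength, but a control that failed its working test counts as absent."""
        likelihood, impact = self.likelihood, self.impact
        for c in self.controls:
            if c.operating:
                likelihood -= c.likelihood_reduction
                impact -= c.impact_reduction
        return max(1, likelihood), max(1, impact)

    def residual_score(self) -> int:
        likelihood, impact = self.residual()
        return likelihood * impact


def choose_treatment(risk: Risk, appetite: int, ceiling: int) -> str:
    """Step 5. `appetite` is the highest residual score the owner will accept;
    `ceiling` is the score above which the activity is not worth doing at all.
    Between the two, share the risk if an arrangement exists, otherwise reduce it further."""
    score = risk.residual_score()
    if score <= appetite:
        return "accept"
    if score > ceiling:
        return "avoid"
    return "share" if risk.shareable else "reduce"


def review_findings(risks: List[Risk], appetite: int) -> List[str]:
    """Step 6: what the monitoring cycle should look at (failed controls, risks above appetite)."""
    findings = []
    for r in risks:
        for c in r.controls:
            if not c.operating:
                findings.append(f"{r.name}: control '{c.name}' failed its working test")
        if r.residual_score() > appetite:
            findings.append(f"{r.name}: residual {r.residual_score()} exceeds appetite {appetite}")
    return findings


# Constructed register built from the article's own illustrations.
REGISTER = [
    Risk("Malware infection", "no antivirus installed", "virus present on the PC",
         likelihood=4, impact=4,
         controls=[Control("Antivirus software", likelihood_reduction=2)]),
    Risk("Vendor fails to deliver", "single service provider", "contract not performed",
         likelihood=3, impact=5, shareable=True,
         controls=[Control("Penalty clause in service contract", impact_reduction=2)]),
    Risk("Tender lost after bid costs", "one-time bid", "competitor wins the tender",
         likelihood=3, impact=2),
]
APPETITE, CEILING = 6, 15   # constructed thresholds


def assess(register: List[Risk] = REGISTER, appetite: int = APPETITE,
           ceiling: int = CEILING) -> Dict[str, Tuple[int, int, str]]:
    """Return {risk name: (inherent score, residual score, chosen treatment)}."""
    return {r.name: (r.inherent_score(), r.residual_score(),
                     choose_treatment(r, appetite, ceiling)) for r in register}


if __name__ == "__main__":
    for name, (inherent, residual, treatment) in assess().items():
        print(f"{name:28} inherent={inherent:2} residual={residual:2} -> {treatment}")
    for line in review_findings(REGISTER, APPETITE):
        print("review:", line)
```

Marking a control as `operating=False` after a failed test drops it from the residual calculation, which is the point of step 4f: an antivirus that is installed but not updated protects nothing, and the malware risk then scores at its full inherent 16 and crosses the avoid ceiling.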
As part of the monitoring process, the thresholds for the risk criteria should be reviewed at the
commencement of each risk assessment cycle, to identify the processes that may be subject to increased
risk and, as such, would derive the greatest value from the risk assessment.
The effectiveness of the risk management framework implemented needs to be periodically reviewed to ensure continuous improvement
of risk management in the firm.
The purpose of the framework is to embed a risk-aware culture within the firm. This can be evaluated in light of breaches
and near misses, the effectiveness of communication, and an assessment of what lessons have been learned and what remedial actions have been taken.
The framework is only effective if the context remains relevant to the firm, as this sets the scope for risk management.
Ensure the practice objectives and the internal and external context for risk management are current and accurate.