6 Steps Risk Management Approach

In order to effectively manage risk a company should at least define strategic, operational, reporting and compliance objectives and should identify internal and external events that have the potential to effect the company’s operations by analyzing the workflows and processes and listing risks and causes, the extent of risk that is faced and the impact of identified risks on company’s operations.

It is important that the internal and external events that could affect the achievement of the objectives of the organization are identified, which distinguishes between risks and opportunities. Furthermore the company should first prioritize and assess risks on an inherent & residual basis and analyze and divide these into 2 main categories: which are probability and consequences per risk event.The company should identify control choices and select the appropriate risk control measures, determine risk priorities and make control decisions.

It is also very important that the company should first define a clear structure with processes & procedures and implement the risk control measures into its organization to establish coherent authority and responsibility and should define monitoring Infrastructures by developing control procedures that monitor and review business critical processes, The company should also have audit procedures in place to determine if those risks related control procedures are working effectively and should periodically perform audits on the control procedures to determine whether the risk monitoring processes are working effectively and as expected.

6 steps risk management process.

AAEAAQAAAAAAAAI7AAAAJDczYWNjYmY5LWFjMjctNDYyNy05N2I3LTRmOWQzM2JlZWRlNQ
Author: Sheraz Ali ( 2013 )

Step 1: Risk management objectives
In order to effectively identify risk a company should first at least define strategic, operational, reporting and compliance objectives.
What the organization wants to achieve and the external and internal factors that may affect success in achieving those objectives. This step is called establishing the context and is an essential precursor to risk identification.

A risk management strategy is also very significant and fundamental to effective risk management. As this establishes barriers against an accumulation of operational risks inherent in continuing operations. “Developing risk intelligence maximizes the return on value from information risk management investments”

Managing risk is about the logical sense making and implementing of a plan to deal with potential losses. The main purpose of risk management for a process or an activity owner is to avoid tortuous, contractual or statutory liability.

Management should establish four main categories of objectives related to the firm:
  • “Strategic – relating to high-level goals, aligned with and supporting the entity’s mission.
  • Operations – relating to effective and efficient use of the entity's resources
  • Reporting – relating to the reliability of the entity’s reporting
  • Compliance – relating to the entity's compliance with applicable laws and regulations.“

The framework of risk management is based on the context in which the organization-wide risk appetite is formulated and risk environment of an organization is defined.

The context examines:
  • Laws & regulations
  • Economics & Markets
  • Culture & Technologies
  • Natural environment
  • Stakeholders needs, issues and concerns
“The essence of risk management,” Bernstein concludes, “lies in maximizing the areas where we have some control over the outcome while minimizing the areas where we have absolutely no control over the outcome and the linkage between effect and cause is hidden from us.”

Step 2: Identifying risk
A company should identify internal and external events that have the potential to effect the company’s operations by analyzing the workflows and processes and listing risks and causes, the extent of risk that is faced, and the impact of identified risks on company’s operations. It is important that the internal and external events that could affect the achievement of the objectives of the organization are identified, distinguishing between risks and opportunities.

Opportunities are fed back to the strategy of the management or goal setting process. During the process of risk identification, the following questions should be answered.

What is the extent of risk faced?
What are the available options?
How large, and immediate are the outcomes resulting from the impact of risk?
Can the risk be controlled, reversed or avoided?
How do individuals and groups conceptualize risk?
What aspects of the problem seem most relevant?

Step 3: Risk assessment
A company should first prioritize and assess risks on an inherent & residual basis and analyze and divide these into 2 main categories: probability and consequences per risk event.
Companies must first prioritize risks to identify and limit and then assess further prioritize and address the rest of the risks based on the needs of the organization.

It is not surprising that man has always searched for methods to reduce uncertainty and through time, devised methods and skills are developed to deal with such uncertainties. The way in which consequences and likelihood are expressed and the way in which they are combined to determine a level of risk should reflect the type of risk. These types of risks should all be consistent with the risk criteria. Three main aspects of risk handling are presented: Risk identification, Risk estimation and Risk evaluation.

Risk assessment is the determination of quantitative or qualitative value of risk associated with a particular event as it happens; this involves the process of analysis and evaluation. Risk can be defined as the combination of the probability of an event and its consequences.

Step 4: Risk control measures
A company should identify control choices and select the appropriate risk control measures, determine risk priorities and make control decisions. This is where management requires deciding upon what risks to avoid, accept, reduce or transfer and development of a series of actions to tune the risks with the entity's risk tolerance level and appetite for risk. Once the risks are stated, the company must then proceed to prioritize such risks. It is improbable that a company is able to mitigate all the risks mentioned; therefore it is of importance that a firm identifies high priority risks and focuses first on them.

ISO 31000:2009 gives a set of general options to be considered when risk is handled. The order of the list reflects preferred. It is important that one of the options deal with both the risks that disadvantage and / or up-side effects.

The options are:
  • “Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
  • Taking or increasing the risk in order to pursue an opportunity;
  • Removing the risk source;
  • Changing the likelihood;
  • Changing the consequences;
  • Sharing the risk with another party or parties (including contracts and risk financing);
  • Retaining the risk by informed decision.”

Step 5: Risk controls Implementation
A company should first define a clear structure with processes & procedures and implement the risk control measures into its organization to establish coherent authority and responsibility.

Control activities such as operational assessment and reporting, authorization, verification, approval and distribution of tasks need to be implemented in order to avoid the risks materializing. Identify control choices, determine priorities, and make control decisions. “There is comprehensive, fully defined, and fully accepted accountability for risks, controls, and risk treatment tasks”

Someone is responsible for something (actions, action consequences, states, tasks etc.) in relation to an addressee and towards a criterion, in the context of a given responsibility and action domain...”

Step 6 Monitoring and reviewing
A company should define monitoring Infrastructure by developing control procedures that monitor and review business critical processes, the company should also have audit procedures in place to determine if those risk related control procedures are working effectively and should periodically perform audits on the control procedures to determine or the risk monitoring process are working effectively and as expected, if necessary make adjustments or improvements to improve risk monitoring processes.

“COSO asserts the role of monitoring not only aids the financial reporting process, but also ultimately the organization’s overall system of governance, including operational decision-making”.

The monitoring shall include the assessment of the quality of control over time; this can be accomplished by monitoring individual evaluation or both.
  • Develop a strong understanding of the identified significant risks and develop control procedures to monitor or correct for these risks.
  • Create testing procedures to determine if those risk-related control procedures are working effectively.
  • Perform tests of the control procedures to determine if the risk- monitoring process tested is working effectively and as expected.
  • Make adjustments or improvements as necessary to improve risk-monitoring processes.

Strengths: conceptual risk assessment framework

The conceptual risk process mentioned is mainly divided into 3 major sections and 6 steps. It is a comprehensive stepwise approach to set risk management objectives, identify and assess risks as well as selecting and implementing appropriate risk controls and monitor and review activities. In summary the conceptual risk process helps the company to effectively identify, estimate and evaluate risks

Weaknesses: conceptual risk assessment framework

The conceptual risk process mentioned is mainly based on limited academic literature and is general of nature. Therefore it is not scientifically justified in a specific business environment, such as assessing risk of new business partnerships. Therefor it should be further researched in such business environment.

 
More on Phishing as a Service (PhaaS): 
http://www.phishingawareness.nl