This document discusses the key steps in a risk management process:
1. Identifying risks through risk statements that define the root cause, consequence, and downstream impact.
2. Analyzing and prioritizing risks by estimating their probability, impact, and exposure.
3. Planning risk actions by developing strategies to reduce exposure for high-priority risks.
4. Tracking risks and reporting changes in their status to ensure risk plans stay up-to-date.
5. Controlling risks by monitoring plans and taking corrective actions in response to triggering events.
2. AGENDA
• Introduction
• Why Bother about Risk Management?
• The Risk Management Cycle
• Indicators and Warnings
• Administrative Risk Mitigation Tools
• Conclusion
3. Introduction
One of the big challenges in an organization’s enterprise risk management (ERM) process is determining how to effectively and concisely communicate the risk information identified by the ERM process to the organization’s board of directors. Given the complexity of today’s global business world, distilling risk information down to what is most pertinent for disclosure to the board can be difficult. ERM leaders have to walk a fine line: avoid overwhelming the board with too much granular detail about risks, without summarizing risks at such a high level that no one can really understand the underlying risk concern.
6. What is risk?
Risk denotes the potential for a negative impact on an asset.
7. WHAT IS A RISK (2)?
The likelihood or probability that a loss of information or resources, or a breach of security, will occur.
8. RISK MANAGEMENT TERMINOLOGY
Risk management: the complete set of policies and procedures we have in place to manage, monitor and control exposure to risk.
It is the manner in which we set about addressing the question “what can go wrong?”
9. WHY BOTHER ABOUT RISK?
BE ABLE TO PUT MEASURES IN PLACE TO PREVENT RISK FROM CRYSTALLISING
BE PREPARED TO RESPOND SO AS TO MINIMISE LOSSES WHEN DISASTER OCCURS
ENHANCES PROFITABILITY OF AN ENTITY
ENSURE BUSINESS CONTINUITY
ENHANCE STAKEHOLDERS’ CONFIDENCE
11. Operational risk
Operational risk is the risk of loss due to errors, interruptions, or damages caused by people, systems, or processes. This type of risk is low for simple business operations such as retail banking and asset management, and higher for operations such as sales/treasury and marketing.
Examples of Operational risk:
Cybersecurity Risk
Cyber risks, including ransomware and phishing, have become more frequent and more consequential, threatening institutions’ operational continuity.
Third-party Risk
Increasingly, financial institutions rely on third-party providers, which means they have to thoroughly identify, evaluate, and control third-party risks throughout the lifecycle of their relationships with those companies.
Internal Fraud and External Fraud
Business Disruptions and Systems Failures
Hardware or software system failures, power failures, and disruption in telecommunications can interrupt any financial organization’s business operations and lead to financial loss.
12. Examples of operational risks cont’d
Missed deadlines
Accounting and/or data entry errors
Vendor disagreements
Inaccurate client records
Loss of client assets through negligence
Losses from operational risks can be financially devastating to a
company. They can also negatively affect its business continuity,
reputation, and compliance position.
13. Systematic/ecosystem risk
Systematic risk refers to the risk inherent to the entire market or market segment. Systematic risk, also known as “undiversifiable risk,” “volatility” or “market risk,” affects the overall market, not just a particular stock or industry.
(E.g. the Silicon Valley Bank failure)
Examples of systematic risks include:
Macroeconomic factors, such as inflation, interest rates, currency fluctuations.
Environmental factors, such as climate change, natural disasters, resource and biodiversity loss.
Social factors, such as wars, changing consumer perspectives, population trends.
14. Basic Risk Management Components
Risks: understand the risk event, the risk exposure and the risk driver.
Strategies:
•Avoid or eliminate the risk
•Transfer the risk to another party
•Accept or retain the risk
•Control the risk
Control tactics:
•Actions / processes / mechanisms designed within the institution to mitigate and manage the identified risk.
Roles:
•Assigning responsibilities to identify, mitigate, manage and monitor the risk.
•Distinguish between the person who manages risks (operational) and the one who monitors them (senior management).
15. Hierarchy of risk
The management of risk at strategic, programme and operational levels needs to be integrated so that the levels of activity support each other. In this way the risk management strategy of an organization will be led from the top and embedded in the normal working routines and activities of the organization. All staff should be aware of the relevance of risk to the achievement of their objectives, and training to support staff in risk management should be available.
16. Risk Management Cycle
• The typical risk management process is usually divided into four cyclic activities:
1. Risk Identification: risk identification & definition; risk categorization.
2. Risk Assessment & Quantification: risk measurement/rating; risk prioritization.
3. Risk Mitigation & Control: entity-level risk mitigation approaches; prepare and implement the risk treatment plan; risk control.
4. Risk Monitoring/Reporting: risk monitoring; risk reporting (which feeds back into identification).
17. Risk Management Process
Risk Identification: Transparent processes for the identification of all factors that may lead to divergences between expectations and outcomes.
Risk Assessment/Measurement: Estimation of the likelihood of their occurrence and the extent or severity of their impact in the event of occurrence.
Risk Control: Design of effective controls to minimize both the likelihood and the impact of risk events.
Risk Monitoring: Establishment of procedures to ensure that these controls are effective and are being complied with.
Risk Reporting: Communication of the status of the top risks, and of the effectiveness of their controls, to management and other stakeholders; and provision of sufficient capital to absorb the adverse impact of expected and unexpected loss.
18. Risks can affect a business in different ways and with different magnitudes. The two dimensions of risk severity (impact) and likelihood (frequency of occurrence) together determine the total impact of the risk on the business.
A risk assessment chart that plots severity/impact against likelihood/frequency indicates, visually and verbally, the total impact of the risk for each combination of the two. Such a chart is useful in deciding which risks need a defined internal control and which are acceptable without one.
20. … An Overview – RM Process Steps
Source: https://technet.microsoft.com
21. … An Overview – RM Process
• Step 1: Identify
– Risk identification allows
individuals to identify risks so
that the operations staff becomes
aware of potential problems.
– Not only should risk identification
be undertaken as early as
possible, but also should be
repeated frequently.
22. … An Overview – RM Process
• Step 2: Analyze and Prioritize
– Risk analysis transforms the
estimates or data about specific
risks that developed during risk
identification into a consistent
form that can be used to make
decisions around prioritization.
– Risk prioritization enables
operations to commit resources to
manage the most important risks.
23. … An Overview – RM Process
• Step 3: Plan and Schedule
– Risk planning takes the
information obtained from risk
analysis and uses to formulate
strategies, plans, change requests,
and actions.
– Risk scheduling ensures that these
plans are approved and then
incorporated into the standard
day-to-day processes and
infrastructure.
24. … An Overview – RM Process
• Step 4: Track and Report
– Risk tracking monitors the status of specific risks and the progress in their respective action plans.
– Risk tracking also includes monitoring the probability, impact, exposure, and other measures of risk for changes that could alter priority or risk plans and ultimately the availability of the service.
– Risk reporting ensures that the operations staff, service manager, and other stakeholders are aware of the status of top risks and the plans to manage them.
25. … An Overview – RM Process
• Step 5: Control
– Risk control is the process of
executing risk action plans and
their associated status reporting.
– Risk control also includes initiating
change control requests when
changes in risk status or risk plans
could affect the availability of the
service or service level agreement
(SLA).
26. … An Overview – RM Process
• Step 6: Learn
– Risk learning formalizes the lessons learned and uses tools to capture, categorize, and index that knowledge in a reusable form that can be shared with others.
27. … An Overview – RM Process
• Risk Lists
– the six steps described previously supply
information for a collection of risk lists.
– a risk list is a database of risk properties
and details designed to aid the process
of RM.
– not technology-dependent; can be in
any form – from a simple register to a
well-developed computer application to
provide customized views and queries
for operation staff and stakeholders.
28. … An Overview – RM Process
• Risk Lists
– Examples of customized views of risk list
include:
• Master Risk List –
– identifies the condition causing each risk, the
potential adverse effect (consequence),
outcome (aka. the downstream effect), and
the criterion used for ranking
– enables Assigning priorities; Identifying
critical actions; and highlighting
dependencies.
• Risks by Services List
• Top Risk List
• Retired Risks List.
29. EXERCISE 1: Form an RM Process Model
Use the blocks below:
Control
Learn
Identify
Analyze & Prioritize
Track & Report
Plan & Schedule
31. Identifying Risks in Operations
• This is the 1st step in RM
process
• provides the opportunities,
indicators, and information that
allows an organization to raise
major risks before they
adversely affect operations and
hence the business.
• A major output of this step is
the Risk Statement.
33. …Risk Identification - Risk Statements
• Root Cause
– A Risk Statement must indicate the root
cause or origin of an identified risk.
– Understanding root causes can help to
identify additional, related risks
– Four major sources of risks in operations
are:
• People
• Process
• Technology
• Environment.
34. …Risk Identification - Risk Statements
• Downstream Effect
– Identification of the outcome of a risk is part of risk
identification process.
– Downstream effect (total loss or opportunity cost) of a risk
helps in appraising the impact of a consequence of a risk on
the business.
– Four major ways which operational risk consequences can
impact on business are:
• Cost
• Performance
• Capability
• Security.
– Understanding the downstream effects of
operational risks can help when ranking risks.
35. …Risk Identification
• Risks List
– The minimum output from risk identification
activities is a clear, unambiguous, consensus
statement of the risks being faced by the
operations staff, which is recorded as a risks
list.
– The risks list in tabular form is the main
input for the next stage (analysis) of the risk
management process and will become the
master risks list used during the subsequent
management process steps.
37. Example risk statements (Root Cause / Condition / Consequence / Downstream Effect)

Root Cause: Inadequate staffing
Condition: The service desk cannot handle the number of calls it is receiving.
Consequence: The SLA will not be met and customers will have to wait longer for support.
Downstream Effect: Reduced customer satisfaction.

Root Cause: Technology change
Condition: CRM software vendor plans to withdraw support for the current version of the product.
Consequence: Existing CRM system will be unsupported.
Downstream Effect: Reduced sales force capabilities because the requested enhancements cannot be developed and no system changes can be made.

Root Cause: New regulatory requirement
Condition: All e-mails and attachments need to be stored for eleven years.
Consequence: Current backup and archiving software cannot accommodate this need.
Downstream Effect: May result in trading restrictions being imposed and negatively affect the organization’s position and image in the market.
39. Analyzing and Prioritizing Risks
• This is the 2nd step in RM process
• builds upon the output of risk
identification to derive information
that can aid decision making in RM
• Here, 3 more elements are added
to the master risks list:
– Risk’s probability,
– Impact; and
– Exposure.
40. …Analyzing and Prioritizing Risks
• Risk’s Probability
– It is a measure of the likelihood that the consequences defined in the risks list would actually occur.
– Usually stated in numeric form, which can include ranges that are interpreted into natural language.
– Example:
Probability range | Probability value used for calculations | Natural language expression | Numeric score
1% - 35%          | 10%                                     | Low                         | 1
36% - 65%         | 50%                                     | Medium                      | 2
66% - 99%         | 85%                                     | High                        | 3
41. …Analyzing and Prioritizing Risks
• Risk Impact
– It is an estimate of the severity of adverse effects, the magnitude of a loss, or the potential opportunity cost should a risk be realized.
– Where possible, measuring impact in financial terms is preferable to a subjective measurement scale.
– In either case, a high impact value indicates a potentially high loss.
– Risk impact should be a direct measure of the risk consequence as defined in the risk statement.
42. …Analyzing and Prioritizing Risks
Sample Alternative Scoring Scale
Score | Criterion    | Schedule impact        | Technical impact
1     | Low          | Slip 1 week            | Slight effect on performance
2     | Medium       | Slip 2 weeks           | Moderate effect on performance
3     | High         | Slip 1 month           | Severe effect on performance
4     | Critical     | Slip more than 1 month | Mission cannot be accomplished
100   | Catastrophic | Unable to deliver      | Mission cannot be accomplished
43. …Analyzing and Prioritizing Risks
• Risk Exposure
– is a measure of an overall threat of a risk,
combining the risk probability with the
impact
– Exposure = (Probability x Impact)
– Where probability and impact are measured
in numbers, it’s convenient to present
exposure in a matrix, and each cell
represents a level of risk exposure – low-
risk, medium-risk, high-risk.
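The scoring rules above, worked through as an added Python example (this is not code from the original slides or from the Microsoft TechNet source): it encodes the probability bands and the sample impact scale, computes Exposure = Probability x Impact for each row of a constructed master risks list, builds the exposure matrix, and ranks the list. The three risks are the deck’s own risk-statement examples; their probability and impact estimates, and the low/medium/high matrix cut-offs, are assumptions made here for illustration.

```python
"""Scoring and ranking a master risks list (added example, not from the slides).

Encodes the deck's probability bands (1-35 % -> 10 %, Low, score 1;
36-65 % -> 50 %, Medium, 2; 66-99 % -> 85 %, High, 3), its sample impact
scale (1 Low, 2 Medium, 3 High, 4 Critical, 100 Catastrophic) and
Exposure = Probability x Impact. Probability/impact estimates and the
matrix cut-offs below are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# (upper bound of the band in %, value used for calculations, label, score)
PROBABILITY_BANDS = [
    (35, 0.10, "Low", 1),
    (65, 0.50, "Medium", 2),
    (99, 0.85, "High", 3),
]

# Sample alternative scoring scale from the deck. The 100 for "Catastrophic"
# makes any catastrophic cell outrank every other cell of the matrix.
IMPACT_SCALE = {1: "Low", 2: "Medium", 3: "High", 4: "Critical", 100: "Catastrophic"}


def probability_band(percent: int) -> tuple[float, str, int]:
    """Map a raw probability estimate (1-99 %) onto (value used, label, score)."""
    if not 1 <= percent <= 99:
        raise ValueError("probability estimate must lie within 1-99 %")
    for upper, value, label, score in PROBABILITY_BANDS:
        if percent <= upper:
            return value, label, score
    raise AssertionError("unreachable: the bands cover 1-99")


def exposure_level(exposure: int) -> str:
    """Bucket a matrix cell into low/medium/high.

    Assumed cut-offs: <= 2 low, <= 6 medium, otherwise high. The deck shows
    the matrix idea but not the thresholds it used.
    """
    if exposure <= 2:
        return "low"
    if exposure <= 6:
        return "medium"
    return "high"


@dataclass
class Risk:
    """One row of the master risks list: the risk statement plus analysis fields."""
    root_cause: str
    condition: str
    consequence: str
    downstream_effect: str
    probability_pct: int  # estimated probability that the consequence occurs
    impact: int           # score on IMPACT_SCALE

    def __post_init__(self) -> None:
        if self.impact not in IMPACT_SCALE:
            raise ValueError(f"impact must be one of {sorted(IMPACT_SCALE)}")

    def exposure(self) -> int:
        """Exposure = probability score x impact score."""
        return probability_band(self.probability_pct)[2] * self.impact


def exposure_matrix() -> dict[tuple[str, str], str]:
    """Exposure level for every (probability label, impact label) cell."""
    return {
        (p_label, i_label): exposure_level(p_score * i_score)
        for _, _, p_label, p_score in PROBABILITY_BANDS
        for i_score, i_label in IMPACT_SCALE.items()
    }


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Order the master risks list by exposure, highest first; ties go to higher impact."""
    return sorted(risks, key=lambda r: (r.exposure(), r.impact), reverse=True)


# Constructed master risks list: the deck's three example risk statements with
# assumed probability/impact estimates.
MASTER_RISKS_LIST = [
    Risk("Inadequate staffing",
         "The service desk cannot handle the number of calls it is receiving.",
         "The SLA will not be met and customers will have to wait longer for support.",
         "Reduced customer satisfaction.", probability_pct=70, impact=2),
    Risk("Technology change",
         "CRM software vendor plans to withdraw support for the current version.",
         "Existing CRM system will be unsupported.",
         "Reduced sales force capabilities.", probability_pct=90, impact=3),
    Risk("New regulatory requirement",
         "All e-mails and attachments need to be stored for eleven years.",
         "Current backup and archiving software cannot accommodate this need.",
         "Trading restrictions and damage to market position and image.",
         probability_pct=40, impact=4),
]

if __name__ == "__main__":
    for r in prioritize(MASTER_RISKS_LIST):
        print(f"{r.exposure():>3} {exposure_level(r.exposure()):<6} {r.root_cause}")
```

Note that the "Technology change" risk (High probability, High impact, exposure 9) outranks the regulatory risk even though the latter has the higher impact score (Medium probability x Critical impact = 8); the ranking is driven by the product, which is why the deck recommends presenting it as a matrix rather than by impact alone.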
46. Planning and Scheduling Risk Actions
• This is the 3rd step in RM process
• This is where outcome of risk analysis &
prioritization translate into actionable plans.
• Detailed strategies and actions for each of the
top risks are developed
• Integrated risk management plans are created
for prioritized risk actions.
• Scheduling ensures integration of the tasks
required to implement the risk action plans
into day-to-day operations activities
– by assigning them to individuals or roles and actively
tracking their status.
47. …Planning and Scheduling Risk Actions
• Consider the following when developing plans to
reduce risk exposure:
– Focus on high-exposure risks.
– Address the condition to reduce the probability.
– Look for root causes as opposed to symptoms.
– Address the consequences to minimize the
impact.
– Determine the root cause, then look for similar
situations in other areas that may arise from
the same cause.
– Be aware of dependencies and interactions
among risks.
48. …Planning and Scheduling Risk Actions
• Operations should consider the following options when developing risk action plans:
– Research
– Accept
– Avoid
– Transfer
• Insurance.
• Using external consultants with greater expertise.
• Purchasing a solution instead of building it.
• Outsourcing services.
– Mitigate
– Contingency.
50. Tracking and Reporting Risk
• This is the 4th step in the RM process
• During tracking, operations adopts data-gathering methods to capture information on changes in risks.
• Identified changes are prepared for action in the next step of the RM process (Control).
• Risk tracking monitors 3 major kinds of change:
– Trigger values
– The risk's condition, consequences, probability, and impact
– The progress of a mitigation plan
• Monitoring is done on 3 main time frames:
– Constant; periodic; and as-needed.
51. …Tracking and Reporting Risk
• Risk Status Reporting
– Operations’ regular risk status reports should consider four possible risk management situations for each risk:
• Resolution - A risk is resolved, completing the risk action plan.
• Consistency - Risk actions are consistent with the risk management plan, in which case the risk plan actions continue as planned.
• Variance - Some risk actions are at variance with the risk management plan, in which case corrective measures should be defined and implemented.
• Changeability - The situation has changed significantly with respect to one or more risks and will usually involve re-analyzing the risks or re-planning an activity.
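The tracking and status-reporting rules above (trigger values, changes in probability and impact, plan progress, and the four reporting situations), worked through as an added Python example that is not part of the original slides. The metric names, thresholds, dates and monitoring readings are constructed; the low/medium/high exposure cut-offs and the order in which the four situations are tested are assumptions made here.

```python
"""Risk tracking and status reporting (added example, not from the slides).

Each tracked risk carries the trigger value that hands it to the Control
step, the exposure recorded at the last analysis, and a mitigation plan with
a due date. Given today's date and a batch of constructed monitoring
readings, the code decides whether a trigger has fired and classifies each
risk into the deck's four reporting situations: Resolution, Consistency,
Variance, Changeability. Names, thresholds, dates and readings are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


def exposure_band(exposure: int) -> str:
    """Assumed cut-offs for a probability x impact matrix: <= 2 low, <= 6 medium, else high."""
    return "low" if exposure <= 2 else "medium" if exposure <= 6 else "high"


@dataclass
class TrackedRisk:
    name: str
    trigger_metric: str       # metric watched during tracking
    trigger_threshold: float  # reaching it means "execute the contingency plan"
    plan_due: date            # when the mitigation plan should be finished
    plan_complete: bool
    previous_exposure: int    # exposure at the last analysis
    current_exposure: int     # exposure after re-estimating probability/impact
    resolved: bool = False    # risk closed because the action plan succeeded


def trigger_fired(risk: TrackedRisk, readings: list[tuple[str, float]]) -> bool:
    """True if any reading of the risk's trigger metric reaches its threshold."""
    return any(metric == risk.trigger_metric and value >= risk.trigger_threshold
               for metric, value in readings)


def classify(risk: TrackedRisk, today: date) -> str:
    """Pick the reporting situation. Order is an assumption: a resolved risk is
    reported as such; a changed exposure band forces re-analysis before plan
    variance is judged; an overdue, unfinished plan is a variance; otherwise
    the plan is consistent."""
    if risk.resolved:
        return "Resolution"
    if exposure_band(risk.previous_exposure) != exposure_band(risk.current_exposure):
        return "Changeability"
    if not risk.plan_complete and today > risk.plan_due:
        return "Variance"
    return "Consistency"


NEXT_ACTION = {
    "Resolution": "close the action plan; move the risk to the retired risks list",
    "Consistency": "continue the risk plan actions as planned",
    "Variance": "define and implement corrective measures",
    "Changeability": "re-analyze the risk and re-plan the activity",
}


def status_report(risks: list[TrackedRisk], today: date,
                  readings: list[tuple[str, float]]) -> list[dict]:
    """One report row per risk: situation, next action, and whether Control must act."""
    report = []
    for r in risks:
        situation = classify(r, today)
        fired = trigger_fired(r, readings)
        action = NEXT_ACTION[situation]
        if fired and situation != "Resolution":
            action = "trigger reached: execute contingency plan (Control step); then " + action
        report.append({"risk": r.name, "situation": situation,
                       "trigger_fired": fired, "action": action})
    return report


# Constructed tracking data for the deck's example risks (all values assumed).
TODAY = date(2024, 6, 1)
RISKS = [
    TrackedRisk("Inadequate staffing", "service_desk_calls_per_day", 500,
                plan_due=date(2024, 7, 1), plan_complete=False,
                previous_exposure=6, current_exposure=6),
    TrackedRisk("Technology change", "crm_support_withdrawn", 1,
                plan_due=date(2024, 5, 1), plan_complete=False,
                previous_exposure=9, current_exposure=9),
    TrackedRisk("New regulatory requirement", "archive_capacity_utilisation_pct", 90,
                plan_due=date(2024, 9, 1), plan_complete=False,
                previous_exposure=8, current_exposure=4),
    TrackedRisk("Accounting and data entry errors", "data_entry_error_rate_pct", 1.0,
                plan_due=date(2024, 3, 1), plan_complete=True,
                previous_exposure=4, current_exposure=1, resolved=True),
]
READINGS = [("service_desk_calls_per_day", 520), ("crm_support_withdrawn", 0),
            ("archive_capacity_utilisation_pct", 75), ("data_entry_error_rate_pct", 0.2)]

if __name__ == "__main__":
    for row in status_report(RISKS, TODAY, READINGS):
        print(f"{row['risk']:<34} {row['situation']:<13} {row['action']}")
```

The staffing risk shows why trigger values are tracked separately from plan progress: its mitigation plan is still on schedule (Consistency), yet the call volume has crossed the trigger, so the contingency plan must be executed now rather than waiting for the plan’s due date.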
53. Controlling Risk
• This is the 5th step in the RM process
• During this step, individuals carry out activities related to contingency plans because triggers have been reached.
• Corrective actions are initiated based on risk tracking information.
• Controlling risk applies strategies to:
– Monitor risk action plans.
– Correct for variations from plans.
– Respond to triggering events.
• The results and lessons learned from implementation of contingency plans are then incorporated into a contingency plan status and outcome report so that the information becomes part of the operations risk knowledge base.
55. Learning from Risk
• This is the 6th step in RM process
• Risk learning should be a continuous activity
throughout the entire risk management
process and may begin at any time.
• focuses on three key objectives:
– Providing quality assurance on the current risk
management activities so that the operations group
can gain regular feedback.
– Capturing knowledge and best practices, especially
around risk identification and successful mitigation
strategies-this contributes to the risk knowledge base.
– Improving the risk management process by capturing
feedback from the organization.
56. …Learning from Risk
• Risk learning uses risk classification to establish useful information for future risk assessments.
• Classification is done around these 2 key aspects:
– New risks
• If operations encounters an issue that had not been identified earlier as a risk, it should review whether any signs (leading indicators) could have helped to predict the risk. The existing risk lists may need to be updated to help identify such risks in the future.
– Mitigation strategies
• To capture experience of strategies that have been used successfully (or even unsuccessfully) to mitigate risks.
57. Conclusion
• Risk Management is an essential process
of the operations
• RM process, irrespective of model
adopted, has a common objective of
safeguarding the business from unwanted
risks that could originate from the business
people, process, technology and
environment.
• Risk Management is a continuous process
consistently carried out throughout the life
time of a business by constant monitoring,
tracking, reviewing and controlling.
61. Case Study
Shed no tears for investors in Silicon Valley Bank (svb). On March 10th the bank, which had $212bn of assets, failed with spectacular speed, making it the biggest lender to collapse since the global financial crisis of 2007-09. Most of svb’s depositors were Bay Area tech startups with accounts holding well in excess of the $250,000 that is insured by the federal government. They had fled and their panic was rational. By loading up on long-term bonds, svb had taken an enormous unhedged bet on interest rates staying low. That bet went wrong, leaving the bank insolvent (or near enough). The fact that shareholders have been wiped out and bondholders will take big losses is not a failure of the financial system. A bad business has been allowed to go bust.
It is what happened next that reveals the flaws in America’s banking architecture. svb probably had enough assets for depositors to have got all or almost all of their money back—but only after a long wait. This left many tech firms facing life in a financial deep-freeze; Roku, a streaming giant, had nearly $500m tied up in svb. Across the technology sector, lay-offs and bankruptcies loomed. And America’s regulators and government seemed to fear that depositors were losing faith in other banks, too. On March 12th they judged svb too big to fail and guaranteed all the bank’s deposits. If the sale of its assets does not cover the costs of the depositor bail-out, a fund that is financed by all banks will have to chip in, penalising the whole industry for the recklessness of a single institution.
62. Here’s how the second-biggest bank collapse in U.S. history happened in just 48 hours
KEY POINTS
The company’s downward spiral began late Wednesday, when it surprised
investors with news that it needed to raise $2.25 billion to shore up its
balance sheet.
“This was a hysteria-induced bank run caused by VCs,” Ryan Falvey, a
fintech investor of Restive Ventures, told CNBC.
All told, customers withdrew a staggering $42 billion of deposits by the end
of Thursday, according to a California regulatory filing.
Now, those who remained with SVB face an uncertain timeline for
retrieving their money.
On Wednesday, Silicon Valley Bank
was a well-capitalized institution seeking to raise some
funds.
Within 48 hours, a panic induced by the very venture capital community that SVB had served and nurtured ended the bank’s 40-year run.
https://www.cnbc.com/2023/03/10/silicon-valley-bank-collapse-how-it-happened.html
Study conducted through interviews with 800+ risk experts across 40 countries. More than one risk could be selected, so the percentages will not add up to 100%.
For the nature of the company, it is important to know its size, its industry, and its goals and objectives. Management should be transparent and knowledgeable. A lot of executive-level turnover (or a lot of turnover in general) may be a red flag that management is not of high quality and may not enforce policies and procedures well, which raises the risk that statements are misstated. When speaking with employees and observing on-site, notice the culture, how employees feel about management and about current policies and processes, and their overall attitude. Interview and observe employees at all levels of the business to get the whole picture. Trend analysis, ratio analysis, reasonableness checks, and reviewing old audit results are all good ways to analyze a company’s past reputation and possible risks.