This document discusses risk management and risk treatment. It defines risk treatment as selecting and implementing responses to risks in line with an organization's risk approach and appetite. Common risk treatment methods include risk avoidance, reduction through internal controls, sharing through insurance, diversification, hedging and outsourcing, and acceptance. Risk reduction can lower the likelihood and severity of risks through activities like internal controls. Risk sharing transfers parts of risk through methods such as insurance, diversification of assets/activities, and hedging. The document also provides examples of a risk register and risk reporting.

1. Risk Management
University of Economics, Kraków, 2012
Tomasz Aleksandrowicz

2. Risk Treatment
Risk monitoring & reporting
Ryanair case study

3. Process
of RM

4. risk treatment (risk mitigation)
• selecting and implementing response to risks
• in line with organizations risk approach and risk
appetite
• decisions as to whether particular risks should be
avoided, reduced, shared (transferred) or accepted

5. risk treatment common methods
• avoidance
• reduction – internal control
• sharing (transfer)
– insurance
– portfolio diversification
– hedging
– outsourcing
• acceptance
• other less common methods

6. risk avoidance
• hold back or exit risk related activities
• in terms of product, geographical region, customer
segment, etc.
• result of organization goals and strategy
• simple and commonly used method

7. risk reduction
• based on prioritization of risks by risk matrix
• activities to reduce:
– likelihood (probability) of a risk
– severity (consequences) of a risk
– both aspects
• costs and benefits taken into consideration
• implemented mostly by internal control
• could be performed by risk function (run by CRO),
internal audit or compliance activities

8. risk reduction – internal control
• system established to provide reasonable
assurance of effective and efficient operation
• internal controls:
– financial (e.g. financial ratios, budgets, variance analysis)
– non-financial quantitative (e.g. customer satisfaction,
wastage, personnel rotation)
– qualitative (e.g. plans, procedures, rules, access to
computers or buildings, project management, corporate
culture)

9. risk sharing – insurance
• protection against hazards by taking out an insurance
policy against an uncertain event
• involves payment of a premium to an insurer
• insurer will compensate the loss in case of event
occurrence
• used only for insurable risks
• internal approach: self-insurance

10. risk sharing – diversification
• using idea of ”don't put all your eggs in one basket”
• wider range of activities/investments lowers the risk
• holding a portfolio of assets/activities/customers
• need of low correlation between portfolio items

11. risk sharing – hedging
• in relation to ‘underlying’ factor (e.g. interest rate,
currency exchange, commodity, share or bond price)
• implemented by instruments with opposite-value
movements to the ‘underlying’ (i.e. negative
correlation)
• protection from unfavorable movement of an
‘underlying’ while still benefit from favorable
movement

12. risk sharing – outsourcing
• transfer activities or processes to third party
• release organization sources
• possible process improvement and expertise

13. risk acceptance
• precise definition what could be accepted
• no action taken in relation to the risk
• should be covered by day-to-day business activities
and its budget

14. risk treatment pro-active methods
• performance and quality management
• public relations
• lobbying
• strategic alliances
• mergers and acquisitions
• public aid utilization

15. RM process
Risk treatment
Ryanair case – create risk treatment ideas

16. risk list
company related
1. fuel costs and availability
2. rapid growth of the company
3. website or check-in systems breakdown
industry related
1. some of government air travel taxes
2. threat of terrorism
3. currency exchange fluctuations

17. risk monitoring
• continuous process based on risk framework
• undertaken by risk owners, management and the
board (or equivalent)
• many methods, commonly used: checklists, risk
register, information scanning, media monitoring
• risk register
– commonly used by organizations
– no standardized format
– most important items form risk register are subject of risk
reporting

18. risk register – examples of criteria
• risk number (an unique identifier)
• risk category
• description of risk
• date risk identified
• name of person who identified risk
• likelihood
• consequences
• a monetary value, if such can be allocated to the risk
• interdependencies with other risks

19. risk reporting
• based on monitoring process
• in line with financial reporting
• reporting for internal audience: management and the
board
• reporting for external audience:
– investor relations (quarterly and annual reporting)
– regulatory reporting (e.g. SOX or Basel II)
• reporting covers:
– identified risks and its treatment
– prioritized actions for decision makers
– process of risk management review