Chapter 7: Risk Assessment and Mitigation

Chapter Author: Sumisha Surendran

Introduction

Risk management is the process of detecting, preventing, assessing, and mitigating present and potential risks to an organization’s success. These risks can manifest themselves in various ways, including financial risk, strategic risk, reputation risk, liability risk, security and compliance risk, natural risk, and many others.

Broadly, the risk management process, depicted below in Figure 1, comprises three significant blocks: (1) risk assessment, (2) risk control and prioritization, and (3) risk review and monitoring. Each of these blocks can be broken into several sub-processes. Using this three-block approach to risk management (also known as an “aggregated approach”) is sometimes called Enterprise Risk Management (ERM) [1].

Risk Management Block 1: Risk Assessment

Risk assessment is comprised of two components: (1) identifying and classifying the risk(s) and (2) risk analysis.

(1) Identifying and Classifying Risks

Identifying and tracking risks that might arise in an organization offers significant benefits. Working on a project and detecting potential risks may initially appear to be a setback; on the contrary, anticipating potential risks well before their existence is highly beneficial to the prospective stakeholders. Being able to anticipate risks can help the system’s creators and developers plan for opportunities and difficulties. Identifying risks before implementation can also help reduce the costs of “fixes” that are found after the system is live.

To classify risk, it can be useful to think through the different types of risks that affect an organization. These categories include, but are not limited to [2]:

• Financial risks
• Strategic risks
• Operational risks
• Accidental risks
• Reputation risks
• Technical risks
• Procedural risks

(2) Risk Analysis

Risk analysis is the process of determining the likelihood of an unfavourable incident occurring. One of the most important parts of risk management is figuring out the likelihood. Risk analysis deals with unforeseen risks and uncertainties and addresses them before they become a liability. There are two types of risk analysis in most organizations: (1) qualitative risk analysis and (2) quantitative risk analysis.

Qualitative risk analysis is concerned with subjective interpretation of the risk’s potential severity.

The primary goal of qualitative risk analysis is to question the severity of what could happen. The Risk Assessment Matrix, Figure 2, is a graphical illustration of this goal.

The primary goal of quantitative risk analysis is to calculate an objective understanding of the risks, often using data that can be verified and analyzed [3].

Quantitative risk analysis focuses on objective understanding of the risks.

Calculating the risk value reveals the exact level of risk and aids in making better-informed decisions. Completing quantitative risk assessments can help organizations illustrate the significance and scale of risk. The formula below can be used to calculate risk value [4]:

Risk Value  =  Estimated Loss Due to Event  x  Probability of Event Occurrence

Let’s consider this formula with an example. Assume we’re in a circumstance where we must choose between two dangers before continuing to travel along a road. The two dangers are named Event A and Event B. Each event has a probability of occurrence and estimated loss due to the event. See below for the details:

Event A
 the probability of occurrence is 1%
the estimated loss due to event A is $10,000

Event B
the probability of occurrence is 5%
the estimated loss due to event B is $5,000

By using the risk value formula, we can see the following quantitative results for each event:

Event A risk value:  0.01 x 10000 = 100
Event B risk value:  0.05 x 5000 = 250

Although the estimated loss caused by Event B would be half of that caused by Event A, the magnitude of the loss caused by Event B is substantially greater due to the chance of occurrence. In this example, then, we would not want to take the added risk with Event B. We would therefore continue with Event A in this situation.

Risk Management Block 2: Risk Control and Prioritization

Once the risk has been identified and analyzed, the next stage is to prioritize the risk based on its significance and likelihood and then act on that information to manage the risk. Deciding which risks to work on first is known as risk prioritization. This should be based on the possibility of risk and its impact as determined during the risk analysis step. The risk evaluation matrix, which is calculated using the risk value, is used to prioritize risks.

And, after prioritization, the risks need to be managed. To do this, there are 4 common strategies [1]:

(1) Risk Acceptance:  Organizations may do this if they believe the risk’s likelihood to be low or the potential harm from the risk is insignificant. Organizations manage risk by comprehending the possible repercussions of risk and acknowledging the possibility of such effects without control or mitigation.

(2) Risk Transfer: The goal here is to transfer or shift the risk to other business areas or to outside entities accepting the risk, such as insurance firms. The idea is that the other entity that accepts the risk is already an expert in the topic and will handle it better.

(3) Risk Mitigation: Risk mitigation entails putting policies and processes in place to decrease the negative consequences of an event. Incident response plans, disaster recovery plans, and business continuity plans are examples of risk mitigation measures.

(4) Risk Avoidance: Applying safeguards that eliminate or decrease business risks that can hurt the organization’s assets is what risk avoidance is all about. While risk management works to control risks’ damages and financial repercussions, risk avoidance seeks to avoid the risks completely.

Risk Management Block 3: Review and Monitor Results

The final but most important element of the risk management cycle is to analyze the actions and regularly monitor the situation for any improvements and corrections. The key beneficial effect of this phase is learning from failed cases in order to improve for similar situations in the future. Another important takeaway: successful cases teach us the best tactics to emulate.

Importance of Risk Management

Risk management is critical. In an era of evolving technology, where we have numerous opportunities to sculpt new products, features, and services every day, new risks emerge regularly, many of which are related to or caused by the now-ubiquitous usage of digital technology. We must be prepared to confront the consequences and manage any risk. Consider the previous chapter on the ethics of emerging technology. Imagine how “risk assessment and management” become integral parts of ethical technologies.

Risk management is the best strategy to prepare for unforeseen events that impede progress and growth. A competent risk management program identifies the risk and investigates the relationship between risks and the possibility for cascade effects. Using a risk management strategy, stakeholders may identify potential risks, the likely impact of those risks, and how to eliminate or reduce the impact of those risks. Furthermore, progressive risk management guarantees that high-priority risks are dealt with as aggressively as possible [5].

Risk management is critical in an organization because a company cannot establish its long-term goals without it. If a corporation specifies its objectives without considering the risks, it will likely lose focus whenever any risks become reality. And, as we stated in the previous section, organizations must move quickly to deal with risks as they emerge, which cannot be accomplished if risk management is delegated to the back office.

Correlating Values to Business Case

As we discussed in the previous section, risk management is vital for an organization and can benefit it in many ways. The most significant source of uncertainty in any organization is risk in its many forms. Risk management is critical, and failing to have a plan can create severe consequences for a company. The consequences of failing to manage risk can vary depending on the risk event. Still, it might include financial loss, employee harm, company interruption, tarnished reputation, or failure to meet corporate objectives. There are several other potential repercussions for failing to manage risk, each one specific to the risk occurrence, and all of them will damage corporate performance. This emphasizes the importance of successful risk management for an organization. As a result, businesses are increasingly focusing on detecting and controlling risks before they impact the business.

The capacity to manage risk will allow businesses to form more confident business decisions within the future. Organizational understanding of the risks they face will provide the organization with many options for coping with future issues.

The organization can significantly reduce or eliminate collateral harm and losses if a plan is in place and the relevant individuals know how to activate it. Knowing which risks are most likely to arise helps paint a more accurate picture of the corporate insurance landscape. A successful risk management plan can save the firm a significant amount of human labour, time, and income loss. In addition, many risk management failures help organizations to create and implement the right policies. So, whether it succeeds or fails, having a risk management plan in place can support organizational goals.

Organizations can gain more leverage from technological breakthroughs if they are prepared to deal with risks ahead of time through a risk management plan. Emerging technologies like machine learning and artificial intelligence hold considerable promise for assisting risk managers in identifying specific threats and developing speedier solutions. Among other advantages, these technologies can help managers focus their efforts on severe dangers to vital sections of the company by reducing lower-risk regions.

In summary, the benefits of creating a risk management plan are as follows:

• Risk management generates financial gains
• Risk management reduces the occurrence of unplanned events and prepares the organization for handling a risk event
• Project success is enabled through risk management
• Risk management allows organizations to save time and effort
• Risk management helps to avoid reputation difficulties
• Decisions are guided by risk management

Managing the Risks of Risk Management

Organizations must tread cautiously when implementing risk management. Risk management involves complex calculations, making it difficult to handle without automated technologies. Further, such a comprehensive risk management process may not be feasible for all organizations. Its implementation may occasionally be more expensive than the loss caused by the anticipated risks.

There are a few scenarios in which devoting too much time to identifying and controlling an unlikely risk diverts resources that could have been used more efficiently and profitably. And, if the risk is unlikely to occur, it may be preferable to retain the risk and deal with the consequences more simply.

Time spent on development and research must be allocated for training to accomplish proper risk management execution. Furthermore, acquiring information for strategic planning takes a long time in risk management. And if not done correctly, it might result in losses that exceed the risk itself [6].

As we saw in the previous section, risk management demands extensive calculations, which mandate the use of well-designed software. Training is frequently required because risk management software can be challenging to grasp. If this is not done correctly, the risk management plan will not function as intended. To avoid this, businesses should devise a well-structured training program for employees on software and procedures. Employees who have been adequately trained are less likely to misuse it and misinterpret the results.

Another factor that many organizations may find to be a roadblock in implementing a risk management plan is the cost of the software. To effectively manage this, firms can determine which modules are essential and helpful to the organization and select only those software modules that can cut costs to some extent [6].

A Case Study

“How Evaluating Risk Can Prepare You for the Worst of Climate Change”

Link to read about it: https://commercialobserver.com/2022/01/how-evaluating-risk-can-prepare-you-for-the-worst-of-climate-change/

References

[1] L. Tucci, “What is Risk Management and Why is It Important?” SearchCompliance, October 12, 2021. [Online]. Available: https://searchcompliance.techtarget.com/definition/risk-management. [Accessed: January 1, 2022].

[2] T. Six, “15 Categories for Project Risks,” Ten Six Consulting, February 18, 2019. [Online]. Available: https://tensix.com/15-categories-for-project-risks/. [Accessed: 02-Jan-2022].

[3] I. Horvath, “Difference between Qualitative and Quantitative Risk Analysis,” Invensis Learning Blog, July 16, 2021. [Online]. Available: https://www.invensislearning.com/blog/qualitative-vs-quantitative-risk-analysis/. [Accessed: 01-Jan-2022].

[4] P. Khirieva, S. A. Martynov, А. А. Bystritskiy, L. V. Adamyan, W. Beni, G. Tellechea, and S. M. Najjar, “There is a Definition of Risk by a Formula: ‘risk = probability X loss’. What Does It Mean?,” ResearchGate, November 12, 2020. [Online]. Available: https://www.researchgate.net/post/There_is_a_definition_of_risk_by_a_formula_risk_probability_x_loss_What_does_it_mean. [Accessed: 02-Jan-2022].

[5] “Risk Management,” Corporate Finance Institute, April 27, 2021. [Online]. Available: https://corporatefinanceinstitute.com/resources/knowledge/strategy/risk-management/. [Accessed: January 1, 2022]

[6] C. Larmore, “The Disadvantages of Risk Management Software,” Bizfluent, February 11, 2019. [Online]. Available: https://bizfluent.com/. [Accessed: January 1, 2022].

Instructor Guide