1/uts

Chapter I
Risk Management
Aim
The aim of the chapter is to:
introduce the concept of risk
discuss risk management
analyse the risk management process
Objectives
The objectives of the chapter are to:
classify the different types of risks
determine the need and aims of risk management
state the principles of risk management
Learning outcome
At the end of this chapter, the students will be able to:
explain pure, static, dynamic, fundamental, particular and speculative risk
discuss the role of reporting in risk management
recognise the importance of documentation in risk management
Risk Management
2/uts
1.1 Introduction
In general terms, the word 'Risk' means an apprehension or a threat of something unwanted happening. In the words
of James Neill, the concept of Risk usually refers to the probability of loss of a valued resource. The word 'Risk
' has multiple usages. For example, it may refer to a chance or a probability (risk of exposure), a consequence or
impact (the risk from smoking), or a perilous situation (a hazardous waste plant creates a risk). Interpretations
of the word risk have evolved linguistically on the basis of involuntary or voluntary events. For example, danger
is often used to describe an involuntary event, whereas peril may be used to describe a voluntary event.
Despite the widespread use of this word, there is no single universal defnition of the word.
Risk in the context of insurance business implies taking wise investment decisions with correct reading of the market
situation to offset probable losses with gains. Usage of the word risk in the context of health and environmental
risks integrates two ideas; frstly that the situation has the potential for detrimental consequences; and secondly that
there is some improbability associated with the circumstances.
There is an uncertainty of whether a hazardous event will occur; when or where it will occur; who or what will be
affected; and the magnitude of the consequences. Risk, in this sense, includes both the possibility and the character
of the detrimental event. A statement of risk based solely on one aspect of risk, such as the probability of occurrence,
has been referred to as a single dimensional risk. Financial or insurance risks are primarily single dimensional risks,
as are statements on health risks that are restricted to the chance of occurrence.
1.2 Types of Risks
The basic factors of risk management are:
Fig. 1.1 Types of risks
Risks under the pure risk category would be easily recognisable, noticeable and damages are based on the action
of perils. However, it will be very diffcult to understand and analyse the speculative risk.
Static risks are those which are on account of inherent physical properties of elements. Some elements would
cause more danger when they are kept under cover. On the other hand, some elements would cause more losses
when they are kept uncovered. Even though they are stationary, they are capable of causing losses.
Dynamic risk is a loss increasing on account of some activity being triggered as a chain of activities. It is like
a dynamo ftted to a bicycle, the basic activity is to pedal the cycle. While pedalling the bicycle, the wheel
moves and then with the movement of the wheel, another wheel attached to the dynamo also moves, with the
movement of that wheel the dynamo is working, with the working of the dynamo, electricity is produced, with
3/uts
the electricity produced, the headlight ftted to the bicycle is illuminated. Basically, the bicyclist is not pedalling
the bicycle for the light; he is pedalling the bicycle to travel. However, that action could lead to the production
of electricity.
There are certain fundamental risks which are built-in with the perils. Wherever the fundamental risk exists, they
would cause losses and a study will have to be made on a particular risk basis. Whichever subject or whichever
activity is taken for study, the entire consideration should be made particularly to that risk.
Risk management is necessary for each and everyone.
1.3 Risk Management
Understanding risk involves the governance function of risk management. Risk management means reducing
the threats posed by known hazards, whilst simultaneously accepting unmanageable risks, and maximising any
related benefts.
Organisations face different types of risks in a specifc and unconnected manner. There are methods of defnition
and control, which are collected in a systematic approach known as Risk Management, which provides
reasonable defence against the possible verifcation of harmful events.
Risk Management can therefore be defned as a group of actions that are integrated within the wider context
of a company organisation, which are directed toward assessing and measuring possible risk situations as well
as elaborating the strategies necessary for managing them.
It is also defned as The process of analyzing exposure to risk and determining how to best handle such
exposure.
Risk Management strategies can be targeted toward all or only some of the different types of potential risk,
that is, the specifc areas of possible uncertainty that affect the life of a company or organisation.
Company risks are normally classifed within three large categories:
Risks inherent to the external context (e.g.: emergence of unfavourable laws and/or regulations; negative
changes to market conditions; technological innovations that favour competitors; etc.);
Risks inherent to operative management (e.g.: non compliance with contractual requirements; possible loss
of market share; possible loss of skills; possible physical damage to personnel; possible environmental
pollution; etc.);
Risks inherent to fnancial management (e.g.: diffculty in collecting accounts receivables; unfavourable
changes in exchange rates; imbalances in liquidity; etc.).
Each of these risks may lead to direct and/or indirect damage to the organisation, with economic implications
that may also be considerable in the short, medium and long term.
1.3.1 Aim of Risk Management
The basic aim of risk management is to arrive at the possible quantum of loss and then take a decision towards
avoidance. It also takes a decision to transfer, hedge and insure and further reinsure or it could be a combination
of all these.
The basic requirements in risk management study lie with the identifcation of perils, which may affect the
property in a situation under certain severe circumstances. Thus without identifying the perils, which may cause
loss, danger, accident, harm, injury, etc., it will not be possible to move further for quantifcation.
Thus, identifcation and a detailed study of perils is the most important basic factor of risk management. The
perils could be natural, what normally is called an Act of God. These perils could take place on the earth, for
instance, earthquake; in water, for instance, tsunami; they could also take place in the air, for instance, lightning
or in the sky like falling objects. The perils could be in property, in elements, in materials, in the stores, in the raw
materials. These could be on account of their physical, chemical, mechanical, biological, electrical properties.
Risk Management
4/uts
1.4 Principles of Risk Management
There are risk management principles by International standardisation Organisation and by Project Management
Body of Knowledge. A combined view of principles identifed by ISO and PMBK is as follows
Organisational Context: Every organisation is affected to varying degrees by various factors in its environment
(Political, Social, Legal, and Technological, Societal etc). For example, an organisation may be immune to
change in import duty whereas a different organisation operating in the same industry and environment may
be at a severe risk. There are also marked differences in communication channels, internal culture and risk
management procedures. The risk management should therefore be able to add value and be an integral part of
the organisational process.
Involvement of Stakeholders: The risk management process should involve the stakeholders at each and
every step of decision making. They should remain aware of even the smallest decision made. It is further in
the interest of the organisation to understand the role the stakeholders can play at each step.
Organisational Objectives: When dealing with a risk it is important to keep the organisational objectives in
mind. The risk management process should explicitly address the uncertainty. This calls for being systematic
and structured and keeping the big picture in mind.
Reporting: In risk management communication is the key. The authenticity of the information has to be
ascertained. Decisions should be made on best available information and there should be transparency and
visibility regarding the same.
Roles and Responsibilities: Risk Management has to be transparent and inclusive. It should take into account
the human factors and ensure that each one knows it roles at each stage of the risk management process.
Support Structure: Support structure underlines the importance of the risk management team. The team
members have to be dynamic, diligent and responsive to change. Each and every member should understand
his intervention at each stage of the project management lifecycle.
Early Warning Indicators: Keep track of early signs of a risk translating into an active problem. This is achieved
through continual communication by one and all at each level. It is also important to enable and empower each
to deal with the threat at his/her level.
Review Cycle: Keep evaluating inputs at each step of the risk management process - Identify, assess, respond
and review. The observations are markedly different in each cycle. Identify reasonable interventions and remove
unnecessary ones.
Supportive Culture: Brainstorm and enable a culture of questioning, discussing. This will motivate people to
participate more.
Continual Improvement: Be capable of improving and enhancing your risk management strategies and tactics.
Use your learnings to access the way you look at and manage ongoing risk.
1.5 Risk Management Perils
The perils could be man-made; they could be on earth or in water, or in the air or in the sky. Perils could also be on
account of different things as follows:
5/uts
Fig. 1.2 Risk management perils
1.5.1 Risk Management of Life Perils
Life perils could be due to several reasons. The reasons are depicted in the fgure below.
Fig. 1.3 Risk management of life perils
1.6 Risk Management Process
Different organisations use different approaches to organise their risk management activities. A commonly used
approach is as follows:
Risk Management
6/uts
Fig. 1.4 Risk management process
The risk management process is planned and structured.
The risk process is integrated with the acquisition process.
Developers, users, procurers, and all other stakeholders work together closely to implement the risk process.
Risk management is an ongoing process, with continual monitoring and reassessment.
A set of success criteria is defned for all cost, schedule, and performance elements of the project.
Metrics are defned and used to monitor effectiveness of risk management strategies.
An effective test and evaluation program is planned and followed.
All aspects of the risk management program are formally documented.
Communication and feedback are an integral part of all risk management activities.
7/uts
Although the risk management program should be modifed as per the organisations needs, it should incorporate
the basic characteristics mentioned.
Planning
Risk planning includes developing and documenting a structured, proactive, and comprehensive strategy to deal
with risk. Key to this activity is the establishment of methods and procedures to do the following:
Establishing an organisation to take part in the risk management process.
Identify and analyse risks.
Develop risk-handling plans.
Monitoring or tracking risk areas.
Assigning resources to deal with risks.
Assessment
Risk assessment involves two primary activities, risk identifcation and risk analysis. Risk identifcation begins
early in the planning phase and continues throughout the life of the project. The following methods are often used
to identify possible risks:
Brainstorming.
Evaluations or inputs from project stakeholders.
Periodic reviews of project data.
Questionnaires based on taxonomy, the classifcation of product areas and disciplines.
Interviews based on taxonomy.
Analysis of the Work Breakdown Structure (WBS).
Analysis of historical data.
When identifying a risk it is essential to do so in a clear and concise statement. It should include three
components:
Condition - A sentence or phrase briefy describing the situation or circumstances that may have caused concern, 1.
anxiety, or uncertainty.
Consequence A sentence describing the key negative outcomes that may result from the condition. 2.
Context Additional information about the risk to ensure others can understand its nature, especially after the 3.
passage of time.
Another part of assessment is risk analysis. It is the procedure of examining each risk to refne the risk description,
isolate the cause, calculate the probability of occurrence, and determine the nature and impact of possible effects.
The result of this process is a list of risks rated and prioritised according to their probability of occurrence, severity
of impact, and relationship to other risk areas
Handling
Risk handling is the process that identifes, evaluates, selects, and implements options for mitigating risks. There
are two approaches that are used in handling risk.
Employ options that reduce the risk itself.
(It usually involves a change in current conditions to lessen the probability of occurrence.)
Use options that reduce the negative impact to the project if the risk condition should occur.
(It is often employed where risk probability is high.)
Monitoring
The process of continually tracking risks and the effectiveness of risk handling options to ensure risk conditions do
not get out of control is known as Risk Monitoring. This is achieved by identifying the baseline risk management
plans, understanding the risks and risk handling options, establishing meaningful metrics, and evaluating project
performance against the established metrics, plans, and expected results throughout the acquisition process. Continual
monitoring also enables the identifcation of new risks that may become apparent over time. It also discovers the
Risk Management
8/uts
interrelationships between various risks.
Documentation
Risk documentation consists of recording, maintaining, and reporting risk management plans, assessments, and
handling information. It also includes recording the results of risk management activities, providing a knowledge
base for better risk management in later stages of the project and in other projects. It is absolutely essential for the
current, as well as future, projects. Documentation should include as a minimum the following information:
Risk management plans.
Project metrics to be used for risk management.
Identifed risks and their descriptions.
The probability, severity of impact, and prioritisation of all known risks.
Description of risk handling options selected for implementation.
Project performance assessment results, including deviations from the baseline plans.
A record of all changes to the above documentation, including newly identifed risks, plan changes, etc.
1.7 Risk Management - Construction Style
Some of the perils are on account of construction styles like:
BT Build and Transfer
BTO Build, Transfer, Operate
BOT Build, Operate and Transfer
BOOT Build, Own, Operate and Transfer
BOONT Build, Own, Operate and No Transfer
Some of the infrastructure projects of high value, which are being executed now-a-days, are on the BOOT and the
BOONT systems. With this contractors, who were earlier responsible for only the construction activity and got
rid of their responsibilities once the property was completely handed over on receipt of payment, now have to be
responsible for not only owning such property but also for operating and allowing the owner to avail the facility
for his purpose.
Quantifcation
Loss could be material damage; it could be total loss or partial loss. The loss could be life damage, again it
could be total loss or partial loss, the loss of life and material can also lead to consequential losses, like business
interruption. Though the factory becomes silent on account of the accident, while other expenses are on hold,
some of the expenses continue during that period like rent, tax, etc.
Therefore, consequential loss policies have to cover these. Further damage caused by an accident within the
premises of a plant could also lead to certain damages beyond the premises, like a car on the road meeting an
accident, could not only itself be damaged, injure people within the car but can also cause damage to others
property and injuries to others life. This is the third party liability.
Risk management calls for quantifcation of own losses, consequential losses and third party losses. The losses
have to be estimated with the sequence of damage or incidents taking place and the chain reactions based on
these.
Analysis
Having analysed, the quantum of possible loss based on the data of past happenings and history, the estimated
loss could be reasonably arrived at a realistic level. Thus we arrive at the quantum of loss on account of a set
of perils acting at any time under a set of circumstances.
Having arrived at the quantum of loss, it is necessary to take appropriate decisions. The decisions could be either
to bear all losses without bothering any further or to fnd a partner who will share the losses for transferring the
risk, losses to another company that is an insurance company. Risk management decides the quantum of possible
loss, at any plant, the level of losses, which could be borne, the level to which he can arrange somebody to
9/uts
share and the quantum to be transferred to the insurance company. Risk management decides to bear, to share,
to transfer.
The insurance company will also have to make a thorough risk management study to accept the risk, to bear
such losses on behalf of somebody and further they may have to make a study of the extent, they can bear, they
can share and they have to transfer. The share here is basically called co-insurance and the transfer is called
reinsurance.
Risk management study could now become necessary for the reinsurance people. They will make an in-depth
study of the quantum of losses, that could be and based on their capacity, they may have to decide to the extent
they would like to bear, the extent they would like to share and extent they are required to transfer and their
transfer would be to the pool. It is for the individual owner to initially study the possible perils at strike, the
hazardous conditions they can create, the quantum of losses they could make and to take a decision to the extent
to which he would like to bear, he would like to share, he would like to transfer.
Similarly, for the insurance companies, when a decision is taken to transfer the risk to somebody, some
consideration would become necessary to insure for the loss. The insured has cover from an insurance company
by paying a premium that is the consideration, based on the property identifed against a set of perils, at a rate
decided by the company for such transfer of risk. The rate could be a tariff rate or agreed rate or a market rate
or a rate based on risk management study.
Insurance
Identifcation of perils
Identifcation of property / materials / machines / life, etc.
Identifcation of values
Arrival at sum insured/assured/identifed/agreed/estimated
Arrival at premium
All based on inspection
Inspection
To be of authentic nature, risk management suggests estimation of loss only on inspection, which literally means
looking at the object at the place of its location that is on-site view. However, before going to the actual site or plant
or place of the activity, it is necessary to inspect the site with reference to various detailed data and maps.
The frst inspection would be of the world map especially designed by Swiss-re, Munich-re, natural disasters like
volcanoes, earthquakes, wind movements, storms, and cyclones. We would be in a position to understand, the
quantum of perils or the type of disaster to which the plant is subjected.
Example: Inspection of a plant at Balewadi, Pune, Maharashtra, India
it would be necessary to inspect the map of India with regard to the coastal line, river line, mountain line,
hill range, wind direction, seasons of the year, monsoons, cyclone direction, etc.
Then it would become necessary to study the map of Maharashtra, so that the surroundings of Pune would
also been known very clearly.
Then we should study the map of Pune and special attention should be paid to the location of fre brigades,
the route from those fre brigades to the plant, the width of such approach roads, the distance would also
be necessary.
Then the source of water at that location. A study of the law and order situation of Pune city would also
become necessary.
Then a detailed study should be made of Balewadi itself, this will help us know the number of industries,
plants, manufacturing units, located around the plant, which we are going to inspect for the Risk management
study. Special attention should be given to the reserve quantum of water, the system established for security,
the force adopted, engaged for fre fghting and the number of fre fghting engines they have and all such
details. This will help us further to have a mutual aid system; So that whenever any incident takes place in
any plant, all resources put together, can fght for a quick release.
Risk Management
10/uts
Then the actual layout plan of the plant should be studied. Before surveying from inside, a survey should also
be made along the periphery of the compound wall from outside the ground. This will enable to understand
the possible perils which can strike unnoticed from outside, even though they are just on the other side of
the compound wall, they are not visible to us, they could be in a greater position to damage the property
which is inside.
There could be some gutter, natural fow of water, and some authorised residences, some unauthorised
residences and some people might even use the compound wall itself, as the wall of their houses. A study
from along the periphery from outside would give us various inputs, which should be useful while making,
while analysing, while evaluating the quantum of losses or the chances of danger.
Then a complete study within the entire boundary wall of the plants must be made very carefully. A study
should be made along with the well detailed layout plan, examining each and every building, plant, godown,
workshop, scrap yard, store yard, dump yard, in gate, out gate, reserve water tank, hazardous goods storage,
fnished goods storage, raw material storage, overhead tank and if any installation of smoke detectors, fre
detectors, smell detectors, weather detectors and installation of sprinklers, raisers, automatic wet raisers,
sprinklers, etc.
The system adopted for maintaining the premises is the most important aspect; in addition to that the condition
of the building, the quality of the structure would give additional inputs. Having seen the entire plant very
carefully, having evaluated the quantum of value of estate, category wise, duly listed, it becomes necessary
to study the fow chart. The fow chart would indicate the entire process or the activity of the plant.
With the incoming raw materials from various directions being fnished, adjusted and then moving towards
the manufacturing unit to come out as the fnal output. All actions one after one, would lead us to understand
the scope of all activities and the system adopted in any section.
All of the plants would need some type of energy to undergo the process of manufacture. It could be boilers,
pressure vessels, coal, gas, petrol, diesel or electricity or it could be to some extent very rarely, solar or
electricity generated by wind. The study of the source of energy, the level of that energy and the quantum
of energy utilised for a day, will give an indication and help understand the gravity of the situation.
Further, if it is a chemical reaction plant, where many types of raw materials, under different processes
being brought to one central processing unit for the fnal product, the study calls for very high skills. Where
it goes through the chemical reactive manufacturing system and then comes out altogether a new product.
It maybe that it cant be seen with the naked eye, as it is completely sealed and covered and concealed
in a container, wherein we are not in a position to check what is going inside and what has come out and
unable to check what is really happening during that manufacturing process, an in-depth study knowledge
is a must for the risk manager.
An in-depth study of the physical, chemical, biological, characters of these raw materials, should be made
very carefully, in case either the energy or the fnished material or the raw material is of hazardous nature.
Then a team of engineers, who are prepared to undergo this hazardous inspection, should make further
detailed study based on actual inspection of the manufacturing process very thoroughly.
The atmosphere within the plant will not be so cosy, the inspectors will have to undergo all sorts of diffculties,
dangerous situations, be uncomfortable, be uneasy while doing the inspection. Without such proper inspection,
the risk manager would not be in a position to evaluate the quantum of losses or the chain of reactions.
So the team of engineers should be well prepared, well taught, well guided, well treated and well
examined.
For actual site inspection in the plant they may have to wear helmets, they may have to wear thick heavy
shoes, put on goggles, or some uniform. They have to skip their smoking, chewing habits and they cannot
carry any restricted items. It will be diffcult to look up or look down, so easily in such situations. Morning to
evening they will have to be moving from one end to the other end, carefully observing, critically watching,
mentally analysing all the processes which are taking place in that plant.
Team
The team of inspectors depending upon the type of activity or the process of manufacture will consist of various
professionals, like
11/uts
Engineers: civil, mechanical, electrical, chemical, automobile computer, electronics, structural architecture,
etc.
Scientists: physicists, chemists, biologists, etc.
Dreamers, imaginers, pessimists, optimists, realists, averagists, standardists.
Accountants: standard, chartered, cost, professional
Lawyers/Advocates, legal experts
Doctors, Chemists.
Thus, the well-prepared team should thoroughly inspect the plant for identifying the perils, the circumstances, the
sequence in which the incident could have taken place and to identify the property at risk and estimate the loss.
Thus the entire process is to identify the peril and property and estimation of quantity.
Risk Management
12/uts
Summary
Risk in the specifc context of insurance business implies taking wise investment decisions with correct reading
of the market situation to offset probable losses with gains. Usage of the word 'Risk' in the context of health and
environmental risks integrates two ideas; frstly that the situation being discussed has the potential for detrimental
consequences; and secondly that there is some improbability associated with the circumstances.
There is uncertainty whether a hazardous event will occur; when or where it will occur; who or what will be
affected; and the magnitude of the consequences. 'Risk', in this sense, includes both the possibility and the
character of the detrimental event. A statement of risk based solely on one aspect of risk, such as the probability
of occurrence, has been referred to as a single dimensional risk.
Types of risks are: pure risk, speculative risk, dynamic risk, static risk, fundamental risk, particular risk.
Risk Management can be defned as a group of actions that are integrated within the wider context of a company
organisation, which are directed toward assessing and measuring possible risk situations as well as elaborating
the strategies necessary for managing them
The basic aim of Risk Management is to arrive at the possible quantum of loss and then take a decision towards
avoidance. It also takes a decision to transfer, hedge and insure and further reinsure or it could be a combination
of all these.
Risk planning includes developing and documenting a structured, proactive, and comprehensive strategy to
deal with risk
Risk assessment involves two primary activities, risk identifcation and risk analysis. Risk identifcation begins
early in the planning phase and continues throughout the life of the project
Risk handling is the process that identifes, evaluates, selects, and implements options for mitigating risks.
The process of continually tracking risks and the effectiveness of risk handling options to ensure risk conditions
do not get out of control is known as Risk monitoring
Risk documentation consists of recording, maintaining, and reporting risk management plans, assessments, and
handling information.
References
Fundamentals of risk management. Available at: <http://www.ewf.be/media/documentosDocs/doc_16_ewf-
644-08-fundamentals-of-risk-management.pdf> Accessed 1
st
March 2011
Risk Management Chapter 5. Condensed GSAM Handbook. Available at: < http://www.ewf.be/media/
documentosDocs/doc_16_ewf-644-08-fundamentals-of-risk-management.pdf> Accessed 1
st
March 2011
Risk Management. Available at: <http://www.investorwords.com/4304/risk_management.html> Accessed 1
st

March 2011
Understanding risk: concepts and elements. IGNOU. Available at: <http://www.egyankosh.ac.in/
bitstream/123456789/3142/1/Unit%2002.pdf> Accessed 1
st
March 2011
Recommended Reading
Fundamentals of Risk Management: Understanding, Evaluating and Implementing Effective Risk Management
[Paperback]. Paul Hopkin. Publisher: Kogan Page (June 28, 2010).Paperback: 384 pages.
The Complete Idiots Guide to Risk Management [Paperback].Annetta Cortez. Publisher: Alpha (February 2,
2010). Paperback: 368 pages
The Essentials of Risk Management [Hardcover].Michel Crouhy, Dan Galai, Robert Mark. Publisher: McGraw-
Hill; 1st ed. (December 14, 2005). Hardcover: 416 pages.
15/uts
Chapter II
Risk Assessment, Analysis and Evaluation
Aim
The aim of this chapter is to:
provide an in-depth view of risk assessment, analysis and evaluation
examine steps in risk assessment
determine statistical methods used in risk evaluation
Objectives
The objectives of this chapter are to:
familiarise with risk categorisation
classify different techniques in to risk identifcation and risk analysis
get acquainted with risk estimation
Learning outcome
At the end of this chapter, the students will be able to:
prioritise key risks that need to be analysed using risk description table
recognise the signifcance of reporting and communication in risk management
enlist PML techniques
Risk Management
16/uts
2.1 Introduction
Risk assessment, analysis and evaluation are important components of risk management process. Theses components
need to be studied in detail to apply them effectively in practice.
Risk assessments include detailed quantitative and qualitative understanding of risk, its physical, social, economic
and environmental factors and consequences. It is a necessary frst step for any serious consideration of disaster
reduction strategies. Risk assessment encompasses the systematic use of available information to determine the
likelihood of certain events occurring and the magnitude of their possible consequences.
2.2 Risk Assessment
As defned earlier, risks are events or conditions that may occur, and whose occurrence, if it does take place, has a
harmful or negative impact on the achievement of the organisations business objectives.
Risk assessment covers the following aspects:
Risk Identifcation and Categorisation the process of identifying the companys exposure to uncertainty
classifed as Strategic / Business / Operational.
Risk Description the method of systematically capturing and recording the companys identifed risks in a
structured format.
Risk Estimation the process for estimating the cost of likely impact either by quantitative, semi-quantitative
or qualitative approach.
Risk identifcation is an important step in risk assessment. The other steps are risk description and risk estimation.
2.2.1 Risk Identifcation and Categorisation
Key characteristics by which risks can be identifed are:
Risks are adverse consequences of events or changed conditions.
Their occurrence may be identifed by the happening of trigger events.
Their occurrence is uncertain and may have different extents of likelihood.
After recognizing the kind of risks that company is/may be exposed to, risks will be classifed broadly into the
following categories:
Fig. 2.1 Categorisation of risks
The nature of the risk identifcation phase depends on how risk has been defned. Whatever the defnition, a risk
17/uts
arises in the presence of values or asset elements that represent a stake for the company or organisation; where
certain qualities must be maintained for the entity to function properly.
Identifying potentially critical assets is therefore the frst step, and a part of all risk analysis methods.
The second step, which depends on how risk has been defned, involves looking for:
threats that may damage these assets, and vulnerabilities that could be exploited ( where risk is identifed
on a threat/vulnerability basis), or
damage that may affect these assets and the circumstances in which this damage may occur (where risk is
identifed on a situation/scenario basis)
2.2.2 Risk Description
Risk description helps in understanding the nature and quantum of risk and its likely impact and possible mitigation
measures.
Risk descriptions for each of the risks identifed in the risk matrix are to be documented and recorded in a
structured format in each area where the risk is identifed.
The objective of risk description is to display the identifed risks in a structured format, for example, by using
a table. The risk description table can be used to facilitate the description and assessment of risks.
The use of a well designed structure is necessary to ensure a comprehensive risk identifcation, description
and assessment process. By considering the consequence and probability of each of the risks set out in the
table, it should be possible to prioritise the key risks that need to be analysed in more detail. Identifcation
of the risks associated with business activities and decision making may be categorised as strategic, project
tactical, operational. It is important to incorporate risk management at the conceptual stage of projects as well
as throughout the life of a specifc project.
Name of risk
Scope of risk
Qualitative description of the events, their size, type, number
and dependencies
Nature of risk E.g. strategic, operational, fnancial, knowledge or compliance
Stake holders Stake holders and their expectations
Quantifcation of risk Signifcance and probability
Risk tolerance/Appetite
Loss potential and fnancial impact of risk
Value at risk
Probability and size of potential losses/ gains
Objectives for control of the risk and desired level of perfor-
mance
Risk treatments and control mechanisms
Primary ways by which the risk is currently managed
Levels of confdence in existing control
Identifcation of protocols for monitoring and review
Potential action for improvement Recommendations to reduce risk
Strategy and policy developments
Identifcation of function responsible for developing strategy
and policy
Table 2.1 Risk description
(Source: http://www.theirm.org/publications/documents/Risk_Management_Standard_030820.pdf)
2.2.3 Risk Estimation
Risk estimation can be quantitative, semi-quantitative or qualitative in terms of the probability of occurrence and
the possible consequence.
In this process, the consequences of the risk occurrences have to be quantifed to the maximum extent possible,
using quantitative, semi-quantitative or qualitative techniques
Process of risk quantifcation for the company has to be qualitative, supported by quantitative impact analysis.
Risk Management
18/uts
To apply this approach, the chain of adverse consequences, which may occur in case the identifed risk materialises,
should be enlisted. For each of the chains of adverse consequences, the cost impact needs to be calculated and
attributed to the particular risk. In such an exercise, actual cost impacts (like claims by contractor, loss of equipment
value, etc) as well as opportunity costs (like loss in realisation of revenue, delay in commission of project etc) must
be captured to arrive at the total cost impact of materialisation of the risk.
Fig. 2.2 Risk estimation
(Source: http://www.nhpcindia.com/writereaddata/English/PDF/RiskManagementPolicy.pdf)
2.3 Risk Analysis
Risk analysis is the process of systematically identifying and assessing the potential threats and uncertainties that
occur when trying to achieve a certain goal (such as completing a project), and then fnding a reasonable strategy
for most effciently controlling these risks. This technique helps to analyse the related vulnerabilities of a project
to these threats.
Risk analysis also helps to defne preventive measures to reduce the probability of these factors from occurring and
identify countermeasures to successfully deal with these constraints when they develop to avert possible negative
effects on the competitiveness of the company.
2.3.1 Risk Identifcation and Analysis Methods
Examples of risk identifcation techniques
Brainstorming
Questionnaires
Business studies which look at each business process and describe both the internal processes and external
19/uts
factors which can infuence those processes
Industry benchmarking
Scenario analysis
Risk assessment workshops
Incident investigation
Auditing and inspection
HAZOP (Hazard & Operability Studies)
Risk analysis methods and techniques
Upside risk
Market survey
Prospecting
Test marketing
Research and Development
Business impact analysis
Both
Dependency modelling
SWOT analysis (Strengths, Weaknesses, Opportunities, Threats)
Event tree analysis
Business continuity planning
BPEST (Business, Political, Economic, Social, Technological) analysis
Real Option Modelling
Decision taking under conditions of risk and uncertainty
Statistical inference
Measures of central tendency and dispersion
PESTLE (Political Economic Social Technical Legal Environmental)
Downside risk
Threat analysis
Fault tree analysis
FMEA (Failure Mode & Effect Analysis)
2.3.2 Risk Profle
The result of the risk analysis process can be used to produce a risk profle which gives a signifcance rating to
each risk and provides a tool for prioritising risk treatment efforts. This ranks each identifed risk so as to give a
view of the relative importance. This process allows the risk to be mapped to the business area affected, describes
the primary control procedures in place and indicates areas where the level of risk control investment might be
increased, decreased or reapportioned. Accountability helps to ensure that ownership of the risk is recognised and
the appropriate management resource allocated.
2.4 Risk Evaluation
When the risk analysis process has been completed, it is necessary to compare the estimated risks against risk
criteria which the organisation has established. The risk criteria may include associated costs and benefts, legal
requirements, socio-economic and environmental factors, concerns of stakeholders, etc. Risk evaluation therefore,
is used to make decisions about the signifcance of risks to the organisation and whether each specifc risk should
be accepted or treated.
Risk evaluation deals with estimating probability and impact of individual risks, taking into account any
interdependencies or other factors outside the immediate scope under investigation.
Risk Management
20/uts
Probability is the evaluated likelihood of a particular outcome actually happening (including a consideration of the
frequency with which the outcome may arise). For example, major damage to a building is relatively unlikely to
happen, but would have enormous impact on business continuity. Conversely, occasional personal computer system
failure is fairly likely to happen, but would not usually have a major impact on the business
Impact is the evaluated effect or result of a particular outcome actually happening.
Impact should ideally be considered under the elements of:
time
quality
beneft
people/resource
Some risks, such as fnancial risk, can be evaluated in numerical terms.
Others, such as adverse publicity, can only be evaluated in subjective ways.
There is a need for some framework for categorising risks, for example, high, medium and low.
When considering a risks probability, another aspect is when the risk might occur.
Some risks will be predicted to be further away in time than others and so attention can be focused on the more
immediate ones.
2.5 Risk Reporting and Communication
As mentioned in chapter 1, risk reporting and communication is an essential component of risk management. We
have more look in to reporting and communication in risk management.
2.5.1 Internal Reporting
Different levels within an organisation need different information from the risk management process.
The higher management should:
know about the most signifcant risks facing the organisation
know the possible effects on shareholder value of deviations to expected performance ranges
ensure appropriate levels of awareness throughout the organisation
know how the organisation will manage a crisis
know the importance of stakeholder confdence in the organisation know how to manage communications
with the investment community where applicable
be assured that the risk management process is working effectively
publish a clear risk management policy covering risk management philosophy and responsibilities
Business Units should:
be aware of risks which fall into their area of responsibility, the possible impacts these may have on other
areas and the consequences other areas may have on them
have performance indicators which allow them to monitor the key business and fnancial activities, progress
towards objectives and identify developments which require intervention (e.g. forecasts and budgets)
have systems which communicate variances in budgets and forecasts at appropriate frequency to allow
action to be taken
report systematically and promptly to senior management any perceived new risks or failures of existing
control measures
Individuals working in an organisation should:
understand their accountability for individual risks
understand how they can enable continuous improvement of risk
management response
understand that risk management and risk awareness are a key part of the organisations culture
21/uts
report systematically and promptly to senior management any perceived new risks or failures of existing
control measures
2.5.2 External Reporting
A company needs to report to its stakeholders on a regular basis setting out its risk management policies and the
effectiveness in achieving its objectives. Increasingly stakeholders look to organisations to provide evidence of
effective management of the organisations non-fnancial performance in such areas as community affairs, human
rights, employment practices, health and safety and the environment.
The formal reporting should address:
the control methods particularly management responsibilities for risk management
the processes used to identify risks and how they are addressed by the risk management systems
the primary control systems in place to manage signifcant risks
the monitoring and review system in place. Any signifcant defciencies uncovered by the system, or in the
system itself, should be reported together with the steps taken to deal with them.
2.6 Risk Management: Statistical Methods
Estimation of Probable Maximum Loss (PML) is the frst most important aspect for the risk manager. The PML
arrived at could be verifed, adjusted based on past data of industry of a similar nature. It could be adjusted based
on past incidences of that particular industry. It can also be adjusted based on projected happening, on the whole.
It should be done very carefully based on both past and projected losses.
2.6.1 PML
The loss being estimated is neither accurate nor inaccurate; it is just estimation, a probability and is basically a
probable maximum loss. While estimating the probable maximum loss, study would be made as per the perils
covered.
Loss can be arrived on account of each and every peril for the same property, however, the insurance cover is
portfolio based, where some perils are covered under the fre policy, some are excluded. Among those excluded,
some would be covered under the engineering policy and again there would be some exclusion. Thus depending
upon the perils covered by the policy along with the exclusions and the add-on covers obtained, an examination
should be made to arrive at a probable, maximum loss normally called PML.
While arriving at the PML, even though more than one peril is covered under any one policy, normal estimation
is done if only one peril is at strike at one point of time. Thus the maximum loss would be that loss, which has
been arrived on account of one peril, which has given the maximum loss.
While there are twelve perils normally covered under the standard fre policy, it could be the loss estimated
on account of fre and lightning, an earthquake, storm, food, RSMD and such set of perils being taken into
consideration.
PML is also arrived based on:
Simulation
Model study
Accumulation at a time or that place or an event
Maximum
In some cases the fault tree analysis is also adopted
Risk management begins much before the actual, real activity at that site. The risk management study continues, so
long as that activity is in operation and further even after the activity ceases to exist. Risk management study thus
is a never-ending study/analysis.
Risk Management
22/uts
Summary
Risk assessment, analysis and evaluation are important components of risk management process. Theses
components need to be studied in detail to apply them effectively in practice.
Risk assessments include detailed quantitative and qualitative understanding of risk, its physical, social, economic
and environmental factors and consequences.
Risk assessment covers the following aspects: risk identifcation and categorisation the process of identifying
the companys exposure to uncertainty classifed as strategic/business/operational, risk description the method
of systematically capturing and recording the companys identifed risks in a structured format, risk estimation
the process for estimating the cost of likely impact either by quantitative, semi-quantitative or qualitative
approach.
Risks are adverse consequences of events or changed conditions, their occurrence may be identifed by the
happening of trigger events, and their occurrence is uncertain and may have different extents of likelihood.
After recognizing the kind of risks that company is/may be exposed to, risks will be classifed broadly into the
following categories.
Risk estimation can be quantitative, semi-quantitative or qualitative in terms of the probability of occurrence
and the possible consequence.
Risk analysis is the process of systematically identifying and assessing the potential threats and uncertainties
that occur when trying to achieve a certain goal (such as completing a project), and then fnding a reasonable
strategy for most effciently controlling these risks. This technique helps to analyse the related vulnerabilities
of a project to these threats.
The result of the risk analysis process can be used to produce a risk profle which gives a signifcance rating to
each risk and provides a tool for prioritising risk treatment efforts. This ranks each identifed risk so as to give
a view of the relative importance.
Risk evaluation is concerned with assessing probability and impact of individual risks, taking into account any
interdependencies or other factors outside the immediate scope under investigation.
Risk reporting and communication is an essential component of risk management. Different levels within an
organisation need different information from the risk management process.
Estimation of PML is the frst most important aspect for the risk manager. It should be done very carefully based
on both past and projected losses.
References
A Risk Management Standard- Published by AIRMIC, ALARM, IRM: 2002. Available at: <http://www.theirm.
org/publications/documents/Risk_Management_Standard_030820.pdf> Accessed 3
rd
March 2011.
Living with Risk. A global review of disaster reduction initiatives. 2004 version. Risk awareness and assessment.
Chapter 2, section 3. Inter-Agency Secretariat of the International Strategy for Disaster Reduction (UN/ISDR).
Available at: < http://www.unisdr.org/eng/about_isdr/bd-lwr-2004-eng.htm> Accessed 3
rd
March 2011.
Risk Management Policy NHPC Limited Available at: < http://www.nhpcindia.com/writereaddata/English/PDF/
RiskManagementPolicy.pdf > Accessed 3
rd
March 2011.
Risk Management: concepts and methods- white paper CLUSIF. Available at: http://www.clusif.asso.fr/fr/
production/ouvrages/pdf/CLUSIF-risk-management.pdf> Accessed 3
rd
March 2011.
The Risk Management Guide. Available at :< http://www.ruleworks.co.uk/riskguide/risk-evaluation.htm>
Accessed 3
rd
March 2011.
Recommended Reading
Probabilistic Risk Analysis: Foundations and Methods [Hardcover]. Tim Bedford, Roger Cooke. Publisher:
Cambridge University Press; 1st ed. (April 30, 2001). 414 pages.
Risk Analysis: A Quantitative Guide [Hardcover]. David Vose. Publisher: Wiley; 3rd ed. (May 20, 2008).752
23/uts
pages.
Risk Assessment and Decision Making In Business And Industry: A Practical Guide - 2nd ed. [Hardcover].
Glenn Koller. Publisher: Chapman and Hall/CRC; 2nd ed. (March 30, 2005).352 pages.