Generic approach:
not specific to any industry or sector
can be applied to any type of risk (financial, technological,
natural, project)
can be applied to any type of organization
Overview
Provides foundations for discussing risk management and
undertaking a critical review of an organization’s risk
management process
In scope:
ILLUSTRATION OF RISK (figure): the organization starts at Start (time t0) and heads towards its Objective (time t1); unexpected perturbations deflect it from that path.
The organization establishes its objectives; at time (t), it wants to be at position O (its objectives).
3. Information Risks
TYPE OF BUSINESS RISKS
Business risks exist throughout an enterprise and must be managed
individually and in the aggregate.
Includes:
external elements: regulatory environment, market conditions,
stakeholder expectations
2. Risk Identification
identifying what could prevent us from achieving our objectives.
3. Risk Analysis
understanding the sources and causes of the identified risks; studying
probabilities and consequences given the existing controls, to identify
the level of residual risk.
4. Risk Evaluation
comparing risk analysis results with risk criteria to determine whether
the residual risk is tolerable.
RISK MANAGEMENT PROCESS
5. Risk Treatment
changing the likelihood and magnitude of consequences, both positive and
negative, to achieve a net increase in benefit.
It is the action taken to manage a risk. The treatment options are:
a. Avoiding
b. Accepting
c. Mitigating, which includes sharing, transferring or reducing the risk
(including control activities)
a. Avoiding
You can choose not to take on the risk by avoiding the activity that causes
it.
For example, if you feel that swimming is too dangerous, you can avoid the
risk by not swimming.
b. Accepting
Risk acceptance, also known as risk retention, is choosing to face a risk.
In general, it is impossible to profit in business or enjoy an active life
without choosing to take on risk.
For example, an investor may accept the risk that a company will go
bankrupt when they purchase its bonds.
c. Mitigating
c.1. Sharing
c.2. Transferring
You can transfer all or part of the risk to a third party. The two main types
of transfer are insurance and outsourcing.
c.3. Reducing
b. Separate evaluation
May be based either on planned periodic examinations or on follow-up of
exceptions arising in operations or day-to-day monitoring. The Internal
Audit function is often the preferred provider of separate evaluations of
ERM because of internal auditors' competencies, skills and experience with
independent investigation, risk assessment and reporting.
7. Communication and consultation
This task helps to understand stakeholders' interests and concerns, to
check that the risk management process is focusing on the right elements,
and to explain the rationale for decisions and for the particular risk
treatment options chosen.