Define risk?

This page is in response to questions we received on the issue of risk, management and the enterprise. It also addresses combinatorial management system programs such as Loss Prevention & Control.

Obstacles in meeting objectives, in the light of uncertainty. It constitutes action taking requiring the use of resources that may be unplanned, whilst planned action taking includes the effect created upon others to act (mainly competitors).

Involvement without knowledge is high risk!

Are risks purely negative or do they also hold opportunities for the organization?

We see two kinds of risk: (1) not acting when taking action would lower the risk level, and (2) acting when the action taken does not lower the risk level. Variants of these include action taken by one organization creating a burden on others - e.g. 1987-1994, when ISO 9000 wasn't required (after it was published), the distinctive factor of some achieving it created the burden on others to achieve it… in many regions this is referred to as the "domino effect". Both of these include a level of uncertainty, thus in this context "risk". Organizations then separated into those believing that it was an expenditure (negative cost burden) and those that saw it as an opportunity and thus an investment. That said, what may be considered a risk by some may be an opportunity for others… "Everything is relative and absoluteness is incurring in err"

Are there different types of risks?

We can divide risks into those that are inherent to business activity and those brought about by competition and the market (we may say internal and external, considering where the forces that create risk come from, including discontinuance of technology, evolution of regulatory requirements and market trends). These comprise subsets of mutually inclusive business aspects and exclusive ones (community, environmental impact, socioeconomic effects...). Risk evaluation requires identifying risks and taking action... action focusing on prevention so as to minimize or mitigate the effects of the hazard / risk within an organization's activities, products and market. Thus risk is not purely negative: organizations do incur risks, so what actions an organization takes and how risk is managed (relative to the competition) are relevant to its success… Thus risk becomes, in a way, the management of uncertainty.

In a successful project (case study, circa 1998) we assisted CHEVRON, a world leader in social responsibility, in reducing environmental, safety and health risks in one of the largest oil reserves in the Americas. The Director of EH & S referred to us as "Project Management by Chaos"; it was a compliment on achieving a true high competency level spiced with uncertainty in a business region being pressured by international forces. Again we provided the best global expertise and responded in record time to their need and those of the region. They succeeded to the point of attaining the "Green Cross" Award - the highest environmental achievement an organization can attain… To this date they are a "Global Showcase" for environmental, safety and health consciousness within their delicate environmental industry sector and region, one of which a team such as BRS is proud.

How would you define risk management?

Identification, evaluation and acting on the probable and the uncertain. It would be wise to spice it with a concept we call BATAEV (best known in the European Union, in the environmental forums, as EVABAT): "Best Available Technology And Economically Viable". In today's era of the "Knowledge Based Global E-conomy", data flows to information and becomes knowledge. Thus RM is the means that an organization puts in place to identify sources of information, identify potential events, evaluate severity together with probability of occurrence, and act upon the results...

What are the benefits of risk management?

It is the difference between being or not (existing or not): for an organization to prevail, risk must be identified, evaluated and acted upon effectively. It promotes the application of "PERM" as brought by BRS and used by many such as DNV. Whether not-for-profit or for-profit, the business analogy for this definition is "gambling": it is dealing with uncertainty, and if we deal with an uncertain and random "hand" (with a high level of uncertainty) it will jeopardize… in business, the existence of any organization. The forces acting upon the generation of risk come from various flanks including social, internal, market, competition, regulatory, partners and the like, and the organization must act…

What is the importance of risk management in the overall strategy of the company?

RM must be an integral part of an organization's managerial scheme; not acting jeopardizes existence. Just look at what recently happened with the dot-com wave of the year 2000 (starting at the turn of the millennium) and flowing into 2008 - 2010; unfortunately this "wave" "washed" many, including individual investors (some retirees and their pensions).

Do you keep any records on potential risks?

In a "Knowledge Based Global E-conomy" ("KBGE") information needs safeguards for privacy, and the ability to recover from disaster needs to become a routine activity. Information means records and the like that assist an organization in objectively demonstrating social responsibility, evaluating trends (such as within 8.4 of ISO 9001), providing data for analysis, restoring operational conditions, etc. We encourage information to be available and accessible within the confines of a defined "Firewall"; of course, we are in a "KBGE" era. If not, the value of information may be lost, and with it part of the intellect of an organization and its ability to navigate and evaluate where we have been, where we are, and where to be.

Do you determine a budget for risk management?

Estimating a budget for RM ties in with development of human resources, training, risk reduction programs for environmental, health and safety, and issues relevant to acquisitions, including advertisement (internal and external), implementations, advancements and external supports.

Do you conduct a cost/benefit or ROI analysis in order to see if the risk mitigation strategy does not exceed the budget?

Best-in-class organizations do complete a risk analysis. At times they may not call it "risk analysis", but they do identify and value the cost of the effects of incidents, contingencies, emergencies and similar events (the "if" scenarios). The level and extent to which this is done may not necessarily fulfill textbook criteria, but often just acting, promoting and "keeping score" provides a basis that in itself assists in reducing risks, and thus in ongoing improvements to avoid the adverse "if". Yes, we can go into the "Theory of Probability" and apply "DoE" methodologies and Monte Carlo modeling, but in reality only, and perhaps, larger corporations (multinationals) do this type of analysis, and the world has only a few of these. The vast majority of businesses globally are micro, small and medium. How much would an organization save if at least one court litigation could be avoided (think image, expenditures, and the solution to come about…)?

What is being done to prevent the occurrence of risks?

I hope you refer to the risk itself; risk itself is inevitable… We can prevent some, reduce others, minimize many and mitigate most, and face the most "severe" of all as a crisis, contingency, emergency or catastrophe. Think that "Mother Nature" can send a gamut and we can only minimize... mitigate…

Does risk management give your organization a competitive edge?

It does for our client companies; it makes the difference between prevailing and becoming the past ("once was and no longer is"). There are too many examples to indicate herein. For-profit "organizations of today must continuously strive for growth if they are to prevail". Growth requires analyzing risk; even without the application of mathematical modeling, visualization and acting may just do the trick… "Does man act on emotions?"

Questions related to the steps in the risk management process:

Planning

Who will be responsible for each activity?

The structure of the organization (from micro to multinational size) decides this: management designates and enacts the responsibility carried within each activity, department or function for the inhibitors to achieving objectives, which we call risk.

Do you hire external help?

We hope! External help must be an experienced body/group with a high desire (call it passion) to have the organization succeed (meeting objectives), not only by doing but by transferring tacit knowledge explicitly. They are an outside-the-paradigm "pair of eyes" assessing risk. These may include Certification Bodies - CABs with the competence and true passion for contributing to the success of your organization.

Does the organization possess the necessary skills and resources in place or does the personnel require additional training?

Within a "KBGE" it is hard for any organization to have all the necessary skills (it may not be economically feasible); by providing the resources and teaming with external parties, the training objectives, once defined and agreed, can be achieved. Transferring tacit knowledge as explicitly as possible is key to the success of ongoing achievements, with a mindset beyond training, and this is to raise competence.

Do you describe in advance how the risks will be assessed and managed as to prevent - eliminate - reduce - mitigate (PERM)?

Some organizations have their own methodology, others look to external assistance (e.g. consulting) to help implement a methodology, or a combination is applied - that is the norm we have observed. Paradigm shifters like BRS bring about simple concepts that "PERM" encompasses; regardless, a methodology, simple or complex, most likely needs to be in place for RM to progress effectively.

Assessment

How often / When does the organization carry out this task to manage risk?

We advise doing an implementation program, which is what we do, then every time a "major" activity, process or business change will take effect or has taken effect (it is preferable to plan than to react). Further, consider external conditions and actions that may change the business' risk assessment (whether this assessment is formal or informal).

What are the objectives of the assessment?

Prevent/eliminate, reduce, minimize, or else mitigate/plan-for-action identifiable risks. Could be business growth, competition, market trend, product liability, health, safety or environmental issues. This has to do with the business-of-business, making profit responsibly. The existence of economy and financial... as we see... currency flows from source to source until it disappears.

How do you identify risks?

Do you use a qualitative (interviews) or quantitative (checklists) approach based on PERM?

We do not encourage a "robotized" checklist approach for analyzing risk, as many practice. We are humans because of what we elect and do not elect to do… We believe that the experiences, skills and knowledge of each person can be applied to improving any situation. Some training may be needed to raise the competence level, placed in a situation… and "Need is the mother of invention". At times a checklist may be reasonable, but at times it is an inhibitor to reducing risk and improving competitively (it could be a paradigm shift blocker); if the world was static, maybe!

Which hazards, threats... factors (causes or sources of risk) do we need to communicate?

All those identifiable through a "team concert" including a multidisciplinary team... knowledge is learned from the events that have happened, as well as from those that, by visualizing them, we could avoid and that did not happen.

Which characteristics of risk do you document (examples are: severity, frequency, probability, estimated time-to-impact, financial or other consequences, ownership, causes, related risks...)?

The nature of the activities defines the path to follow, and this path may have many avenues; however, we invariably recommend that severity and probability of occurrence be considered. CARVER + Shock is a technique / concept that organizations may wish to apply, as BRS, DNV, Lloyd's and other CABs do.

Do you mitigate all risks or do you prioritize risks?

We find that prioritizing is the first step to ranking risks. How do we rank risks? A simple weighted ranking scheme can do, or one can go into the complex arena of mathematical modeling, and in this KBGE, by the time action is to be taken the opportunity is gone. We live in an era where "speed is king" and financial resources are not limitless.

Do you use a qualitative approach, such as expert opinions or risk maps, or a quantitative approach, such as a risk matrix, risk tables or (Monte Carlo) simulation, or do you have a different method?

The permissible and feasible methodologies and variables are vast and each case must be faced individually, based on PERM. We can't generalize - read the previous reply on this page. Mathematical modeling is helpful, but when you get to layman's terms you must skip some of the mathematical modeling jargon. Risk is reduced not by experts deciding but by acting within the confines of the operating routine / process.

What are the most commonly used risk mitigation strategies?

Training, planning, and acting... and acting... practicing and acting! This raises the risk competence level of the organization, the risk quotient goes up.

Monitoring

Do you have a formal or informal system in place to monitor risks?

Most companies do have a formal system; regardless of methodology, a formal periodic review by management is most effective. For these reviews to be effective a fundamental management system must be in place, realizing that in a KBGE it must be agile and robust (robust means that it is simple and thus propitiates an inviolable scheme). Agility is needed not to react but to anticipate; in this way it becomes integral to competitiveness from a global perspective.

Note: Today competition is not just across the street, it may cross global boundaries, and the term co-opetition comes to light.

How is the system organized?

Applying, through implementation, internationally standardized schemes for management and integrating these schemes has been beneficial to organizations; thus ISO Kaizen-Blitz comes about in applying ISO 9001, ISO 14001, OHSAS 18001, ISO/IEC 27001, HACCP MS, ISO 22000 and other management specifications and systems.

How often is this system revised?

As often as required by three aspects, which must be "anticipated" (to be ahead of reactive) and acted upon: (1) Market Trend and Consumer Tendency, (2) Evolution of Regulatory Requirements (at point of product realization and point of sale), (3) Discontinuance of Technology. Synergistically these three provide an effective basis for acting... which leads to the implementation of analyzing and acting on "if" scenarios. In more detail, we can then apply PERM within the "organization's microcosm".

Who determines which strategies to implement?

The organization's management team... emphasizing a global view of the organization while acting within the boundaries of the scope of the organization's activities and processes.

How do you decide if a strategy is successful?

By (1) Prevailing and (2) Growth, whilst objectively demonstrating social responsibility and feedback from stakeholders.

Do you regularly revise the entire process?

As needed: with changes within processes, changes in market tendency, discontinuance of technology and changes in regulatory requirements, and internally with significant changes to processes, activities, products, structure and personnel. We need to remember that anticipation is being proactive. If it anticipates, an organization can be second to none; otherwise it is just a follower.

How do you know you have to revise it?

Go back and read this again.

What happens upon identifying new risk?

Act upon it in the here and now, based on the current concept that the organization applies! The expectation is that severity and probability of occurrence be part of PERM...

Questions related to Enterprise Risk Management:

How would you define ERM (Enterprise Risk Management)?

First, it's an old arena with a new name... Risk management expands from the classical (to identify, plan, coordinate, implement and control activities such that the effect of risk on the organization's accidental losses, capital assets and earnings is minimized or even prevented) to include financial, strategic, operational and relevant risks within the scope of the boundaries, at times, of many organizations.

Risks relating to IKB© principles include discontinuance of technology, market trend and evolution of regulations; these, combined with classical risk, propitiated interest in ERM.

Industrial associations, regulatory entities, investors and all stakeholders scrutinize the organization's management planning, beginning with policies and procedures for managing risk. RM has not eluded the Executive Boards, which review and report on the effectiveness of the organization's RM strategy, thus moving to ERM.

Managing risk and earnings is the banking institutions' "bread and butter"; Bank of America and Royal Bank of Scotland are vivid examples of applying best practices and benefiting from effective implementation and maintenance of ERM, in view of the results of the year 2008 (financial crisis).

See also Risk Management (earlier, at the beginning), whilst the scope may change and more effects come into play. ERM is a process to optimize the actions relevant to identifiable risks. The very principles involved in the existence of an organization (an enterprise) bring elements of uncertainty into play, and successful organizations take risks to achieve known objectives whilst avoiding some that may take place if not acted upon. Thus in essence ERM deals not with avoiding risk but with optimization of those risks identified or encountered. Risk invariably exists by the mere existence of man's action, in electing to do and not to do; all living creatures incur risk as well. It is how we deal with it that differentiates between prevailing, succeeding, fading away...

What is the importance of ERM?

In today's era of KBGE, as applicable to the enterprise concept, ERM is important, and it may be that the larger the organization and its accumulated goods and assets (physical or intellectual), the more important it is perceived to be.

Closing Statement:

An organization's advancement in a KBGE is dependent on the management of risk (whether ERM or RM), which can effectively assist in global competitiveness. Favorably, organizations are viewing and acting upon risk, and internationally recognized benchmarks are helping; some of these are ISO/IEC 27001, ISO 14000, OHSMS - BS OHSAS 18001, ISO 22000, and ISO 9001. Internationally recognized standards require that organizations define practices, methods and processes to build an entity of social goodness. From there on, successful organizations apply BATAEV (Best Available Technology Economically Viable, also EVABAT), thus creating risk for others. The process of implementation and advancement is fun and hard work when organizations have robust and effective "teamwork".

Note - The answers provided are based on our experience, and do not reflect textbook answers.