Risk is unfavourable outcome of uncertain event affecting profitability of the organisation or a situation involving exposure to danger.

While our every step is uncertain and carries a Risk; Only a person with ears and eyes open is better prepared to take a timely action.

Types of Risks

Risks are everywhere around us and can happen in any function of the organisation. Some risks have high probability of occurrence whereas some have least.

Risk could be broadly of either type:

      • The manpower of the organisation acts unfavourably;
      • The assets of the organisations (cash, bank, investment, fixed assets, loans & advances, technology, etc.) stops working OR loses value;
      • The world outside of organisation’s boundaries (all stakeholders, competitors, etc.) acts unfavourably resulting in loss of funds / revenue OR increased cost / liability.

The following are illustrative list of risks. What we should appreciate is to observe the nature of risk in all activities / functions of the organisation rather than terminology used for defining the risks.

    • General
      • Reputational risk
          • Customers, vendors or any other stakeholder may affect the reputation of the organisation by sharing the unfavourable news (correct or rumours) with others, e.g. rumour about organisation going bankrupt OR defaulting on payments to vendors, etc.
          • Organisation not receiving lenders’ funds due to poor reputation.
      • Monetary risk
          • Frauds, thefts, etc. of cash or other physical assets;
          • In financial world, investment value getting corrected due to changed monetary policy of the Govt. affecting the currency value or foreign exchange value.
    • Accidents
      • Nature’s risk
          • Floods, earthquake, famines, natural deaths, etc., which are also called God’s acts.
      • Risk due to other accidents
          • Fire, terrorists’ attacks, riots, strikes, road accidents, etc. are human’s acts.
    • Loans & Advances given and Investment
      • Credit risk OR Default risk
          • The borrowers may not pay their dues partially or fully on due date; and
          • The organisation does not carry any security for safeguarding against above defaults.
      • Investment risk
          • Investments of the organisation not yielding returns OR principal amounts on due dates
    • Product related risks relating to turnover and receivables
      • Receivable risk
          • The customers of the organisation may not pay their outstanding dues.
      • Consumer risk
          • The consumer may not accept the product of organisation due to same not matching his / her specifications.
      • Product risk
          • Product losing the customers / market because of new products introduced by competitors;
          • Product becoming out of trend.
      • Market risk
          • In the financial world, risk of losses in positions arising from movements in market prices (like equity market, bond market, Futures & Options market, commodities market, etc.).
    • Production and receivable related risk
      • Logistics risk (non-availability or non-functioning of mode of transport)
          • Raw material may not reach the production and production getting stopped;
          • Finished goods may not reach to customers.
      • Technology risk
          • Production technology outdated OR hacked OR frauds resulting in technology failure.
    • Liability related
      • Compliance risk
        • Organisation may not comply with local laws resulting in statutory liabilities (additional tax, interest, penalty, etc.)
            • Violation of local laws like safety rules or pollution norms, etc.;
            • Not depositing the taxes and returns timely and regularly.
        • Change in local laws remaining un-noticed resulting in additional liabilities;
        • Organisation losing vital documents for claiming concession in tax resulting in additional liabilities;
        • Unfavourable outcome of assessment / appellate proceedings, etc.
    • Manpower related
      • Health risk
          • Key employee not joining duties due to bad health of self or family members.
      • Other risk
          • Death of key management personnel;
          • Manpower turning hostile and leaving the jobs OR bad-mouthing;
          • Strikes, lock-outs, etc.

Risk Treatment

Once risks have been identified and assessed, all techniques to manage the risk fall into one or more of these four major categories:

      • Avoidance (strategy to eliminate, withdraw from or not become involved)
      • Reduction (strategy to optimize – mitigate)
      • Sharing (strategy to transfer – outsource or insure)
      • Retention (strategy to accept and budget)

The International Organization for Standardization (ISO) identifies the following principles of risk management

Risk management should:

      • create value – resources expended to mitigate risk should be less than the consequence of inaction, or (as in value engineering), the gain should exceed the pain;
      • be an integral part of organizational processes;
      • be part of decision making;
      • explicitly address uncertainty and assumptions;
      • be systematic and structured;
      • be based on the best available information;
      • be tailorable;
      • take human factors into account;
      • be transparent and inclusive;
      • be dynamic, iterative and responsive to change;
      • be capable of continual improvement and enhancement;
      • be continually or periodically re-assess  since risks can never be fully avoided or mitigated simply because of financial and practical limitations.

Risk Management

    • Broad methodology:
        • Acknowledgement of presence of risk
        • Identify, characterize, and assess threats;
        • Assess the vulnerability of critical assets to specific threats;
        • Determine the risk (i.e. the expected likelihood and consequences of specific types of attacks on specific assets);
        • Identify ways to reduce those risks;
        • Prioritize risk reduction measures based on a strategy.
    • Acknowledgement of presence of risk
        • Risk management begins after organisation accepts that risk exists in all activities of organisation and can’t be avoided;
        • The risk can cause loss to the organisation;
        • This risk needs to be managed with better planning if the organisation wants to continue working;
        • All risks can never be fully avoided or mitigated simply because of financial and practical limitations;
        • Therefore all organizations have to accept some level of residual risks.
    • Building Risk Register
        • List out all activities and assets and liabilities of the organisation prone to risk;
        • What is the probability of the risk?
            • Every risk has a probability of occurrence from small to large, e.g. in coal mining, there is a high risk for workers engaged in mining getting trapped in mines whereas river-bed sand mining does not have such risk.
        • Whether risk can be measured?
            • Measurability for different risks can be of different nature. Some risks can be measured with lot of certainty (e.g. one day loss due to strike in a factory can be measured);
            • But, loss due to God’s acts can’t be measured till the acts get completed and severity ascertained (e.g. loss due to floods, famines, storms, etc.)
    • Methodology
        • Planning how risk will be managed:
            • Risk Management Tasks;    Responsibilities;     Activities;     Budget Amount
        • Assigning a risk officer:
            • responsible for foreseeing potential organisation’s risks;
            • Typical characteristic of the officer à healthy scepticism in each activity.
        • Maintaining live project risk database. Each risk should have the following attributes:
            • Opening date;    Title;    Short description;   Probability;     Importance;    Person responsible;     Target date;
        • Creating anonymous risk reporting channel
              • Each team member reporting risks that he/she foresees in the organisation
        • Preparing mitigation plans for risks that are chosen to be mitigated
            • Purpose:
                • How a particular risk will be handled?
                • What, When, By Whom and How will it be done to avoid it or minimize consequences if it becomes a liability.
            • Business Continuity Planning (BCP)
                • There is a residual risk, which can’t be managed;
                • The necessity to have BCP in place arises because even very unlikely events will occur if given enough time;
                • BCP process goes beyond risk management’s pre-emptive approach and assumes that the disaster WILL happen at some point.
        • Risk Communication
            • How to reach the intended audience, to make the risk comprehensible and relatable to other risks?
            • How to predict the audience’s response to the communication?
            • Main goal to improve collective and individual decision making in the state of risk?
            • Somewhat related to crisis communication.
    • Risk Avoidance
        • Information Security
            • Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction;
            • Take regular back-ups of IT;
            • Regular change of passwords;
            • Computerised accounting or audit system to flag a problem;
            • Creating firewalls;
            • Regular virus protections;
            • Storing previous years’ physical data safely;
            • Avoiding chances of duplicate entries in the Systems;
        • Human Resources / Machines / Assets
            • Have back-up plans of human, machines, etc.;
            • Regular preventive maintenance;
            • Cross-skill training and job-rotation;
            • Take sufficient insurance of movable stocks;
            • Continuity plan in the event of a fuel strike or shortage.
        • Processes
            • Creating of checklists of processes alongwith documents required;
            • Guard against risks of
            • Payments made for unintended transactions;
            • Services rendered but not invoiced to customer;
            • Liability accounted for services / goods not received;
            • Receipts unaccounted;
            • top 10 tests within a given business process area that are likely to detect control weaknesses that could have a significant financial or regulatory compliance impact.
        • Suppliers / Customers
            • Insure foreign collections;
            • Reduce dependency on single supplier / customer;
            • Keep a track on the developments with major suppliers / customers;
            • Keep a track on credits to customers à don’t give credits more than person’s credit worthiness.
        • Others
            • Don’t put all eggs in one basket; distribute the risk;
            • Create reserves for losses;
            • Regular mock drill exercise to check risk preparedness;
            • Observe around regularly for new risk developments;
            • Human logics can’t defy (use logical interpretations of events).

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s