
Mid-term Assignment

Risk Management, its Assessment and Types

Subject: Risk Management
Submitted to:
Prof. Itrat Naz
6th Semester
By
Rai Jaffar (MBAP-F13-18)
Fezan Akhter (MBAP-F13-19)
M. Adnan (MBAP-F13-20)
Khadija Tul Kubra (MBAP-F13-23)

MASTERS IN BUSINESS ADMINISTRATION


Faculty of Management Sciences

THE SUPERIOR UNIVERSITY LAHORE


Campus, Okara, Pakistan

Business Risk Assessment


History:
The study of risk management began after World War II. Risk management has long been associated with
the use of market insurance to protect individuals and companies from various losses associated with
accidents. Other forms of risk management, alternatives to market insurance, surfaced during the 1950s
when market insurance was perceived as very costly and incomplete for protection against pure risk.

Introduction:
Risk management is the process of identification, analysis and either acceptance or justification of
uncertainty in investment decision-making. Essentially, risk management occurs anytime an investor or
fund manager analyzes and attempts to quantify the potential for losses in an investment and then takes
the appropriate action (or inaction) given their investment objectives and risk tolerance. Inadequate risk
management can result in severe consequences for companies as well as individuals. For example, the
recession that began in 2008 was largely caused by the loose credit risk management of financial firms.

Definition:
A risk is defined as:
"An uncertainty that is affiliated with a particular circumstance that could render a business
inoperable or cause financial insecurities for the company."
A business risk assessment is defined as:
"The process of determining whether a particular uncertain circumstance has the potential to
threaten your business operations."

Features:
According to PCMAG.com, a website that provides information on technology, a risk assessment exhibits
a business's vulnerabilities, the strategies and costs that the business will need to recover from damages
and losses, and explains what actions the business will take to defend the enterprise so risks can be
avoided or minimized. Risk assessments may also contain useful features, such as risk scoring systems.

Types of Risk:

Risks come in many forms, and it's important to know the different types of risks that are out there so you
can properly assess the ones that are applicable to your business. Creating a list of identified threats can
help you organize your risk assessment. If you are assessing your business's internal environment,
consider:

Financial risks
Marketing risks
Operational risks
Strategic risks
Work force risks

External business environments include risks, such as the changing economy, new market competitors
and natural disasters. Some threats are not as easily noticeable, so performing the identification process as
a team can help to make sure nothing gets overlooked.

Operational Risk Assessment


Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, and
systems, or from external events, but is better viewed as the risk arising from the execution of an
institution's business functions. Operational risk exists in every organization, regardless of size or
complexity, from the largest institutions to regional and community banks. Examples of operational risk
include risks arising from catastrophic events (e.g., hurricanes), computer hacking, internal and external
fraud, the failure to adhere to internal policies, and others.

Definition
Operational risk is defined as a continual cyclic process which includes risk
assessment, risk decision making, and implementation of risk controls, which results in
acceptance, mitigation, or avoidance of risk.
Objective:
Few now doubt the advantages of having a documented operational risk policy. It allows senior
management to communicate to all staff the approach of the firm to operational risk
management. As such, the policy should be approved by the Board of Directors. Alternatively,
in some firms, the Executive or Management Committee may wish to approve the policy
document or at a minimum, review and comment on it prior to Board approval.

a. Performing an assessment
There are a variety of views on how to perform an operational risk assessment. Options include:

A third party review, which uses a central understanding of critical objectives and processes
together with an independent validation of assessments.
Facilitated assessments (conducted by an outside consultancy, risk management and business
managers), which uses the central understanding to identify and agree the business risks with the
business. The effectiveness of internal controls is also documented and action plans are agreed
where necessary.
Self assessment (conducted by the business managers), which uses the detailed knowledge of
people in the business to identify the business risks and to agree on their monitoring. As with
facilitated sessions, control effectiveness is also assessed and action plans put in place to enhance
ineffective controls.

The three methods of operational risk assessment above have an increasing level of business benefit
although these are balanced by an increasing level of process sophistication. In particular, a self
assessment (being conducted by the business itself) gives the best platform for cultural change. (It should
be recognized that most firms will, necessarily, go through a period of cultural change whilst embedding
operational risk management into the structure and decision making of the firm).
Any of the methods above can be used for risk assessment, control assessment or risk and control
assessment. Commonly, firms start with an assessment of risk (initially evaluating the risk after allowing
for the mitigating effect of the controls). Both stand-alone assessment methods give some value although
neither gives the value that can be derived from a combined risk and control assessment.
For example:
There is generally very little shared assessment in control self assessments, even when the business
reviews the process for the assessment of control effectiveness. By contrast, in risk and control
assessments carried out by the business there is usually a natural element of co-assessment in order to
ensure consistency.

b. Possible methodologies:
There are a variety of practices that can be used to carry out any of the three methods of assessments.
These include:

Workshops: This can be very effective and efficient in a firm that is open to discussion and
challenge. However, the drawback is that a first risk and control assessment generally takes a full
working day to complete and it is therefore necessary for all workshop attendees to be absent
from their desks for the day.
Interviews: which work very well in a firm that is used to one-to-one discussion of issues.
Interviews are relatively inefficient as a certain amount of iteration is necessary in order to obtain
agreement on the risks and controls. They are nevertheless effective when an entire cadre of staff
cannot be spared or is not available for a full day workshop.
Questionnaires: which can be easy and quick, although these generally need strong management
and significant communication skills in order to achieve cohesiveness to the wide ranging results
that can be a consequence. Good design of the questions is fundamental to obtaining an outcome
that has business benefits. This is often harder than it may appear as risks, control failures and
indicators can easily become confused in the mind of the person answering the questionnaire.

c. Why do assessments go wrong?


There are a number of reasons why risk and control assessments go wrong. At a high level, these include
cultural issues, administrative hurdles and value perception.

1. Cultural Issues
The lack of support from senior management for the risk and control assessment process. This is often
characterized by a lack of attendance by senior management at risk and control assessment workshops or
by sudden departures after 30 minutes or 1 hour. Alternatively, the firm's appraisal or review mechanisms
may not take into account good (or bad) risk management by the employee being evaluated.
Another typical cultural issue is the use of operational risk management to reduce risk rather than
managing it appropriately to the organization. Some firms aim for a perceived level of best practice,
whereas operational risk management should be focused on managing risk at a level suitable to the firm's
size and substance.

2. Administrative Hurdles
Risk and control assessments are often unnecessarily paper intensive. The implementation of this type of
assessment is very difficult across regions of the world and particularly across different cultures. It is also
burdensome to maintain and can be orientated towards a policing role, looking for a fault and assigning
blame rather than forward looking and proactive.

3. Value Perception
Sufficient thought must be given to the reporting of risks and controls so that they can be monitored. This
will be addressed further in later articles although it should be clear that inadequate reporting provides
limited business value. Additionally, if the results from the risk and control assessment are not linked to
other users of the information there will be limited leverage possible. There is also a much greater
perception of the value from a risk and control assessment when the action plans generated (either to
enhance controls or add new controls) can be seen to be followed up and implemented. The greatest value
to be obtained from operational risk and control assessments is from linking them to losses, key indicators
and mathematical models. These links will be addressed in later articles.

d. Carrying Out Assessments


1. Level
The level at which an assessment is to be carried out should first be decided. Many organizations first
look at the major processes undertaken and assess the risk and controls over these. Other organizations
leave the major process risks until the strategic risks and controls have been assessed.
2. Approach

Risk and control assessments can be carried out using two different assessment approaches which can
also be combined. The most common starting point is to assess the risk after the controls (i.e. after taking
into account the mitigating effect of the controls). This is known as net or residual risk assessment.
However, losses generally occur after controls have failed and therefore net risk assessment by definition
does not give any values for the likely loss that the firm will suffer when the risk event occurs.

3. Enhanced Approaches
As a firm progresses along the risk and control assessment path, it sometimes combines the above two
approaches by assessing risks at a gross and net level as well as assessing the mitigating controls. Often
an assessment of the risk at a target level (i.e. after any remedial action) is also made. In any of the
approaches, the action plans for enhancing the perceived defective controls are also identified.
4. Scoring
Following the identification of the risks and their owners, the risks are usually scored. Five years ago, a
risk would have been scored for its severity, a one-dimensional value. Today, almost all firms use two
dimensions: likelihood and impact. Controls are also today often scored in two dimensions (typically,
design and performance) rather than simply the effectiveness of the control. The scores of the risks and
of the controls are usually arranged on a scale. Some firms use "1, 2 and 3" or "low, medium and high".
Others use up to ten levels. It is useful to use an even number of levels so that there can be no "sitting on
the fence" by using the middle level for most risks and controls. Probably the most common number of
levels is four or six, with four levels being "high", "medium high", "medium low" and "low".
5. Cause, event and effect
Another consideration when carrying out a risk and control assessment is to isolate the risk events (i.e.
what you want to capture) from the risk causes, the risk effects and the control failures. Most
methodologies for risk assessment (see the previous article) will produce a combination of all four risk
types unless some guidance is given. It is the risk event that is required in a risk and control assessment
as the risk event is immutable whereas risk causes and effects change over time. If controls are applied to
changing circumstances, the controls may become less effective because of the shifting conditions rather
than the efficiency of the control itself.
6. Control assessment
The assessment of the controls can be carried out either on the cluster of controls that mitigate a risk or on
each control within the cluster. The greatest business benefit is derived from assessing each control as a
control may operate on several risks and its varying effects can therefore be judged. Additionally, controls
are often identified as either preventative or detective controls to aid the design of action plans over the
further mitigation of a risk.

Project risk assessment

An uncertain event or condition that has a positive or negative effect on a project's objectives.
Basically, risk is any unexpected event that can affect your project for better or for worse. Risk can affect
anything: people, processes, technology, and resources.
Most importantly, risks are not the same as issues. Issues are things you know you'll have to deal
with. You may even have an idea of when they'll pop up. Conversely, risks are events that might happen,
and you may not be able to tell when. For example: "A key product component is on backorder and will arrive a
week late." They're slippery, and it takes some serious preparation to manage them.

Project management risks elements:


We can break project management risks down into five elements:
1. Risk event: What might happen to affect your project?
2. Risk timeframe: When is it likely to happen?
3. Probability: What are the chances of it happening?
4. Impact: What's the expected outcome?
5. Factors: What events might forewarn or trigger the risk event?

Assessment of Risk in a Project


After you finish planning your project's scope, timeline, budget, tasks and milestones, there is still a lot of
planning left to do. A successful project manager is one who plans ahead for the unexpected and assesses
the possible impact future risks can have on the overall project. Involve your team in the process to be
sure you have identified all of the adverse events that can happen so that you have everything covered.

Step 1
Identify events that could happen throughout the life of the project that would adversely impact it. An adverse effect is
one that would cause the project to come in over budget, miss the deadlines or fail altogether. These
project risks can come from a broad range of factors, including human, operational, reputational,
procedural, natural, financial, technical, political and others. An operational risk, for example, could be
how a disruption in supplies would impact the project, while a natural risk could stem from a natural
disaster.

Step 2
Transfer risks to external stakeholders where possible. If you have identified supply chain issues as a potential risk, you might consider
transferring that to a company procurement or operations specialist.

Step 3
Prioritize the risks that you have identified. Rank each risk in terms of impact, how likely or unlikely it is that it will
actually happen and how well you can control the event if it does happen. When assessing a risk's impact,
consider how it could affect the project's scope, budget and timeline. Where appropriate, determine how
much each risk would cost the company if it did occur.

Step 4
Calculate risk exposure based on impact, probability and controllability. Rate each on a scale that you determine, such as
insignificant to critical or high to low. While it is human nature to put more emphasis on risks that could
cause more damage to the project, if it is an insignificant risk with a small probability of actually
occurring, you should focus on other risks instead.

Step 5
Put risk avoidance and mitigation strategies into place. Start by reviewing your project's scope and eliminating any pieces that are not essential to a
successful completion. As you narrow the scope, you may find that many of the identified risks are no
longer relevant. For risks that have a high level of controllability, make plans for how you can reduce the
risk of them occurring and minimize their impact if they do occur.

Step 6
Create contingency strategies, sometimes called "Plan B." Assign each risk to one team member who will watch for indicators or
symptoms of the risk throughout the project. This will help you to recognize developing risks early on,
giving you the opportunity to put contingencies in place before they become critical. Identify what those
contingencies are, or how you will counteract the risk's impact as it happens.

Strategic risk management


Definition
Strategic management is the continuous planning, monitoring, analysis and assessment of all
that is necessary for an organization to meet its goals and objectives.

The Strategic Risk Assessment Process


There are seven basic steps for conducting a strategic risk assessment:

1. Achieve a deep understanding of the strategy of the organization:

The initial step in the assessment process is to gain a deep understanding of the key business strategies
and objectives of the organization. Some organizations have well developed strategic plans and
objectives, while others may be much more informal in their articulation and documentation of strategy.

The next step is to gather information and views on the organization's strategic risks. This can be
accomplished through interviews of key executives and directors, surveys, and the analysis of information
(e.g., financial reports and investor presentations). This data gathering should also include both internal
and external auditors and other personnel who would have views on risks, such as compliance or safety
personnel. Information gathered in Step 1 may be helpful to frame discussions or surveys and relate them
back to core strategies. This is also an opportunity to ask what these key individuals view as potential
emerging risks that should also be considered.

3. Prepare a preliminary strategic risk profile:


Combine and analyze the data gathered in the first two steps to develop an initial profile of the
organization's strategic risks. The level of detail and type of presentation should be tailored to the culture
of the organization. For some organizations, simple lists are adequate, while others may want more detail
as part of the profile. At a minimum, the profile should clearly communicate a concise list of the top risks
and their potential severity or ranking. Color-coded reports or heat-maps may be useful to ensure clarity
of communication of this critical information.

4. Validate and finalize the strategic risk profile:


The initial strategic risk profile must be validated, refined, and finalized. Depending on how the data
gathering was accomplished, this step could involve validation with all or a portion of the key executives
and directors. It is critical, however, to gain sufficient validation to prevent major disagreements on the
final risk profile.

5. Develop a strategic risk management action plan:


This step should be undertaken in tandem with Step 4. While significant effort can go into an initial risk
assessment and strategic risk profile, the real product of this effort should be an action plan to enhance
risk monitoring or management actions related to the strategic risks identified. The ultimate value of this
process is helping and enhancing the organization's ability to manage and monitor its top risks.

6. Communicate the strategic risk profile and strategic risk management action plan:
Building or enhancing the organization's risk culture is a communications effort with two primary
focuses. The first focus is the communication of the organization's top risks and the strategic risk
management action plan to help build an understanding of the risks and how they are being managed.
This helps focus personnel on what those key risks are and potentially how significant they might be.

7. Implement the strategic risk management action plan:


As noted above, the real value resulting from the risk assessment process comes from the implementation
of an action plan for managing and monitoring risk. These steps define a basic, high-level process and
allow for a significant amount of tailoring and customization to reflect the maturity and capabilities of the
organization. As shown by Figure 1, strategic risk assessment is an ongoing process, not just a one-time
event. Reflecting the dynamic nature of risk, these seven steps constitute a circular or closed-loop process
that should be ongoing and continual within the organization.

Conclusion:
Risk is about uncertainty. If you put a framework around that uncertainty, then you effectively de-risk
your project. And that means you can move much more confidently to achieve your project goals. By
identifying and managing a comprehensive list of project risks, unpleasant surprises and barriers can be
reduced and golden opportunities discovered. The risk management process also helps to resolve
problems when they occur, because those problems have been envisaged, and plans to treat them have
already been developed and agreed. You avoid impulsive reactions and going into fire-fighting mode to
rectify problems that could have been anticipated. This makes for happier, less stressed project teams and
stakeholders. The end result is that you minimize the impacts of project threats and capture the
opportunities that occur.
