
Contents

2. THEORETICAL APPROACH
2.1. Several definitions of the risk concept
2.1.1. Risk classification
2.2. Several definitions of the Risk Management concept
2.2.1. Risk management classification
2.3. Risk Management Strategy
2.4. Risk Management Procedure
2.5. Stages in conducting a risk management analysis
2.5.1. Strategic objectives
2.5.2. Risk determination
2.5.3. Risk reporting and decision making
2.5.4. Risk treatment
2.5.5. Risk taking and risk monitoring

2. THEORETICAL APPROACH

2.1. Several definitions of the risk concept

The concept of risk management is hard to understand without first establishing what we mean by risk in general. There is no single, complete definition of risk, because the notion is subjective: people perceive risk through their own personal experience.
According to the Oxford English Dictionary, risk is the chance or possibility of danger, loss, injury or other adverse consequences. From this angle, risk is associated with negative consequences. More generally, risk is also seen as the possibility that an event happens and has an adverse outcome, or a significant (negative) impact on an individual's objectives.
Generally speaking, the concept of risk is associated with one or more uncertain events that might happen and that might affect the accomplishment of objectives. Risk is a combination of the probability of an anticipated threat and the magnitude of its impact on objectives, where:
- Threat is used to describe an uncertain event that could have an unfavourable impact on objectives;
- Opportunity is used to describe an uncertain event that could have a positive impact on objectives.
From other perspectives, the term risk is in most cases associated with uncertainty. In 1921, Frank Knight drew the distinction between the two concepts: "Uncertainty must be taken in a sense radically distinct from the familiar notion of Risk, from which it has never been properly separated. The essential fact is that "risk" means in some cases a quantity susceptible of measurement, while at other times it is something distinctly not of this character; and there are far-reaching and crucial differences in the bearings of the phenomena depending on which of the two is really present and operating. It will appear that a measurable uncertainty, or "risk" proper, as we shall use the term, is so far different from an un-measurable one that it is not in effect an uncertainty at all." (Knight, 1921, Risk, Uncertainty, and Profit)

In order to better understand the aspects of risk and the differences between them, a few definitions are presented below:
a. Risk versus Probability
Probability is the component of risk that is distinct from its consequences: it expresses how likely an event is, not how severe its outcome would be. Catastrophic consequences can also be caused by an event with a low probability of occurrence.
b. Risk versus Threat
The concept of threat expresses an event with a low probability of occurrence but high negative consequences.
Experts often find it very difficult to determine risk when there is not enough information to evaluate consequences and probabilities. A simple way to define risk is therefore through a mathematical expression:
Risk = Probability * Consequences
Risk is thus a combination of the two notions presented above: the probability, which is the likelihood that an event occurs, and the consequence, which is the outcome, describable at its simplest as something failing or succeeding.
On the other hand, Ian Sutton (2014) presents risk differently; in his view, risk is composed of the following elements:
a. A hazard;
b. The consequences if that hazard occurs (safety, environmental and economic);
c. The likelihood of the hazard occurring;
d. Safeguards that reduce the consequences.
The first three elements can be expressed with the following formula:

Risk(Hazard) = Consequence x Predicted Frequency

Because risk is perceived in so many ways, its implications are very hard to quantify. A pessimist thinks of risk negatively, expecting that by taking a risk there is a great chance of danger occurring; an optimist, on the other hand, looks at the same risk as an opportunity for progress.

2.1.1. Risk classification

Risk can be classified in different ways depending on various criteria. Every risk has its own attributes that require individual management or analysis. In his book Fundamentals of Risk Management (2010), Hopkin classifies risk into three main categories:

1. Hazard (or pure) risks. These risks have only negative outcomes and may be thought of as operational or insurable risks. A common example of hazard risk is theft.
2. Control (or uncertainty) risks. Some risks give rise to uncertainty about the outcome of a situation. An example is the risk associated with project management in organizations: the uncertainty may concern the benefit the project produces, as well as its delivery on time.
3. Opportunity (or speculative) risks. These refer to actions taken in order to obtain a positive result, and they relate to the relationship between risk and return. The objective is to take an action that involves risk in order to achieve positive gains. Speculative risk is associated especially with investment.

Identifying the types of risk that exist in a given context helps in selecting more specific standards and guidance for managing those risks, and in allocating risk management resources effectively. Risks are of diverse nature and arise from numerous factors. Depending on the objectives and the context of the actions undertaken by individuals, risks can be classified as follows:
1. Information Security Risk (ISR). ISR comprises the impacts on an individual that could result from the threats and vulnerabilities associated with the operation and use of information systems and the environments in which those systems operate (e.g. online payments, use of online media and social networks, Internet access). The primary means of reducing this risk is to implement security controls, or to be more selective about the networks used.
2. Investment Risk. Investment decisions made by individuals or organizations usually weigh the cost of a given investment, direct or indirect, against the anticipated benefits or other factors justifying it. Because investment decisions are generally taken under resource constraints, investment risk typically covers the outcome of the investment as well as the opportunity cost of not making it.
3. Legal Risk. Legal risk applies to any aspect of life subject to legislative or regulatory requirements, and comprises actions or incidents that result in a failure to comply with regulations and legal or social norms.
4. Political Risk. Political risk derives from changes in a country's policies, strategies and political actions. The most important political risk is country risk, which reflects not only economic and political factors but also the social and economic order. (Ghinea, 2014)
5. Reputation Risk. Individuals and organizations may undertake actions that damage their reputation, with possible impacts including bad publicity, loss of public trust, or loss of confidence in their ability to perform their activities successfully.
6. Safety Risk. Safety risk covers outcomes of incidents or events that cause injury to people or damage to property. Loss or harm associated with safety risk usually involves a financial cost; managing safety risk therefore requires preventive measures that seek to reduce injury to individuals, loss of life and destruction of property.
7. Strategic Risk. Strategic risk is the current and future impact on earnings and capital that could arise from business decisions, incorrect implementation of decisions, or a lack of responsiveness to changes in the industry.
8. Supply chain risk. This is related to potential disruption or unavailability of necessary
resources provided through external sources.
9. Program Management Risk. The risk that business programs fail to achieve their goals and outcomes, or fail to do so within the projected costs and timelines.
10. Employee Risk. Employee risk refers to any area in which the activities performed by one or more individuals can harm the business.

Even though only some of the risks mentioned above will apply within the activity of a given risk manager, it is still important for interested parties to be aware of the variety of risks that might occur during a process.
Risk can be classified in many ways, depending on factors such as the place of origin, the size and nature of the risk, or the timeframe of its impact. The last factor, the timeframe of the impact, is a very useful means of analysing risk exposure. In this context, risks may be treated as related to events, changes in circumstances, actions or decisions, and classified as follows:
1. Long-term risks. In general, long-term risks have their impact several years, up to five, after the decision is taken. This category of risk is usually related to investment decisions.
2. Medium-term risks. These risks have their impact some time after the event occurs or the decision is taken, generally about a year later. They are often associated with decisions about education programmes or work projects.
3. Short-term risks. Short-term risks have their impact immediately after the event happens (e.g. accidents at work, traffic accidents, fire or theft).

Identifying and evaluating the range of risks present in our society, and deciding the most appropriate way to reduce them, is at the heart of risk management. Responding to risk should produce benefits for us as individuals, as well as for organizations. (Hopkin, P., 2010)

2.2. Several definitions of Risk Management concept

Looking at risk from the perspective described above, it can be reduced by acting on the two components already mentioned, probability and consequence. This points to the best definition of risk management: a reaction to risk and its components.
Taking into account everything said above about how risk can be defined, the elements that play a key role in managing it are: identifying, evaluating and dealing with possible threats.
Just as it is very hard to define the general concept of risk, it is equally hard to find a suitable definition of risk management. It is acknowledged that risk management relates to safety hazards, uncertainty, vulnerabilities and opportunities, and it can be defined as a set of activities undertaken to deliver the most favourable outcome and to reduce the volatility or variability of outcomes. (Hopkin, P., 2010)
Risk management therefore provides a framework for dealing with and reacting to uncertainty and risk. The Software Engineering Institute defines risk management as a cyclical, continuous process that provides an organized context for making proactive decisions regarding the identification of possible threats and the most effective methods of controlling their possible outcomes. (Ghinea, V., 2014)
The major difference between the related concepts of risk and risk management is that the first is perceived from the perspective of chance or possibility, whereas the second focuses on value and on frequency (recurrence).
From another perspective, the term risk management involves the efficient and standardized application of procedures to the task of identifying and assessing risk and then planning and implementing risk responses. This contributes to a habitual climate of proactive decision making.
In order to manage risk effectively, it has to be:
- Identified. This covers all the risks that could affect the achievement of the objectives. Moreover, each risk has to be defined in a way that ensures a common understanding of it.
- Assessed. When assessing a risk, one has to establish that it can be rated in terms of predicted likelihood, impact and concurrence. It is also highly important to have a broad view of the overall risk level.
- Controlled. Controlling risk means determining suitable risk responses and then monitoring and controlling those responses.
Overall, from an organizational point of view, risk management can be applied in numerous areas and from various perspectives, such as the operational, project or programme context, depending on the time frame (see figure below).

Fig 2.1 Risk from organization perspectives
Source: Personal approach based on literature review

2.2.1. Risk management classification

As stated before, risk management is a constantly evolving concept that has developed in many business areas and has a strong impact on many activities. Taking into account the sector of activity in which it is successfully applied, risk management can be classified as follows:
1. Health and safety at work risk management
2. Quality risk management
3. Project risk management
4. Clinical/medical risk management
5. Financial risk management
6. IT risk management
7. Enterprise risk management
8. Employee risk management

All the domains mentioned above reflect the evolution of risk management over time. When an organization considers the risks it has to face and how they could affect its vision, mission and objectives, it adopts risk management methods and tools.
Financial risk is the area most concerned with applying risk management tools and methods. Banks and other financial institutions deal with loan (credit) risk and market risk, as well as operational risk.
IT risk management is another specific branch of risk management. The increasing
importance of securing data has resulted in the development of specific standards applicable to
IT risk management.
Enterprise risk management is a strategic business discipline that supports the achievement of an organization's objectives by managing its risks. (Hopkin, P., 2010)
The concept of employee risk management is relatively new, as many corporations developed it only in the past decade. It is an independent concept focused on how the actions of the people employed, and of others within a business such as the management team, contractors and agency staff, can harm the company that plays the role of employer. Employee risk management covers not only legal compliance issues, but also a wide range of threats and vulnerabilities that originate in the workforce, either as individuals or as groups. As a concept, risk management is usually associated with domains such as finance or health and safety at work; however, its principles can equally be applied to the management of employee risk in the HR context.

2.3. Risk Management Strategy


A company's risk management policy should communicate how risk management will be enforced throughout the organization in order to support awareness of the strategic objectives of the business. It includes information such as the company's risk appetite (the overall attitude of the business towards risk taking), its risk tolerances, the procedures for escalation, and predefined roles and responsibilities.

Before launching any risk management activities, a Risk Management Strategy should be developed for the business. The purpose of this blueprint is to define how risk management will be embedded in the project management activities. Moreover, each company should have a risk management guide that stipulates the series of steps and the corresponding activities necessary to implement risk management. This guide should provide the best-practice approach that supports a consistent method of risk management across the company.

A key point to document within the Risk Management Strategy is the Business Board's attitude towards risk taking, which determines the amount of risk it regards as acceptable. This information is typically held in the form of risk tolerances: levels of exposure that, when exceeded, generate an Exception Report bringing the situation to the attention of the Business Board.

The following will have an influence on the company's Risk Management Strategy:
- The customer's quality expectations
- The number of projects involved and the relationship between them
- The needs of the stakeholders involved and the relationship between them
- The assumptions that have been made
- The company's own environment (i.e. legislative requirements)

2.4. Risk Management Procedure
Generally, a risk management procedure consists of five typical steps:

1. Identification
2. Assessment
3. Plan
4. Implementation
5. Communication

[Figure: the steps Identify, Assess, Plan and Implement arranged in a cycle, with Communicate at the centre]

Fig 2. The risk management procedure
Source: Personal approach based on literature review

The first four steps are sequential, whereas the Communication step runs in parallel with them, because information produced by the other steps may need to be communicated before the whole process is complete. All the steps are iterative: when additional information becomes available, it is often necessary to return to earlier steps and execute them again in order to reach the most effective and efficient result.

The following sections present the sub-elements that make up these five steps and how they can be determined and analysed.

2.5. Stages in conducting a risk management analysis
2.5.1. Strategic objectives
The first step in defining risk management objectives is to define the individual's or the organization's shared vision. Once the vision and the overall management goals are established, the objectives must be defined as well. While a vision statement is often aspirational, the strategic objectives should describe in simple terms what is to be accomplished. Setting objectives requires an indicator that measures their fulfilment. An objective that lacks specificity or measurability is of little use, simply because there is no way of determining whether it is helping to achieve the stated vision.
As strategy is the foundation of any successful branch of management, every company must establish strategic objectives in order to achieve its goals. To ensure a high rate of success, these objectives need to be SMART:
- Specific. The objective should give a clear message about what needs to be accomplished.
- Measurable. There must be at least one indicator that measures progress towards fulfilling the objective.
- Appropriate. It must be action-oriented and describe the result (and be consistent with the mission and the vision).
- Realistic. The objective must be relevant to the business and an achievable target given the available capabilities and the opportunities in the environment.
- Timely. A deadline or a period for accomplishing the objective must be set.
When all the objectives meet the above criteria, the company gains many benefits: it helps to focus and conserve valuable resources in the project and to work in a more timely manner. (Gregory, G., et al., 2005)
When referring strictly to the risk management process, some common risk management objectives include the following:
- Identifying who raised the risk and when it was raised;
- Managing the full range of threats and risks to the achievement of the strategic goals and objectives in an informed and strategic manner, within an accepted tolerance level;
- Identifying and prioritizing potential risk events;
- Categorizing and describing risks;
- Helping to develop risk management strategies and risk management plans;
- Using established risk management methods, tools and techniques;
- Developing strategies and plans for lasting risk management;
- Developing a communication plan for both internal and external stakeholders at the earliest stage of the process, presenting the risk issues and how they will be handled;
- Developing and implementing appropriate risk mitigation plans through assigned risk owners;
- Maximizing opportunities.

2.5.2. Risk determination


When creating a risk management procedure, one first needs to determine the risk. In order to do that, it is crucial to communicate and consult, so that the people involved understand what is at stake and why certain decisions need to be made.
The purpose of risk determination is to provide evidence-based information and to analyse it as part of the decision-making process. Risk determination produces the risk identification, the risk causes, the risk consequences and the risk probability, which serve as inputs to the risk management process for the purposes of comparing options that carry different risks, classifying risks, deciding which risks fall within the accepted tolerance level, and establishing whether risk treatment is necessary.

2.5.2.1 Risk Analysis


After many studies of the key concepts of risk management, researchers have concluded that in practice it is extremely difficult to separate risk analysis from risk assessment and to provide a coherent theory for each of them.
Risk analysis is the process through which one measures and defines the probability of the risks, their impact and their other characteristics. Based on risk analysis, important risks can be separated from trivial ones, and the opportunities that influence the risk environment in the right direction can be identified.
The scope of risk analysis is to identify, describe and quantify risk.
There are many different techniques used in risk analysis, but in general they fall into two major categories:
- Qualitative risk analysis is the process of prioritizing risks for further analysis by assessing and combining their probability of occurrence and impact, and expressing consequences, probabilities and risks on descriptive scales such as high, medium or low. It is mainly used when the level of risk is not that high and it would not be time-efficient to resort to numerical evaluation.
- Quantitative risk analysis is the process of numerically evaluating the actual values of consequences and probabilities and producing risk values in specific units, defined by the context.

Some researchers have tried to quantify the items that belong to risk analysis and have concluded that the process consists of three steps: risk identification, description and quantification. The figure below illustrates each step with examples.

Risk identification: risk recognition; risk categorization
Risk description: graphics and models; diagrams and sketches
Risk quantification: statistical sums and simulations; expected monetary values and risk models

Figure 2.6: Examples of risk description
Source: Personal approach based on literature review

a) Risk identification
Risk identification should be carried out consistently and periodically. Risks can be identified using various methods and techniques, some traditional and others more modern. The most used are presented below:
- Review lessons learned: the most effective way to reduce uncertainty is to review similar previous businesses and projects and see which threats and opportunities affected them.
- Risk checklists: in-house lists of risks that have either been identified or have occurred in similar cases. These checklists are useful aids for ensuring that identified risks are not neglected.
- Risk prompt lists: publicly available lists that categorize risks into types or areas and are normally relevant to a wide range of projects. They are useful aids for stimulating thinking about sources of risk in the widest context.
- Brainstorming: enables group thinking, which can be more productive than individual thinking. The most important point is to exclude criticism, as it can stop people contributing.
- Risk breakdown structure: a hierarchical decomposition of the company's entire project environment, assembled to illustrate potential sources of risk. Each descending level represents an increasingly detailed definition of the sources of risk. There are numerous ways to break down risk, and it may be useful to produce more than one structure.
- Delphi method: a survey among experts to find out their opinion on events that could influence the future evolution of an area of interest. (Popescu 2001, as cited by Ghinea 2014)
- Analogy techniques: comparing the current situation with historical circumstances in order to estimate its future evolution. (Allen 1996, as cited by Ghinea 2014)
- Questionnaire: a research instrument consisting of a series of questions and other prompts for the purpose of gathering information from respondents.

b) Risk description
In this step of the process a wide range of tools is available, and each company uses those the risk manager considers most suitable for the business's activity. The objective of risk description is to display the identified risks in a structured format. A good structure of the identified risks supports not only a better understanding of specific risks, but also their classification and management. (Ghinea, V., 2014)
Whatever instruments are used, several characteristics of each risk need to be recorded:
- Risk name (e.g. the risk of failing to get employed by the desired company);
- Risk area: a description of the event;
- Risk nature: financial, strategic, etc.;
- Risk appetite: the size of the potential loss or value;
- Treatment method: the risk management techniques used to control the risk.
To summarize, when describing a risk you should give it a name, acknowledge the area it affects, specify its nature, explain how the stakeholders will be involved, quantify the risk, state the appetite for it, and outline the treatment and control techniques, possible improvement actions and the development of strategies.

c) Risk quantification
Risk quantification is synonymous with risk evaluation. The most important goal of the evaluation process is to determine the net effect of all identified threats and opportunities on a project when they are taken together. This enables an appraisal of the overall severity of the risk facing the company, in order to establish whether this level of risk is within the risk tolerance previously set.
Risk can be evaluated using procedures such as:
- Risk models (simulations): a representation of a system, built in order to analyse its performance. Monte Carlo analysis enables the simulation of 'what if' scenarios, using random numbers to establish how often the risk falls within a certain range. The simulation is run many times to determine the average level of risk to the project's cost.
- Expected monetary value (EMV): combines the probability of a risk event, estimating how likely it is to occur, with the value of the risk event, i.e. the loss or value added by its occurrence. When using this method it is essential to examine both tangible and intangible assets; a very important property of the method is that it gives an immediate appraisal of a group of risks, showing their combined effect.
- Statistical sums: calculate the estimated cost of the individual items within a project. This is appropriate when pricing similar projects or offers.
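Because the three evaluation procedures above, together with the qualitative high/medium/low scales of section 2.5.2.1, are easier to grasp in working form, the following Python program is an added example and not part of the original text. It applies them to a constructed register of information security risks (the names, annual probabilities and loss figures are hypothetical): it rates each risk on a coarse likelihood x impact matrix, computes the expected monetary value of each risk and the statistical sum of the register, runs a Monte Carlo simulation of the combined annual loss, and compares the 95th-percentile loss against a risk tolerance as the trigger for an Exception Report of the kind described in section 2.3. The thresholds, the register contents and the use of the 95th percentile as the tolerance measure are assumptions of the example.

```python
"""Quantitative evaluation of a small risk register.

Added example, not from the original text. The register entries,
annual probabilities and loss figures are constructed for illustration;
the methods (qualitative rating, EMV, statistical sum, Monte Carlo
simulation checked against a risk tolerance) follow the techniques
named in the text.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # annual probability of occurrence, 0..1
    consequence: float  # single-point loss estimate if it occurs, in currency units

    def expected_monetary_value(self) -> float:
        """Risk = Probability * Consequences, the formula from the text."""
        return self.probability * self.consequence


# Constructed sample register (hypothetical figures, not real data).
REGISTER = [
    Risk("Phishing leads to credential theft", 0.30, 50_000),
    Risk("Ransomware on the file server", 0.05, 400_000),
    Risk("Cloud misconfiguration exposes customer data", 0.10, 250_000),
    Risk("Laptop theft", 0.20, 8_000),
]


def qualitative_rating(risk: Risk, prob_threshold: float = 0.10,
                       impact_threshold: float = 100_000) -> str:
    """Coarse high/medium/low rating from a 2x2 likelihood x impact matrix.

    Qualitative analysis as the text describes it: scales, not numbers.
    The thresholds are assumptions of this example.
    """
    likely = risk.probability >= prob_threshold
    severe = risk.consequence >= impact_threshold
    if likely and severe:
        return "high"
    if likely or severe:
        return "medium"
    return "low"


def statistical_sum(register: list) -> float:
    """Expected annual loss of the whole register: the sum of the individual EMVs."""
    return sum(r.expected_monetary_value() for r in register)


def prioritize(register: list) -> list:
    """Rank risks by EMV, highest first, separating important risks from trivial ones."""
    return sorted(register, key=lambda r: r.expected_monetary_value(), reverse=True)


def simulate_one_year(register: list, rng: random.Random) -> float:
    """One Monte Carlo trial: each risk occurs independently with its own probability."""
    return sum(r.consequence for r in register if rng.random() < r.probability)


def monte_carlo(register: list, trials: int = 20_000, seed: int = 1) -> dict:
    """Run many simulated years and summarise the resulting loss distribution.

    The mean converges to statistical_sum(register); the 95th percentile
    exposes the combined effect of the low-probability, high-impact risks
    that the EMV alone hides.
    """
    rng = random.Random(seed)  # fixed seed so the result is reproducible
    losses = sorted(simulate_one_year(register, rng) for _ in range(trials))
    return {
        "mean": sum(losses) / trials,
        "p95": losses[int(0.95 * trials) - 1],
        "max": losses[-1],
    }


def exception_report_needed(result: dict, tolerance: float) -> bool:
    """Tolerance check: a 95th-percentile loss above the tolerance escalates to the Board."""
    return result["p95"] > tolerance


if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.name:45s} EMV={r.expected_monetary_value():>9,.0f} "
              f"rating={qualitative_rating(r)}")
    summary = monte_carlo(REGISTER)
    print(f"statistical sum of EMVs: {statistical_sum(REGISTER):,.0f}")
    print(f"simulated annual loss: {summary}")
    print("exception report needed at tolerance 300,000:",
          exception_report_needed(summary, tolerance=300_000))
```

Running the block prints the prioritized register and the simulated loss distribution. The point worth noticing is that the Monte Carlo mean converges to the statistical sum of the EMVs, while the 95th-percentile loss is several times higher, because the two low-probability, high-impact entries dominate the tail; a tolerance set on the EMV alone would never generate an Exception Report for them. The matrix rating also disagrees with the EMV ranking for the laptop theft entry, which is exactly the situation in which the text recommends moving from qualitative to quantitative analysis.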

2.5.2.2 Risk Assessment
Risk assessment should be the first step risk managers take within the risk identification process, so that they know proactively what to prepare for. Risk assessment aims to produce a risk picture: an appraisal of the threats and opportunities of the business in terms of their probability and impact.
According to Paul Hopkin (2013), the risk assessment process should be structured in two parts. The figure below highlights all the activities involved, which are described briefly after it:

Figure 2: Risk assessment bow-tie
Source: Risk Management (2013), Hopkin, P., p. 62

The two parts of the risk assessment define how the potential impacts of events will be identified. The scope of the risk assessment should pay attention to the established aims and objectives. The primary reason for carrying out the assessment is to analyse the current level of risk faced and to decide whether the existing controls are effective and efficient.
The risk communication bow-tie shows that well-developed risk communication activities need to consider the potential impact of any project on finances, infrastructure, reputation and the marketplace. Risk communication should also ensure that the risk management process focuses on the anticipated consequences of these events for strategy, tactics, operations and compliance. (Hopkin, P. 2013)

2.5.3. Risk reporting and decision making
Awareness of the level of risk is vitally important. The information should be updated on
an almost continuous basis. Risk communication activities should be designed to ensure that all
the stakeholders are aware of the risk faced and their role and responsibilities in the management
of those risks.
Risk reporting is a method used to define, gather and process risk data in order to
identify, monitor and manage risk. This mechanism is usually applied by middle or top
management with the purpose of reducing probability or even severity of losses. Its main goal is
to improve data availability and accuracy, performances accross teams, and the whole decision-
making process. The main elements risk reporting should embrace in order to have maximum
level of performance:
Infrastructure - in order for a risk reporting tool to be efficient, it must design, build and maintain an infrastructure that can fully support the requirements of complex risk data.
Completeness and timeliness - complete data offered in a timely manner should be taken into consideration every time a manager analyzes important information for the overall process.
Adaptability of the risk reporting system is essential, as the environment is continuously changing; therefore the system should be able to incorporate change quickly.
Clarity - the message should be clear, concise and comprehensive in order for the complex process to be understood by all the members of the team.

After the risk is identified and analyzed, the management of the company should decide what the next steps the company should follow are. In other words, a decision should be made about which risks the company can afford to take and which of them should be closely monitored in order to produce the best scenarios.

2.5.4. Risk treatment


Having identified and assessed the risks, the next step is to decide how to treat those risks. It is important to understand the related factors and circumstances associated with each risk as well as what can actually be done about them. Risk treatment or risk response is defined by ISO Guide 73 as the process to modify risk (ISO, 2009a). According to ISO Guide 73, there are various ways to treat risks, such as:

Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
Taking or increasing the risk in order to pursue an opportunity;
Removing the risk source;
Changing the likelihood;
Changing the consequences;
Sharing the risk with another party or parties;
Retaining the risk by informed decision.
Another popular framework to treat risks is the four Ts of risk management provided by
Paul Hopkin: tolerate, treat, transfer, and terminate (Table 3).

Decision                Actions
Tolerate (detective)    The decision to do nothing, because no further action needs to or can be taken; the risk is accepted and is further monitored.
Treat (corrective)      The decision to act upon the risk to control or reduce it (partially); this is the most frequent way risks are addressed in an organization.
Transfer (directive)    The decision to share or completely transfer the risk to a third party (e.g., an insurance company).
Terminate (preventive)  The decision to stop the activities that lead to the risk.

Table 3: Risk management 4Ts
Source: Pipeline Integrity Handbook, Singh R. (2014), p. 54

In some cases, the identification of key risk indicators may be useful for the development of action plans. When determining the risk response, the likelihood and the probability of the risk occurring should be assessed, as well as the response to it.
When talking about risk treatment, there are four categories that should be taken into consideration from the point of view of the response: avoidance, mitigation, transfer and acceptance (Table 4).

Probability   Likelihood   Response
High          High         Avoidance
Low           High         Mitigate
High          Low          Transfer
Low           Low          Accept

Table 4: Risk response
Source: Enterprise Risk Management Best Practices: From Assessment to Ongoing Compliance (2011), p. 54

Risk avoidance is the opposite of risk acceptance because it is an all-or-nothing kind of action. Therefore, risk avoidance means taking steps so that the risk is completely addressed and cannot occur. This strategy is usually the most expensive way to treat risk, but it has the result of reducing the cost of downtime and recovery significantly.
Risk mitigation is the most commonly used risk management strategy. The decision is to limit the exposure by taking some actions. This limitation differs according to the type of existing risks.
Risk transfer involves handing the risk off to a willing third party. The most commonly used method is purchasing insurance or other insurance-type services. This implies an extra cost, because the third party must be paid in order to assume that risk. (Snedaker S., Rima C., 2014)
Risk acceptance is sometimes referred to as the "do nothing" option. The cost of risk acceptance is very low at the beginning (it may even be zero), but in the long term the cost can be significantly higher than that of other risk management strategies.

2.5.5. Risk taking and risk monitoring


Risk taking refers to the level of acceptance an organisation is willing to have for occurring risks; according to this ranking, the company decides whether to eliminate the risk or treat it.
Every organisation has its own perspective on risk acceptance, depending on the various factors that influence this decision, such as: financial resources, how high the impact of the risk is, which area is affected, etc. In certain situations it is sometimes better to take the risk, because it is cost-efficient, but it is highly recommended to take note of that risk so that it can be referred to and avoided in the future.
Risk monitoring and control is the process for tracking identified risks, monitoring residual risks, identifying new risks, executing risk response plans, and evaluating their effects. (Ghinea, V., et al., 2014)

Risk monitoring helps maintain ongoing risk awareness and provides information about changes, new risks, or threats and vulnerabilities relevant to the project. Risk monitoring also measures the implemented risk response actions and identifies events or circumstances posing new risks. (Singh R., 2014)
The scope of risk monitoring is to determine whether risk responses have been implemented as planned, whether risk response measures are as effective as expected, or whether a new response should be developed; it also determines whether project assumptions are still valid, whether risk exposure has changed from its prior state, or whether a risk trigger has occurred.
Following on from risk monitoring, processes should be put in place to control the risks. The introduction of control barriers can reduce the severity or reduce the likelihood; either way this will diminish the risk. Considering the hierarchy of controlling risks, the first and most preferable option is elimination, by using a different approach to achieve the same goal. Where elimination is not appropriate, control measures must be taken. The hierarchy of control can be seen in the figure below:

Figure 6: Hierarchy of risk control
Source: Risk Management (2010), Brown A., p. 86
