CMS-301

Paper
Principles of Management
Principles of Management Assignment

BS-ME, 2016-2020

RISK MANAGEMENT IN ORGANIZATIONS

USMAN K. QURESHI
Department of Mechanical Engineering (DME), PIEAS, Nilore 45650, Islamabad, Pakistan

(Received 29th April, 2019)

The risk management field has received a lot of attention over the last decade as a result of the change in the way
businesses run and the occurrence of several events with impact in the global economy such as the 2008 collapse of
the credit market and the housing market meltdown in the USA, the 2010 Gulf of Mexico oil spill or the 2011 incident on
the Japanese nuclear power plant of Fukushima-Daiichi. As a result, risk management has become a main topic as
plays an increasingly important role in the strategy of an organization. This paper presents different perspectives on how
risk management has been addressed by organizations, and/or enterprises, the different types of risk managers and
different categories risks that exits in the organizations and enterprises and this paper also proposes a classification for
managing different types of risks and how to approach them. In the end it is also discussed that why it is hard to talk
about risks.

Keywords: Risk Management; Risk Manager; Organizational work; Principles of Management

1. Introduction o Insurance Agents

Risk management is a systematic process of
identifying and assessing company risks and
taking actions to protect a company against them.
Some risk managers define risk as the possibility
that a future occurrence may cause harm or
losses, while noting that risk also may provide
possible opportunities. By taking risks, companies
sometimes can achieve considerable gains.
However, companies need risk management to
analyze possible risks in order to balance potential
gains against potential losses and avoid expensive
mistakes.
o Salaried Employees
o Independent Consultants
2.2 Categories of Risk and their
Management
The risks that companies face fall into three
categories, each of which requires a different risk-
management approach. Preventable risks, arising
from within an organization, are monitored and
controlled through rules, values, and standard
compliance tools. In contrast, strategy risks and
external risks require distinct processes that
encourage managers to openly discuss risks and
find cost-effective ways to reduce the likelihood of
risk events or mitigate their consequences.

The first step in creating an effective risk-

2.
management system is to understand the
qualitative distinctions among the types of risks
that organizations face. And the field research
shows that risks fall into one of three categories.
Risk events from any category can be fatal to a
company’s strategy and even to its survival. These
three categories of risks are as follows:

Materials and Methods o Category I: Preventable Risks

2.1 Risk Managers o Category II: Strategy Risks

Company managers have three general options o Category III: External Risks
when it comes to choosing a risk manager. Category I: Preventable Risks: This risk
category is best managed through active

1
 Principles of Management | Risk Management

prevention: monitoring operational processes and
guiding people’s behaviors and decisions toward
desired norms. Since considerable literature
already exists on the rules-based compliance
approach, we refer interested readers to the
sidebar “Identifying and Managing Preventable
Risks” in lieu of a full discussion of best practices
here.
Category I: Strategy Risks: Over the past 10
years of study, experts have come across three
distinct approaches to managing strategy risks.
Which model is appropriate for a given firm
depends largely on the context in which an
organization operates? Each approach requires
quite different structures and roles for a risk-
management function, but all three encourage
employees to challenge existing assumptions and
debate risk information. Our finding that “one size
does not fit all” runs counter to the efforts of
regulatory authorities and professional
associations to standardize the function.
Category I: External Risks: External risks, the
third category of risk, cannot typically be reduced
or avoided through the approaches used for
managing preventable and strategy risks. External
risks lie largely outside the company’s control;
companies should focus on identifying them,
assessing their potential impact, and figuring out
how best to mitigate their effects should they occur.
2.3 VW's Risk Management Unit
Volkswagen do Brasil (subsequently
abbreviated as VW), the Brazilian subsidiary of the
German carmaker. VW’s risk-management unit
uses the company’s strategy map as a starting
point for its dialogues about risk. For each
objective on the map, the group identifies the risk
events that could cause VW to fall short of that
objective. The team then generates a Risk Event
Card for each risk on the map, listing the practical
effects of the event on operations, the probability of
occurrence, leading indicators, and potential
actions for mitigation. It also identifies who has
primary accountability for managing the risk. The
risk team then presents a high-level summary of
results to senior management.
The Risk Event Card: VW do Brasil uses risk
event cards to assess its strategy risks. First,
managers document the risks associated with
achieving each of the company’s strategic
objectives. For each identified risk, managers
create a risk card that lists the practical effects of
the event’s occurring on operations. Below is a
sample card looking at the effects of an interruption
in deliveries, which could jeopardize VW’s strategic
objective of achieving a smoothly functioning
supply chain.

Some external risk events are sufficiently

imminent that managers can manage them as they
do their strategy risks. For example, during the
economic slowdown after the global financial crisis,
Infosys identified a new risk related to its objective
of developing a global workforce: an upsurge in
protectionism, which could lead to tight restrictions
on work visas and permits for foreign nationals in
several OECD countries where Infosys had large
Risk Report Card: VW do Brasil summarizes
client engagements. Although protectionist
its strategy risks on a Risk Report Card organized
legislation is technically an external risk since it’s
by strategic objectives (excerpt below). Managers
beyond the company’s control, Infosys treated it as
can see at a glance how many of the identified
a strategy risk and created a Risk Event Card for it,
risks for each objective are critical and require
which included a new risk indicator: the number
attention or mitigation. For instance, VW identified
and percentage of its employees with dual
11 risks associated with achieving the goal “Satisfy
citizenships or existing work permits outside India.
the customer’s expectations.” Four of the risks
If this number were to fall owing to staff turnover,
were critical, but that was an improvement over the
Infosys’s global strategy might be jeopardized.
previous quarter’s assessment. Managers can also
Infosys therefore put in place recruiting and
monitor progress on risk management across the
retention policies that mitigate the consequences
company.
of this external risk event.

2
 Principles of Management
2.4 Why Risk is Hard to Talk About?
Multiple studies have found that people
overestimate their ability to influence events that,
in fact, are heavily determined by chance. We
tend to be overconfident about the accuracy of our
forecasts and risk assessments and far too narrow
in our assessment of the range of outcomes that
may occur.
We also anchor our estimates to readily
available evidence despite the known danger of
making linear extrapolations from recent history to
a highly uncertain and variable future. We often
compound this problem with a confirmation
bias, which drives us to favor information that
supports our positions (typically successes) and
suppress information that contradicts them
(typically failures). When events depart from our
expectations, we tend to escalate
commitment, irrationally directing even more
resources to our failed course of action—throwing
good money after bad.
Organizational biases also inhibit our ability to
discuss risk and failure. In particular, teams facing
uncertain conditions often engage in groupthink:
Once a course of action has gathered support
within a group, those not yet on board tend to
suppress their objections—however valid—and fall
in line. Groupthink is especially likely if the team is
led by an overbearing or overconfident manager
who wants to minimize conflict, delay, and
challenges to his or her authority.
3. Results and Discussion
Several other approaches to risk
management can be found in literature such as,
Procurement Risk Management or Quality Risk
Management. From the analysis of the different
risk management perspectives, two
majorly different approaches to risk can be
distinguished (Table 1). On one hand we have a
functional approach that translates a "silo" way of
managing risk. Financial risk, insurance risk and
information technology risk management, for
example, are functional approaches. On the
opposite side we have a process-oriented
approach to risk management, were the cross
functional view of the management of the
organization risk is present. Supply chain risk
management, business process risk management,
enterprise risk management are some of these
approaches.
Table 1. Risk Perspectives
Functional Process Oriented
Perspective Perspective
Financial Risk Supply chain Risk
Insurance Risk Business Process
Risk
IT Risk Enterprise Risk
Acknowledgements
I acknowledge the efforts of my supervisor and
course instructor, Dr. Tariq Majeed, and the help I
took from my classmates.
I want to thank EVERYONE who ever said
anything positive to me or taught me something. I
heard it all, and it meant something.
References
[1] Robert S. Kaplan, “Managing Risks: A NEW
FRAMEWORK”, Harvard Business School, Cambridge,
Massachusetts, 2012.
https://hbr.org/2012/06/managing-risks-a-new-
framework/
[2] Reference for Business, RISK MANAGEMENT, 2019.
https://www.referenceforbusiness.com/management/Pr-
Sa/Risk-Management.html/
[3] Reference for Risk Management, PRINCIPLES OF
RISK MANAGEMENT, 2017.
https://www.wikipedia.com/managing-risks-and-
different-principles-of-risk/