
The Risk Management Process
Prepared By: Rusul M. Kanona
Supervised By: Dr. Loa'i A. Tawalbeh
Arab Academy for Banking & Financial Sciences (AABFS)
&all )**+
What is the Risk Management process?
The Risk Management Process consists of a series of steps that, when undertaken in sequence, enable continual improvement in decision-making.

Steps of the Risk Management Process?
Step 1. Communicate and consult.
Step 2. Establish the context.
Step 3. Identify the risks.
Step 4. Analyze the risks.
Step 5. Evaluate the risks.
Step 6. Treat the risks.
Step 7. Monitor and review.

Step 1. Communicate and consult
- Communication and consultation aims to identify who should be involved in assessment of risk (including identification, analysis and evaluation) and it should engage those who will be involved in the treatment, monitoring and review of risk.

- As such, communication and consultation will be reflected in each step of the process described here.
- As an initial step, there are two main aspects that should be identified in order to establish the requirements for the remainder of the process.
- These are communication and consultation aimed at:
A- Eliciting risk information
B- Managing stakeholder perceptions for management of risk.

A- Eliciting risk information
- Communication and consultation may occur within the organization or between the organization and its stakeholders.
- It is very rare that only one person will hold all the information needed to identify the risks to a business or even to an activity or project.
- It is therefore important to identify the range of stakeholders who will assist in making this information complete.

B- Managing stakeholder perceptions for management of risk

Tips for effective communication and consultation
- Determine at the outset whether a communication strategy and/or plan is required
- Determine the best method or media for communication and consultation
- The significance or complexity of the issue or activity in question can be used as a guide as to how much communication and consultation is required: the more complex and significant to the organization, the more detailed and comprehensive the requirement.

Step 2. Establish the context
provides a five-step process to assist with establishing the context within which risk will be identified.
1- Establish the internal context
2- Establish the external context
3- Establish the risk management context
4- Develop risk criteria
5- Define the structure for risk analysis

1- Establish the internal context
- As previously discussed, risk is the chance of something happening that will impact on objectives.
As such, the objectives and goals of a business, project or activity must first be identified to ensure that all significant risks are understood.
This ensures that risk decisions always support the broader goals and objectives of the business. This approach encourages long-term and strategic thinking.

In establishing the internal context, the business owner may also ask themselves the following questions:
- Is there an internal culture that needs to be considered? For example, are staff resistant to change? Is there a professional culture that might create unnecessary risks for the business?
- What staff groups are present?
- What capabilities does the business have in terms of people, systems, processes, equipment and other resources?

2- Establish the external context
This step defines the overall environment in which a business operates and includes an understanding of the clients' or customers' perceptions of the business. An analysis of these factors will identify the strengths, weaknesses, opportunities and threats to the business in the external environment.

A business owner may ask the following questions when determining the external context:
- What regulations and legislation must the business comply with?
- Are there any other requirements the business needs to comply with?
- What is the market within which the business operates? Who are the competitors?
- Are there any social, cultural or political issues that need to be considered?

Tips for establishing internal and external contexts
- Determine the significance of the activity in achieving the organization's goals and objectives
- Define the operating environment
- Identify internal and external stakeholders and determine their involvement in the risk management process.

3- Establish the risk management context
- Before beginning a risk identification exercise, it is important to define the limits, objectives and scope of the activity or issue under examination.
- For example, in conducting a risk analysis for a new project, such as the introduction of a new piece of equipment or a new product line, it is important to clearly identify the parameters for this activity to ensure that all significant risks are identified.

Tips for establishing the risk management context
- Define the objectives of the activity, task or function
- Identify any legislation, regulations, policies, standards and operating procedures that need to be complied with
- Decide on the depth of analysis required and allocate resources accordingly
- Decide what the output of the process will be, e.g. a risk assessment, job safety analysis or a board presentation. The output will determine the most appropriate structure and type of documentation.

4- Develop risk criteria
Risk criteria allow a business to clearly define unacceptable levels of risk. Conversely, risk criteria may include the acceptable level of risk for a specific activity or event. In this step the risk criteria may be broadly defined and then further refined later in the risk management process.

Tips for developing risk criteria
- Decide or define the acceptable level of risk for each activity
- Determine what is unacceptable
- Clearly identify who is responsible for accepting risk and at what level.

5- Define the structure for risk analysis
- Isolate the categories of risk that you want to manage. This will provide greater depth and accuracy in identifying significant risks.
- The chosen structure for risk analysis will depend upon the type of activity or issue, its complexity and the context of the risks.

Step 3. Identify the risks
- Risk cannot be managed unless it is first identified. Once the context of the business has been defined, the next step is to utilize the information to identify as many risks as possible.

The aim of risk identification is to identify possible risks that may affect, either negatively or positively, the objectives of the business and the activity under analysis. Answering the following questions identifies the risk:

There are two main ways to identify risk:
1- Identifying retrospective risks
Retrospective risks are those that have previously occurred, such as incidents or accidents. Retrospective risk identification is often the most common way to identify risk, and the easiest. It's easier to believe something if it has happened before. It is also easier to quantify its impact and to see the damage it has caused.

There are many sources of information about retrospective risk. These include:
- Hazard or incident logs or registers
- Audit reports
- Customer complaints
- Accreditation documents and reports
- Past staff or client surveys
- Newspapers or professional media, such as journals or websites.

2- Identifying prospective risks
- Prospective risks are often harder to identify. These are things that have not yet happened, but might happen some time in the future.
- Identification should include all risks, whether or not they are currently being managed. The rationale here is to record all significant risks and monitor or review the effectiveness of their control.

Methods for identifying prospective risks include:
- Brainstorming with staff or external stakeholders
- Researching the economic, political, legislative and operating environment
- Conducting interviews with relevant people and/or organizations
- Undertaking surveys of staff or clients to identify anticipated issues or problems
- Flow charting a process
- Reviewing system design or preparing system analysis techniques.

Tips for effective risk identification
- Select a risk identification methodology appropriate to the type of risk and the nature of the activity
- Involve the right people in risk identification activities
- Take a life cycle approach to risk identification and determine how risks change and evolve throughout this cycle.

Step 4. Analyze the risks
- During the risk identification step, a business owner may have identified many risks and it is often not possible to try to address all those identified.
- The risk analysis step will assist in determining which risks have a greater consequence or impact than others.

What is risk analysis?
Risk analysis involves combining the possible consequences, or impact, of an event, with the likelihood of that event occurring. The result is a 'level of risk'. That is:
Risk = consequence x likelihood

Elements of risk analysis
The elements of risk analysis are as follows:
1. Identify existing strategies and controls that act to minimize negative risk and enhance opportunities.
2. Determine the consequences of a negative impact or an opportunity (these may be positive or negative).
3. Determine the likelihood of a negative consequence or an opportunity.
4. Estimate the level of risk by combining consequence and likelihood.
5. Consider and identify any uncertainties in the estimates.

Types of analysis
Three categories or types of analysis can be used to determine level of risk:
- Qualitative
- Semi-quantitative
- Quantitative.

- The most common type of risk analysis is the qualitative method. The type of analysis chosen will be based upon the area of risk being analyzed.

Tips for effective risk analysis
- Risk analysis is usually done in the context of existing controls - take the time to identify them
- The risk analysis methodology selected should, where possible, be comparable to the significance and complexity of the risk being analyzed, i.e. the higher the potential consequence the more rigorous the methodology
- Risk analysis tools are designed to help rank or prioritize risks. To do this they must be designed for the specific context and the risk dimension under analysis.

Step 5. Evaluate the risks
- Risk evaluation involves comparing the level of risk found during the analysis process with previously established risk criteria, and deciding whether these risks require treatment.
- The result of a risk evaluation is a prioritized list of risks that require further action.
- This step is about deciding whether risks are acceptable or need treatment.

Risk acceptance
A risk may be accepted for the following reasons:
- The cost of treatment far exceeds the benefit, so that acceptance is the only option (applies particularly to lower ranked risks)
- The level of the risk is so low that specific treatment is not appropriate with available resources
- The opportunities presented outweigh the threats to such a degree that the risks are justified
- The risk is such that there is no treatment available, for example the risk that the business may suffer storm damage.

Step 6. Treat the risks
- Risk treatment is about considering options for treating risks that were not considered acceptable or tolerable at Step 5.
- Risk treatment involves identifying options for treating or controlling risk, in order to either reduce or eliminate negative consequences, or to reduce the likelihood of an adverse occurrence. Risk treatment should also aim to enhance positive outcomes.

Options for risk treatment:
identifies the following options that may assist in the minimization of negative risk or an increase in the impact of positive risk.
1- Avoid the risk
2- Change the likelihood of the occurrence
3- Change the consequences
4- Share the risk
5- Retain the risk

Tips for implementing risk treatments
- The key to managing risk is in implementing effective treatment options
- When implementing the risk treatment plan, ensure that adequate resources are available, and define a timeframe, responsibilities and a method for monitoring progress against the plan
- Physically check that the treatment implemented reduces the residual risk level
- In order of priority, undertake remedial measures to reduce the risk.

Step 7. Monitor and review
- Monitor and review is an essential and integral step in the risk management process.
- A business owner must monitor risks and review the effectiveness of the treatment plan, strategies and management system that have been set up to effectively manage risk.

- Risks need to be monitored periodically to ensure changing circumstances do not alter the risk priorities. Very few risks will remain static, therefore the risk management process needs to be regularly repeated, so that new risks are captured in the process and effectively managed.
- A risk management plan at a business level should be reviewed at least on an annual basis. An effective way to ensure that this occurs is to combine risk planning or risk review with annual business planning.

Summary of risk management steps