Risk management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events [1] or to maximize the realization of opportunities. Within this statement, one can already realize that risk management is a science. It involves several steps that result in an organization’s continuous development and improvement. When executed properly, an organization usually prospers.
Before I dive into the main parts of the risk management process, it is very important for one to realize that communication and consultation play a major role within this process. Thus, communication will be evident throughout each step of the risk management process. There are two main parts of communication that need to be established first, before going into the process. These are Eliciting Risk Information and Managing Stakeholder’s Perception for Management Risk.
Within every prospering and successful organization, effective communication and consultation are apparent between the organization and its stakeholders. Everyone in the organization (whether it be an employee, a department, or a stakeholder) should assist the risk management team by communicating the risk they have identified as soon as possible. Once the risk has been established, a plan or strategy can be procured and then effectively communicated to those involved so as to remedy the risk right away.
Moving on, the first step in the risk management process is to determine the objectives of the organization. One can do this by establishing the context of the organization. This involves five steps which are: Establish the internal context, establish the external context, establish the risk management context, develop the criteria, and define the structure for risk analysis.
Establishing the internal context implies the identification of an organization’s goals, objectives, plans, and activities to ensure that all potential and significant risks are understood. This guarantees that the decisions made always support the overall goal and objective of the organization.
Establishing the external context implies the overall environment in which an organization functions. This includes their clients’ or customers’ view towards the business. An analysis of the external factors can pinpoint strengths to perfect and weaknesses to improve on outside the company setting.
Establishing risk management context means setting the limits, objectives and scope of the risk under observation. Developing risk criteria is to define whether the level of risk is manageable or unmanageable for the business. Defining the structure for risk analysis isolates the category of risk that the risk management team wants to handle first.
The second step is to identify exposures to loss or risk. The risk management team cannot manage any loss or risk within or outside the organization if they cannot identify potential for loss or risk. The sole purpose of this part of the process is to detect possible risks that could either have a positive or negative effect on the organization’s overall goal. There are two main ways to identify risks which are retrospectively (looking into the organization’s past) or prospectively (looking into the future).
It is easier to identify risk retrospectively because, nowadays, everything is being recorded. It is said that “Experience is the best teacher.” An organization just needs to look into their past, identify all the risks that have ever happened, then come up with strategies to eliminate or minimize the risk. Through experience, an organization can learn and better prepare themselves whenever a certain risk will happen again. Conversely, prospectively identifying a risk is harder because an organization cannot see the future. They can try to come up with all the numbers and values that might indicate a risk but one can never accurately predict all potential risks.
The next step is to measure or analyse those same exposures or risks. Once the risk management team has identified all risks, the organization must be able to determine which risk to take on first. They can’t handle all the risks at once. They need to prioritize by combining which risk will have a greater impact on the organization with the chances of that risk ever happening. There are three types of analysis that can be used to determine the severity of the impact of a certain risk. These are qualitative (most common), semi-qualitative, and quantitative.
The fourth step involves selecting alternatives by properly evaluating the risks. After analysing, measuring, and prioritizing which risk will have the greatest impact on the organization, here, the risk management team determines which risk is acceptable or needs immediate treatment or elimination. Also, the risk management team can use different alternatives to manage certain risks. For example, if the cost for eliminating such a risk is too high, the only alternative may be to let the risk happen. Another example will be if the risk is too low, so that spending money to eliminate such a risk is inappropriate; then the alternative may be to let the risk happen or use whatever resources are available to manage such a risk.
The next step is to treat the risk by implementing a solution. Those risks that were not acceptable or manageable will have to be treated as soon as possible in order to reduce the risk or to eliminate the risk altogether. But the treatment of risk does not only eliminate or reduce the risk; this process needs to be documented so as to have a basis for retrospective identification. Here are different options for an organization to choose from when treating a risk: Avoid the risk, change the likelihood of its occurrence, change the consequences, share the risk, and retain the risk.
The last step of the risk management process is to monitor and review the outcomes. This may be the last step, but similar to communication and consultation, it is best to monitor and review all parts of the risk management process. This is a vital part of the process because this will answer questions from business owners such as: Was the treatment successful? Was the strategy used effective? Is there room for improvement? Will this ever occur again?
So, like all organizations, the risk management process is interrelated. Without the other, it will not work as effectively as possible. It is a science that has multiple processes. Each process has its own function. Though different in function, these processes work hand in hand to attain a common goal. Every part is essential and vital.
Due to the increasing demand for guidance in creating and implementing effective and efficient risk management in an organization, the Committee of Sponsoring Organizations (COSO) established the Enterprise Risk Management – Integrated Framework in 2004. This has been the standard framework for most organizations. In this framework, enterprise risk management components are being defined, key ERM concepts and principles are discussed, and a clear guide to ERM is provided.
There are four categories in which enterprise risk management is driven to attain an organization’s goals and objectives. These categories are:
Strategy – these are high level goals that are associated with the organization’s mission. These goals play a supportive role.
Operations – is the effective and efficient use of the organization’s resources.
Reporting – reliable reporting of operational and financial activities.
Compliance – should be in line with applicable laws, regulations, and rules.
This categorization of an organization’s objectives allows the risk management team to focus on a particular aspect separately as well as having a distinction of what can be expected from each category.
Aside from the categories, enterprise risk management has eight different components which are unified within the management process. It is safe to assume that these components were observed to be present when management runs an organization. Below are the eight components:
Internal Environment – this basically means the culture of an organization. How they view risks and how they usually approach risks.
Objective Setting – objectives being set during ERM should be in line with an organization’s mission. If not, responding to a risk might steer the organization on a different path.
Event Identification – any event, whether internal or external, must be identified and then scrutinized whether this event is a risk or an opportunity.
Risk Assessment – once an event is identified as a risk, it should be assessed properly. The impact of a certain risk will determine the response.
Risk Response – depending on the impact of the risk, management must decide whether to accept, avoid, reduce, or share the risk.
Control Activities – rules and regulations must be established so that the people involved will be able to carry out the response properly.
Information and Communication – must be present in every component so that everyone in the organization will be aware and be better prepared.
Monitoring – same as the previous component, this should also be present all throughout to ensure continuous growth.
So, in order for the ERM framework to be successful, both the objectives and the components should be related to each other. The objectives are what the organization wants to achieve while the components are the tools needed to achieve it. Without one, the other is just useless.
The risk assessment process involves most of the parts of the risk management process except the treatment stage. With this in mind, one should realize that the steps above are more or less the same as those of the management process. This means that communication and consultation are present in all stages, as is monitoring.
Identification of relevant business objectives simply means that everyone in the organization should be on the same page when it comes to the success of the organization as well as the proper ways to determine and eliminate risks found in the organizations. If people are not on the same page, then it will be hard to solve problems found within the organization.
Identifying events that could affect the achievement of objectives is the second step to assessment. It is important for one to remember that events can really affect the objectives of the organization and recognizing these events ahead of time is vital. If the organization can recognize these events ahead of time, it may be possible for the organization to actually avoid the risk. This will really save the company from any unnecessary expenses.
The third step is determining risk tolerance. The organization, together with the risk management team, should try to analyse the risk and see whether they can stand the risk. There are some risks that are not so gigantic that an organization is willing to stand it rather than spend money to eliminate the risk.
The next step is more or less similar to determining risk tolerance. Assessing the inherent likelihood and impact of risks is analysing the chances of a certain risk to happen as well as determining the effect it will have on the organization. If the impact is great, the organization needs to prioritize this kind of risk before dealing with those having less impact. It is only common sense to fix the biggest problem before fixing the little ones.
Evaluating the portfolio of risks and determining risk responses happens after determining the tolerance and assessing the impact. To be prepared for the worst, an organization needs to plan ahead of time how to eliminate the risk having the biggest impact on the organization. One should come up with a plan or strategy for how to solve every risk assessed in steps C and D so that they can maximize time and minimize cost. Spending the least cost and taking the shortest time to solve the issues will be the ideal way to solve every risk in an organization.
The last step to the assessment process is assessing residual likelihood and impact of risks. There are times when an organization tries to eliminate or solve a risk but can’t do it completely. Sometimes there will be residual risks. These risks should be assessed and not taken too lightly. If the remaining risk is not so big of a problem, they might just ignore it or set it aside for the meantime. However, if the aftermath is just as bad, the organization should start planning a strategy to solve this risk.
In conclusion, risk assessment should be properly done before managing the risk. One needs to scrutinize every detail of the risk before management happens. One needs to know all the details first before solving the problem. If one just dives right in, they might end up in shallow waters and will not be ready for the after effects. Knowing is always half the battle. Know the enemy first before charging in.