Introduction
Risk management is a “process of identifying, assessing, communicating and managing the risks facing an organization to ensure that an organization meets its objectives.” (lesrisk.com, n.d.)

The whole process entails finding options, analyzing them after considering legal, behavioral and economic factors so that risk can be mitigated.

Risk is a high probability of having an unfavorable outcome. This uncertainty is known as a risk. "Risk can be defined as the combination of the probability of an event and its consequences" (ISO/IEC Guide 73, 2002). For different companies, risk has different meanings. For instance, for a farmer, the risk is the probable loss of the crop due to bad weather, pest attacks, etc. Companies face risks due to manufacturing errors, errors in the design of the product, loss of goods during shipping, doubtful debts that may turn into bad debts, etc. Companies also need to hedge against financial risk, which includes interest rate risk, market risk, liquidity risk and operational risk. (SBP, n.d.) For a manufacturer, an increase in the cost of production due to inflation is also a risk.

There are different types of risks: financial, process, intangible, time, human, legal and physical risks. Financial risk is not having enough funding of resources. Process risk means that uncertainty in business processes can cause project failure. Intangible risks involve damage to the organization’s image or brand. Time risks are caused by delays or forgone opportunity costs. Natural hazards can cause physical risks. Legal risks can be caused by changes in government policies and regulations. Human risk is related to the loss of important employees or their knowledge, which in turn affects the organization.

The process of risk management is continuous. It is important to identify and assess risks so that unexpected losses to the business entity can be minimized and the adverse events causing them can be identified and avoided or mitigated. (Exforsys Inc, n.d.)

Risk management is a tool which helps in managing these risks in an uncertain environment. There are three goals of risk management:

To relate all the decisions of the organization to risk and to create an implementation process of decision making.
To allocate resources to different areas/risks.
To identify and understand trade-offs and opportunity costs of any given decision.

The organizations can manage risk by transferring it to another party, avoiding it or reducing or mitigating the effect of the risk, or accepting the consequences of the risk. (Exforsys Inc, n.d.)

Risk Management Methodology:

Risk management is conducted in an orderly manner. First, the threats that pose risks need to be identified, characterized and assessed. Criticality of these threats is gauged and the most risky threats are identified. Then the expected consequences of these threats are identified. Then, the organizations need to identify ways to mitigate these risks. The risks can be transferred, avoided or reduced. The organizations need to decide what measures to take according to the strategy they choose. (ISO/DIS 31000, 2009)

This whole process of risk management is planned in a systematic manner. The stakeholders and their objectives are identified. The constraints of the risks are also evaluated. All these steps assist in building a framework for identifying and analyzing the risks. Risks can be mitigated using the technological, human and organizational resources.

Effective risk management requires a “strategic focus, forward thinking and active approaches to management, balance between cost of managing risk and anticipated benefits, and contingency planning when critical threats are realized.” (Murdoch.edu, 2003) The actual process of risk management varies from company to company. (Tatum, n.d.)

The risk management process requires the following decisions to be made. These decisions are explained in detail below: (Murdoch.edu, 2003)

1.    Establish a Context. The context gives the criteria for evaluating risks and for providing a structure for the risk.

2.    Identify Risks. The organizations need to identify what events can pose threats, why some actions are risky, what the consequences are and how they can prove to be risky.

3.    Analyze Risks. Once the risks are identified, they should be analyzed in terms of the consequences they may cause, and the likelihood and frequency of their occurrence. The risks are high when the financial impact is higher than a certain limit, the impact on the company's strategy and operational activities is higher and there is a significant stakeholder concern.

4.    Evaluate Risks. The analysis of the risks helps in the estimation of the “risk levels against the pre-established criteria”. The criteria used are associated costs and benefits of the legal, socio-environmental, cultural factors, etc. This helps in ranking and prioritizing the risks. The rankings are given on the basis of the requirement of the resources, the number of competitors vying for the same resource and pursuing it, and the extent of the availability of the resources.

5.    Treat Risks. The risk is treated according to the funding considerations and risk vibration. Risks are monitored regardless of the low priority ranking. Risk treatment is the process of selecting and identifying ways to modify risk.

6.    Monitor and Review is the most important step; it aims to improve the whole process and helps in identifying the risks, analyzing them and mitigating their effects.

7.    Communication and Consultation should occur at each stage of the process and also for the process as a whole. It involves collaborating with the internal and the external stakeholders. The board and the shareholders should be aware of all the risks involved in the business. The business units need to know their own risks and how these need to be dealt with. The employees need to know those risks that they are accountable for and that they can help mitigate, avoid or transfer.

The process of risk management is graphically depicted as follows: (Murdoch.edu, 2003)

The sources of the risks are:

1.    Humans, in strikes, sabotage and riots.

2.    Natural disasters like fire, earthquake, disease, etc.

3.    Legislative changes in the government policies.

4.    Technological issues such as obsolescence, innovation, etc.

5.    Poor management control and inadequate security.

6.    Fraudulent activities in the organization.

Risks have various areas of impact. They can be assets of the company, the human resources, the costs and revenues of the company, the business processes, the internal and the external environment and the company's goodwill and reputation.

Business decision making is very complex and there is no right or wrong answer in it. While deciding, one needs to conduct a cost and benefit analysis of taking that decision. The same applies to decisions regarding risk management. Cost benefit analysis is an analytical tool that can help decide whether a certain decision is worth it or not. It is helpful in situations where consequences are subjective and can't be properly quantified. Risk benefit analysis can also be conducted. It is similar to cost and benefit analysis, but a trade-off needs to be made between risks and benefits. (foodrisk.org, n.d.)

The basic decision that the top management has to make is to either accept the risk or to modify it. When treating the risk, the internal controls need to be analyzed properly. Their effectiveness refers to the degree to which they can be modified. Cost effectiveness of these controls means that the benefits of these controls exceed the expected benefits. The cost of implementing these internal control measures is also added to the total cost and deducted from the benefits. This exercise can also help in obtaining insurance on the financial risk or any other risk. (The IRM, n.d.)

Direct Costs and Benefits:

There are three ways to deal with risks: reviewing business policy decisions, cash market transactions, and derivatives. Business policies need to be made regarding financial performance objectives and competitive position. In the cash market transactions, the organization needs to understand the industry practices and the government regulations. Also, the role of the financial intermediaries in minimizing the risk should be considered. The derivatives should be the last option that is considered. A risk/reward profile should be used for evaluating the options that are pursued for managing the risk. The risk managers need to have one or more strategies for the implementation so that management needs are met properly. (Strategies & Tactics, 2006)

The organization needs to assess the company’s internal capability of dealing with risk. The organization should have appropriate, robust systems and resources that they can utilize for risk management. (The IRM, n.d.)

The monitoring and review objects help in determining whether the measures adopted resulted in what was intended, what new procedures need to be adopted, how effective were those that have been implemented and what were the lessons learnt. Regular audits help revise risk policies and standards and also identify opportunities for improvement. (The IRM, n.d.)

Risks can be assessed qualitatively and also by quantifying them. Qualitative forecasts are made and then integrated into decision making. Intuitive methods are used for reducing the subjectivity bias. (Edinburgh Business School, 2008)

It is difficult to quantify risk exposure. Three things need to be looked at while quantifying risk exposure: assets and liabilities, the length or the term of the risk exposure and the direction of the risk exposure. Assets and liabilities are both exposed to risk; therefore the individual risk and the net risk exposure should be considered. The length of the risk exposure should also be considered. Also, one should determine whether it is a one-time risk or a recurrent one. Moreover, the risk managers need to determine if the risk is proportional to the direction of the interest rates, price or exchange rate movement. (The IRM, n.d.)

To quantify the risk, the risk manager should also graphically map the AS-IS balance sheet, or the business process. This is the ideal situation that is required by the organization.

The direct costs of risk management are the cost of insurance, hedging, alliances and control activities. Insurance policies have a cost attached to them. The more comprehensive the organization's policy, the higher the cost of reducing risk through insurance. Companies also use hedging techniques for limiting the losses associated with unfavorable movements of economic variables such as interest rates, prices, exchange rates, etc. It is important to form alliances and partnerships with other companies in the value chain or in the industry. However, there is a risk premium charged for these alliances. The higher the risk, the higher the risk premium charged by a partner. These direct costs are not difficult to estimate. (Ballou et al., 2009)

Indirect Costs and Benefits:

Indirect costs can be reputation costs, i.e. losses due to loss of reputation when risks are incurred. (Ballou et al., 2009)

An indirect benefit of conducting this risk management process is that it helps the organization plan and critically evaluate all the aspects that may cause risk, such as the organization’s strategy, human resources, business processes, etc. This indirectly helps with the documentation. Moreover, thorough analysis can also help root out problems or any inconsistencies in the business processes; this is an indirect benefit as it is not the objective of the risk management process.

In addition to this, the success of the risk policy requires commitment from the top management, teamwork and cohesiveness in the organization, transparency and accountability and allocation of appropriate resources for training and development. (The IRM, n.d.)

Another indirect benefit of effective enterprise risk management is aligning risk management with strategy. It helps in evaluating the company strategy and then developing mechanisms to manage related risks. Moreover, alternatives for dealing with risk need to be considered. This process helps in reducing operational losses and enhancing the capability to identify the events so that losses from the risks can be minimized. In addition to this, companies should have robust risk information that fulfills overall capital needs and also enhances capital allocation. (COSO, 2004)
