Risk Management School

[class #2] How to manage your organization's risks

by Risk Management School on 12 de May de 2023

 
🎓 Risk Management School
In this session, Alejandro Orrego, CEO of Pirani, teaches us how to identify improvement risks, risks factors in operational risk management, 5 simple methods for identifying risks, the three lines of defense, how to measure them from impact and likelihood, how to read the heat map, and what is the treatment. 
 Get start now
Risks
In the context of risk management and ISO 31000, risk is defined as the effect of uncertainty on objectives. This means that risk is the possibility of an event or situation occurring that could have an impact on the achievement of an organization's goals and objectives. Risk can be seen as the likelihood and potential consequences of a threat or opportunity.
 
  • Strategic risk
    Strategic risk refers to the potential negative impact on an organization's ability to achieve its strategic objectives or mission. It is the risk associated with an organization's overall strategy, including its business model, goals, and approach to achieving them.

  • Operational risk
    Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events. This can include risks associated with a wide range of activities, such as financial reporting, information technology, human resources, legal and compliance, and supply chain management, among others.

Risks factors

  • Operational risk management
  1. People This includes risks related to human error, misconduct, fraud, or inadequate training or supervision of employees.
  2. Processes This includes risks related to errors or inefficiencies in business processes, inadequate documentation, or failure to comply with policies or regulations.
  3. Systems This includes risks related to technology failures, cyber attacks, data breaches, or inadequate IT infrastructure.
  4. External events This includes risks related to natural disasters, political instability, supply chain disruptions, or changes in regulations or market conditions.
  5. Legal and regulatory This includes risks related to non-compliance with laws and regulations, legal disputes, or fines and penalties for violations.
  6. Reputational This includes risks related to negative publicity, loss of customer trust or confidence, or damage to brand reputation.
  • Internal

Are those that arise from within the organization itself.

  1. Human error Mistakes or errors made by employees, such as incorrect data entry, miscommunication, or failure to follow procedures, can result in operational failures or process disruptions.
  2. Fraud Misconduct by employees or third parties, such as theft, embezzlement, or financial statement fraud, can result in financial losses or damage to an organization's reputation.
  3. Information security breaches Internal threats, such as unauthorized access or disclosure of sensitive information, or malicious activity by employees or third parties, can result in data breaches or cyber attacks.
  4. Inadequate processes or controls Poorly designed or implemented processes or internal controls, or lack of oversight or monitoring, can result in errors, inefficiencies, or compliance failures.
  5. System failures Technical issues or system failures, such as hardware or software malfunctions, power outages, or network disruptions, can impact an organization's ability to operate effectively.
  6. Culture and conduct A toxic or dysfunctional corporate culture, or behavior that is inconsistent with the organizationx's values or ethical standards, can result in a range of risks, including reputational damage, regulatory scrutiny, or legal liabilities.
  • External

Those that arise from outside the organization, and are often beyond its control.

  1. Natural disasters Events such as hurricanes, floods, earthquakes, wildfires, and other natural disasters can disrupt an organization's operations and supply chain, and result in property damage, loss of life, and business interruption.
  2. Political events Political instability, changes in government policies or regulations, civil unrest, and terrorism can all have a significant impact on an organization's operations, particularly if it operates in a politically sensitive region.
  3. Economic factors Changes in economic conditions, such as recessions, inflation, currency fluctuations, and interest rate changes, can impact an organization's revenue, profitability, and ability to access capital.
  4. Competitive factors Changes in market conditions, such as new market entrants, disruptive technologies, or shifts in consumer preferences, can impact an organization's ability to compete effectively and maintain market share.
  5. Supply chain disruptions Changes in the availability or cost of raw materials, labor, or transportation can impact an organization's ability to produce and deliver goods and services, particularly if it relies heavily on suppliers or logistics providers.
  6. Legal and regulatory Changes related to laws and regulations, legal standards, or fines and penalties for violations.
  7. Public health Public health situations such as epidemics or pandemics such as the COVID-19 outbreak is an example of an external risk factor that can impact an organization's operations.

5 simple methods for identifying risks

  • Brainstorming: is a simple and effective method for identifying risks. Gather a group of people from different departments or areas of the company, and have them identify potential risks related to their areas of responsibility. Encourage the group to think creatively and consider all potential risks, even if they seem unlikely or far-fetched.
  • SWOT analysis: strengths, weaknesses, opportunities, and threats analysis is another simple method for identifying risks. The analysis involves identifying internal strengths and weaknesses, as well as external opportunities and threats. Risks can be identified by analyzing the weaknesses and threats.
  • Checklists: can be used to identify risks in specific areas of the company. For example, a safety checklist could be used to identify potential safety risks, while a financial checklist could be used to identify potential financial risks.
  • Expert interviews: conducting interviews with experts in the company can be a simple way to identify risks. Experts can provide insights into potential risks based on their experience and expertise.
  • Observation: observing the company's processes and activities can also be a simple way to identify risks. Look for potential hazards, bottlenecks, or other areas where problems could arise.

The three lines of defense

1. First line of defense: Operation

This is the operational level of the organization where the day-to-day business activities take place. It includes all employees and departments that are responsible for managing and controlling risks. The first line of defense is responsible for identifying and managing risks as they arise, and for implementing controls to prevent or mitigate those risks.

2. Second line of defense: Risk & compliance

This is the risk management and compliance function within the organization. The second line of defense provides oversight and guidance to the first line of defense to ensure that risks are properly identified, assessed, and managed. It also ensures that the organization is in compliance with relevant laws and regulations.

3. Third line of defense: Internal audit

This is the internal audit function within the organization. The third line of defense provides independent assurance that the first and second lines of defense are working effectively to manage risks and comply with regulations. The internal audit function also identifies opportunities for improvement in the risk management processes and provides recommendations for addressing any deficiencies.

Measure improvement Risks

  • Impact: refers to the potential consequences or effects of a risk event on an organization's objectives. The impact can be positive (an opportunity) or negative (a threat), and can affect various aspects of the organization, such as financial performance, reputation, safety, or environmental factors.

Impact variables:

  • Operational The impact of a risk can also affect a company's operational efficiency, such as through supply chain disruptions, equipment failures, or cyber attacks. This can result in lost productivity, delays in delivery, and decreased customer satisfaction.
  • Financial performance The impact of a risk can have significant financial consequences, such as increased costs, decreased revenue, or loss of income. This can affect a company's profitability, cash flow, and overall financial stability.
  • Reputational The impact of a risk can also affect a company's reputation, particularly if it involves unethical behavior, legal violations, or negative publicity. This can damage the company's brand, reduce customer loyalty, and lead to decreased sales.
  • Legal and regulatory These are risks associated with compliance with laws and regulations, including changes in regulations, fines and penalties, and legal disputes.
  • Environmental The impact of a risk can also affect the environment, such as through pollution, resource depletion, or climate change. This can result in regulatory fines, legal liabilities, and reputational damage, as well as harm to ecosystems and public health.
  • Health and safety The impact of a risk can also affect the safety of employees, customers, and other stakeholders. This can result in injuries, fatalities, or property damage, as well as legal liabilities and reputational damage.

Likelihood: refers to the probability or chance of a risk event occurring. It is a measure of the frequency or occurrence of the risk, and can be expressed qualitatively (e.g., low, medium, high) or quantitatively (e.g., a percentage or frequency rate).

Risk heat map

A risk heat map is a visual representation of risks that uses a color-coded matrix to illustrate the likelihood and impact of different risks.

The matrix typically has a vertical axis representing the likelihood of a risk event occurring (e.g., low, medium, high), and a horizontal axis representing the impact or consequence of the risk event (e.g., low, medium, high). Each risk is then plotted on the matrix based on its likelihood and impact score, with the resulting position indicating the level of risk.

The use of color-coding makes it easy to identify risks that require more attention or resources, as high-risk areas are typically highlighted in red or other bright colors. Conversely, lower-risk areas are often represented in green or cooler colors.

Risk heat maps can be used to communicate risk information to stakeholders and decision-makers in a clear and easy-to-understand way. They can also help organizations prioritize risks and determine appropriate risk management strategies based on the level of risk.

Get started

Play to learn more! → 

ebook What is reputational risk and how to manage it?

Topics: Risk Management

No Comments Yet

Let us know what you think