The purpose of presenting the basic concepts of Risk Management is to establish a common level of knowledge among the various players who work in, or interact with, the risk management area. To that end, we present the main concepts:
It is the effect produced when a certain risk materializes and generates partial or total loss or destruction of value. The severity of a risk with no mitigation actions or transfer processes in place is known as the magnitude of the risk. The effect of that same risk once control mechanisms and mitigation actions have been installed, or the risk has been properly transferred, is known as the impact.
Refers to how often a certain risk event occurs. Frequency can be defined by means of probabilities when event histories are available, or by estimates based on expert judgment.
3.1 Definition of the Risk Management Portal (Parameterized Risk Analysis)
Risk is the potential for deviation from the expected outcome of a particular activity, caused by a particular action (or absence of action), uncertain in its occurrence, and resulting from a threat encountering a vulnerability or set of vulnerabilities in the protection systems / mechanisms of critical processes, allowing the event that will destroy value or deviate from the goal, target or pre-established pattern to take place.
3.2 ISO 31000 definition
The effect of uncertainty on objectives. Note that an effect can be positive, negative or a deviation from the expected. Risk is also sometimes described by an event, a change in circumstances or a consequence.
3.3 Definition of the Institute of Risk Management (IRM)
Risk is the combination of the probability of an event and its consequence. Consequences may range from positive to negative.
3.4 Definition of the Orange Book for HM Treasury
Uncertainty of results, within a range of exposure, emerging from a combination of impact and likelihood of potential events.
3.5 Definition of the Institute of Internal Auditors
The uncertainty of an event occurring that could have an impact on the achievement of objectives. Risk is measured in terms of consequences and probability.
4. Risk Management
It is a process that aims to identify and measure events that may cause losses or deviations from the organization’s objectives, and to mitigate them through the balanced use of material / technological resources, the allocation and training of intellectual capital, the creation and / or redefinition of norms and procedures, and the establishment of control and management mechanisms, fostering a robust organizational culture compatible with the Organization’s Risk Appetite.
It consists of the coordinated use of resources and governance and management tools to align objectives, actions and processes with risk management practices capable of delivering results aligned with the expectations of the shareholders and the organization in terms of appetite and Risk Tolerance.
Mitigating a risk consists of minimizing its probability of occurrence, or the impact (loss, goal deviation, variance, etc.) arising from the materialization of a certain risk.
Mitigating does not mean reducing a certain risk to zero, but reducing the vulnerabilities in the existing protection systems that are meant to protect the organization from this risk.
Normally, when we mitigate a certain risk, we reduce the likelihood of its occurrence or we can reduce the impact, should it materialize.
Risk Mitigation & Containment of Losses
Practical example: mitigating a certain risk has a preventive character, involving measures such as the use of monitoring and control technologies and systems, the creation of plans, norms and procedures, and the use of specialized human resources (or their preparation to perform a certain function efficiently and effectively), all so that the probability and the consequences of the occurrence of a certain risk are diminished.
Contingencies are the actions taken in a coordinated manner, based on specific plans, to reduce the harmful consequences arising from the materialization of a certain risk.
A robust contingency plan increases the organization’s resilience in recovering from the effects of risks. The two main characteristics of a contingency action are the ability to limit loss and the speed with which it restores operations and allows the organization to carry out its mission, albeit precariously.
Emergency plans are focused on coordinating emergency actions to address or minimize the immediate effects of certain loss. Contingency plans target subsequent actions that can limit the size of this loss.
Resilience is the ability to return to the original status quo after being hit by a certain risk, i.e. how quickly the company can resume its mission after a certain risk, catastrophe, accident or incident that momentarily interrupts its core activity.
Loss consists of a negative result caused by a specific event. Usually, loss is directly or indirectly linked to financial loss. Generally, the realization of risks implies losses.
9. Maximum Value at Risk
It is defined as the total loss of the organization’s assets (patrimony), originating from critical events, catastrophic events or other natural disasters.
10. Maximum possible loss
It is defined as the largest loss estimated to result from a risk materializing in an extreme way at a given location, caused by the worst-case scenario. This is not the most probable scenario; it is usually one that is unlikely to occur.
11. Probable Maximum Loss
It is the largest loss estimated to result from the materialization of a certain risk, mitigated by the expected effectiveness of the existing protection mechanisms or limited by the layout itself, which makes it impossible for the materialized risk to destroy all equity. An example is the fire risk of the buildings of a condominium cut in half by a river: the maximum possible loss would be all the houses, but the probable maximum loss would hardly be the entire condominium, rather half of it or even a single block, since the fire would probably not spread to properties that are not direct neighbours.
12. Expected Loss
It estimates the occurrence of a scenario of losses during normal operating conditions, considering the existence of adequate and functioning protections, taking into account their impact and probability.
The concept of expected loss means the impact (severity) of a given loss multiplied by the probability (frequency) of its occurrence.
Practical Example: let’s say that a company averages 100 shipments per month and suffers 1 damage event per month, with an average loss of $ 150,000.00 per event, and that this average has remained practically unchanged over the last 3 years. Therefore, its expected loss per shipment is $ 150,000.00 × 1/100 = $ 1,500.00 per shipment.
Roughly, we could say that we should set aside R$ 1,500.00 per shipment to build a fund to cover future losses, or contract an insurance policy and include its cost as a cost of the business. Otherwise, we may be expecting a profit that will not occur, or whose result will be greatly affected by a claim that does occur.
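The expected-loss calculation above, carried through from an event history rather than a single pre-averaged figure, as an added example (not code from the original text or from the Parameterized Risk Analysis methodology). The 36-month history below is constructed so that its totals match the page’s figures (3,600 shipments, 36 loss events, $ 5,400,000 of losses); the `estimated_expected_loss` function takes the Probability Estimation (EP) as a supplied input, since the page defines it only as the output of the methodology.

```python
"""Expected loss = severity (impact) x frequency (probability), from an event history.

Added example; the month-by-month history is constructed, not real data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MonthRecord:
    """One month of operations (constructed sample record)."""
    exposures: int      # units exposed to the risk, e.g. shipments
    events: int         # loss events that actually materialized
    total_loss: float   # sum of the losses caused by those events


def frequency(history):
    """Probability of a loss event per exposure unit, taken from the history."""
    exposures = sum(m.exposures for m in history)
    events = sum(m.events for m in history)
    if exposures == 0:
        raise ValueError("history contains no exposures")
    return events / exposures


def severity(history):
    """Average loss per materialized event (the impact, with current controls in place)."""
    events = sum(m.events for m in history)
    if events == 0:
        # No statistical basis: the page's 'estimated expected loss' applies instead.
        raise ValueError("history contains no events; use estimated_expected_loss")
    return sum(m.total_loss for m in history) / events


def expected_loss_per_exposure(history):
    """Expected loss per exposure unit: impact multiplied by probability."""
    return severity(history) * frequency(history)


def provision_for_period(history, exposures_in_period):
    """Amount to set aside (or to price into a policy) for a planned number of exposures."""
    return expected_loss_per_exposure(history) * exposures_in_period


def estimated_expected_loss(loss_value, estimated_probability):
    """Estimated expected loss when no history exists: loss value x Probability Estimation (EP).

    EP is assumed to be supplied by the analyst (the page attributes it to the
    Parameterized Risk Analysis 2.0 methodology, which is not reproduced here).
    """
    if not 0.0 <= estimated_probability <= 1.0:
        raise ValueError("EP must be a probability between 0 and 1")
    return loss_value * estimated_probability


# Constructed 3-year history: exposures and events vary month to month, but the
# totals reproduce the page's averages (100 shipments and 1 event per month, $150k/event).
SHIPMENT_HISTORY = []
for _ in range(12):
    SHIPMENT_HISTORY += [
        MonthRecord(exposures=90, events=1, total_loss=150_000.0),
        MonthRecord(exposures=110, events=0, total_loss=0.0),
        MonthRecord(exposures=100, events=2, total_loss=300_000.0),
    ]

if __name__ == "__main__":
    print(f"frequency per shipment: {frequency(SHIPMENT_HISTORY):.4f}")
    print(f"severity per event:     {severity(SHIPMENT_HISTORY):,.2f}")
    print(f"expected loss/shipment: {expected_loss_per_exposure(SHIPMENT_HISTORY):,.2f}")
    print(f"annual provision (1,200 shipments): {provision_for_period(SHIPMENT_HISTORY, 1200):,.2f}")
    print(f"estimated expected loss (EP = 0.02): {estimated_expected_loss(150_000.0, 0.02):,.2f}")
```

Keeping the raw history rather than a single average lets the frequency be recomputed as new months arrive, which is what makes the “practically unchanged over the last 3 years” assumption checkable.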
13. Estimated Expected Loss
It is the expected loss obtained when there is no statistical basis for arriving at a probability (frequency). In this case, the value of the loss (estimated or exact) is multiplied by the Probability Estimation (EP) to obtain the Estimated Expected Loss, the EP being obtained by a mathematical process defined in the Parameterized Risk Analysis 2.0 methodology and not by a traditional statistical model.
14. Critical Risks
These are the risks that affect the Critical Success Factors of an organization. Because of their consequences, these risks are considered a priority for the risk manager, and should be identified, quantified, mitigated and monitored with particular care by the risk management team.
15. Critical Success Factors
They are the variables, in terms of resources or capabilities, that a company must have in order to achieve its mission, its vision of the future and its strategic objectives, or to deliver its value proposition.
The Critical Success Factors of an organization can be tangible (eg, control systems, storage capacity, etc.) or intangible (eg, image, credibility, etc.).
These factors are defined according to the type of business of the organization, and regardless of how they are presented or classified, are considered vital to the organization, and should receive special and continuous attention.
Any event that may affect them can potentially harm the organization’s current activities, its strategic objectives or the fulfillment of its mission.
Here are examples of critical success factors for a pharmaceutical industry:
3. Research & Development
4. Intellectual Capital
If we use as an example a steel company, other critical success factors are usually considered:
1. Logistic Capacity
3. Strategic Partnerships
4. Access to natural resources
5. Managerial Capability
6. Operational Capacity
16. Inherent risk
It is the risk inherent in the business, the pure risk, which will continue to exist regardless of any treatment undergone for its mitigation, simply because the operation or the asset exists.
17. Residual Risks
Risks already identified and treated, after being mitigated, are considered as residual risks.
18. Risk appetite
It refers to the predisposition of a particular organization, or group of shareholders, to accept certain levels of risk in its operations.
Risk appetite: according to ISO 31000, it consists of the “amount and type of risk” that an organization is willing to pursue, retain or take.
Aversion to risk: an attitude of avoiding risks.
According to the 5th edition of the PMBOK Guide, risk appetite is the degree of uncertainty that the entity is willing to take in anticipation of a reward.
The risk appetite of an organization shows how much an organization is willing to take a risk in order to grow. It is the amount of risk that an organization is willing to accept to achieve its business purpose.
19. Risk Tolerance
According to the 5th edition of the PMBOK Guide, risk tolerance is the degree, amount or volume of risk that an organization or individual will bear.
Risk tolerance tells you how sensitive the organization or people are to risks. High tolerance means that the organization can withstand a high risk and low tolerance means that the organization will not be able to bear much risk. It also relates to the resilience / financial capacity that the company has to bear losses.
While “risk appetite” is associated with the level of risk that the organization can accept in pursuing and fulfilling its mission / vision and return on investment, “risk tolerance” refers to the acceptable level of variability in achieving goals and objectives (an activity more closely associated with monitoring, and with the tolerability / capacity to absorb losses).
Risk appetite can be considered as a tendency for an individual or group of people to take risks.
Risk tolerance is an acceptable variation, for example between 5% and -5%. Tolerance is a limit of support.
It will be incumbent upon the Management Committee, or the Executive Board in the absence of a Board of Directors (CA), to discuss and clearly define the organization’s risk appetite and the appropriate direction to be suggested as guidance from senior management.
This committee should also suggest limits of tolerance to the different risks identified as acceptable by the board of directors.
Boundaries will constitute the tool for the executive area to conduct company policies.
20. Global risk-taking ability
It is the maximum capacity a company has to bear a certain risk. This ability is closely tied to its financial resilience.
21. Culture of Risk
It refers to the posture adopted by an organization to deal with risks. It defines the degree of sensitivity to how a particular organization treats risks and how it takes into account the risk factors for making certain decisions.
As companies gain more maturity on this issue, they are able to take risk factors into account in their decisions almost automatically. All executives recognize the importance of the topic and take it into account for their decision-making process.
Attitude towards risk: according to ISO 31000, it represents the organization’s approach to assessing and eventually pursuing, retaining, taking or turning away from risk.
As indicated above, danger (an unsafe condition) expresses an exposure to a risk that leads to its materialization as personal injury or material damage.
Normally, danger is linked to risk situations that can generate threats or serious consequences for the life or physical safety of people.
Refers to faults or deficiencies in our protection systems. These systems include:
1. Intellectual Capital – the human resources and the essential competences they need to perform their functions adequately.
2. Material Resources – the software, hardware and infrastructure used to operate the security and risk monitoring systems (sensors, detectors, monitoring, blockers, etc.), as well as the physical infrastructure / layout.
3. Norms and Procedures – the set of norms and procedures (defining processes and how human resources are to act in order to accomplish a certain task) that work together to prevent or mitigate the materialization of a given risk or set of risks. These are the policies, plans, standard operating procedures, flowcharts, etc. that link intellectual capital to technology, ensuring that the operation takes place within an acceptable level of risk and in an efficient and effective manner. In addition, they shape people’s behaviour according to the values of the organization.
4. Organizational Culture – the degree of resilience of the organizational culture regarding the subject evaluated, that is, how readily people accept and spontaneously adhere to actions aimed at reducing the organization’s risks.
5. Management Capacity – the ability to control processes, risk management processes and their critical indicators continuously, and to keep them within the appropriate levels of risk appetite and tolerance.
24. Risk Factor
A Risk Factor is closely related to the deficiencies of the protection systems, or to the variables that directly influence the potential of a certain risk. Most often, risk factors are vulnerabilities in protection systems.
25. Origin of Risk
The origin of a risk is directly linked to its root cause or its threat: the internal or external agent, human or non-human, that is responsible for performing an activity or action that may generate the destruction of value and the materialization of a certain risk. These are the main causes of a risk.
Threats are all agents capable of performing any action that may culminate in the materialization of a certain risk.
Threats are the agents that cause or allow risks to occur.
Threats can be external or internal to an organization. It is not necessarily a human agent. Lightning is a clear example of a threat (from a non-human agent) that can cause a fire hazard.
27. Risk Analysis
Risk analysis is the process composed of the following phases:
1. Risk assessment
2. Identification of critical risks
3. Evaluation and classification of those risks
This information supports the following phases:
1. Vulnerability analysis (gaps in protection systems)
2. Cost / benefit analysis of the solutions
3. Definition of the risks to be eliminated, assumed and transferred
4. Preparation of action plans to reduce the identified gaps
5. Prioritization of the implementation of the solutions
The first step in determining what treatment will be given to each risk is to determine the organization’s degree of exposure to that risk, and its potential effect – the probability of occurrence and the impact of potential losses.
In general, impacts are measured by financial losses over time. However, it is important to incorporate in the analysis the most difficult impacts to measure – image, market, retention of people and many others.
The quantification of the degree of exposure is not always trivial and there may be interdependence between risks. Thus, a given event can generate “multiple impacts”, with effects on different types of risks, in several areas.
In this case, the degree of exposure will depend on the consolidated financial impact and the joint probability of all events.
28. Risk Retention
Refers to the organization assuming full responsibility for paying the consequences of a certain risk, without carrying out any form of transfer (insurance, hedge, mutual, etc.).
29. Risk Management
Assuming that there is no risk-free activity, the alternative is to manage risks, giving each one the appropriate treatment.
To do so, we may choose to eliminate operations that are not in accordance with the organization’s risk appetite, or work on the prevention or treatment of their risks, bringing them to an acceptable level.
Once treated, they are considered residual risks, and only then should they be transferred. Transferring risks without treating them means incurring high insurance premium costs. Therefore, risks should be treated before being inserted into insurance programs.
Risk Management must offer practical and effective measures, based on reducing the existing vulnerability index while interfering as little as possible with the company’s day-to-day operations.
The cost of risk management cannot exceed the cost of the risk materializing, and risk management measures cannot prevent the company from fulfilling its mission or delivering its value proposition.
It should be remembered that any risk, after its realization, has direct and indirect consequences, affects tangible assets (real estate, utensils, etc.) and intangible assets (brand, image, credibility, etc.). Therefore, it is important to take into account the effects of intangible assets in calculating the cost of the solution to be used to mitigate them.
The contracting of insurance is one of the most known forms of risk financing, constituting a mechanism of transfer or sharing of risk.
In reality, the effect of this risk is diluted among all those who contract the same type of insurance: the risk is “shared” by the various companies that make up that portfolio.
Alternatively, the enterprise may decide to assume the risks (fully or partially) and establish a fund with its own financial resources to cover any losses. If no losses occur, those funds are converted to profit.
In this case, it is important to make sure that you are dealing with residual risks, that is, that the level of vulnerability in the protection systems related to these risks has been minimized. One of the most common mistakes in risk management is to adopt risk transfer processes without first treating the risks. In that case we say that the pure risk is being transferred.
The company may also decide to eliminate or avoid a certain risk by declining the transaction or business that would bring it.
Assuming that there is no risk-free activity, the alternative is to manage risks so that each can be given appropriate treatment. To do this, we can work on their prevention or their treatment. Through prevention we eliminate risks when we completely resolve them, or reduce them through measures or the installation of specific equipment capable of lowering the chance of their materialization. Sometimes it is impossible to address a risk effectively, or it is closely linked to the nature of the business in question, and then a way of financing this risk is needed.
Among the best-known forms of risk financing is the purchase of insurance. When a company contracts an insurer, it is in fact financing its risk. Insurance has two basic purposes: to restore the loss and to protect the company’s cash flow. Sometimes a risk materializes on such a scale that it generates a catastrophic impact for the company and may even drive it to bankruptcy. When the company contracts the insurer, it actually transfers / shares its risk on a mutual basis with the other insured parties. However, the company may decide to take on the financial management of replacing the loss from its risk itself. In this case it initiates some preventive measures to reduce the risk and, at the same time, sets aside an amount each time it starts the risk-bearing activity, just as the insurer would collect a premium. In this way it self-insures: in the event of a claim it pays for / restores the loss itself, and if there are no losses, the money that would have been paid to the insurer returns to its cash as savings.
30. Holding Limit
It is the limit between what will be transferred to an insurance program and what will be absorbed by the organization, i.e. the amount from which the risk will be covered by an insurance policy. Below this value the company has no coverage and must bear the impact of the risk itself.
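The holding limit, together with the maximum possible loss and probable maximum loss defined in items 10 and 11, as an added example (not code from the original text or from the Parameterized Risk Analysis methodology). It models the page’s river-divided condominium with constructed block values, treats the holding limit as a retention that the organization bears on each loss before the policy responds (an assumption, since the page does not state whether the limit is a deductible or a coverage threshold), and shows how the layout-limited probable maximum loss, rather than the total, is what the holding limit is compared against.

```python
"""Maximum possible loss, probable maximum loss and the holding (retention) limit.

Added example. Block values and the river split are constructed; the retention
interpretation of the holding limit is an assumption stated in the lead-in.
"""


def maximum_possible_loss(blocks):
    """Worst case: every block is destroyed, i.e. the total value of the assets."""
    return sum(blocks.values())


def probable_maximum_loss(blocks, separated_groups):
    """Loss limited by the layout: a fire cannot cross the river, so at most one
    group of mutually adjacent blocks burns. The PML is the most valuable group."""
    for group in separated_groups:
        unknown = set(group) - blocks.keys()
        if unknown:
            raise ValueError(f"unknown blocks in layout group: {sorted(unknown)}")
    return max(sum(blocks[b] for b in group) for group in separated_groups)


def split_loss(loss, holding_limit):
    """Divide a materialized loss between the organization and the insurer.

    Below the holding limit there is no coverage, so the organization bears the
    loss itself; the portion above the limit is transferred to the policy.
    """
    if loss < 0 or holding_limit < 0:
        raise ValueError("loss and holding limit must be non-negative")
    retained = min(loss, holding_limit)
    return retained, loss - retained


def retention_summary(blocks, separated_groups, holding_limit):
    """Retained / transferred amounts for the worst case and for the probable case."""
    return {
        "maximum_possible_loss": split_loss(maximum_possible_loss(blocks), holding_limit),
        "probable_maximum_loss": split_loss(
            probable_maximum_loss(blocks, separated_groups), holding_limit
        ),
    }


# Constructed condominium: five blocks, with a river between the north and south banks.
CONDOMINIUM = {"A": 2_000_000, "B": 1_500_000, "C": 1_000_000, "D": 2_500_000, "E": 1_200_000}
RIVER_BANKS = [("A", "B", "C"), ("D", "E")]   # blocks that are direct neighbours of each other
HOLDING_LIMIT = 1_000_000                     # constructed retention amount

if __name__ == "__main__":
    print("MPL:", maximum_possible_loss(CONDOMINIUM))
    print("PML:", probable_maximum_loss(CONDOMINIUM, RIVER_BANKS))
    for scenario, (kept, moved) in retention_summary(CONDOMINIUM, RIVER_BANKS, HOLDING_LIMIT).items():
        print(f"{scenario}: retained {kept:,} / transferred {moved:,}")
```

In practice the holding limit is chosen against the probable maximum loss and the organization’s global risk-taking ability (item 20): the retained portion must stay within what the company can absorb without threatening its mission.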
31. Catastrophic Risks
They are risks that can cause the extinction of the business, either by exceeding its financial capacity or by the severe erosion of its image, credibility or reputation.
32. Crash Numbers
They are auditors or consultants who directly apply the Parameterized Risk Analysis Worksheets to make the evaluations of the protection systems.