This article explains the steps of a risk management framework and how each step is implemented.
Step 1: Determine Vision, Mission and Objectives
The first phase of the risk management process is to determine the company's short- and long-term objectives. The objectives must be understood before identifying the possible risks that could prevent the business from achieving them.
Step 2: Risk Identification
The first step in risk identification is to gain as much knowledge as possible of the organisation's key processes and activities, its business culture, and the relevant external factors affecting the business.
This step involves the following techniques:
* Analysis of the strategies for achieving the objectives, to judge whether the strategies are viable
* Analysis of the processes (policies, procedures, flowcharts etc.), to determine whether the controls are adequate
* Analysis of financial statements, to assess financial performance
* Analysis of previously highlighted issues and reports, to gather the common or possible risks
* Analysis of all organisation charts, to see the delegation of duties
* Analysis of staff (turnover, behaviour, morale)
* Analysis of compliance (ISO 9002, CIDB, MOF, PKK, OSHA, EPF, Socso, Labour Act etc.)
* Analysis of data and information security
The possible risk factors and exposures include the following (not exhaustive):
1. EXTERNAL
Risk Categories:-
* Political
* Economic
* Industry changes
* Country infrastructure
* Reputation/Image
* Competition level
* Natural resources
* Technology changes
* Environmental changes
* Market risks
* Legal risks
* Investor
* Supplier
* Strategic partner
* Computer virus
* Theft of sensitive data
* Money laundering
2. FINANCIAL
Risk Categories:-
* Asset liquidity
* Outstanding accounts
* Outstanding reconciliation
* Foreign exchange
* Interest rate
* Loan payment
* Creditors
* Debtors
* Revenue
* Cost management
* Financial reporting
* Expenses checking
* Payment authorization
* Delegation of authority
* Budget control
* Insurance
* Records
* Jobs review
* Fraud
* Policies & Procedures
3. REGULATORY
Risk Categories:-
* Understanding law/regulation
* Compliance to law/regulation
* Changes in law/ regulation
4. STRATEGY
Risk Categories:-
* Direction and planning
* Corporate governance
* Internal audit function
* Corporate resources utilization
5. INTERNAL PROCESS
Risk Categories:-
* Written policies and procedure
* Policies/Procedure adequacy
* Process understanding
* Support by departments
* Staff training
* Software licence
* Transparency
6. CUSTOMER & PRODUCT
Risk Categories:-
* Marketing Strategy
* Meeting customer requirement
* Customer integrity
* Product price
* Quality product
* Capability
* Timely delivery
7. PEOPLE
Risk Categories:-
* Staff training
* Staff welfare
* Key man
* Staff adequacy
* Job description
* Resignation
* Relationship after resignation
Step 3: Risk Assessment
Based on the factors and exposures identified, the risk assessment is carried out using three measurements: likelihood, impact and the controls available.
a) Likelihood
To measure the probability of a risk exposure occurring in the business, the judgement can be based on the ratings below.
5 Common - The risk is expected to occur in most circumstances.
4 Likely - The risk will probably occur in most circumstances.
3 Moderate - The risk should occur at some time.
2 Unlikely - The risk could occur at some time.
1 Remote - The risk may only occur in exceptional cases.
b) Impact
To measure the severity of the effect of a risk, the rating can be based on the following.
5 Catastrophic - Loss of ability to sustain ongoing operations. A situation that would cause the business to cease operations.
4 Major - Significant impact on the achievement of strategic objectives and targets relating to the corporate plan.
</br>
3 Moderate - Disruption of normal operations with a limited effect on the achievement of strategic objectives or targets relating to the corporate plan.
2 Minor - No material impact on the achievement of business objectives or strategies.
1 Insignificant - Negligible impact.
c) Controls Available
The strength of the available controls can be rated according to the type of control in place.
Preventive - Prevents the risk from occurring - Strong
Detective - Detects the risk during the process - Moderate
Corrective - Corrects the effect of the risk after it has occurred - Weak
d) Risk Rating
Combining the likelihood and impact ratings gives the Gross Risk Rating. The Net Risk Rating is obtained after taking into account the controls available and their strength:
Gross Risk Rating – Controls Available = Net Risk Rating
Step 4: Risk Prioritisation
The risks are then ranked from "Critical" (the most important) to "Very Low" (the least important) for treatment purposes.
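The scoring in Steps 3 and 4 is easier to apply consistently when it is written down as a small risk register calculation. The following Python example is added here and is not code from the original article. The article only fixes the 1 to 5 likelihood and impact scales and the Strong/Moderate/Weak control ratings; the rest is assumed for illustration: the gross rating is taken as likelihood multiplied by impact (1 to 25), each control strength subtracts a fixed point credit, and the band thresholds and the intermediate band names "High", "Medium" and "Low" are assumptions. The sample register is constructed using category names from Step 2.

```python
"""Gross and net risk rating, then prioritisation, for a small risk register.

Added example, not code from the original article. The article gives the
likelihood and impact scales and the Strong/Moderate/Weak control ratings;
everything else below is an assumption: gross = likelihood x impact,
control strength as a fixed point credit, and the band thresholds.
"""
from __future__ import annotations

from dataclasses import dataclass

# Scales from the article (Step 3a and 3b).
LIKELIHOOD = {"Common": 5, "Likely": 4, "Moderate": 3, "Unlikely": 2, "Remote": 1}
IMPACT = {"Catastrophic": 5, "Major": 4, "Moderate": 3, "Minor": 2, "Insignificant": 1}

# Assumed: points taken off the gross rating for the strength of the controls
# in place (Strong = preventive, Moderate = detective, Weak = corrective,
# None = no control).
CONTROL_CREDIT = {"Strong": 10, "Moderate": 5, "Weak": 2, "None": 0}

# Assumed band thresholds on the net rating (lower bound), highest first.
BANDS = [("Critical", 20), ("High", 15), ("Medium", 10), ("Low", 5), ("Very Low", 1)]


@dataclass(frozen=True)
class Risk:
    name: str
    category: str
    likelihood: str  # key of LIKELIHOOD
    impact: str      # key of IMPACT
    control: str     # key of CONTROL_CREDIT


def gross_rating(risk: Risk) -> int:
    """Likelihood x impact on the 1-5 scales, so 1..25."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def net_rating(risk: Risk) -> int:
    """Gross rating minus the control credit, never below 1."""
    return max(1, gross_rating(risk) - CONTROL_CREDIT[risk.control])


def band(rating: int) -> str:
    """Map a net rating to the Critical .. Very Low band."""
    for name, floor in BANDS:
        if rating >= floor:
            return name
    return "Very Low"


def prioritise(register: list[Risk]) -> list[Risk]:
    """Highest net rating first; ties broken by gross rating, then by name."""
    return sorted(register, key=lambda r: (-net_rating(r), -gross_rating(r), r.name))


def summarise(register: list[Risk]) -> list[tuple[str, int, int, str]]:
    """(name, gross, net, band) rows in priority order."""
    return [(r.name, gross_rating(r), net_rating(r), band(net_rating(r)))
            for r in prioritise(register)]


# Constructed sample register (not real data) using category names from Step 2.
REGISTER = [
    Risk("Fraud in payment authorisation", "Financial", "Common", "Catastrophic", "Weak"),
    Risk("Theft of sensitive data", "External", "Likely", "Catastrophic", "Moderate"),
    Risk("Computer virus", "External", "Common", "Major", "Strong"),
    Risk("Key man dependency", "People", "Moderate", "Major", "None"),
    Risk("Unlicensed software", "Internal process", "Likely", "Moderate", "Weak"),
    Risk("Changes in law/regulation", "Regulatory", "Moderate", "Moderate", "Weak"),
    Risk("Foreign exchange", "Financial", "Unlikely", "Minor", "None"),
]

if __name__ == "__main__":
    for name, gross, net, label in summarise(REGISTER):
        print(f"{label:9} net={net:2} gross={gross:2}  {name}")
```

Two points worth noting from the run: a strong preventive control drops "Computer virus" from a gross 20 to a net 10, the same net rating as "Unlicensed software" with a gross of 12, so the tie-break on gross rating keeps the risk with the larger underlying exposure higher in the list; and because the net rating never falls below 1, a control can lower a rating but never make a risk disappear from the register, which is the right behaviour for a risk that is accepted rather than eliminated.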
Step 5: Risk Treatment
This phase is primarily a decision-making process in which it is decided how each risk is to be treated or dealt with. As a treatment, management can accept, avoid, fully or partially transfer, or reduce the impact or likelihood of a risk. In deciding the treatment for each risk, the following criteria should be taken into consideration:
1. The probable cost of managing the risk
2. The resources available to recover the loss incurred
3. The size of potential gain or benefit
4. The size of potential loss or harm
How to choose a treatment?
a. Accept
* Minor impact/immaterial financial loss
* Potential gain/benefit more than potential harm/loss
* Cannot be avoided, reduced or transferred
b. Avoid
* Unacceptable impact
* Potential gain/benefit less than potential harm/loss
* Unable to be reduced or transferred
c. Transfer
* Reduce impact
* Potential gain/benefit more than potential harm/loss
* Through insurance, subcontracting, joint-venture or other agreements
d. Reduce impact/likelihood
* Potential gain/benefit more than potential harm/loss
* Impact/likelihood is controllable
* Through internal controls