A Noob’s Guide to Risk Management


Here is a simple way to understand risk management. Forget about the textbook, standards and jargon. If you can get this, you’re ready to manage risks.

The Elements of Risk

  1. Politics – mass influences on policy shifts.
  2. Economics – competition for wealth.
  3. Social – way of life and equality.
  4. Technology – new tools and methods.
  5. Environment – biosphere. Nature’s living and non-living things.
  6. Legal – boundaries of allowable actions.

The Components of Risk

  1. Risk – future results that you might not like.
  2. Sources of Risk – any object or action that can cause distress.
  3. Causes of Risk – when your control mechanisms fail to make your sources of risk behave properly.
  4. Risk Event – a happening that you can detect with your five senses, or that computer sensors report to you, and that you don’t like.
  5. Risk Consequence – the final happening that carries dollar losses.
  6. Risk Causality – chain of risk events.

Measuring Risk

  1. Possibility – any event that can happen.
  2. Probability – chances of an event happening.
  3. Impact – the dollar losses themselves.
  4. Risk Appetite – how aggressive you are in pursuing risks.
  5. Risk Tolerance – how strong your defense and resilience are.
  6. Risk Severity – how bad the situation is relative to your tolerance.

Managing Risk

  1. Risk Identification – hunting down and sorting risks by component.
  2. Risk Analysis – measuring the risks you have identified.
  3. Risk Evaluation – deciding what to do with risk.
  4. Risk Assessment = Risk Identification + Risk Analysis + Risk Evaluation
  5. Risk Treatment – finding ways to reduce risk.
  6. Innovation – exercising creative ways to treat risks. The solution must be generally accepted by stakeholders; otherwise it is mere creativity, not innovation.

How do Risks Manifest?

Things are created to serve a purpose. People design tools, systems and structures to make them functional. Being functional means meeting their purpose without breaking down. But man-made products suffer wear and tear and impact from external factors. Eventually, a cause of risk activates: a control fails to control. At this stage we may not realise it yet, because sensors are not placed at every process checkpoint at the micro level. It is impractical to do so.

Soon, one part stops functioning properly and the problem spreads through the system. A person or machine detects the failure. What has just been detected is the manifestation of a risk event.

Through causality principles, risk events undergo chain reactions that affect other areas. That is why a problem that started with a small device on a plane can eventually cause the entire plane to crash.

The Most Important Features in Risk Management

For effective risk management, you must have five key features in your risk model:

  • causality map – to allow you to chain events and visualize their spread.
  • probability measures – you need real statistics.
  • impact estimates – this helps you measure your risk management performance.
  • risk movement – you must know how your risks evolve. This allows you to predict problems.
  • innovation – you need a more formal concept and tool to solve problems, not to figure things out of thin air. Brainstorming helps with creative ideas, but you need more than creativity to innovate.
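The five features above can be put into a small quantitative model. The following Python block is an added example written for this page, not code from the original post: the event names, probabilities, dollar impacts and the tolerance figure are constructed for illustration. It chains risk events into a causality map, computes probability-weighted (expected) dollar loss along the chain, rates severity relative to a tolerance, and shows risk movement by re-scoring the map after a control lowers one event's probability.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class RiskEvent:
    """One node in a causality map.

    probability: chance this event occurs given that its predecessor occurred (0..1)
    impact:      direct dollar loss if this event occurs
    successors:  events this one can trigger (the chain of risk events)
    """
    name: str
    probability: float
    impact: float
    successors: List["RiskEvent"] = field(default_factory=list)


def expected_loss(event: RiskEvent, path_probability: float = 1.0) -> float:
    """Sum probability-weighted dollar losses over the whole chain.

    The probability of reaching a downstream event is the product of the
    probabilities along the path, since each link is conditional on the previous one.
    """
    p = path_probability * event.probability
    total = p * event.impact
    for nxt in event.successors:
        total += expected_loss(nxt, p)
    return total


def worst_case_loss(event: RiskEvent) -> float:
    """Dollar loss if every event in the chain happens (the full risk consequence)."""
    return event.impact + sum(worst_case_loss(n) for n in event.successors)


def severity(exp_loss: float, tolerance: float) -> str:
    """Rate how bad the situation is relative to how much loss you can absorb."""
    ratio = exp_loss / tolerance
    if ratio < 0.5:
        return "low"
    if ratio < 1.0:
        return "moderate"
    return "critical"


def treated(event: RiskEvent, target: str, new_probability: float) -> RiskEvent:
    """Return a copy of the chain with one event's probability lowered by a control.

    Re-scoring the copy shows where the risk moves after a treatment,
    without mutating the original map.
    """
    copy = RiskEvent(event.name, event.probability, event.impact,
                     [treated(n, target, new_probability) for n in event.successors])
    if copy.name == target:
        copy.probability = new_probability
    return copy


# Constructed sample causality map (illustrative figures, not real data):
# a failed control lets a sensor fault occur, which can halt production,
# which can trigger a contractual penalty.
PENALTY = RiskEvent("contract penalty", probability=0.5, impact=1_000_000)
HALT = RiskEvent("production halt", probability=0.4, impact=200_000, successors=[PENALTY])
SENSOR_FAULT = RiskEvent("sensor fault", probability=0.1, impact=5_000, successors=[HALT])

TOLERANCE = 20_000  # constructed: the dollar loss this business can absorb


def report(root: RiskEvent = SENSOR_FAULT, tolerance: float = TOLERANCE) -> dict:
    """Score a causality map before and after treating one event."""
    before = expected_loss(root)
    # Treatment (assumed): a redundant sensor cuts the chance of a halt from 0.4 to 0.1.
    after = expected_loss(treated(root, "production halt", 0.1))
    return {
        "expected_loss": before,
        "worst_case": worst_case_loss(root),
        "severity": severity(before, tolerance),
        "expected_loss_after_treatment": after,
        "severity_after_treatment": severity(after, tolerance),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

With these constructed figures the chain's expected loss (28,500) exceeds the 20,000 tolerance, so severity is "critical" even though the root event is only 10% likely; most of the expected loss sits two links downstream, which is exactly what a causality map makes visible. Lowering the halt probability moves the expected loss to 7,500 and the severity to "low".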

This sums up the basics of risk management. If you understand these base concepts, you have what it takes to be a risk manager.

Source Link: https://www.winstonpeng.com/blog/a-noob-s-guide-to-risk-management

Why is GRC becoming inevitable in today’s world?


Organizations today operate in a complex, geographically distributed and highly dynamic environment, and most organizations, without realizing it, are affected in some manner by Governance, Risk and Compliance (GRC) issues. What organizations also fail to realize is that governance, risk and compliance work together, not in silos, to achieve an organization’s objectives.

What happens when there is no GRC?

When organizations do not consider implementing a GRC framework, they realize too late that their corporate objectives are not being met. Here are some of the most visible issues that surface in such an organization.

  • Reputational damage: these days business conduct is woven deeply into the corporate fabric, and non-adherence to a code of conduct affects the organization’s perceived value.
  • Expenditure increase: when there is no integrated approach to GRC, there is no clear focus on the financials, which may increase expenditure and in turn affect revenue.
  • Duplicated work: without GRC, a similar process may be duplicated across the business, which is a hugely inefficient way to operate.
  • Negative impact: lack of GRC may result in too many procedures, especially ones that don’t work in a logical manner, which can waste a lot of time for staff across the business.
  • Allocation of resources: without GRC, getting more information and understanding about particular areas becomes difficult, which in turn results in duplicated work.
  • Less ability to repeat processes: when there is no GRC, processes cannot be standardized across functional areas, which prevents them from functioning more easily and with greater consistency and efficiency.
  • Employee management: any large business has numerous issues with staff when information doesn’t flow in or out in a productive manner.

How do you know that an organization needs a GRC solution?

While every organization may think that its business processes are intact, its operational efficiency is at its best, its risks are well mitigated and it is fully compliant with what is required of it, there are still many unknown areas that are not possible to comprehend without using an integrated GRC platform.

We believe there are three vital signs that an organization should look at and monitor to determine whether it is indeed in need of a GRC solution.

  1. Strict regulatory need

Most organizations are subject to regulations, and these regulations vary by business domain and location. A few industries are required to follow more regulations than others and hence may need a GRC solution more than others. Also, each country handles regulatory affairs differently, and hence the location of operation may require a company to follow GRC more strictly than others.

  2. Multi-geography operations

When a company operates its businesses in multiple locations and produces from multiple manufacturing facilities, there is a greater chance of risk. Further, when manual regulatory and compliance processes are followed with so many individual parts to worry about, operations become unsustainable.

  3. Non-optimal risk posture

Every organization handles risks differently, and each has a different capacity to handle risks. What is considered a risk by one organization may not be a risk to another. Depending on its risk-handling capability, one organization may intend to live with a risk without any mitigation, while the same risk might result in a real consequence for another organization.

So if you think your organization needs to strictly follow regulations due to the nature of your business, or operates from multiple facilities, or has a very low risk appetite, or all of the above, then we highly recommend that you seriously look for an integrated GRC platform to help your organization achieve its overall objectives.