Risks are inevitable in any business organisation. Consequently, a company must put in place comprehensive measures to address the various types of risk it may face. A senior manager of any organisation has a significant role to play in designing the company’s risk management strategy. This report, therefore, concerns the role of senior management in risk assessment, the development of the company’s risk management strategy, the communication and resourcing of risk management strategies, and the evaluation of outcomes.
Risk management can be defined as the process of identifying, evaluating and prioritising risks, supported by a well-coordinated and efficient investment of resources to minimise, monitor and control the probability of unfortunate events and to maximise the attainment of opportunities (Al-Thani & Merna, 2013). Risks originate from several sources, such as uncertainty in the financial markets, threats of project failure, legal issues, accidents, credit risks and natural occurrences, among others. There are also cases where events that have never happened before can occur, such as the 9/11 terror attacks. These risks are referred to as ‘unforeseeable risks’. According to Nassim Taleb, unforeseeable risks are events that are rare but have a high impact on the business or organisation (Lambert, 2010). In the contemporary business environment, inventions such as social media and natural issues such as global warming can have a massive impact on business; thus the management should prepare for such issues or events appropriately.
Risk management, therefore, encompasses the strategies adopted by the organisation to ensure that the negative effects of these uncertainties are limited by avoiding, reducing, transferring or accepting the risk. However, risk management initiatives must also consider strategic risks. Basically, strategic risks are long-term risks that may arise from long-term decisions taken by the company. That is, a strategic risk refers to the potential losses that the company may incur as a result of pursuing the wrong business or long-term plans (Al-Thani & Merna, 2013). In this regard, strategic risk management could be described as the process of identifying, assessing and managing risks that arise from the company’s business strategy, including taking the necessary actions when such risks are identified. It encompasses the evaluation of a broad range of probable incidents and circumstances that may disturb the company’s strategy and its performance.
Senior management includes the senior executives with significant responsibilities for risk management in the company. They include the chief risk officer, chief financial officer, chief legal officer and chief audit executive, to name a few. The main role of senior management in risk management is to support the organisation’s risk management philosophy and vision, ensure compliance with its risk appetite and oversee the management of risks in a manner consistent with their respective risk tolerances (Lambert, 2010).
The senior management influences the company’s attitude toward risk. For instance, when the company is willing to take higher risks, the potential returns should also be equally high. On the other hand, low-risk investments are likely to offer lower returns to the company (Hubbard, 2009). A good attitude to risk implies that the chosen investments are well balanced and that the available money and assets can help the company realise its objectives within a particular timeframe. There are at least four different criteria that management can use when making decisions under uncertainty. For example, the Hurwicz (optimism–pessimism) criterion focuses on finding a middle ground between risk and opportunity by choosing the outcome with the best combination of pay-off and loss, while the Wald (maximin) criterion attempts to select the alternative that is least risky regardless of the opportunity. Other criteria include the Savage (minimax or regret) criterion, which considers the maximum opportunity value, and the Laplace (insufficient reason) criterion, which is used in cases where there is a lack of information on the likelihood of the various outcomes (Lambert, 2010). In this scenario, the criterion assumes all likelihoods are equal; thus the alternative with the highest average opportunity value is selected.
Meanwhile, Allan and Beer’s experiment on the risk vulnerability of managers found that a manager’s risk awareness was inversely proportional to the actual exposure to risk (Lambert, 2010). That is, the more aware the managers were of risks and their interdependencies in specific areas, the less likely those risks were to occur in that area. The findings of this experiment implied that awareness of risks by senior managers is a crucial step in risk management; thus organisations should always invest in identifying and measuring their risk perception. In addition, the senior management plays a role of risk oversight through the development of policies and procedures that are in harmony with the company’s strategy and risk appetite, following up management’s implementation of risk management policies and procedures, taking steps to foster risk awareness, and encouraging an organisational culture of risk awareness (Al-Thani & Merna, 2013).
In line with the risk management roles of senior management highlighted in the text, they have a responsibility to oversee, evaluate and monitor the organisation’s risk management strategy. First, the senior management must acknowledge that every activity within an organisation involves some degree of threat or uncertainty. The management must ensure that both generic and inherent threats are identified to limit the risk of failure of a particular activity. Second, the senior management has a responsibility to evaluate the probability of occurrence of such risks and to estimate the possible impact and cost of the risk on the project. Finally, the management must design and implement a strategy to assist in the management of the prioritised risks (Al-Thani & Merna, 2013). The management develops a plan that outlines the various steps to be undertaken in the management of major risks while also allowing the project to continue with a minimal probability of failure. Some of the strategies that can be adopted include the avoidance strategy, modification strategy, retention strategy and sharing strategy (Al-Thani & Merna, 2013). The avoidance strategy encompasses the development of an action plan that focuses on the complete cessation of the service provision or project. The modification strategy aims at changing project tasks to reduce the possibility of the threat occurring. The retention strategy refers to management acknowledging the risks and preparing for the consequences by first accepting them. Lastly, the management can adopt a risk-sharing strategy, which refers to signing an agreement with a third party to share costs, such as insurance.
Recent studies indicate that there are several examples of qualitative and quantitative risk models. Some of the most common examples include the enterprise risk management (ERM) model, ISO 31000:2009 and the MoR (Management of Risk) framework, among others (Lambert, 2010). ERM is a standardised framework used to develop, revise and review the objectives of the company vis-à-vis the risks to which it may be exposed. The ERM model is effective for risk management as it allows risks and costs to be evaluated comprehensively. It also allows for the identification of mechanisms that can be used to address constraints and take advantage of opportunities (Hubbard, 2009). The model also allows the company to focus its resources on the management of the downside of risks as well as the upside they represent. Therefore, the model will help organisation leaders to develop a strategic plan to address risks, thus enhancing investor confidence in the company. Despite its numerous advantages, the model has two main disadvantages that may hinder its effective implementation. First, employing ERM is costly and takes a lot of time. Second, if the risks and opportunities are not well understood, the model could lead to incorrect strategies being implemented. Nevertheless, if the model is used in a systematic and disciplined manner, its benefits will outweigh its weaknesses by a huge margin.
Another important example of a risk management model is ISO 31000:2009. The main purpose of ISO 31000:2009 is to provide principles and generic guidelines on risk management. The main advantage of this model is that its guidelines and principles can be applied throughout the life of the company; thus it helps in decision making regarding operations, service delivery and even core assets. The model also facilitates the standardisation of risk management plans and strategies throughout the company. Due to its simplicity, the model has been widely accepted in the workplace. Nevertheless, concern remains regarding what happens after the outcomes of the risk assessment process have been found. Despite this limitation, this model is more effective because the execution of risk management plans and the framework under it are tailored to the unique needs of the specific company, including its specific goals, structure, context, functions, assets and practices, which makes implementation much simpler (Hubbard, 2009).
On the other hand, the ISO 31000:2009 risk criteria are designed to ensure that the strategic, management and operational tasks of a company across various projects, functions and processes are aligned with a common set of risk management objectives (Hubbard, 2009). These criteria are the most effective as they provide a clear framework for risk management regardless of the organisation’s size, activity and sector. The criteria can also help organisations to enhance the likelihood of achieving objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment (Lambert, 2010).
The appropriateness of this approach is also based on its ability to help in classifying risks according to their effect and frequency, using the scales adopted within the organisation. The basic risk management criteria should be as shown in table 1 (not included in this publication).
Based on the criteria, specific risks are then evaluated in terms of frequency, i.e. frequent, likely, occasional, seldom and unlikely. The risk criteria should then be combined with the occurrence frequency, leading to a consistent risk classification scheme consisting of extremely high risk (E), high risk (H), moderate risk (M) and low risk (L). When a particular risk is extremely high, the project has a high chance of failure, and the management should therefore not implement it. When the risks are high, there is a high chance of considerable failure in some parts of the project, so the management should consider changing those activities, outsourcing or insurance (Lambert, 2010). When the risks are moderate, there is a high chance of noticeable failure in some parts of the project, and insurance will limit the company’s exposure. Finally, the management should accept low risks.
There are several techniques that can be used to identify and quantify risks. First, risks can be identified during the information gathering stage; that is, the manager can identify risks facing the company by interviewing other stakeholders, such as employees, customers or even competitors. Risks can also be identified when reviewing project-related documents, such as project reports, articles and process assets. Brainstorming with other people can also lead to the identification of risks that may face the project. For instance, the project manager can consult a team of experts anonymously to obtain the required information. Conducting SWOT, root cause and checklist analyses can also lead to the identification of risks (Al-Thani & Merna, 2013). Second, the development of a risk register helps in ranking the risks that the company’s project may face. A risk register can be defined as a document that is updated throughout the life cycle of the project and includes historical records that can be used for future projects. Some of the main components of the risk register include a list of risks, a list of potential responses, the root causes of risks, and updated risk categories.
The manager can use techniques such as the probability and impact matrix and risk data quality assessment to quantify the risks identified using the qualitative models highlighted above. The probability and impact matrix assists in the identification of risks that require an immediate response from the company. The matrix is usually designed according to project needs. However, some organisations have standardised templates for the probability and impact matrix, which managers use to handle risks that recur within the project. On the other hand, risk data quality assessment is used where data is collated for the identified risks. The project manager uses this approach to establish the accuracy of the data, which must be analysed to complete the qualitative analysis of risks. In risk data quality assessment, the project manager has to determine, for each risk, the extent of the understanding of the risk, the existing data, and the quality, consistency and integrity of that data (Lambert, 2010).