Business risk management
What is the risk?
Have you just bought a fresh salad at the market? Do you drink coffee in your favorite cafe? Are you waiting for the tram? Are you going on a long trip by car? Do you go free climbing? Do you like diving? Skydiving at the weekend? Do you want to introduce a new product? Do you need a new source of financing? Are you looking for new markets? Do you need access to the Internet and e-mail?
In each of these activities you face the possibility of ending up in an undesirable situation, one that may or may not materialize and that is not always easy to recognize or predict. This effect of uncertainty on your objectives is what the ISO 31000 standard calls risk. Risks are an inevitable part of human activity and of every job. They are always associated with uncertainty, which holds for our everyday lives but also for every business system.

Risk is a function of assets, threats, vulnerabilities, probabilities and possible consequences. An asset is anything that a business system owns and that has business value for it: material assets, financial assets, information, processes, reputation, employees, etc. A threat is the possibility of harm to an asset; its sources can be internal or external. A vulnerability is a weakness arising from inexperience, insufficient knowledge, or a missing or inadequate level of asset protection.

Risks exist in every business system. They arise from the mission, vision, definition and realization of business goals, through the business processes, all the way to the achievement or non-achievement of those goals. There are always numerous threats, with their sources, that can cause negative events and result in specific, unwanted consequences. To prevent them from happening, adequate risk management measures must be taken.

There are several ways of categorizing risks, and they can be specific to the particular branch to which they refer. Sometimes the categories are determined by regulatory, legal or industry requirements, and often they are adapted as needed. For example, the insurance industry can divide risks into financial and non-financial, basic and special, static and dynamic, insurable and uninsurable, opportunity risks, hazardous and uncertain, etc. Risks can also be categorized according to the environment in which they arise: external and internal, etc.
If a business system has no good strategic planning, or does not implement it at all, has not defined its vision and mission, and has no clear goals, it is evidently facing strategic risks. If it does not perceive the constant changes in its environment brought about by the development of technology, changing business conditions, growing environmental requirements and changes in competition, these are environmental risks. If the business system does not follow the constant changes in the market well enough, does not adapt its products and services to them, has poorly defined its niches, has a bad pricing policy or has chosen its customers poorly, these are market risks. If unfavorable loans are taken, credit risk is obviously on the scene. If someone has not adapted their business to current laws, regulations or norms, but applies them non-transparently or even violates them, the risks are those of non-compliance. Risks also appear in project management and personnel policy, and are particularly pronounced in the use of information technologies.
What is risk management?
Risk management consists of a set of processes carried out with the purpose of increasing the probability that, when threats materialize, unfavorable situations and their consequences are eliminated or reduced. Objectives of the risk management process can include maximizing the value of the company, preserving the company's business functions and existence after damage occurs, compliance with legal regulations, and minimizing the uncertainty related to major disasters and risks. Not all risks to which a business system is exposed can be recognized or completely eliminated, but by finding a reasonable balance between the different aspects of danger, the possible consequences and the measures for control and reduction, they can be reduced to an acceptable level. There are several approaches to risk management; the generally accepted standard for this area is ISO 31000. The standard defines the phases (sets of activities) of the risk management process as well as their interrelationship.
Establishing the context in which the organization operates means clearly stating its goals, defining the external (e.g. via PESTLE analysis) and internal (e.g. via SWOT analysis) parameters that should be taken into account in risk management, and setting the scope and criteria for risk assessment.
Risk identification is carried out by identifying all possible risks and their sources. The goal of this phase is to come up with a list of those events that could negatively affect the achievement of business goals. It is important to identify all potential risks, because those that are not recognized at this stage will be excluded from further risk management procedures in subsequent steps.
Risk analysis includes understanding the identified risks. The causes and sources of risk, their positive and negative consequences and the probability of occurrence are considered. Also, it is necessary to identify the factors that influence the consequences and probability. In the risk analysis, it is necessary to recognize all other risk attributes, because an event can have more than one consequence and can affect multiple goals. When analyzing risks, it is necessary to take into account the existing risk management measures (controls), if they exist, and to determine their effectiveness and efficiency.
Risk evaluation
In the risk evaluation phase, decisions are made about which risks require treatment and about the priority of implementing the foreseen controls. Decisions are made based on the results of the risk analysis. Risk evaluation involves comparing the level of a certain risk, as established during the analysis phase, with the criteria established while determining the context in which the occurrence of the risk is observed.
Dealing with risks (risk treatment) involves the selection and implementation of one or more options for influencing the risk, such as:
risk reduction – implementation of controls that reduce the identified risk;
risk transfer – the risk is transferred to a third party, e.g. an insurance company or a supplier;
risk acceptance – the risk is accepted without implementing new controls;
risk avoidance – stopping, or not starting, activities within the business system that may give rise to a certain risk.
After the chosen measures have been implemented, some risk remains; this is called residual risk. It comprises all those threats and vulnerabilities that are judged not to require additional treatment to reduce them further. Residual risk can also result from a cost-benefit analysis which established that the cost of implementing the possible measures would outweigh their benefit. Risk management is one of the fundamental responsibilities of management.
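As an added illustration, not part of the original page, the phases above run over a constructed risk register in Python: the analysis phase scores each risk as probability times consequence net of existing controls, the evaluation phase compares the score with the acceptance criterion fixed in the context phase, and treatment picks among reduce, transfer, accept and avoid and records the residual risk, including the cost-benefit case in which no measure is worth buying. The figures, the acceptance criterion and the decision rules are assumptions made for the example; ISO 31000 prescribes the phases, not these numbers.

```python
# Added example: an ISO 31000-style evaluation of a constructed risk register.
# The figures, the acceptance criterion and the decision rules are assumptions
# made for illustration; the standard prescribes the phases, not these numbers.
from dataclasses import dataclass

ACCEPTABLE_EXPECTED_LOSS = 5_000.0   # assumed criterion fixed in the context phase

@dataclass
class Risk:
    asset: str
    threat: str
    probability: float          # annual probability that the threat materialises
    loss: float                 # consequence if it does, in currency units
    control_effect: float = 0.0 # share of probability removed by existing controls
    mandatory: bool = True      # False: the activity could simply be stopped

@dataclass
class Treatment:
    option: str                 # reduce / transfer / accept / avoid
    residual: float             # expected annual loss that remains afterwards
    total_cost: float           # residual loss plus what the option itself costs

def expected_loss(risk: Risk, extra_reduction: float = 0.0) -> float:
    """Analysis phase: level = probability (net of controls) x consequence."""
    p = risk.probability * (1 - risk.control_effect) * (1 - extra_reduction)
    return round(p * risk.loss, 2)

def treat(risk: Risk, control_cost: float, control_effect: float,
          insurance_premium: float) -> Treatment:
    """Evaluation and treatment phases: compare the level with the criterion,
    then pick the cheapest option. control_cost/control_effect describe a
    proposed new control and insurance_premium a transfer offer (assumed inputs)."""
    current = expected_loss(risk)
    if current <= ACCEPTABLE_EXPECTED_LOSS:      # below criterion: no new controls
        return Treatment("accept", current, current)
    if not risk.mandatory:                        # stop the activity entirely
        return Treatment("avoid", 0.0, 0.0)
    reduced = expected_loss(risk, control_effect)
    options = [
        Treatment("reduce", reduced, reduced + control_cost),
        Treatment("transfer", 0.0, insurance_premium),          # insurer carries the loss
        Treatment("accept (cost-benefit)", current, current),   # measures not worth it
    ]
    return min(options, key=lambda t: t.total_cost)

# Constructed register entry, run as a demonstration
if __name__ == "__main__":
    db = Risk("customer database", "ransomware", 0.3, 200_000, control_effect=0.5)
    print(treat(db, control_cost=8_000, control_effect=0.6, insurance_premium=25_000))
```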
How can ZIH help you?
You may also be interested in our services and education:
Compliance management in the business system
Why and how to manage information security risks?
Anti-corruption system management (ISO 37001)
ZIH has more than 20 years of rich experience in shaping modern risk management systems within organizations and closely follows the development and application of the standards related to this topic (such as ISO 31000 and ISO 27005). ZIH has also successfully carried out a series of assessments of business risks, risks of the use of information technologies and information security risks.