
Risk management processes. The case of Greek companies.

Iordanis Eleftheriadis
University of Macedonia
Department of Business Administration
156 N. Egnatia Str.
54006 Thessaloniki
Greece
Tel. 00302310-891-591
fax. 00302310-891519
Email: jordan@uom.gr

Abstract: Whatever business you are in, there will be an almost limitless number of risks that
you must face. To be able to manage these risks you must first identify them. The use of risk
categories helps to provide a framework within which to look for, and latterly, to manage risks.
Thus, in their day-to-day business and in the strategic management of their balance sheet and
capital, companies seek to limit the scope for adverse variations in their earnings and control
exposure to stress events. Excellence in risk management is fundamentally based upon a
management team that makes risk identification and control critical components of its processes
and plans. Failure to identify, manage or control risks, including business risks, may result not
only in financial loss but also in loss of reputation. Although measurement of risk is clearly
important, quantification does not always tell the whole story, because not all risks are
quantifiable. The purpose of this paper is to collect and study observations and experiences from
risk management activities in Greek companies. We are using the answers given to a structured
questionnaire, in order to present some conclusions.

1. Introduction

Risk Management has been described as 'all the things you need to do to manage an uncertain future'.
In most cases risks are taken so as to achieve some advantage, and managing risks is associated with
making decisions. It is used in a wide range of areas including: engineering, business and finance,
health and safety, environmental management, healthcare, emergency management, business
continuity management, sport and recreation etc. In developing a risk management infrastructure, it is
important that companies follow a methodical process to determine the appropriate types of risk
measures, processes, policies and controls for their particular company. The purpose of this paper is to
investigate the risk management activities in Greek companies.

2. The Risk Management Process

The risk management process is defined as "the systematic application of management policies,
procedures and practices to the tasks of establishing the context, identifying, analyzing, evaluating,
treating, monitoring and communicating risk." Risk management is also defined as "the culture,
processes and structures, which are directed towards the effective management of potential
opportunities and adverse effects."1 The Risk Management process is outlined in this diagram below:

Figure 1: The Risk Management Process

The approach to risk management adopted in this paper is consistent with the Australian and New
Zealand Standard on risk management, AS/NZS 4360 (Figure 1). This approach is consistent with
similar approaches adopted by the major risk management professional bodies and government
agencies that have issued risk guidelines. The steps in the process address important questions for the
risk manager (Table 1).

| Risk management process step | Management question |
|---|---|
| Establish the context | What are we trying to achieve? |
| Identify the risks | What might happen? |
| Analyze the risks | What might that mean for the project’s key criteria? |
| Evaluate the risks | What are the most important things? |
| Treat the risks | What are we going to do about them? |
| Monitor and review | How do we keep them under control? |
| Communicate and consult | Who should be involved in the process? |

Table 1: Questions for the risk manager

Establish context: Establishing the context is concerned with developing a structure for the risk
identification and assessment tasks to follow. This step:
• establishes the company and project environment in which the risk assessment is taking place;
• specifies the main objectives and outcomes required;
• identifies a set of success criteria against which the consequences of identified risks can be
measured; and
• defines a set of key elements for structuring the risk identification and assessment process.
Context inputs include the execution strategy, the cost and schedule assumptions, scope definitions,
engineering designs and studies, economic analyses, and any other relevant documentation.
The output from this stage is a concise statement of the company objectives and specific criteria for
success, the objectives and scope for the risk assessment itself, and a set of key elements for
structuring the risk identification process in the next stage.

1 Standards New Zealand and Standards Australia risk management standard (AS/NZS 4360: 1999 Risk
Management).

Identify Risks: Risk identification sets out to identify a company’s exposure to uncertainty. Every
company faces different risks, based on its business; the economic, social and political factors; the
features of the industry it operates in, such as the degree of competition, the strengths and weaknesses
of its competitors and the availability of raw material; factors internal to the company, such as the
competence and outlook of the management, the state of industry relations, dependence on foreign
markets for inputs, sales or finances, and the capabilities of its staff; and innumerable other factors.
Each company needs to identify the possible sources of risks and the kinds of risks faced by it. This
requires an intimate knowledge of the company, the market in which it operates, the legal, social,
political and cultural environment in which it exists, as well as the development of a sound
understanding of its strategic and operational objectives, including factors critical to its success and
the threats and opportunities related to the achievement of these objectives.
The risk identification process must be comprehensive, as risks that have not been identified cannot be
assessed, and their emergence at a later time may threaten the success of the company and cause
unpleasant surprises. Risk identification should be approached in a methodical way to ensure that all
significant activities within the company have been identified and all the risks flowing from these
activities defined. A number of techniques can be used for risk identification, but brainstorming is a
preferred method because of its flexibility and capability, when appropriately structured, of generating
a wide and diverse range of risks.
Information used in the risk identification process may include historical data, theoretical analysis,
empirical data and analysis, informed opinions, and the concerns of stakeholders.
The output is a comprehensive list of possible risks, usually in the form of a risk register, with
management responsibilities allocated to them. A list of the most important categories of risks is the
following2:
• Business risk is the risk of failing to achieve business targets due to inappropriate strategies,
inadequate resources or changes in the economic or competitive environment.
• Credit risk is the risk that a counterparty may not pay amounts owed when they fall due.
• Sovereign risk is the credit risk associated with lending to the government itself or a party
guaranteed by the government.
• Market risk is the risk of loss due to changes in market prices. This includes:
  - interest rate risk
  - foreign exchange risk
  - commodity price risk
  - share price risk
• Liquidity risk is the risk that amounts due for payment cannot be paid due to a lack of available
funds.
• Operational risk is the risk of loss due to actions on or by people, processes, infrastructure or
technology or similar, which have an operational impact, including fraudulent activities.
• Accounting risk is the risk that financial records do not accurately reflect the financial position
of a company.
• Country risk is the risk that a foreign currency will not be available to allow payments due to
be paid, because of a lack of foreign currency or the government rationing what is available.
• Political risk is the risk that there will be a change in the political framework of the country.
• Industry risk is the risk associated with operating in a particular industry.
• Environmental risk is the risk that a company may suffer loss as a result of environmental
damage caused by themselves or others which impacts on their business.
• Legal/regulatory risk is the risk of non-compliance with legal or regulatory requirements.
• Systemic risk is the risk that a small event will produce unexpected consequences in local,
regional or global systems not obviously connected with the source of the disturbance.
• Reputational risk is the risk that the reputation of a company will be adversely affected.

2 Carl Olsson, “Risk Management in Emerging Markets. How to survive and prosper.”

Analyze Risks: During the Risk Analysis step the company transforms risk data into decision making
information. The company has to evaluate impact, probability and timeframe. This means that they
have to classify and prioritize risks. Risk analysis is the systematic use of available information to
determine how often specified events may occur and the magnitude of their consequences. The
analysis stage assigns each risk a priority rating, taking into account existing activities, processes or
plans that operate to reduce or control the risk.
The significance of a risk can be expressed as a combination of its consequences or impacts on the
company’s objectives, and the likelihood of those consequences arising. This can be accomplished
with qualitative consequence and likelihood scales and a matrix defining the significance of various
combinations of these. Table 2 shows the structure of a five-by-five matrix.
A matrix, like Table 2, can be structured according to the kinds of risks involved in the company’s
objectives, criteria and attitudes to risk. For example, the specific Table 2 is not symmetric, indicating
that the company is concerned about most catastrophic events, even if they are rare. This might be
appropriate where human safety is threatened and the company needs to ensure the associated risks are
being managed whatever the likelihood of their occurrence. Where the impacts of potential risks are
purely economic, and particularly where there may be a limit to the potential exposure, catastrophic
but rare events may be viewed as moderate risks and not treated in such detail.
To implement a structure like this, it is important that clear and consistent definitions of the
consequence and likelihood scales are used.3

| Likelihood \ Consequences | Insignificant | Minor | Moderate | Major | Catastrophic |
|---|---|---|---|---|---|
| Almost certain | Medium | Medium | High | High | High |
| Likely | Low | Medium | Medium | High | High |
| Possible | Low | Medium | Medium | Medium | High |
| Unlikely | Low | Low | Medium | Medium | High |
| Rare | Low | Low | Low | Medium | Medium |

Table 2: Priority setting matrix

3 Steinberg M. Richard, Everson E.A. Miles, Martens J. Frank, Nottingham E. Lucy, “Enterprise Risk
Management - Integrated Framework. Executive Summary”, Committee of Sponsoring Organizations of the
Treadway Commission (COSO), September 2004

Scales like these often generate considerable discussion amongst senior managers and risk managers.
The numerical limits in a financial impacts scale are often linked to the size of the company
undertaking it, or the amount it can afford to lose. There is often a trade-off between risk and
opportunity, the resolution to which must usually take place at managerial levels. Generally, we
should review carefully the consequence scales we intend to use, to ensure they reflect the company’s
objectives and criteria for success. If they are not agreed and accepted by senior management the
outcomes from the risk assessment may not be accepted readily.
A consequence scale like Table 3 might be appropriate. It is important to remember that scales are to
be used for assessing priorities, so comparability and consistency are often more important than
absolute numbers.

| Rating | | Consequence description |
|---|---|---|
| A | Catastrophic | Extreme event, potential for large financial costs or delays, or damage to the company’s reputation |
| B | Major | Critical event, potential for major costs or delays, or inappropriate products |
| C | Moderate | Large impact, but can be managed with effort using standard procedures |
| D | Minor | Impact minor with routine management procedures |
| E | Insignificant | Impact may be safely ignored |

Table 3: Consequence scale for a repetitive procurement

Likelihoods are rated in terms of annual occurrence on a five-point descriptive scale, showing the
likelihoods of specific risks arising and leading to the assessed levels of consequences. Table 4 shows
an example of a scale suitable for a major asset procurement, where the time span of the scale is linked
loosely to the 40-year nominal life of the asset. 4

| Rating | | Likelihood description (the potential for problems to occur and lead to the assessed consequences) | | |
|---|---|---|---|---|
| A | Almost certain | Very high, may occur at least several times per year | Probability over 0.8 | A similar outcome has arisen several times per year in the same location, operation or activity |
| B | Likely | High, may arise about once per year | Probability 0.5–0.8 | A similar outcome has arisen several times per year in this company |
| C | Possible | Possible, may arise at least once in a 1–10-year period | Probability 0.1–0.5 | A similar outcome has arisen at some time previously in this company |
| D | Unlikely | Not impossible, likely to occur during the next 10 to 40 years | Probability 0.02–0.1 | A similar outcome has arisen at some time previously in a similar company |
| E | Rare | Very low, very unlikely during the next 40 years | Probability less than 0.02 | A similar outcome has arisen in the world-wide industry, but not in this company |

Table 4: Likelihood ratings

4 Dale F. Cooper, Stephen Grey, Geoffrey Raymond and Phil Walker, “Project Risk Management Guidelines:
Managing Risk in Large Projects and Complex Procurements”, John Wiley & Sons Ltd, 2005.

Evaluate Risk Priorities: Risk evaluation is the process of comparing the estimated risk against given
risk criteria to determine the significance of the risk. When the risk analysis process has been
completed, it is necessary to compare the estimated risks against risk criteria which the company has
established. The risk criteria may include associated costs and benefits, legal requirements, socio-
economic and environmental factors, concerns of stakeholders, etc. Any risks that have been accorded
too high or too low a rating are adjusted, with a record of the adjustment being retained for tracking
purposes. The outcome is a list of risks with agreed priority ratings. Adjustments to the initial
priorities may be made for several reasons.
• Risks may be moved down. Typically these will be routine, well-anticipated risks that are
highly likely to occur, but with few adverse consequences, and for which standard responses
exist.
• Risks may be moved up. Typically there will be two categories of risks like this: those risks
that are more important than the initial classification indicates; and those risks that are similar
to other high-priority risks and hence should be considered jointly with them.
• Some risks may be moved up to provide additional visibility if the project team feels they
should be dealt with explicitly.
Risk evaluation, therefore, is used to make decisions about the significance of risks to the company
and whether each specific risk should be accepted or treated. For the purpose of risk management,
risks need to be classified as primary risks and secondary risks. Primary risks are those that are an
essential part of the business undertaken. Secondary risks are those that arise out of the business
activities, but are not integrally related to them. For example, the risks arising out of the industry
structure are primary in nature, while foreign currency exposure arising from exports is secondary in
nature. To a large extent, primary risks have to be borne in order to generate cash flows. They can be
covered only partly. Unlike primary risks, secondary risks can be covered to a large extent, and only a
part of them is unavoidable. This distinction becomes very important when deciding on the risks to be
covered. Further, it is generally observed that when a firm faces a high degree of primary risk, it can
bear less secondary risk. A firm having a low degree of primary risk may be able to bear higher
secondary risk, depending on the management’s risk bearing capacity.
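
The analysis and evaluation steps above, as an added example that is not part of the original paper: it encodes the Table 2 matrix and the Table 4 probability bands, lists the cells that make the matrix asymmetric, and records every priority adjustment made during evaluation. The `Risk` class, the function names and the sample risks are constructed for illustration, and the assignment of band edges (0.1, 0.5, 0.8) is an assumption.

```python
"""Risk scoring with the paper's Table 2 matrix and Table 4 probability bands."""
from dataclasses import dataclass, field

# Rating names from Table 3 (consequence) and Table 4 (likelihood), low to high.
CONSEQUENCES = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]
LIKELIHOODS = ["Rare", "Unlikely", "Possible", "Likely", "Almost certain"]
PRIORITIES = ["Low", "Medium", "High"]

# Table 2: one string per likelihood row, one letter per consequence column.
MATRIX = {
    "Almost certain": "MMHHH",
    "Likely":         "LMMHH",
    "Possible":       "LMMMH",
    "Unlikely":       "LLMMH",
    "Rare":           "LLLMM",
}
LETTER = {"L": "Low", "M": "Medium", "H": "High"}


def likelihood_from_probability(p):
    """Map an annual probability to a Table 4 likelihood rating.

    Assumption: a shared band edge (0.02, 0.1, 0.5) belongs to the higher
    rating, and "over 0.8" is read strictly, so exactly 0.8 is "Likely".
    """
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"probability out of range: {p}")
    if p > 0.8:
        return "Almost certain"
    if p >= 0.5:
        return "Likely"
    if p >= 0.1:
        return "Possible"
    if p >= 0.02:
        return "Unlikely"
    return "Rare"


def priority(likelihood, consequence):
    """Initial priority of a risk according to Table 2."""
    return LETTER[MATRIX[likelihood][CONSEQUENCES.index(consequence)]]


def asymmetric_cells():
    """Cells whose priority differs from the cell with the two ranks swapped.

    Each tuple is (likelihood, consequence, priority, mirrored priority) for a
    low-likelihood, high-consequence cell and its mirror image.
    """
    found = []
    for i in range(5):
        for j in range(i + 1, 5):
            cell = priority(LIKELIHOODS[i], CONSEQUENCES[j])
            mirror = priority(LIKELIHOODS[j], CONSEQUENCES[i])
            if cell != mirror:
                found.append((LIKELIHOODS[i], CONSEQUENCES[j], cell, mirror))
    return found


@dataclass
class Risk:
    name: str
    probability: float   # estimated annual probability
    consequence: str     # one of CONSEQUENCES
    adjustments: list = field(default_factory=list)  # (old, new, reason)

    @property
    def initial_priority(self):
        return priority(likelihood_from_probability(self.probability),
                        self.consequence)

    @property
    def agreed_priority(self):
        return self.adjustments[-1][1] if self.adjustments else self.initial_priority

    def adjust(self, new_priority, reason):
        """Move a risk up or down during evaluation, keeping the record."""
        if new_priority not in PRIORITIES:
            raise ValueError(f"unknown priority: {new_priority}")
        if not reason.strip():
            raise ValueError("an adjustment needs a recorded reason")
        self.adjustments.append((self.agreed_priority, new_priority, reason))


def ranked(register):
    """Agreed priority first (High to Low), then higher probability first."""
    return sorted(register, key=lambda r: (-PRIORITIES.index(r.agreed_priority),
                                           -r.probability))


def build_sample_register():
    """Constructed sample data, not taken from the survey."""
    register = [
        Risk("Supplier default", 0.30, "Major"),
        Risk("Plant fire", 0.05, "Catastrophic"),
        Risk("Late customer payment", 0.90, "Minor"),
        Risk("Exchange rate swing", 0.60, "Moderate"),
    ]
    # A routine, well-anticipated risk with a standard response is moved down.
    register[2].adjust("Low", "routine risk, standard response exists")
    return register


if __name__ == "__main__":
    for risk in ranked(build_sample_register()):
        print(f"{risk.agreed_priority:<6} {risk.name} "
              f"(initial {risk.initial_priority}, {len(risk.adjustments)} adjustment(s))")
    for cell in asymmetric_cells():
        print("asymmetric:", cell)
```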

Treat Risks: The purpose of risk treatment is to determine what will be done in response to the risks
that have been identified, in order to reduce the overall risk exposure. Unless action is taken, the risk
identification and assessment process has been wasted. Risk treatment converts the earlier analyses
into substantive actions to reduce risks. Any controls and plans in place before the risk management
process began are augmented with risk action plans to deal with risks before they arise and
contingency plans with which to recover if a risk comes to pass. At the end of successful risk
treatment planning, detailed ideas will have been developed and documented about the best ways of
dealing with each major risk, and risk action plans will have been formulated for putting the responses
into effect.

Risk treatment might also include alteration of the base plans of the business. Occasionally the best
way to treat a risk might be to adopt an alternative strategy, to avoid a risk or make the company less
vulnerable to its consequences.
During the response identification and assessment process, it is often helpful to think about responses
in terms of broad risk management strategies. The following are the different approaches5:
• Risk Avoidance: An extreme way of managing risk is to avoid it altogether. This can be done
by not undertaking the activity that entails risk. Though this approach is relevant under certain
circumstances, it is more of an exception rather than a rule. It is neither prudent, nor possible
to use it for managing all kinds of risks. The use of risk avoidance for managing all risks
would result in no activity taking place, as all activities involve risk, while the level may vary.
• Loss Control: Loss control refers to the attempt to reduce either the possibility of a loss or the
quantum of loss. This is done by making adjustments in the day-to-day business activities.
• Combination: Combination refers to the technique of combining more than one business
activity in order to reduce the overall risk of the firm. It is also referred to as aggregation or
diversification. It entails entering into more than one business, with the different businesses
having the least possible correlation with each other.
• Separation: Separation is the technique of reducing risk through separating parts of businesses
or assets or liabilities. A firm having two highly risky businesses with a positive correlation
may spin-off one of them as a separate entity in order to reduce its exposure to risk.
• Risk Transfer: Risk is transferred when the firm originally exposed to a risk transfers it to
another party which is willing to bear the risk. This may be done in three ways. The first is to
transfer the asset itself. There is a subtle difference between risk avoidance and risk transfer
through transfer of the title of the asset. The former is about not making the investment in the
first place, while the latter is about disinvesting an existing investment. The second way is to
transfer the risk without transferring the title of the asset or liability. This may be done by
hedging through various derivative instruments like forwards, futures, swaps and options. The
third way is through arranging for a third party to pay for losses if they occur, without
transferring the risk itself. This is referred to as risk financing. This may be achieved by
buying insurance. A firm may insure itself against certain risks like risk of loss due to fire or
earthquake, risk of loss due to theft, etc.
• Risk Retention: Risk is retained when nothing is done to avoid, reduce, or transfer it. Risk
may be retained consciously because the other techniques of managing risk are too costly or
because it is not possible to employ other techniques. Risk may even be retained
unconsciously when the presence of risk is not recognized. It is very important to distinguish
between the risks that a firm is ready to retain and the ones it wants to offload using risk
management techniques. This decision is essentially dependent upon the firm’s capacity to
bear the loss.
• Risk Sharing: This technique is a combination of risk retention and risk transfer. Under this
technique, a particular risk is managed by retaining a part of it and transferring the rest to a
party willing to bear it.

5 Project Management Institute; “A Guide to the Project Management Body of Knowledge (PMBoK Guide);
2000 Edition”; Algonquin College Bookstore; (Approved by ANSI as American National Standard ANSI-PMI
99-001-2000), 2000

Risk Monitor and Review: Effective risk management requires a reporting and review structure to
ensure that risks are effectively identified and assessed and that appropriate controls and responses are
in place. Regular audits of policy and standards compliance should be carried out and standards
performance reviewed to identify opportunities for improvement. It should be remembered that
companies are dynamic and operate in dynamic environments. Changes in the company and the
environment in which it operates must be identified and appropriate modifications made to systems.
Continuous monitoring and review of risks ensures new risks are detected and managed, and that
action plans are implemented and progressed effectively. The monitoring process should provide
assurance that there are appropriate controls in place for the company’s activities and that the
procedures are understood and followed. Any monitoring and review process should also determine
whether:
• the measures adopted resulted in what was intended
• the procedures adopted and information gathered for undertaking the assessment were
appropriate
• improved knowledge would have helped to reach better decisions and identify what lessons
could be learned for future assessments and management of risks
Review processes are often implemented as part of the regular management meeting cycle,
supplemented by major reviews at significant project phases and milestones. Monitoring and review
activities link risk management to other management processes. They also facilitate better risk
management and continuous improvement.
The main input to this step is the risk watch list of the major risks that have been identified for risk
treatment action. The outcomes are in the form of revisions to the risk register, and a list of new action
items for risk treatment. Risk monitor and review involves:
• Choosing alternative response strategies
• Implementing a contingency plan
• Taking corrective actions
• Re-planning
The risk manager reports periodically to the senior managers on the effectiveness of the plan, any
unanticipated effects, and any correction that the company must take to mitigate the risk.

Communication and consultation: Communication and consultation may be a critical factor in
undertaking good risk management and achieving outcomes that are broadly accepted. They help
owners, clients and end users understand the risks and trade-offs that must be made. This ensures all
parties are fully informed, and thus avoids unpleasant surprises. Within the risk management team,
they help maintain the consistency and ‘reasonableness’ of risk assessments and their underlying
assumptions.
In practice, regular reporting is an important component of communication. Managers report on the
current status of risks and risk management as required by sponsors and company policy. Senior
managers need to understand the risks they face, and risk reports provide a complement to other
management reports in developing this understanding.
The risk register and the supporting action plans provide the basis for most risk reporting. Reports
provide a summary of risks, the status of treatment actions and an indication of trends in the incidence
of risks. They are usually submitted on a regular basis or as required, as part of standard management
reporting.

3. Methodology

We carried out the survey between October and December 2005. The purpose of the survey was to
provide an overview of the extent and practice of risk management across Greek companies. The
survey asked them about their understanding of risk management and its importance to their
performance, how they identify and assess risks, and the action they take to deal with them. The
survey used a written questionnaire and was directed to the appropriate manager in each company. The
questionnaire was, therefore, designed to identify the extent to which companies identify, assess,
manage and report on risk across the whole company, covering all aspects of risk linked to the
achievement of the company’s objectives.
In order to carry out our survey we used a sample of Greek companies from the commercial,
manufacturing, construction and services sectors. Recipients were followed up by telephone to
encourage completion and return of the questionnaire. A number of questionnaire respondents were
interviewed. The interviews gathered qualitative information which gave a more in-depth
understanding of the risk management activities undertaken in these companies. We sent the
questionnaire to 80 companies. No distinction has been made between the types of company or their
size. In the future this survey needs to be done in a way that reflects the nature and size of the
company. A total of 50 responses were received (a 62.5 per cent response). The size of the sample is
not sufficient for a purely quantitative analysis. However, we performed a qualitative analysis, which
led to very important conclusions.
The questionnaire is based predominantly on the requirements of Risk Management Standard AS/NZS
4360:1999 issued by Standards Australia. Generally ‘questions’ are of three types:
• Questions containing a statement.
• Multiple response questions.
• Text response questions.

4. Findings

We carried out this survey in order to determine how well risk management is understood and
implemented. The purpose of the survey was to provide an overview of the extent and practice of risk
management across Greek companies. Risk management involves a series of well defined steps that
support better decision-making contributing to a greater insight into risks and their likely impacts. We
focused our examination on the following steps:
STEP 1: Clarity of objectives. This means that their objectives are clearly expressed and
communicated throughout the company. If objectives are unclear then the risks of under-performance
or failing to meet objectives will be unclear also.

Seventy-eight percent of companies responding to our survey agree or strongly agree that they have
set out the priority of the company’s business and policy objectives. Only ten percent give a negative
answer to this question (Figure 2).
Eighty-four per cent of companies responding to our survey agree or strongly agree that effective risk
management is important in the achievement of the company’s objectives (Figure 3).
We asked companies whether they have clear management statements on the importance of risk
management and guidance on how to implement it. Sixteen percent of companies responding to our
survey say that their risk management objectives have been clearly set out. On the other hand sixty
four per cent say they have not (Figure 4).

Figure 2: The relative priority of the company’s business and policy objectives are set out

[Pie chart: Strongly Agree 16%, Agree 62%, Neutral 12%, Disagree 6%, Strongly Disagree 4%]

Figure 3: Effective risk management is important in the achievement of the company’s objectives

[Pie chart: Strongly Agree 24%, Agree 60%, Neutral 12%, Disagree 4%, Strongly Disagree 0%]

Figure 4: The company’s risk management objectives have been clearly set out

[Pie chart: Strongly Agree 0%, Agree 16%, Neutral 20%, Disagree 52%, Strongly Disagree 12%]

Thirty two percent say they use a common definition of risk management throughout the company.
However, forty four percent disagree or strongly disagree with this statement (Figure 5).

Figure 5: There is a common understanding of risk management across the organization

[Pie chart: Strongly Agree 2%, Agree 30%, Neutral 24%, Disagree 34%, Strongly Disagree 10%]

Twenty percent of companies say that there are clear management statements on risk management in
the company. However, sixty percent disagree with this statement (Figure 6).

Figure 6: There are clear management statements on risk management in the company

[Pie chart: Strongly Agree 0%, Agree 20%, Neutral 20%, Disagree 46%, Strongly Disagree 14%]

Only twenty percent say that the linking of risks to objectives is effective with forty four percent
saying that the link is ineffective and 10 percent saying that the link is not in place. That means that
not enough attention is paid by managers to identifying the main factors that could put the
achievement of key objectives at risk.

Figure 7: Your company carries out a comprehensive and systematic identification of its risks relating to
each of its declared aims and objectives

[Pie chart: Strongly Agree 0%, Agree 20%, Neutral 26%, Disagree 44%, Strongly Disagree 10%]

STEP 2: Identification of risk. This means recognizing and identifying the key risks for which they are
responsible and those risks which are most likely to impact on their performance. Ensuring that risks
are identified and managed requires that responsibility for risk management activities is clearly
allocated to appropriate staff; the frequency with which risk is assessed is determined; the types of
risks most likely to impact on a company’s performance are identified; and appropriate techniques are
used to assess risk. Our survey covered these aspects of risk management.

Companies say that they face a range of risks (Figure 8). The risk most commonly mentioned by
companies (100 per cent) is market risk. Eighty-eight percent of companies refer to business
risk, eighty percent to credit risk and seventy four percent to liquidity risk. Reputational risk
(72 percent), environmental risk (70 percent) and operational risk (68 percent) were also mentioned
very frequently.

Figure 8: What Kind of risks are identified

[Bar chart; horizontal axis 0% to 100%. Categories: Environmental risk, Reputational risk, Systemic
risk, Legal/regulatory risk, Industry risk, Political risk, Country risk, Accounting risk, Operational
risk, Liquidity risk, Market risk, Sovereign risk, Credit risk, Business risk]

Forty two percent of companies told us that responsibility for the identification of risk rests with the
Director of Finance, twenty two percent with the Production Manager, sixteen percent with the Chief
Executive and eight percent say it is the responsibility of the Board or senior management team
(Figure 9). Ten percent of companies say that a mechanical engineer has responsibility for identifying
risks. Only one company (2 percent) indicated the existence of a dedicated risk manager with
responsibility for identifying risk.

Figure 9: Who has responsibility for Risk Identification

[Pie chart: Chief Executive/Director 16%, Board / Management Team 8%, Director of Finance 42%,
Internal Audit 0%, Risk manager 2%, Production managers 22%, All staff 0%, Other (please specify) 10%]

We asked the companies about the terms that they use to identify risks. The answers show that most of
them use a combination of terms. Seventy-four percent say that they identify the source of risk, and
fifty-eight percent try to answer the question of what can happen or why and how risk arises. Only
eighteen percent investigate the area of impact (Figure 10).

Figure 10: Does your company identify risks in terms of:
[Bar chart. Categories: the source of the risk; area of impact; how and why risks arise; what can happen. Horizontal axis: 0% to 80%.]

Another important issue that we covered in our survey concerns the tools and techniques that
companies use for risk identification. Seventy percent of companies referred to past company
experience, fifty-six percent referred to judgment, forty-four percent to brainstorming, thirty percent to
physical inspection and only four percent to surveys. It is important to mention that no company
referred to the use of a “scientific” method, such as process analysis, operational modeling or SWOT
analysis.

Figure 11: What tools and techniques are used by your company for identifying risks:
[Bar chart. Categories: other (please specify); process analysis; past company experience; operational modelling; scenario analysis; surveys/questionnaires; judgemental; interview/focus group discussion; SWOT analysis; examination of local/overseas experience; brainstorming; audits or physical inspection. Horizontal axis: 0% to 70%.]

STEP 3: Assessment of risk. Risk assessment involves an analysis and evaluation of risks to establish
the potential impact of identified risks, and the timescale over which the risks need to be managed.
Analysis should determine the likelihood of a risk maturing and its consequences. Consequence and
likelihood may be combined to produce an estimated level of risk, quantified wherever possible, or
qualified in a range from low to high. Evaluation then enables identified risks to be ranked.

Forty percent of companies told us that responsibility for risk assessment rests with the Director of
Finance, twenty-four percent with the Chief Executive, twenty percent with the Board or senior
management team and ten percent say it is the responsibility of the Production Manager (Figure 12).
Only one company (2 percent) had a dedicated risk manager who is responsible for risk assessment.

Figure 12: Who has responsibility for Risk Assessment
[Pie chart. Director of Finance 40%; Chief Executive/Director 24%; Board / Management Team 20%; Production managers 10%; Other (please specify) 4%; Risk manager 2%; Internal Audit 0%; All staff 0%.]

Over half of companies (52 percent) say that they do not find it difficult to assess the likelihood of
risks occurring. However, 30 percent of them face difficulties when they try to assess the likelihood of
risk. The results concerning the prioritization of main risks are similar: forty-six percent of companies
find no difficulty in assessing the relative priority which they should give to risks, whereas thirty-eight
percent find risk prioritization difficult. On the other hand, forty percent say that they do not find it
difficult to assess the potential impact of risks and forty-two percent do find it difficult
(Figure 13); 16-18 percent neither agree nor disagree with these statements.

Figure 13: Risk Prioritization - Assessment of Likelihood - Impact
[Bar chart. Responses from Strongly Disagree to Strongly Agree; vertical axis: 0% to 40%. Statements: "The company finds it difficult to prioritize its main risks"; "The company finds it difficult to assess the likelihood of risks occurring"; "The company finds it difficult to assess the potential impacts of risks materializing".]

Sixty-four percent also say that the level of risk which they face has increased in the last five years.
Only ten percent of the companies say that they believe that the risk they face has decreased in the
last five years (Figure 14).

Figure 14: In the last five years the level of risk faced by the company has ....
[Pie chart. Increased 64%; Not sure 14%; Not changed 12%; Decreased 10%.]

STEP 4: Response to risk. This means determining the level and type of risk that is acceptable,
determining resources needed to manage identified risks, and prioritizing and allocating responsibility
for them.
To determine how companies treat the risks that they have identified in order to reduce their
overall risk exposure, we asked them to what extent their company uses the risk treatment
option of:
• transferring the risk
• accepting/ retaining the risk
• reducing the risk
• avoiding the risk
Forty-four percent say that they prefer risk transfer, thirty-eight percent say that they prefer to avoid
the risk, fourteen percent accept/ retain the risk, and only four percent try to reduce the risk.

Figure 15: To what extent does your organisation use the risk treatment option of:
[Pie chart. Transferring the risk, e.g. insurance 44%; avoiding the risk, e.g. not proceeding with activity 38%; accepting/retaining the risk 14%; reducing the risk, e.g. controlling the risk 4%.]

Sixty percent of the companies agree that their response to risk includes the prioritization of risks
that need active management. On the other hand, twenty-two percent of the
companies say that response to risk includes an evaluation of the effectiveness of the existing controls
and risk management responses. Only twenty-six percent of the companies say that response to risk
includes action plans for implementing decisions about identified risks. Finally, only twenty-six percent
of the companies say that response to risk includes an assessment of the costs and benefits of
addressing risks.

Figure 16: The company’s response to risk includes ..
[Bar chart. Responses from Strongly Disagree to Strongly Agree; vertical axis: 0% to 60%. Series: an evaluation of the effectiveness of the existing controls and risk management responses; action plans for implementing decisions about identified risks; an assessment of the costs and benefits of addressing risks; prioritizing of risks that need active management; other.]

STEP 5: Monitoring and review. Risk management is a continuous process which should include
monitoring and reviewing identified risks, and being open to new or changed risks and opportunities
resulting from evolving circumstances.

We asked the companies how regularly they review their insurance coverage. Sixty six percent of the
companies say that they review their insurance coverage annually. Fourteen percent of the companies
say that they review their insurance coverage quarterly and four percent of the companies say that they
review their insurance coverage monthly. Only sixteen percent of the companies say that they review
their insurance coverage less frequently than annually.

Figure 17: How regularly does the company review its insurance coverage:
[Pie chart. Annually 66%; less frequently than annually (please specify below) 16%; quarterly 14%; monthly 4%.]

We asked the companies whether they believe that their management procedures have improved, worsened
or not changed at all in the last five years. Most of them (62 percent) believe that nothing has
changed. Twenty-four percent say that their management procedures have improved. It is striking
that no company says that its management procedures have worsened.

Figure 18: In the last five years the company’s risk management procedures have ...
[Pie chart. Not changed 62%; Improved 24%; Not sure 14%; Worsened 0%.]

In the last part of the questionnaire we examined the companies’ culture about risk. The questions
relate the culture of the company to the degree to which policies and procedures support risk and
risk management.
Although in practice companies can be major risk takers they tend to regard themselves as more risk
averse than risk taking. We asked those in our survey to rate their department on a scale of 1 to 5 with
1 representing a more risk taking approach and 5 suggesting a risk averse culture. Forty six percent of
companies told us that they tend to be more risk averse than risk taking, whereas twenty six percent
regarded themselves as more risk taking than risk averse (Figure 19).

Figure 19: The company regards itself as having a risk taking or risk averse culture? From 1: risk taking to 5: risk
averse
[Bar chart. Horizontal axis: rating from 1 to 5; vertical axis: 0 to 14.]

Thirty six percent of the companies say that they know how much risk they may take in order to
achieve their objectives. However thirty two percent of the companies say that they do not know how
much risk they may take in order to achieve their objectives.

Figure 20: The company knows how much risk it may take in the achievement of its objectives
[Pie chart. Strongly Agree 4%; Agree 32%; Neutral 32%; Disagree 22%; Strongly Disagree 10%.]

In responding to our survey, companies identify a lack of appropriate training in risk management.
Thirty-four percent of companies say that management has received training in risk management
strategy and twenty percent say that it has received training in risk management processes. Only
two percent of companies (one company) say that it has received training in risk taking.

Figure 21: Management have received training in ...
[Bar chart. Categories: risk taking; risk management processes; risk management strategy. Horizontal axis: 0% to 35%.]

5. Conclusions

Risk management is part of any company’s strategic management. It is the process whereby
companies methodically address the risks attaching to their activities with the goal of achieving
sustained benefit within each activity and across the portfolio of all activities. The focus of good risk
management is the identification and treatment of these risks. Its objective is to add maximum
sustainable value to all the activities of the company.
Our survey asked companies about:
• their understanding of risk management and its importance to their performance;
• how they identify and assess risks; and
• the action which they take to manage risks.
While our survey found growing recognition of the importance of risk management, companies were
less sure as to how it should be implemented in practice.
The results of the survey indicate that:
• Determination of objectives is the first step in the risk management function. The objective of
risk management needs to be decided upon by the management, so that the company may
fulfill its responsibilities in accordance with the set objectives.
• The impact of risk management was seen as too low. With systematic risk management,
however, this impact can be improved.
• The number of identified but not analyzed risks is quite large. A relatively small proportion of
identified risks were considered during risk analysis.
• Only a few companies apply systematic, documented risk management methods; most managers
rely on intuition and luck instead of managing risks systematically and consistently.
• Companies need effective training on risk and risk management.

There is some inconsistency in companies' approach to risk management in that while many recognize
that it is important to the achievement of their objectives they are less clear on how risks should be
managed and few provide training on how to do so. Risk management will only become standard
practice in companies if there is better understanding of what it involves and the benefits which it can
help to secure in terms of improved service delivery and achieving key objectives.
The findings suggest that a significant amount of work still needs to be done by companies to achieve
best practice.

This was the first in a series of such surveys, to be produced regularly to provide comparisons over
time, and updates on this rapidly changing business environment.
