Risk Management

Overview
Contents
WHAT IS RISK MANAGEMENT ............................................................................................... 2
RISK MANAGEMENT DECISION CRITERIA ............................................................................ 3
COST BENEFIT....................................................................................................................... 3
RISK AVERSION...................................................................................................................... 3
AUTHORITATIVE REASONS ...................................................................................................... 4
POLICY BASED DECISIONS ..................................................................................................... 4
THE PROCESS OF MANAGING RISK ....................................................................................... 6
IDENTIFICATION OF HAZARDS ................................................................................................ 7
RISK ANALYSIS....................................................................................................................... 7
VALUE JUDGMENT OF THE RISK.............................................................................................. 7
Terminate ........................................................................................................................ 7
Transfer........................................................................................................................... 7
Treat ................................................................................................................................ 7
IMPLEMENTING AND MONITORING THE SYSTEM ....................................................................... 8
MEASUREMENT / AUDIT ......................................................................................................... 8
EVALUATION OF MEASUREMENT RESULTS ............................................................................... 8

R I S K

M A N A G E M E N T

O V E R V I E W

Risk Management Overview

What is Risk Management
Risk management is fast becoming one of the vital functions within organizations
of today. It encompasses occupational health and safety, fire protection and
prevention and a number of other disciplines. There is a growing understanding
and acceptance that there are principles that are common to all these disciplines managing risk and reducing losses. In fact, it has been said that risk management
is one of the few remaining areas of management with major cost reduction
potential. There is a need for a structured approach towards managing risk, as
resources have been allocated in the past for the reduction of injuries and other
forms of loss, without always first establishing the level of risk involved - often
resulting in either inadequate control measures or an overkill - sometimes literally
wasting money on safety.
The biggest motivation for applying risk management lies in the financial benefits
- reducing losses in order to improve the profitability of the organization. In the
process, a host of other benefits are gained for the organization and its employees
- including a reduction of the number of injuries, due to the fact that causes for
different types of loss are usually the same. For example, if a transformer is not
maintained properly and as a result it explodes due to a short circuit, it can result
in injuries to personnel, fire and damage to nearby equipment, substandard quality
of product that may still be in the process, environmental impact / oil pollution of
the soil, etc. It can therefore be said that, by taking better care of our business we
are taking better care of our employees. This explains why progressive
organizations have integrated their safety (covering not only occupational injuries
and diseases, but also damage to property, fire protection and prevention, etc.),
quality assurance and environmental management systems.
At this point it is important to look at some basic functional definitions:
Loss - avoidable waste of any resource
Control - compliance with standards or requirements
Risk - chance of loss
Risk analysis - assessment of the potential severity of loss along with the
probability and exposure of a hazard
Hazard - a condition or practice with a potential for loss
2

R I S K

M A N A G E M E N T

O V E R V I E W

Safety - control of accidental loss

Occupational health - control of work-related illness
Environmental protection - control of harm or damage to anything (living and
non-living) in the environment
Risk control - anything done to reduce loss from the business. It includes:
The elimination or reduction of loss exposures

The minimization of loss when loss-producing events occur

The termination or avoidance of risk

Risk management - A managerial function, aimed at protecting the organization,

its resources and profits against the adverse consequences of exposure to risk, by
reducing the frequency of occurrence and the consequence of the exposure.
Quality assurance - All the planned and systematic activities implemented within
the quality system and demonstrated as needed to provide adequate confidence
that an entity will fulfill the requirements for quality.
Quality control - Operational techniques and activities that are used to fulfill the
requirements for quality.

Risk Management Decision Criteria

Cost Benefit

There are four main reasons why people and organizations apply risk management:
As said earlier, the biggest reason for applying risk management is due to the
financial benefits. The basic philosophy is that money should only be spent if the
benefits outweigh the expenditure. In this context, the capital spent on installing a
sprinkler system is seen as an investment and it must produce a return. The return
on investment must be positive and preferably greater than the value usually
gained; otherwise the sprinkler should not be installed.
In order to be able to calculate a cost-benefit analysis, risk analysis plays a critical
role - as the comparison is basically between the risk involved vs. the money to be
spent in order to reduce the risk to an acceptable level.
Although important, it quite often happens that risk management is applied even
though it is not cost-effective, due to one or more of the reasons below.

Risk
Aversion

Another major reason why people and organizations apply risk management is
because man is averse to risk. Even people who regard themselves as risk-takers
are in fact, averse to risk. For example, a banker who operates in the private sector
would regard himself as a risk-taker. He is not actually a risk-taker. Before lending
money, he will take every possible step to ensure that he has adequate security for
the loan.
3

R I S K

M A N A G E M E N T

O V E R V I E W

Because of this natural aversion, people take steps to reduce risks, even if the steps
are not cost effective. Imagine trying to convince the shareholders after a R50m
fire loss, that you had decided not to purchase a sprinkler system because you
regarded it as being not cost effective. After a major loss, no one is particularly
interested in cost to benefit calculations.
The decision to implement risk control measures - based on risk aversion - is
influenced by the magnitude of potential losses and the cost of the control
measures. The following usually influences the decision:

Authoritative
reasons

The magnitude of the possible loss

The size of the capital investment in relation to the risk control
expenditure
Authoritative Reasons
The magnitude of the maintenance budget in relation to the risk control
expenditure.

Authoritative reasons play a major role in the decision for the implementation of
risk control measures. Together with aversion to risk, not many managers would
argue about implementing a control measure if he knows that failure to do so
could result in a jail sentence or being charged with culpable homicide if an
employee is killed due to his failure to comply with legislation.
The most common forms of authoritative reasons are:

Legislation

Acceptable codes of practice

Another form of an authoritative reason is society or the community. Few people
realize the power that society has and that society can and will close an
organization down if the organization is not seen to be responsible enough.

Policy Based
Decisions

In practice, many decisions are simply policy based decisions. If the companys
policy is that its employees are important, it will probably have an effective system
for prevention and treatment of occupational injuries and illness in the work place.
Another company may decide that they want to obtain ISO 9000 certification in
order to enhance the quality and image of their product, and would therefore
develop and implement a quality assurance system. It often happens that chemical
companies for example, want to improve their image with the general public and
would spend large amounts of money on environmental issues. Although the
original motivation may not have been specific to risk management, risk
management would benefit.

R I S K

M A N A G E M E N T

O V E R V I E W

The Classic Risk Management Model

RISK MANAGEMENT

RISK CONTROL

RISK FINANCING

Fire
Security
Safety
Occupational Health
Environmental Management
Maintenance
Quality Management, etc.

Retention
Financing

External
Financing

In terms of this model, risk management consists of two components - risk

control and risk financing. Firstly, an attempt is made to control risk and secondly,
losses that result from the exposure to pure risks have to be financed. It is not
possible to prevent all losses - and sometimes not even cost effective to control all
risks - and therefore adequate and appropriate funding is necessary to pay for
these losses.
In terms of risk control, different disciplines have been developed over the years
to manage specific risk exposures - safety being developed for the control of
accidental loss such as injuries, occupational diseases, damage to property, etc.;
quality assurance management to control the risk of producing a substandard
quality product or rendering of a substandard quality service; maintenance systems
to control the risk of premature failure of equipment, extending life expectancy of
equipment, etc.; human resources departments for the control of the risk of
employing incompetent personnel, etc.
Risk financing is vital to ensure that adequate and appropriate funds are available
to pay for losses. The funds can be from the companys own sources or from
outside sources such as insurance.
The model is sometimes used to structure the risk management department in an
organization, however, the model does not reflect the process of managing risk; no
reference, for example, is made to risk assessment.
5

R I S K

M A N A G E M E N T

O V E R V I E W

The Process of Managing Risk

Risk has two dimensions, consequence and likelihood, or what would happen if
(consequence) and how likely is it to happen? (Likelihood). It should be clear
that total safety is impossible (and unjustifiable) and that zero risk is unachievable.
There are some potential hazards, although they are truly horrendous, are so
unlikely to occur that we have to live with that possibility. In other words, the risk
is tolerated. On the other hand, there are some smaller consequence events that
occur frequently that are controlled because they reduce the quality of our lives
and the profitability of our businesses. When thinking in this way, a paradigm
shift can occur; our view of reality changes.
Once we start to think in terms of risk, we automatically start to rank and
prioritize. This is another great virtue of risk assessment, it allows us to plan and
program our investments, enabling us to become proactive, to break the cycle of
reaction, to control and manage our risks.
The process of managing risk can be illustrated as follows:

Identification of loss exposures

Evaluation of risk
Develop the plan
TERMINATE

TREAT

TOLERAT

Implement the plan

Monitor / review

TRANSFER

R I S K

M A N A G E M E N T

O V E R V I E W

A process of managing risk needs to be in place, a process that would constantly

review and update information on risk and review and improve control measures
as appropriate.

Identification
of hazards

In order to manage risk, the first step is to identify hazards.

Risk Analysis

Once the hazards have been identified, the level of risk and the threat that it poses
to the organization has to be analyzed and determined. At this stage the adequacy
of present safeguards must also be considered.

Value
judgment of
the risk

With the extent of the risk known, a decision has to be taken whether with the
existing safeguards, the risk is acceptable or whether something needs to be done
about it. Should the level of risk be found to be acceptable, it could be tolerated
but measuring and monitoring is required to detect any change in the level of risk.
Risk reduction
This is part of the risk management process where the strategy for dealing with
specific risks is formed. Any of the techniques of risk control or risk financing
may be selected here; as a general guideline, however, it is wise to combine at least
one control measure with at least one financing technique for each risk faced.
Terminate
This is strictly a risk control technique and this approach is a synonym for risk
avoidance. It should be thought of as including both the refusal to expose the
organization to a risk in the first place and the complete elimination of a risk that
is already present in the operation. This is the only risk management technique
designed to be used without any others.
Transfer
Perhaps the most common risk transfer is to finance losses through insurance, but
many types of contractual transfers are also common. Risk control plays an
important part here too, since transfers are not foolproof and almost always leave
some chance that the transferor may suffer a loss.
Treat
Also related to risk control, treating the risk includes the techniques known as
risk control, or loss prevention, and reduction. Note that when these techniques
are applied, the risk still exists; the tools are designed to stop or reduce losses only.
For example, wearing a hard hat does not eliminate the risk of being struck by
falling objects; it only prevents or reduces injuries. Risk treatment is a vital area of
activity for reasons that will be examined later.
7

R I S K

M A N A G E M E N T

O V E R V I E W

Implementing
and
monitoring
the system

With work identified and standards set, the required control measures are
implemented.

Measurement
/ audit

It is often found that control measures are implemented and never reviewed unless something drastic - e.g. a major incident - occurs. Therefore, in order to
ensure that the control measures are indeed as effective as was intended, they need
to be monitored and measured. This measurement can be in the form of regular
measurement by sampling, or by comprehensive measurements - such as auditing on a periodic basis.

Evaluation of
measurement
results

Following the measurement or audit, the results need to be analyzed in order to

understand what the measurement revealed.
The measurement evaluation may reveal that:

Firstly, everything is on target and therefore one would want to commend

somebody for good performance.
Secondly, it may reveal a deviation from the set standards, in which case
one has to apply constructive correction.
Thirdly, the measurement may reveal that the control measures are
ineffective or that the standards or work to be done are inadequate to
control the hazard adequately or possibly even that not all hazards have
been identified, in which case the process starts again at hazard
identification.

Once all the risks have been reduced to acceptable levels, the Risk Management
process will not end. It is necessary to continue with risk control. This is the
process to ensure that all the measures put in place to reduce the risks to
acceptable levels are adhered to, or to identify hazards that have not been
identified earlier. As can be seen from the Figure below, risk control can be done
by means of inspections and incident/accident investigations.

R I S K

M A N A G E M E N T

O V E R V I E W

Risk Control
Verification
by
Inspection

Incident/Accident
Investigations
Corrective Action

Update
Risk Profile

Figure: Risk control

It will be essential that corrective action be taken and the risk profile be updated.
If all the mitigating measures do not remain in place, the risk profile will look a lot
different, and, without implementing risk control measures, one may not even be
aware that certain risks are again exceeding acceptable limits. Alternatively, risks
that one had not identified initially, but which are present, will not be recognized.

-------------X------------