
METHODS OF RISK MANAGEMENT

PREPARED BY: DR GUNJAN BAHETI


Once risks have been identified and assessed, all techniques and methods to manage the risk fall into one
or more of these four major categories:

 Avoidance (eliminate, withdraw from or not become involved)
 Reduction (optimize – mitigate)
 Sharing (transfer – outsource or insure)
 Retention (accept and budget)

Risk avoidance
This includes not performing an activity that could carry risk. An example would be not buying
a property or business so as not to take on the legal liability that comes with it. Another would be not
flying so as not to take the risk of the airplane being hijacked. Avoidance may seem the answer to
all risks, but avoiding risks also means losing out on the potential gain that accepting (retaining) the risk
may have allowed. Not entering a business to avoid the risk of loss also avoids the possibility of earning
profits. Increasing risk regulation in hospitals has led to avoidance of treating higher-risk conditions, in
favor of patients presenting with lower risk.[13]
Risk reduction
Risk reduction or "optimization" involves reducing the severity of the loss or the likelihood of the loss
from occurring. For example, sprinklers are designed to put out a fire to reduce the risk of loss by fire. This
method may cause a greater loss by water damage and therefore may not be suitable. Halon fire
suppression systems may mitigate that risk, but the cost may be prohibitive as a strategy.
Acknowledging that risks can be positive or negative, optimizing risks means finding a balance between
negative risk and the benefit of the operation or activity, and between risk reduction and the effort applied. An
offshore drilling contractor that effectively applies Health, Safety and Environment (HSE) management in
its organization can optimize risk to achieve levels of residual risk that are tolerable.[14]
Modern software development methodologies reduce risk by developing and delivering software
incrementally. Early methodologies suffered from the fact that they only delivered software in the final
phase of development; any problems encountered in earlier phases meant costly rework and often
jeopardized the whole project. By developing in iterations, software projects can limit effort wasted to a
single iteration.
Outsourcing could be an example of a risk-sharing strategy if the outsourcer can demonstrate higher
capability at managing or reducing risks.[15] For example, a company may outsource only its software
development, the manufacturing of hard goods, or its customer support needs to another company, while
handling the business management itself. This way, the company can concentrate more on business
development without having to worry as much about the manufacturing process, managing the
development team, or finding a physical location for a support center.
Risk sharing
Briefly defined as "sharing with another party the burden of loss or the benefit of gain, from a risk, and the
measures to reduce a risk."
The term 'risk transfer' is often used in place of risk sharing in the mistaken belief that you can transfer a
risk to a third party through insurance or outsourcing. In practice, if the insurance company or contractor goes
bankrupt or ends up in court, the original risk is likely to revert to the first party. Even so, in the
terminology of practitioners and scholars alike, the purchase of an insurance contract is often described as
a "transfer of risk." However, technically speaking, the buyer of the contract generally retains legal
responsibility for the losses "transferred", meaning that insurance may be described more accurately as a
post-event compensatory mechanism. For example, a personal injury insurance policy does not transfer
the risk of a car accident to the insurance company. The risk still lies with the policy holder, namely the
person who has been in the accident. The insurance policy simply provides that if an accident (the event)
occurs involving the policy holder, then some compensation may be payable to the policy holder that is
commensurate with the suffering or damage.
Some ways of managing risk fall into multiple categories. Risk retention pools are technically retaining the
risk for the group, but spreading it over the whole group involves transfer among individual members of
the group. This is different from traditional insurance, in that no premium is exchanged between members
of the group up front, but instead losses are assessed to all members of the group.

Risk retention
Risk retention involves accepting the loss, or the benefit of gain, from a risk when the incident occurs.
True self-insurance falls in this category. Risk retention is a viable strategy for small risks where the cost
of insuring against the risk would be greater over time than the total losses sustained. All risks that are not
avoided or transferred are retained by default. This includes risks that are so large or catastrophic that
either they cannot be insured against or the premiums would be infeasible. War is an example, since most
property and risks are not insured against war, so the loss attributed to war is retained by the insured. Also,
any amount of potential loss (risk) over the amount insured is retained risk. This may also be acceptable if
the chance of a very large loss is small, or if the cost of insuring for greater coverage amounts is so great that
it would hinder the goals of the organization too much.

Risk Mitigation
Select appropriate controls or countermeasures to mitigate each risk. Risk mitigation needs to be approved
by the appropriate level of management. For instance, a risk concerning the image of the organization
should have top management decision behind it whereas IT management would have the authority to
decide on computer virus risks.
The risk management plan should propose applicable and effective security controls for managing the
risks. For example, an observed high risk of computer viruses could be mitigated by acquiring and
implementing antivirus software. A good risk management plan should contain a schedule for control
implementation and responsible persons for those actions.
According to ISO/IEC 27001, the stage immediately after completion of the risk assessment phase consists
of preparing a Risk Treatment Plan, which should document the decisions about how each of the identified
risks should be handled. Mitigation of risks often means selection of security controls, which should be
documented in a Statement of Applicability, which identifies which particular control objectives and
controls from the standard have been selected, and why.
Implementation
Implementation follows all of the planned methods for mitigating the effect of the risks: purchase
insurance policies for the risks that it has been decided to transfer to an insurer, avoid all risks that can
be avoided without sacrificing the entity's goals, reduce others, and retain the rest.
Review and evaluation of the plan
Initial risk management plans will never be perfect. Practice, experience, and actual loss results will
necessitate changes in the plan and contribute information to allow possible different decisions to be made
in dealing with the risks being faced.
Risk analysis results and management plans should be updated periodically. There are two primary reasons
for this:

1. to evaluate whether the previously selected security controls are still applicable and effective
2. to evaluate possible changes in risk level in the business environment. Information security
risks, for example, are a good example of a rapidly changing environment.
Risk Measurement Methods and Techniques

A firm needs to understand the intensity and types of potential risks it is prone to. Finance
managers are expected to analyze the situation thoroughly and to choose the most apt
approach, process or method to measure that financial risk.
1. Regression Analysis –
This approach is used to study the effect on one variable when another one changes.
For instance, what change will cash inflow experience when the rate of interest
increases or decreases?
2. Value at Risk (VaR) –
Another popular approach to measuring and checking financial risk is VaR analysis.
VaR is measured with respect to the amount of potential loss, the probability of that
amount of loss, and the time frame. For example, a financial firm is exposed to a 5 per cent
one-month value at risk of INR 50,000. This implies that there is a 5 per cent chance that
the firm has to bear a loss of INR 50,000 in any given month. Let's understand this
concept with another example. Suppose another firm owns an investment portfolio on
which it determines the VaR to be INR 100,000, at a 50 per cent confidence level over a
40-day holding period. Now, if no investments are added or sold within those 40 days,
then there is a 50 per cent chance that the firm might lose INR 100,000. VaR is an
estimate of the possible maximum loss. Actual losses may be above or below the
estimated value.

3. Security Analysis –
Analysis of tradable financial instruments like debt (money borrowed from the market),
equities (owners' funds), mixtures of these two, and company warrants is known as
security analysis. Sometimes futures contracts and tradable credit derivatives are also
included. Security analysis is further sub-categorized into fundamental analysis, which
works according to different fundamental business factors such as financial
statements, and technical analysis, which focuses upon price trends and momentum.

4. Scenario Analysis –
Scenario analysis is another useful approach to quantifying risks. It is also known as stress
testing, sensitivity testing, or 'what if?' analysis. Financial managers create more than one
scenario and ask 'what if' this situation were to occur? For example:
What if the stock market crashed by 38 per cent?
What if interest rates were to rise by 100 basis points?
What if the exchange rate were to rise by 40 per cent?
What if an important client were to leave the firm?
The results of these hypothetical scenarios are then converted into a risk measure: the risk
exposure is taken from the calculations, and the maximum loss predicted is assumed
to be the worst-case scenario.
Standard Deviation
Standard deviation measures the dispersion of data from its expected value. The standard deviation is used in
making an investment decision to measure the amount of historical volatility associated with an investment
relative to its annual rate of return. It indicates how much the current return is deviating from its expected
historical normal returns. For example, a stock that has a high standard deviation experiences higher volatility,
and therefore, a higher level of risk is associated with the stock.

Beta
Beta is another common measure of risk. Beta measures the amount of systematic risk an individual security or
an industrial sector has relative to the whole stock market. The market has a beta of 1, and it can be used to
gauge the risk of a security. If a security's beta is equal to 1, the security's price moves in step with the
market. A security with a beta greater than 1 is more volatile than the market. Conversely, if a
security's beta is less than 1, the security is less volatile than the market. For example, suppose a
security's beta is 1.5. In theory, the security is 50 percent more volatile than the market.

Conditional Value at Risk (CVaR)

Conditional value at risk (CVaR) is another risk measure used to assess the tail risk of an investment. Used as an
extension to VaR, CVaR assesses the likelihood, with a certain degree of confidence, that the loss will
exceed the VaR; it seeks to assess what happens to an investment beyond its maximum loss threshold. This
measure is more sensitive to events that happen in the tail end of a distribution – the tail risk. For example,
suppose a risk manager believes the average loss on an investment is $10 million for the worst one percent of
possible outcomes for a portfolio. Then the CVaR, or expected shortfall, is $10 million for the one percent
tail.
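As an added worked example (not part of Dr Baheti's notes), the four measures discussed above, standard deviation, beta, VaR and CVaR, computed on constructed data. The sample returns and monthly losses, the 1.5x scaling of the security against the market, and the INR-thousand units are assumptions; VaR is estimated here by historical simulation, one of several ways to estimate it.

```python
"""Risk measures from the notes above (standard deviation, beta, VaR, CVaR)
computed on constructed data. Added example, not part of the original notes."""
import math

# Constructed sample: six periodic returns (fractions) for the market index
# and for a security that moves 1.5x the market plus a small constant alpha.
MARKET = [0.01, -0.02, 0.03, 0.00, -0.01, 0.02]
SECURITY = [1.5 * r + 0.001 for r in MARKET]

# Constructed sample: 20 monthly outcomes for a portfolio in INR thousand.
# Positive numbers are losses, negative numbers are gains.
MONTHLY_LOSSES = [-3, -2, -1, 0, 1, 1, 2, 2, 3, 3,
                  4, 4, 5, 6, 7, 8, 9, 12, 15, 20]


def std_dev(returns):
    """Sample standard deviation: dispersion of returns around their mean."""
    n = len(returns)
    m = sum(returns) / n
    return math.sqrt(sum((r - m) ** 2 for r in returns) / (n - 1))


def beta(security, market):
    """Beta = Cov(security, market) / Var(market).

    1.0 means the security moves in step with the market; 1.5 means it is
    (in theory) 50 percent more volatile than the market."""
    n = len(security)
    ms, mm = sum(security) / n, sum(market) / n
    cov = sum((s - ms) * (m - mm) for s, m in zip(security, market)) / (n - 1)
    var_m = sum((m - mm) ** 2 for m in market) / (n - 1)
    return cov / var_m


def historical_var(losses, confidence):
    """Historical-simulation VaR at the given confidence level.

    Returns the loss that only (1 - confidence) of the observed periods
    exceed, e.g. confidence=0.95 on 20 months gives the 5 per cent VaR,
    the loss exceeded in just one of the 20 months."""
    ordered = sorted(losses)
    n = len(ordered)
    exceedances = round((1 - confidence) * n)  # months expected to exceed VaR
    return ordered[n - 1 - exceedances]


def cvar(losses, confidence):
    """CVaR (expected shortfall): mean loss in the tail at or beyond VaR."""
    threshold = historical_var(losses, confidence)
    tail = [loss for loss in losses if loss >= threshold]
    return sum(tail) / len(tail)


if __name__ == "__main__":
    print(f"std dev of market returns: {std_dev(MARKET):.4f}")
    print(f"beta of security vs market: {beta(SECURITY, MARKET):.2f}")
    print(f"5% monthly VaR (INR thousand): {historical_var(MONTHLY_LOSSES, 0.95)}")
    print(f"5% monthly CVaR (INR thousand): {cvar(MONTHLY_LOSSES, 0.95)}")
```

CVaR is always at least as large as VaR at the same confidence level, which is why it is the more conservative measure of tail risk.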

Categories of Risk Management

Beyond the particular measures, risk management is divided into two broad categories: systematic and
unsystematic risk.

Systematic Risk
Systematic risk is associated with the market. This risk affects the overall market of the security. It is
unpredictable and undiversifiable; however, the risk can be mitigated through hedging. For example, political
upheaval is a systematic risk that can affect multiple financial markets, such as the bond, stock, and currency
markets. An investor can hedge against this sort of risk by buying put options in the market itself.

Unsystematic Risk
The second category of risk, unsystematic risk, is associated with a company or sector. It is also known as
diversifiable risk and can be mitigated through asset diversification. This risk is only inherent to a specific stock
or industry. If an investor buys an oil stock, he assumes the risk associated with both the oil industry and the
company itself.

For example, suppose an investor is invested in an oil company, and he believes the falling price of oil affects
the company. The investor may look to take the opposite side of, or hedge, his position by buying a put option
on crude oil or on the company, or he may look to mitigate the risk through diversification by buying stock in
retail or airline companies. He mitigates some of the risk if he takes these routes to protect his exposure to the
oil industry. If he is not concerned with risk management, the company's stock and oil price could drop
significantly, and he could lose his entire investment, severely impacting his portfolio.
Risk Control
What Is Risk Control?
Risk control is the set of methods by which firms evaluate potential losses and take action to reduce or
eliminate such threats. It is a technique that utilizes findings from risk assessments, which involve
identifying potential risk factors in a company's operations, such as technical and non-technical
aspects of the business, financial policies and other issues that may affect the well-being of the firm.
Risk control also implements proactive changes to reduce risk in these areas. Risk control, therefore,
helps companies limit lost assets and income.

Risk control is a key component of a company's enterprise risk management (ERM) protocol.

How Risk Control Works

Modern businesses face a diverse collection of obstacles, competitors, and potential dangers. Risk
control is a plan-based business strategy that aims to identify, assess, and prepare for any dangers,
hazards, and other potentials for disaster—both physical and figurative—that may interfere with an
organization's operations and objectives.

 Avoidance is the best method of loss control. For example, after discovering that a chemical
used in manufacturing a company’s goods is dangerous for the workers, a factory owner finds
a safe substitute chemical to protect the workers’ health.
 Loss prevention accepts a risk but attempts to minimize the loss rather than eliminate it. For
example, inventory stored in a warehouse is susceptible to theft. Since there is no way to
avoid it, a loss prevention program is put in place. The program includes patrolling security
guards, video cameras and secured storage facilities. Insurance is another example of risk
prevention that is outsourced to a third party by contract.
 Loss reduction accepts the risk and seeks to limit losses when a threat occurs. For example, a
company storing flammable material in a warehouse installs state-of-the-art water sprinklers
for minimizing damage in case of fire.
 Separation involves dispersing key assets so that catastrophic events at one location affect
the business only at that location. If all assets were in the same place, the business would face
more serious issues. For example, a company utilizes a geographically diverse workforce so
that production may continue when issues arise at one warehouse.
 Duplication involves creating a backup plan, often by using technology. For example,
because information system server failure would stop a company’s operations, a backup
server is readily available in case the primary server fails.
 Diversification allocates business resources for creating multiple lines of business offering a
variety of products or services in different industries. A significant revenue loss from one line
will not result in irreparable harm to the company’s bottom line. For example, in addition to
serving food, a restaurant has grocery stores carry its line of salad dressings, marinades, and
sauces.

No one risk control technique will be a golden bullet to keep a company free from potential harm. In
practice, these techniques are used in tandem with one another to varying degree and change as the
corporation grows, as the economy changes, and as the competitive landscape shifts.

KEY TAKEAWAYS
 Risk control is the set of methods by which firms evaluate potential losses and take action to
reduce or eliminate such threats. It is a technique that utilizes findings from risk assessments.
 The goal is to identify and reduce potential risk factors in a company's operations, such as
technical and non-technical aspects of the business, financial policies and other issues that
may affect the well-being of the firm.
 Risk control methods include avoidance, loss prevention, loss reduction, separation,
duplication, and diversification.

Example of Risk Control


As part of Sumitomo Electric’s risk management efforts, the company developed Business Continuity
Plans (BCPs) in fiscal 2008 as a means of ensuring that core business activities could continue in the
event of a disaster. The BCPs played a role in responding to issues caused by the Great East Japan
earthquake that occurred in March 2011. Because the quake caused massive damage on an
unprecedented scale, far surpassing the damage assumed in the BCPs, some areas of the plans did not
reach their goals.

Based on lessons learned from the company’s response to the earthquake, executives continue
promoting practical drills and training programs, confirming the effectiveness of the plans and
improving them as needed. In addition, Sumitomo continues setting up a system for coping with risks
such as outbreaks of infectious diseases, including the pandemic influenza virus.

RISK REPORT
Risk reports are a way of communicating project and business risks to the people who need to know.
Below, we explain four different types of risk reporting that enable teams to communicate risk to the
right people at the right time.

1. Project Risk Reporting

Project risk reporting is at the lowest level in the project risk hierarchy. This is carried out by each
project manager and the appropriate members of the project team.

Project-level reporting covers risks that are relevant to the scope of the project work, and external
factors that may affect the project in some way. For example:

 The risk of price changes for key materials
 The risk of resources not being available to carry out work at the required time
 The risk of suppliers not being able to complete their contracted work.

Each project should have a risk log that documents the risks specifically related to the project. The
risk log records the tasks that are being done to actively manage the risk and the owner – the person
responsible for completing the action plan.

The project risk report is used by the project manager, and created with input from the project team
members. All the risks will be in the risk log; only the top risks make it into the risk report as these are
the ones that need management attention right now. While the risk log is likely to be in use weekly, if
not more frequently, risk reporting is probably only done as part of a management reporting cycle,
such as at the end of each month.
2. Program Risk Reporting
When a project is part of a program, the program manager will also have a record of relevant
program-level risks.

Program-level risks are those that relate to:

 A particular project within the program, where the risk is significant enough to need to be
escalated to the program manager
 Overlaps or dependencies between projects within the program
 The program overall, where the risks do not naturally link back to a specific project.

“Significant” project risk is a determination that you can work out with the project and program
managers, but would typically relate to things that had a high financial, operational or strategic
implication.

The program risk report is used by the program manager and created by the program team. It is
produced at a frequency determined by your program management framework, which could be
monthly.

3. Portfolio Risk Reporting

Portfolio-level risk reporting is a way of showing the aggregated risk profile for all the projects and
programs in the portfolio.

The major risks per program (or per project, for those projects that do not form part of a program) are
drawn together and presented in a way that makes it easy to see an overall summary. The report
should highlight areas where management teams need to be aware, for example, where risk action
plans could take two or more routes. This draws attention to the decisions that need to be taken so that
program and project teams can get on with executing the work.

The portfolio risk report is created by the PMO, with data drawn from program and project risk
reports. Ideally, this should be pulled directly from an enterprise project management software tool to
ensure it reflects the most up-to-date information.

This report is likely to be produced monthly.

4. Business Risk Reporting

Finally, there is business-level risk reporting. Some businesses include operational activity in the
scope of the portfolio, so wouldn’t have a need for this level of reporting. However, it’s common to
see projects managed across the organization with a portfolio approach, and operational work falling
outside that.

If this sounds like your company, a risk report that shows the aggregated risks across the portfolio
isn’t the true risk profile for your business. Each business unit and function will have their own risks
that relate to their operational activity. These risks can be significant.
Principles of Effective Risk Reporting

1. Governance
2. Data architecture and IT infrastructure
3. Accuracy and Integrity
4. Completeness
5. Timeliness
6. Adaptability
7. Accuracy
8. Comprehensiveness
9. Clarity and usefulness
10. Frequency
11. Distribution
12. Review
13. Remedial actions and supervisory measures
14. Home/host cooperation
