It's important for organizations to develop a structured process that helps them recognize and prepare for a wide range of risks, including the proactive establishment of internal controls, corporate values, and strong leadership. This structured process is a risk management process.
In this article, we take a closer look at a key topic in the Investment Foundations course of study — risk management (Module 7) — to understand different types of risk and how organizations can manage them.
Is Risk Avoidable?
We'll start off by stressing that some degree of risk is unavoidable. If you think about it, risk is part of your daily life, and you often act as a risk manager.
Before crossing a busy road, you first assess that it is safe to do so; if you take a toddler to the swimming pool, you make sure she is wearing inflatable armbands before she gets into the water. In the course of your life, you are well acquainted with identifying risks, assessing them, and selecting the appropriate response, which is what risk management is about.
For organizations, risk can take many different forms:
- Business risk: The risk of not being able to operate profitably in a given competitive environment, typically because of a shift in market conditions.
- Credit risk: The risk for a lender that a borrower will fail to honor a contract and make timely payments of interest and principal.
- Operational risk: The risk of losses from human, system, or process failures and from events that are beyond the control of the organization but affect its operations. Typical examples include human error, internal fraud, system malfunctions, technology failure, and contractual disputes.
- Legal risk: The risk that an external party could sue for breach of contract or other violations.
- Political risk: This risk is inherent in all markets. A change in the ruling political party of a country can lead to changes in policies that can affect taxation, interest rates, investment incentives, public investments, and procurement.
A structured risk management process typically includes these five steps:
- Set objectives. For example, identify the organization’s risk tolerance. Risk tolerance is the level of risk the organization is able and willing to take on. Its willingness to take on risk, which is also called its risk appetite, depends on its attitude toward risk and on its risk culture.
- Detect and identify events. The aim of risk management is to try to capture the full range of risks, including hidden or undetected ones.
- Assess and prioritize risks. Two elements are typically considered: the expected frequency of the event and the expected severity of its consequences.
- Select a risk response. Formulate responses to deal with the risks identified in the previous step. For each risk, management must select the appropriate response and develop actions to align the company’s risk profile with its risk tolerance.
- Control and monitor. Policies and procedures provide a framework to help ensure that the risk responses are effectively carried out and monitored. Relevant information must be identified, captured, and reported accurately to enable people to carry out their responsibilities.
Although risk management is sometimes viewed as a specialist function, a well-established risk management process should encompass the entire organization and filter down from senior management to all employees, giving them guidance in carrying out their roles.
One individual can damage the reputation of a large institution and even lead to its demise. Reputations take years to build but can be lost in an instant. Markets are increasingly interdependent, and media and the internet can spread the news of a mistake or disaster across the globe in a matter of minutes.
Bottom Line: Risk Management
To some extent, everyone faces and addresses risks at work on a daily basis, whether consciously or not. The risk management process helps managers deal with uncertainty and identify the risks and opportunities their organization faces; this process is critical to protecting reputations and maintaining confidence among market participants.