Risk Management Principles PDF
Document Details
Uploaded by CharismaticPythagoras
The College of Tourism and Hospitality Management
Tags
Summary
This document covers the principles of risk management, including risk-based thinking, terminologies, and processes. It discusses various aspects like proactive and holistic approaches, opportunity-focused decision-driven concepts and kinds of organizations.
Full Transcript
Principles of Risk Management Terminologies Risk-Based Thinking Risk Proactive - Effect on uncertainty - Focuses on anticipating objecti...
Principles of Risk Management Terminologies Risk-Based Thinking Risk Proactive - Effect on uncertainty - Focuses on anticipating objectives potential risks Risk management Holistic - Coordinated activities to - Considers the entire direct and control an organization & organization with regard Interconnected system to risk Opportunity-focused Stakeholder (interested parties) - Looks into potential - Person / organization that benefits in a risk/certain can affect, be affected by, situation or perceive themselves by a decision or activity Decision Driven - Helps to make a thorough Risk Source decision - Element which alone or in combination has the KINDS OF ORGANIZATIONS potential to give rise to risk (origin / cause) 1. External (Controlled) 2. Internal Factors (Limited Event Control) - Occurrence or change of a particular set of Managing Risk circumstances It is interactive (Repeatedly) and assists organizations in setting Likelihood strategy, objectives, and decision - Chance of something making happening Part of a governance & leadership Control Part of all activities associated - Measure that maintains & within an organization and modifies risk interaction with stakeholders Principle, Framework, Process Principles E. Dynamic The purpose of Risk Management - Risk management is the creation and protection of anticipates, detects, value. acknowledges, and responds to those changes Improves performance, and events in an encourages innovation, and appropriate and timely supports the achievement of manner objectives. F. Best available information A. Integrated - The inputs on risk - Risk management is an management are history integral part of all and past mistakes organizational activities G. Human & Control factors B. Structured & Comprehensive - Human behavior and - This contributes to culture significantly consistent and influence all aspects of comparable results risk management C. Customized H. Continual Improvement - The risk management - Risk management is framework and process continually improved are customized and through learning and proportionate to the experience organization’s external & internal content related to its objectives D. Inclusive - Appropriate & Timely involvement of stakeholders enables their knowledge, views, and perceptions to be considered. Framework of Risk Management External context The purpose is to assist the organization in integrating risk management into significant activities and functions. Leadership and Commitment Top management and oversight bodies, where applicable, should ensure that risk management is Internal context integrated into all organizational activities Top Management Accountable for managing risk Oversight bodies Accountable for overseeing risk management Articulating risk management FRAMEWORK commitment - Top management & 1. Integrating risk management oversight bodies should - Relies on an understanding of demonstrate and organizational structures and articulate their continual context commitment to risk - Structures differ depending on management through purpose, goals, and complexity policy, statement, forms 2. Design Assigning organizational roles, authorities, responsibilities, and Understanding the organization accountabilities and its context - Top management & - The organization should oversight bodies should examine and understand ensure that the its external and internal authorities, context responsibilities, and accountabilities are assigned to 4. Evaluation organizations Periodically measure risk management framework Allocating resources performance against its purpose, 1. People, skills, experience, and implementation, plans, competence indicators, and behavior 2. Organization’s processes, methods, and tools to be used for 5. Improvement managing risk 3. Documented processes and Adapting procedures - Organization should 4. Information and knowledge continually monitor and management systems adapter the risk 5. Professional development and management framework training needs to address external & internal changes Establishing communication and consultation Continually improving - Organization should established - Organization should an approved approach to continually improve the communication and consultation suitability, adequacy, and in order to support the effectiveness of the framework and facilitate framework and the way effective application of risk the process is integrated management 3. Implementation The organization should implement the risk management framework by: Developing an appropriate plan How types of decisions are made Across the organization & by who Modifying the applicable decision making processes Ensure that organization arrangements for managing risks are understood and practiced Popular Risk Management OCTAVE (Operationally Critical Frameworks Threat Analysis and Response) - Collaborative approach NST Risk Management that involves a team of Framework (RMF) stakeholders from - By the National Institute departments of Standards and Technology - Used in the United States government & private sector COSO Enterprise Risk Management (ERM) - Provides a structured approach to managing enterprise-wide risks ISO 31000 - International standard that offers framework for risk management - Applicable to organizations of all sizes and sectors FAIR (Factor Analysis of Information Risk) - Quantitative risk assessment methodology that calculates the financial impact of information security risks Risk Management Process Defining risk criteria - Specify the amount and type of The risk management process should be risk that it may or may not take, an integral part of management and relative to objectives decision making and integrated into the - Define criteria to evaluate the structure, operations and processes of significance of the risk and to the organization. support decision making Process 3. Risk Assessment - It is the overall process of risk 1. Communication and identification, analysis, and Consultation evaluation - The purpose is to assist relevant - Should be conducted stakeholders in understanding systematically, iteratively, and risk, the basis on which decisions collaboratively, drawing on the are made and the reasons why knowledge and news of particular actions are needed. stakeholders 2. Scope, context, and criteria Risk Identification - The purpose is to customize the - Purpose is to find, recognize, risk management process, describe risks that might help or enabling effective risk prevent an organization assessment and appropriate risk achieving its objectives treatment Risk Analysis Defining the scope - The purpose is to comprehend - The organization should define the nature of risk and its the scope of its risk management characteristics activities. - Involves a detailed consideration of uncertainties, sources etc. External and internal context - The external and internal context Risk Evaluation is the environment in which the - The purpose is to support organization seeks to define and decisions achieve its objectives. - Comparing the results of the risk analysis with the established risk criteria to determine where additional action is required and reported through appropriate mechanisms 4. Risk Treatment - Purpose is to select and Factors to consider for reporting, but implement options for addressing are not limited to: risk 1. Differing stakeholders, and their Selection of risk treatment specific information needs and options requirements - Involves balancing potential 2. Cost, frequency, timeliness of beliefs derived in relation to the reporting achievement of the objectives 3. Method of reporting against cost, effort, or 4. Relevance of information to disadvantages of implementation organizational objectives and decision making Risk treatment options are not necessarily mutually exclusive or appropriate in all circumstances. Preparing and implementing risk treatment plans - Purpose is to specify how the chosen treatment options will be implemented, so that arrangements are understood by those involved - Clearly identify the order in which risk treatment should be implemented 5. Monitoring and Review - The purpose is to assure and improve the quality and effectiveness of process design, implementation and outcomes 6. Recording and Reporting - The risk man processes and its outcomes should be documented