Risk is defined from many different perspectives, and it is not surprising that definitions of risk are as diverse as the number, type and background of the persons or organisations defining it. To many, risk is seen as a chance or possibility of danger, loss, injury or other adverse consequences. The Institute of Risk Management (IRM) defined risk as the combination of the probability of an event and its consequence. Companies define risk as anything that can impact the fulfilment of corporate objectives, whether it signifies negative consequences, results in a positive outcome, or relates to uncertainty of outcome.
Risks are part of life and no society can develop without elements of risk in its various dimensions. Risk is normal in life and we cannot do without it. We can only manage it in order to succeed.
Before analysing the principles of risk management, it is important to examine the types of risk.
In Fundamentals of Risk, Paul Hopkin divided risk into three categories. These are:
- Hazard (or pure) risks, which can only result in negative outcomes.
- Control (or uncertainty) risks, which are frequently associated with project management and with unknown and unexpected events.
- Opportunity (or speculative) risks, which are taken in order to achieve a positive return and are most often financial in nature.
An organization will have a specific appetite for investment in such risks, for example moving a business to a new location, acquiring new property, expanding a business and diversifying into new products.
In managing a hazard risk, the organisation must:
- identify the risk, especially its nature and the circumstances in which it could materialize;
- rank or evaluate it in terms of its magnitude and likelihood;
- provide a response, either to tolerate it, treat it, transfer it or terminate the risk;
- provide the resources necessary to control the risk;
- have reaction planning in place for disaster recovery or business continuity;
- report on and monitor risk performance, actions and events, and communicate on risk issues, via the previously designed risk architecture of the company; and
- review the risk management system, including internal audit procedures and arrangements for the review and updating of the risk architecture, strategy and protocols.
Risk can be classified in different ways, especially according to the nature of the attributes of the risk. These include:
- Timescale for impact.
- Likely magnitude of the risk.
- The timescale of impact after the event occurs.
- The source of the risk.
- The origin, such as counterparty or credit risk.
- The nature of the impact:
  - On the finances
  - On the activities or the infrastructure
  - On reputation
  - On its status and the way it is perceived in the marketplace.
- Risk management standards and frameworks
The principles of risk management are summarised by the PACED acronym, which stands for proportionate, aligned, comprehensive, embedded and dynamic.
Proportionate means that the risk management activities of the organisation must be proportionate to the level of risk faced by the organization.
Aligned means that risk management activities need to be aligned with the other activities in the organization. This will ensure that the whole organisation works in agreement, thereby avoiding unnecessary acrimony.
Comprehensive means that in order to be fully effective, the risk management approach must be comprehensive. All risk-prone elements must be identified and properly treated.
Embedded means that risk management activities need to be embedded within the organization.
Dynamic means that risk management activities must be dynamic and responsive to emerging and changing risks, especially in a world that keeps changing with technological innovations.