Risk, as defined by ISO 31000, is the effect of uncertainty on objectives. The effect can be positive or negative, so the definition covers both favorable and unfavorable outcomes, whatever their source.
Definition of Risk Management
Risk management is the systematic process of identifying, assessing, and prioritizing risks, followed by the coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of adverse events, or to maximize the realization of opportunities.
Sources of Risk
Risks can originate from a wide range of sources, including uncertainty in financial markets, project failures, legal liabilities, credit risk, accidents, natural causes and disasters, and deliberate attacks by adversaries. Risk management standards have been developed by organizations such as the Project Management Institute, the National Institute of Standards and Technology (NIST), actuarial societies, and ISO.
Prioritization and Challenges
In ideal risk management, risks are prioritized by their potential loss and their probability of occurrence. Risks with both the highest potential loss and the highest probability are addressed first, followed by those with lower loss and lower probability. In practice, however, ranking a risk with high probability but low loss against one with low probability but high loss is difficult: their expected losses may be similar, yet the second can be ruinous in a single event.
Intangible Risk Management
Intangible risk management addresses risks that are certain to occur (100% probability) but are routinely overlooked because the organization lacks the ability to identify them. Examples are knowledge risk (deficient knowledge is applied), relationship risk (ineffective collaboration), and process-engagement risk (ineffective operational procedures). Intangible risks directly reduce productivity, cost-effectiveness, profitability, service quality, reputation, brand value, and earnings quality.
Resource Allocation and Opportunity Cost
Risk management faces a resource allocation problem, which is a question of opportunity cost: resources spent on risk management could instead be used for more profitable activities. Effective risk management therefore aims to spend as little as possible on risk management while still reducing the negative effects of risk to an acceptable level.
Risk Management Process
Method
The risk management process typically involves the following steps:
Identify, Characterize, and Assess Threats: Determine potential threats that could impact the organization.
Assess Vulnerability: Evaluate the susceptibility of critical assets to specific threats.
Determine Risk: Calculate the expected consequences of specific attacks on specific assets.
Identify Risk Reduction Measures: Develop strategies to mitigate identified risks.
Prioritize Risk Reduction Measures: Implement risk reduction measures based on a strategic approach.
Principles of Risk Management
The International Organization for Standardization (ISO) outlines the following principles of risk management:
Create Value: Risk management should contribute to the creation of value.
Be an Integral Part of Organizational Processes: Risk management should be integrated into all organizational processes.
Be Part of Decision Making: Risk management should inform decision-making processes.
Explicitly Address Uncertainty: Risk management should explicitly address uncertainty.
Be Systematic and Structured: Risk management should be systematic and structured.
Be Based on the Best Available Information: Risk management should be based on the best available information.
Be Tailored: Risk management should be tailored to the specific context of the organization.
Take into Account Human Factors: Risk management should consider human factors.
Be Transparent and Inclusive: Risk management should be transparent and inclusive.
Be Dynamic, Iterative, and Responsive to Change: Risk management should be dynamic, iterative, and responsive to change.
Be Capable of Continual Improvement and Enhancement: Risk management should be capable of continual improvement and enhancement.
Process (ISO 31000)
According to ISO 31000, the risk management process consists of several steps:
Establishing the Context:
Identification of Risk: Identify risks in a selected domain of interest.
Planning: Plan the remainder of the risk management process.
Mapping: Map out the social scope of risk management, the identity and objectives of the stakeholders, the basis on which risks will be evaluated, and any constraints.
Defining a Framework: Define a framework and agenda for risk identification.
Developing an Analysis: Develop an analysis of risks involved in the process.
Mitigation: Mitigate or solve risks using available resources.
Identification:
Identify potential risks that could cause problems.
Risk sources can be internal or external.
Problem analysis involves identifying threats related to risks.
Common risk identification methods include:
Objectives-based risk identification.
Scenario-based risk identification.
Taxonomy-based risk identification.
Common-risk checking.
Risk charting.
Assessment:
Assess the potential severity of loss and the probability of occurrence.
Where hard data are unavailable, make educated estimates so that risks can still be prioritized.
Use statistical information and expert opinions.
Quantify risks using the formula: rate (or probability) of occurrence multiplied by the impact of the event equals the magnitude of the risk.
Risk Options
Risk mitigation measures include:
Design new business processes with built-in risk controls.
Periodically reassess risks that have been accepted in ongoing processes and modify the mitigation measures accordingly.
Transfer risks to external agencies (e.g., insurance).
Avoid risks altogether.
Potential Risk Treatments
Techniques to manage risk fall into four categories:
Avoidance.
Reduction.
Sharing.
Retention.
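The assessment formula above (rate of occurrence multiplied by impact) and the four treatment categories just listed can be worked through on a small risk register. The Python below is an added example; it is not part of the original page nor of ISO 31000. The register entries, their rates, impacts and treatment costs are constructed numbers, and two rules are assumptions made for the example: ties in expected loss are broken on single-event impact, and a treatment is chosen only when the expected loss it removes exceeds its annual cost (otherwise the risk is retained).

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Treatment:
    """One option for handling a risk: avoid, reduce, share or retain."""
    kind: str                   # "avoid" | "reduce" | "share" | "retain"
    name: str
    annual_cost: float          # what the option costs per year
    rate_factor: float = 1.0    # residual annual rate = rate * rate_factor
    impact_factor: float = 1.0  # residual impact per event = impact * impact_factor


# Retention costs nothing up front and changes neither rate nor impact.
RETAIN = Treatment("retain", "accept and self-insure", annual_cost=0.0)


@dataclass
class Risk:
    name: str
    annual_rate: float   # expected occurrences per year
    impact: float        # loss per occurrence, in currency units
    treatments: list[Treatment] = field(default_factory=list)

    def expected_loss(self) -> float:
        """Rate of occurrence x impact = risk magnitude (annualised expected loss)."""
        return self.annual_rate * self.impact

    def residual_loss(self, t: Treatment) -> float:
        """Expected annual loss that remains once treatment t is in place."""
        return self.annual_rate * t.rate_factor * self.impact * t.impact_factor

    def net_benefit(self, t: Treatment) -> float:
        """Loss avoided per year minus what the treatment costs per year."""
        return self.expected_loss() - self.residual_loss(t) - t.annual_cost


def rank_register(risks: list[Risk]) -> list[str]:
    """Highest expected loss first; ties broken by single-event impact (assumed rule)."""
    ordered = sorted(risks, key=lambda r: (r.expected_loss(), r.impact), reverse=True)
    return [r.name for r in ordered]


def choose_treatment(risk: Risk) -> Treatment:
    """Pick the option with the largest positive net benefit, else retain.

    Retaining is the default when every option costs more per year than the
    expected loss it removes, i.e. when self-insurance is cheaper than cover.
    """
    best = max(risk.treatments, key=risk.net_benefit, default=RETAIN)
    return best if risk.net_benefit(best) > 0 else RETAIN


def catastrophic(risks: list[Risk], impact_tolerance: float) -> list[str]:
    """Risks whose single-event loss exceeds what the organisation can absorb.

    Ranking on expected loss hides rare-but-ruinous events; this check surfaces
    them regardless of rank so they receive explicit treatment.
    """
    return [r.name for r in risks if r.impact > impact_tolerance]


def treatment_plan(risks: list[Risk]) -> dict[str, str]:
    """Map each risk name to the kind of treatment chosen for it."""
    return {r.name: choose_treatment(r).kind for r in risks}


# Constructed sample register: illustrative figures, not data from any source.
REGISTER = [
    Risk("ransomware on file server", 0.2, 500_000, [
        Treatment("reduce", "offline backups + EDR", 40_000, rate_factor=0.5, impact_factor=0.2),
        Treatment("share", "cyber insurance (30% deductible)", 30_000, impact_factor=0.3),
    ]),
    Risk("phishing-driven credential theft", 4.0, 8_000, [
        Treatment("reduce", "phishing-resistant MFA", 12_000, rate_factor=0.1),
    ]),
    Risk("laptop lost in transit", 2.0, 1_500, [
        Treatment("share", "device insurance", 4_000, impact_factor=0.0),
    ]),
    Risk("data centre flood", 0.01, 2_000_000, [
        Treatment("avoid", "relocate to second site", 60_000, rate_factor=0.0),
        Treatment("share", "property insurance (10% deductible)", 8_000, impact_factor=0.1),
    ]),
]


if __name__ == "__main__":
    for name in rank_register(REGISTER):
        risk = next(r for r in REGISTER if r.name == name)
        chosen = choose_treatment(risk)
        print(f"{name:36s} expected loss={risk.expected_loss():>10,.0f} -> {chosen.kind}: {chosen.name}")
    print("catastrophic regardless of rank:", catastrophic(REGISTER, impact_tolerance=1_000_000))
```

Running the script prints the register ranked by expected annual loss with the chosen treatment for each entry: the ransomware and phishing risks are reduced, the flood risk is shared through insurance, and the lost-laptop risk is retained because insuring it costs more per year than the expected loss. The `catastrophic` check exists because the flood entry ranks below phishing on expected loss yet is the only one that could end the business, which is exactly the high-probability/low-loss versus low-probability/high-loss trade-off the page describes as hard to balance.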
Risk Avoidance
Avoid activities that carry risk.
Example: Not buying a property to avoid legal liability.
Avoidance also means losing potential gains.
Hazard Prevention
Hazard prevention refers to preventing risks in an emergency.
The first and most effective stage is to eliminate the hazard; if elimination takes too long, costs too much, or is otherwise impractical, the second stage is mitigation.
Risk Reduction
Reduce the severity or likelihood of loss.
Example: Sprinklers to reduce fire damage.
Because risks can be positive or negative, optimizing risk means balancing negative risk against the benefit of the activity, and risk reduction against the effort it requires.
Modern software development methodologies reduce risk through incremental development.
Outsourcing can reduce risk if the outsourcer can demonstrate a higher capability for managing or reducing that risk.
Risk Sharing
Share the burden of loss or benefit of gain.
"Risk transfer" is often used in place of risk sharing in the mistaken belief that a risk can be handed entirely to a third party through insurance or outsourcing; if the insurer or contractor goes bankrupt or the matter ends up in court, the original risk is likely to revert to the first party.
Methods of transferring risk include:
Partnerships and joint ventures.
BOOT (build-own-operate-transfer) contracts.
ROT contracts.
PPP (public-private partnership) contracts.
Insurance.
Risk Retention
Accept the loss or benefit of gain.
Self-insurance: the organization covers its own losses rather than buying cover.
Viable for small risks where the cost of insuring against the risk would, over time, exceed the total losses sustained.
All risks not avoided or transferred are retained.
Individual cover (e.g., medical aid).
Group cover (e.g., partnerships).
Risk Management Plan
Risk Mitigation and Control
Selection of Controls: Select appropriate controls or countermeasures to mitigate each identified risk. Ensure controls are effective and feasible.
Management Approval: Obtain approval for risk mitigation strategies from the appropriate level of management. Risks affecting organizational image require top management approval. IT-related risks can be managed by IT management.
Plan Documentation: Document the risk management plan, including the selected controls and their implementation schedule. Assign responsible persons for each action.
Risk Treatment Plan: Prepare a Risk Treatment Plan, documenting decisions on how to handle each risk. Document selected security controls in a Statement of Applicability (ISO/IEC 27001).
Implementation
Execution of Mitigation Strategies: Implement all planned methods for mitigating risks. Purchase insurance for transferred risks. Avoid risks that can be avoided without compromising organizational goals. Reduce and retain remaining risks.
Review and Evaluation of the Plan
Periodic Updates: Regularly update risk analysis results and management plans. Evaluate the effectiveness of existing security controls. Assess changes in the business environment that may affect risk levels.
Continuous Improvement: Use experience and actual loss results to improve the risk management plan. Adapt to changing circumstances and new information.
Limitations
Improper Risk Assessment: Misallocation of resources due to inaccurate risk assessment. Waste of time on unlikely risks. Qualitative risk assessment is subjective and inconsistent.
Over-Prioritization: Delay or stagnation of projects due to excessive risk management. Suspension of other work until risk management is complete.
Risk vs. Uncertainty: Distinguish measurable risk (impact × probability) from uncertainty, which cannot be measured.
Legal and Bureaucratic Justification: The primary justification for a formal risk assessment is often legal and bureaucratic rather than a genuine intent to manage risk.
Areas of Risk Management
Enterprise Risk Management (ERM): Identify and manage risks that can negatively impact the enterprise. Consider impacts on the enterprise's existence, resources, products, and customers, as well as external impacts on society, markets, and the environment. In financial institutions, ERM is normally the combination of credit, interest rate, liquidity, market, and operational risk. Every probable risk can have a pre-formulated contingency plan for its consequences. Given a risk with probability P, an estimated schedule loss S if it occurs, and a cost accrual ratio CAR (average cost per unit of time), a project manager can estimate the cost impact C = CAR × S, the schedule variance due to risk Rs = P × S, and the cost variance due to risk Rc = P × C; sorting on Rs puts the greatest threats to the schedule first, sorting on Rc the greatest threats to the budget. Risk in a project or process can arise from either Special Cause Variation or Common Cause Variation, and the two require different treatment.
Risk Management in Project Management: Plan risk management tasks, responsibilities, activities, and budget. Assign a risk officer. Maintain a live project risk database. Create an anonymous risk reporting channel. Prepare mitigation plans. Summarize planned and faced risks, mitigation effectiveness, and effort spent.
Risk Management for Megaprojects: Address high risks in large-scale investment projects. Focus on finance, safety, and social and environmental impacts. Use specialized methods and education.
Risk Management of Information Technology (IT): Manage risks related to IT. Address information security and other IT-related risks. Use specific methodologies.
Risk Management and Business Continuity: Complement risk management with business continuity planning (BCP). BCP addresses the consequences of realized residual risks. Risk management provides inputs for BCP. BCP assumes disasters will occur.
Risk Communication: Communicate risks effectively to stakeholders. Reach the intended audience and make risks comprehensible. Respect audience values and predict responses. Improve decision-making. Relate to crisis communication.
Bow Tie Diagrams: Use visual diagrams to communicate risks and treatments. Illustrate hazards, causes, consequences, and controls. Enhance engagement in HAZID workshops. Communication advantages: Visual illustration of risk elements, Easy understanding at all personnel levels, Effective communication.
Seven Cardinal Rules for Risk Communication: Accept and involve the public as a legitimate partner. Plan carefully and evaluate your efforts. Listen to the public's specific concerns. Be honest, frank, and open. Coordinate and collaborate with other credible sources. Meet the needs of the media. Speak clearly and with compassion.
Example Risk Management Plan Outline
Introduction: Purpose and scope of the plan.
Risk Assessment: Identification of risks. Assessment of risk probability and impact. Prioritization of risks.
Risk Mitigation Strategies: Selection of controls and countermeasures. Risk Treatment Plan. Statement of Applicability.
Implementation Plan: Schedule for control implementation. Assignment of responsibilities. Budget allocation.
Monitoring and Review: Periodic review and evaluation of the plan. Continuous improvement process.
Communication Plan: Risk communication strategies. Use of bow tie diagrams.
Contingency Planning: Business continuity planning. Disaster recovery strategies.
Limitations and Considerations: Acknowledging the limitations of risk management.
Business Ethics
Nature of Ethics
Ethics is the study of right and wrong actions, focusing on how conduct should be judged as good or bad. It's about how we should live our lives and behave towards others. These moral principles guide thinking, decision-making, and action across all human activities. Business ethics is not separate from general ethical principles; professionals, including entrepreneurs, should apply these principles in their work. It's crucial to understand that ethics and law are distinct, though related, concepts.
Ethics and Social Responsibility
An organization demonstrates social responsibility when its actions respect the public interest. Social responsibility requires organizations to avoid actions that harm the public or are otherwise socially irresponsible. Business ethics concerns the morality of business conduct, while social responsibility concerns the broader impact on society; because marketing decisions are a subset of corporate decisions, the two terms are often used interchangeably.
Ethics and the Law
Ethics involves personal moral principles and values, while laws are enforceable rules. Actions may be unethical without being illegal. Cultural differences influence ethical perspectives. For example, intellectual property is widely accepted in Europe and the USA, but other regions have different standards. Unauthorized use of copyrights, trademarks, and patents is prevalent in countries like Taiwan, Mexico, and Korea, reflecting differing cultural values.
Ethical Issues in Business Marketing
Product Issues: Ethical issues related to products typically involve safety, quality, and value, often arising from inadequate customer information. This can range from omitting crucial facts to deliberate deception. Changing product specifications to reduce costs can compromise product function and safety, potentially necessitating product recalls.
Promotion Issues: Promotional practices are rife with ethical considerations. Advertising and personal selling can tempt individuals to manipulate information. Corrupt selling practices, such as bribery and extortion, pose significant ethical dilemmas. Determining the line between acceptable gifts and unethical bribes is crucial.
(a) Extortion: Threats from government officials to close operations unless payments are made.
(b) Bribery: Payments made to obtain services or favors to which the payer is not entitled.
(c) Grease Money: Payments to expedite services delayed by officials.
(d) Gifts: Cultural practices where gifts are essential for negotiation.
Pricing Issues: Several pricing practices raise ethical concerns:
(a) Active Collusion: Illegal agreements among suppliers to fix prices.
(b) Predatory Pricing: Established suppliers using resources to drive out new competitors.
(c) Failure to Disclose Full Price: Hiding additional costs, though some situations may genuinely prevent full price calculation.
Place Issues: Long and complex distribution channels can lead to disputes and conflicts of interest. Manufacturers may engage in practices that distributors deem unfair:
Requiring high stock levels.
Manipulating discount structures.
Terminating agreements abruptly.
Dealing directly with end-users.
Ethical Codes
Businesses often specify ethical standards, and some publish formal codes of conduct. These codes typically cover payments to officials, relations with customers and suppliers, conflicts of interest, and the accuracy of records. An individual's ethical standards can put them at odds with their own organization. Many business people adhere to utilitarian principles, weighing costs against benefits to justify their actions.
AMA Code of Ethics
The American Marketing Association (AMA) has established a code of ethics for its members, emphasizing:
Responsibility for actions.
Adherence to laws and regulations.
Accurate representation of qualifications.
Promotion of the code of ethics.
Honesty and Fairness
Marketers should uphold integrity and honesty:
Being honest with all stakeholders.
Avoiding conflicts of interest.
Establishing equitable fee schedules.
Rights and Duties in the Marketing Exchange Process
Participants should expect:
Safe and fit products.
Truthful communications.
Good faith obligations.
Equitable grievance resolution.
This includes responsibilities in:
Product development: Disclosing risks, identifying substitutions, and avoiding misleading advertising.
Distribution: Avoiding manipulation of product availability, coercion in the marketing channel, and undue influence over resellers.
Pricing: Avoiding price fixing and predatory pricing.
Marketing research: Prohibiting deceptive practices and maintaining research integrity.
Violations of the AMA code may result in membership suspension or revocation.
Social Responsibility
Businesses should consider community concerns as they operate within society. Social responsibility involves:
Moral obligation to solve problems.
Leading by example.
Enlightened self-interest.
Public relations benefits.
Self-regulation to avoid legislation.
Organizations must consider the consequences of their actions on society.
Concepts of Social Responsibility
Profit Responsibility: Maximizing profits within legal and ethical boundaries.
Stakeholder Responsibility: Obligations to those affected by the organization's actions.
Societal Responsibility: Responsibilities to the general public, including environmental and employment concerns.
Strategies for Social Responsibility
Proactive Strategy: Taking action before external pressure.
Reactive Strategy: Addressing issues only when forced.
Defensive Strategy: Minimizing obligations through legal and lobbying efforts.
Accommodation Strategy: Acknowledging responsibility to avoid further pressure.