One analysis of the word “risk” and its impact on risk management processes uses RISK as an acronym for reasoning, intelligence, strategy and knowledge. The entire risk management process is influenced by these four basic activities.
Simply put, risk refers to some uncertainty that may have some adverse effects either on business or on peoples’ daily lives.
Once risk is identified, it needs to be defined and managed. The entire process requires reasoning, intelligence and strategy development to handle the risk and complete knowledge related to the object of the risk. While identifying the risk involved in a business process, the impact of such risk also needs to be assessed. Understanding the impact of each risk area helps organizations prioritize risk and analyze the options to find an effective resolution. Application of such best alternatives needs adequate knowledge of the subject to mitigate the risk. All such processes can be considered as essential elements of a successful risk management process. It is imperative to understand the individual risk elements and their relationships to effectively manage risk in real-life situations.
Reasoning
Whatever a person’s role—in business or in life—decisions that involve elements of risk need to be made.
Risk is made up of two parts: the probability of something going wrong and the negative consequences if something goes wrong. Once a decision is made, logic needs to be applied behind it—this is the concept of reasoning. Reasoning is the action of thinking about something in a logical and sensible way.1 There is a chance of both success and failure in this process. In the risk management process, the probability of something bad happening based on a decision should be identified; this process is defined as risk analysis. Risk analysis is used to analyze a situation, identify the potential problems and provide guidance in managing these problems that could undermine key business initiatives or projects.
To conduct a risk analysis, practitioners need to first identify the possible threats, then estimate the probability of occurrences of those threats. A risk mitigation plan can then be created based on those calculations. It is essential to apply reasoning during risk identification when determining the probability calculations of these perceived threats and their ultimate impact on a business or one’s personal life.
The risk management process is part of an enterprise’s business management process— the complexities involved in day-to-day business activities.
Intelligence
Risk is always guided by the perceived intelligence of human beings. Whether a certain event is considered a risk is based on a person’s intelligence, knowledge and understanding of the subject matter, and the ability to handle such risk as acceptable or not acceptable. The risk needs to be identified based on its association with assets or business processes. This identification process requires common intelligence or business intelligence for accepting the risk designation. Once the risk associated with a business process or assets is identified, the risk needs to be addressed.
Effective information is key in the risk management process. After collecting the necessary information, intelligence is applied to manage the risk. Computer-based tools and artificial intelligence (AI) can assist in risk identification and impact analysis.
AI can process large amounts of data for the automation of certain repetitive and burdensome risk management steps such as analyzing risk, ranking risk based on outcomes and regularly monitoring action plans. This allows risk managers to respond faster to new and emerging exposures. AI can help risk managers by “acting in real time and with some predictive capabilities, risk management could reach a new level in supporting better decision-making for senior management.”2
The risk management process is part of an enterprise’s business management process—the complexities involved in day-to-day business activities. When applying the risk management process, owners (i.e., senior managers, operation-level managers, risk professionals) need to apply business intelligence for deciding the quantum of risk involved and the outcome and treatment of the perceived risk. Application of such intelligence is gained from business experiences or environments and the use of different tools available for risk analysis.
Strategy
Risk mitigation requires the development of a strategy that manages the perceived risk. Things to consider include how much risk to avoid, how much risk to mitigate, how much risk to transfer through insurance coverage or some other established process, and how much risk to accept.
Enterprise risk management (ERM) and risk management in general cover a wider range of risk factors than any enterprise could potentially face. A risk may seem harmful, but if it does not actually negatively impact the overall health of an enterprise or its ability to meet its business objectives, then it is an acceptable risk. For example, a temporary data center outage can result in short-term problems or customer dissatisfaction, but once it is recovered, the enterprise can quickly get back on track. Conversely, there may be significant risk events that may lead to catastrophic situations that affect revenue, resulting in losses of income. These situations not only impair an enterprise’s ability to meet its objectives, but they may also threaten the enterprise’s survival.
These uncertainties in business have given rise to the application of strategic risk management. Business owners and process owners need to perform a risk analysis along with their business impact analysis. When completing a business impact risk analysis, strategies must be applied with respect to the treatment of each perceived risk area. This strategic process guides business owners and process owners on what action is required and when.
The strategic risk assessment process is designed to be tailored to an enterprise’s specific needs and culture. To be most useful, a risk management process and the resultant reporting process must reflect an enterprise’s culture so the process can be embedded and owned by management. Without proper strategy, the risk management process is incomplete.
Knowledge
In the context of risk management, intelligence includes the capacity for understanding a thing and applying a logic toward considering an event as a risk, while knowledge refers to the values developed through a learning process and ideas generated from past events.
Developing a good strategy for managing risk also requires adequate knowledge of the perceived risk. Without the required knowledge of how to manage risk based on external inputs such as technical knowledge, knowledge on financial support or knowledge from recorded case studies, it is difficult to develop a risk management strategy.
Knowledge of the market, knowledge of third-party services and knowledge of past data are basic necessities for generating strategies to address any perceived risk. Without knowledge, the risk management process is not possible.
Risk Management Process
The relationship of RISK to the basic steps of the risk management process can be established as shown in figure 1.
Risk management practitioners need to apply strong reasoning when identifying an event as a risk. The application of business intelligence is also required to determine the risk’s impact. Strategy is also required to handle the risk by applying the knowledge gathered from past experiences or from other resources.
Consider the following example use case: A risk consultant is assigned to assess the associated risk of a data center. To complete the assigned role’s duties, the risk consultant needs to understand all the operational processes involved and the associated risk of each process. Then the consultant can convert the overall risk of the data center into three parts, such as facility risk, external risk and data system risk. In this case, the initial assessment of facility risk was identified as shown in figure 2:
Out of the risk areas listed in figure 2, loss of power is considered to be the most important because without it, nothing can run.
There are several factors responsible for attributing to this risk (figure 3).
Once the risk factors have been determined, the risk consultant must rank them as high risk, medium risk or low risk. In this case, though it appears that power generator availability is the highest priority, an uninterruptible power supply (UPS) is considered the highest risk with priority 1, because if the power supply goes off, UPS needs to be activated instantly. The consultant ranks each risk factor, which is likely guided by intelligence and other inputs such as probability and impact of such risk (figure 4).
Once the risk has been prioritized, the consultant must prepare a strategy regarding the determined risk mitigations in consultation with business owners and process owners based on the financial budget available. In this case, the consultant will first try to replace the storage battery of the UPS with a good-quality battery and then, based on the financial budget availability, current technical condition of the UPS and back-time requirement in the current business scenario, a better quality UPS system can be considered as a replacement. Next, a new annual maintenance contract for power generator should be started. If a dual source of power is not available, then that risk needs to be accepted.
In this case, to complete the risk mitigation activity, the consultant needs to have adequate knowledge of the latest available UPS systems for data centers in the market and their capacity. Hence, knowledge plays a vital role in strategy planning.
This strategic planning can be aided by knowledge from past experiences of handling such risk, for example, information on the latest technological developments, the cost of relevant hardware or software planned, information about industry or country-specific laws and regulations, and the cost of insurance coverage.
Conclusion
The entire risk management process is guided by reasoning, intelligence, strategy and knowledge. The individual letters of the word “risk” comprise the essence of the risk management process. Thus, the risk management process is an outcome of effective reasoning associated with the application of intelligence, strategy development and knowledge of the risk mitigation process.
Understanding the elements of risk management is key for risk consultants to be able to correctly identify risk objects and their attributes and develop a proper strategic plan for mitigating the risk factors.
Thus, risk consultants should focus on upgrading their knowledge and analytical skills and be more informed about the latest technical upgrades on relevant risk areas.
Endnotes
1 Committee of Sponsoring Organizations of the Treadway Commission (COSO), “Guidance on Enterprise Risk Management,” http://www.coso.org/pages/erm.aspx
2 Federation of European Risk Management Associations (FERMA), “Artificial Intelligence Applied to Risk Management,” 12 April 2019, http://www.ferma.eu/publication/artificial-intelligence-ai-applied-to-risk-management/
Tapas Bhattacharya, PH.D., CISA
Is a SAP governance, risk, and compliance (GRC) consultant and a former senior consultant at IBM India. He has 31 years of industry experience. Bhattacharya has worked with different multinational enterprises in different capacities in the areas of finance management and IT consulting and has SAP implementation and support experience in India and abroad. He has also served as a board member of the ISACA® Kolkata (India) Chapter. He was associated with SAP Academy (Colombo, Sri Lanka) as a visiting faculty member, where he taught SAP FICO and SAP audit. He can be reached at dr.tapasbhattacharya11@gmail.com.