Functional Area 13: Risk Management
risk management
"coordinated activities to direct and control an organization with regard to risk." Risk management strategies are designed to change the probability of a risk event occurring and/or the degree of its impact on the organization's objectives.
External (category of risk)
(K/M) These sources of uncertainty are outside the organization and beyond its control. They would include changes in the economy or laws and regulations, disruptive technologies, and availability of trained employees.
Strategy (category of risk)
(K/M) This is desirable uncertainty that an organization willingly accepts when it commits to a strategy—for example, uncertainty whether loans can be repaid or employees will be fully productive.
Internal and preventable (category of risk)
(Kaplan/ Mikes theory) These risks come from within the organization and could include violations of ethics and failures in routine processes.
antifragility
(Taleb theory) the ability to not just withstand high-impact events or shocks but to improve and benefit from them
principal-agent problem
(or agency dilemma). The problem arises when an agent (such as an employee) makes decisions or takes actions on behalf of a principal (an employer or owner) but has personal incentives that may not align with those of the principal.
benefits of effective risk management
1. A systematic approach to risk management aligns the process with the organization's strategy and strategic objectives.
2. It leads to a more effective response to risk. The process of managing risk creates a broader understanding of a risk's causes and its potential.
3. It leads to a more consistent response to risk across the organization.
4. Losses are reduced, and the organization's resources are not wasted.
barriers to risk management
1. Structural. Organizations that are structured in a silo fashion tend to respond to risk in an operational, rather than strategic, manner. They overlook dependencies within the organization that can create risks and/or interfere with proactive risk management.
2. Cognitive. Managing risk effectively also requires imagination and openness to change. One of the reasons why compliance has traditionally consumed so much attention in risk management may be the attraction of its relative clarity: Risks have been clearly identified and responses fully defined. It is a realm of "if-then" scenarios.
3. Cultural. The cultural barriers ultimately involve what types of mindsets are sought, instilled, and rewarded. Organizations must clearly communicate to their members just what the organization's position and appetite are regarding risk. They must educate anyone in a position of making a decision that involves uncertainty—and that ultimately can mean everyone in the organization—about the discipline of risk management. They must create risk awareness and risk intelligence throughout the organization.
factors that affect risk tolerance
1. The organization's strategic goals and the degree to which risk will help achieve those goals.
2. The organization's characteristic attitude toward risk, heavily influenced by leadership and culture. Some organizations are risk-averse; they will avoid choices in which the gains are too low or the costs too high. Others are risk-seeking.
3. The organization's resources or risk capacity. Organizations with limited resources may be more risk-averse.
4. Externally imposed requirements such as required insurance and risk management strategies.
5. Loss expectancy. There are qualitative and quantitative approaches to assessing organizational risks.
responses to upside/ downside risks
1. Eliminate uncertainty: the organization or function takes steps to guarantee that positive risk events will happen and negative ones will not happen. These steps must be thoroughly researched and analyzed to establish that desired absolute degree of certainty. (optimize/ avoid)
2. Redefine ownership: ownership in this case refers to responsibility for financial costs and operations. Sharing means that another party will be brought in to help maximize the upside potential of an uncertain event. (share/ transfer)
3. Increase/ decrease effect: the risk management tactics of enhancing and mitigating seek to change the amount of risk through certain "levers." Enhancing involves increasing the probability that an opportunity will materialize. Mitigating aims at reducing the probability that a risk will occur or decreasing the negative impact it will have. Prevention is a form of mitigation. (enhance/ mitigate)
4. Take no action: an organization decides to ignore or pass up possible opportunities or to accept the occurrence of a threat. These risk management strategies are used when the possibility of increased opportunity or threat is unlikely, or when the gains and losses do not merit the investment of mitigation efforts. (accept/ ignore)
establishing the context (ISO process for risk mgmt)
1st phase of the risk mgmt. process. During this first phase, the organization tries to gain a sense of how prominent a role risk plays in the organization, where most of the risk resides, and what the typical sources of this risk are. SWOT or PESTLE are useful tools for this assessment.
identify and analyze risks (ISO process for risk mgmt)
2nd phase: gather information about risks and current controls, then evaluate and prioritize the risks.
manage risks (ISO process for risk mgmt)
3rd phase: adopt and implement risk responses.
evaluate (ISO process for risk mgmt)
4th/ final phase: audit risk controls, evaluate their effectiveness, and monitor for changes in risks.
errors & omissions insurance (E&O)
A common form of transferring risk for HR professionals is professional liability insurance.
risk control
An action taken to manage a risk
risk management tactics (choosing strategy/ implementation)
Avoidance. The decision not to become involved in, or action to withdraw from, a risk situation.
Reduction. The actions taken to lessen the probability, the negative consequence, or both associated with a risk.
Sharing. Sharing with another party the burden of loss or benefit of gain for a risk. Risk sharing can be done through insurance or other agreements.
Retention. The acceptance of the burden of loss or benefit of gain for a risk.
HR risk management performance targets
Be strategically focused (succession planning to ensure stable, continuous, strong leadership).
Combine activities and results (prevention strategy).
Combine lagging and leading metrics (new methods to recruit quality candidates).
Modify risks related to noncompliance (educating staff on regulations).
Instill risk management principles in the organization's members and processes (workshops delivered to Boards).
risk (COSO vs. ISO definition)
COSO defines risk as having an adverse effect; ISO defines risk simply as "the effect of uncertainty on objectives." Although risk is commonly seen as something negative, strictly speaking it is neither positive nor negative. It is potential—what could happen. The goal then is to anticipate, prioritize, and manage as many risks as is reasonably possible.
how orgs improve understanding of risks
Consulting experts and information sources (focus groups, surveys).
Process analysis. HR has identified certain of its own processes as especially critical, given the organization's values and strategic priorities.
Direct observation. Vulnerabilities can be observed by walking through a facility as an employee or visitor might.
ISO's 11 principles of risk management
1. Create and protect value.
2. Be an integral part of all organizational processes.
3. Be part of decision making.
4. Explicitly address uncertainty.
5. Be systematic, structured, and timely.
6. Be based on the best available information.
7. Fit an organization's risk and control environment.
8. Take into account human and cultural factors.
9. Be transparent and inclusive.
10. Be dynamic, iterative, and responsive to change.
11. Facilitate continual improvement of the organization.
emergency preparedness/ business continuity
Emergency preparedness and business continuity require:
Preparedness for foreseen and unforeseen events. This includes risk identification and development of contingency plans for emergencies of long or short duration.
Response capability to secure employee health and safety and continue productivity. This may involve developing plans, implementing policies, securing necessary equipment, and practicing response plans.
analyzing risk questions
How likely is a risk event to occur? This is referred to as an event's probability.
If it does occur, how will it affect the organization? This is commonly referred to as the event's impact.
How quickly is the event likely to emerge?
Are controls currently in place to manage this risk? If so, are they effective?
What is the probable root cause of the risk? Considering root causes for risks can help address the ME part of the MECE acronym.
ISO's org framework for creation of a risk-aware and risk-intelligent culture
Management commitment to risk management and clear direction that risk management is part of the organization's strategy and culture.
Design of a framework for managing risk that includes the organization's governance layer of explicit policies and processes designed to fulfill those policies.
Implementing risk management to determine the management approach for specific risks.
Periodic monitoring and review of the framework to make sure that it is delivering on the goals of risk management.
Continual improvement of the framework, which could involve realigning the framework to a new organizational strategy for risk management, making the framework more responsive to emerging risks, increasing awareness of and experience with new management approaches, and improving auditing tactics.
examples of potential threats
Political and social risks, including terrorism, high levels of poverty and communicable diseases (e.g., Ebola, antibiotic-resistant tuberculosis, or AIDS), unreliable transportation, kidnapping, theft, assault, and war.
Environmental health risks due to poor air quality and lack of clean water.
Weak public and legal infrastructures in certain locations, which affect health-care facilities and supplies, telecommunications, transportation, and regulations aimed at improving building health and safety.
Natural disasters, such as typhoons, tsunamis, and earthquakes—which are made worse by weak local infrastructures.
Occupational hazards specific to certain business sectors, such as exposure to inherently unsafe conditions (e.g., mining or oil drilling) or toxic materials (e.g., chemical processing).
risk level equation
Probability of occurrence x Magnitude of impact
examples of development of KRI's for strategic HR risks
Retention rates at two years can signal emerging issues in recruitment methods, compensation systems, or employee engagement.
Economic upturns of a certain percentage can signal an impending increase in demand for goods and services and an expansion of the workforce.
Individual absenteeism rates can signal an individual performance problem that must be addressed.
Changes in worker entry regulations may create opportunities for employee mobility.
Alerts from health authorities can trigger contingency plans for organizations that foresee the need to implement anti-infective procedures, such as remote work, reinforcement of hygiene, and sick leave policies.
ERM risk framework (4 categories)
Strategy—risks that affect the organization's ability to achieve its objectives (HR: talent mgmt/ recruiting).
Operations—risks that affect the myriad ways in which the organization creates value (HR: performance mgmt, workplace safety, employee relations, benefits mgmt).
Financial reporting—risks that affect the accuracy and timeliness of information about the organization's financial performance and condition (HR: workforce data, technology).
Compliance—risks associated with meeting the requirements of laws and regulations (HR: required reports, employee communication).
list of risk mgmt considerations for HR
Talent acquisition: Are employment laws and regulations observed to avoid potential discriminatory practices? Is the screening of potential applicants thorough to help ensure the hiring of suitable candidates?
Onboarding and assimilation: Are sufficient orientation and training provided to new hires?
Training and development: Is sufficient training provided to current employees assuming new responsibilities or positions?
Occupational safety and health: Are safe working conditions provided? Is staff adequately trained in safety procedures? Are appropriate safety clothing and equipment provided on the job? Are safety checks (e.g., fire drills and emergency evacuations) conducted regularly? Are they compliant with local codes?
Employee conduct: Are job descriptions clearly written? Are orientation and/or training comprehensive and adequate? Is supervision adequate?
Performance management: Is a robust performance management program in place? Are written records of documented performance issues retained? Are antiharassment policies and procedures adequate?
Exiting employees: Are exit interviews conducted? Are all access codes, passwords, etc., deactivated?
risk matrix
a simple grid in which the horizontal axis represents the probability that an event will occur and the vertical axis relates to the severity of the impact on the organization or function if the event occurs.
risk scorecard
a tool used to gather individual assessments of various characteristics of risk (e.g., frequency of occurrence; degree of impact, loss, or gain for the organization; degree of efficacy of current controls). Risks identified as relevant to the organization are listed in a template. Individual risks may be weighted more heavily according to their strategic importance. Each risk is scored and adjusted by its weight. When scores are aggregated, the result indicates how the organization perceives specific risks. This may lead directly to consideration of management tactics or to further analysis.
MECE
acronym stands for: mutually exclusive; comprehensively exhaustive. In other words, the organization wants to be confident that it has identified all plausible risks for all strategic and operational aspects of its business, but it wants to avoid duplication or overlapping in the identification. Duplicate risks may mean wasted resources and burdensome reporting that could discourage compliance. Overlapping risks could lead to incomplete management of a risk, conflicts among the different owners of the risk, and loss of organizational control over the management of the risk.
known unknowns (ISO's category of risk)
are uncertainties that we know exist but we don't know much about their probability or impact.
downside tactics
avoid, transfer, mitigate, accept
after-action debrief
comes from the discipline of emergency management. It is usually applied to meetings that examine the effectiveness of a risk response strategy. The debrief can be an educational opportunity for everyone attending. There is a good argument to be made, therefore, that the principles of the debrief should be applied whenever a risk management plan has been invoked. The debrief team asks questions such as:
What happened, why did it happen, and what were the results of the event?
What did we do in response? Did we follow the plan?
What were the results relative to the requirements for managing this risk?
hazard
defined as the potential for harm, often associated with a condition or activity that, if left uncontrolled, can result in injury or illness. Hazards have the potential for immediate
known knowns (ISO's category of risk)
events that are to be expected and so involve little uncertainty
moral hazard
exists when one party engages in risky behavior knowing that it is protected against the risk because another party will incur any resulting loss. Insurance, for example, can have the unintended consequence of creating moral hazard by incentivizing people to act more recklessly than they would have had they not had insurance.
conflict of interest (risk management)
a situation in which a person or organization has the potential to be influenced by two opposing sets of incentives. Examples of potential conflicts of interest include:
An employee selects a vendor company owned by a personal friend.
An employee is directly supervised by his or her spouse.
An outside consulting company is simultaneously retained by two competing organizations.
contingency plan
is a protocol that an organization implements when an identified risk event occurs. A contingency plan must be developed with specific goals in mind, including immediate security for employees, company assets, and all stakeholders; compliance with local laws and regulations; documentation and reporting as required; and follow-up.
Single loss expectancy (SLE)
is the expected monetary loss every time a risk occurs. It involves the asset value (AV) and an exposure factor (EF) and is expressed by the following formula: SLE = AV x EF
Annualized loss expectancy (ALE)
is the expected monetary loss for an asset due to a risk over a one-year period. It involves SLE and an annualized rate of occurrence (ARO) and is represented by the following formula: ALE = SLE x ARO
providing oversight
last phase of the risk management process:
Increasing transparency and accountability by measuring and reporting risk management results.
Making sure of compliance with requirements.
Assessing the effectiveness of individual risk management strategies.
Assessing the effectiveness of the organization's risk management framework—its values, policies and processes, and culture.
Continually improving risk management by investigating incidents and identifying opportunities for improving both strategies and framework.
audit to evaluate compliance (risk mgmt)
may be conducted internally or externally to check that policies for risk management are adequate, in place, being followed, and producing the anticipated results. Audits require having the right person—an unbiased third party—equipped with the right tools, which include risk management expertise, understanding of the organization's business and processes, and awareness of best practices. Since audits can result in negative findings and recommendations for changes, it is critical that management supports the audit process and commits to implementing recommendations.
duty of care (as HR responsibility)
means that organizations should take all steps that are reasonably possible to ensure the health, safety, and well-being of employees and protect them from foreseeable injury.
key risk indicators (KRI)
metrics that "provide an early signal of increasing risk exposures in the various areas of an enterprise." These signals could call for a change in the way risks are prioritized for management or in the management actions themselves.
upside tactics
optimize, share, enhance, ignore
quality assurance (QA/ risk mgmt)
refers to the actions an organization takes to be sure that it is performing work according to the standards it has set and is using specified processes correctly and completely. As it pertains to risk management, it considers an organization's proactive, preventive, predictive, and preemptive actions to ensure confidence that evolving risks are controlled.
unknown unknowns (ISO's category of risk)
risks that we don't know exist. They are the events that "blindside" an organization (or individuals or entire cultures)
risk register
serves as a repository/ documentation for all information about an identified risk. What's typically included:
Risk category—e.g., strategic, operational, compliance, financial
Risk event
Risk classification—e.g., highly likely and high impact
KRIs
Risk management controls—e.g., training, screening before selection for assignment, criteria for assignment to an area
Risk owner(s)—individual(s) responsible for documenting the risk and ensuring that the risk management process is fully implemented
Reporting requirements
residual risk
the amount of uncertainty that remains after all risk management efforts have been exhausted.
risk appetite/ tolerance
the amount of uncertainty the organization is willing to pursue or to accept to attain its risk management goals.
risk position
the organization's desired gain or loss in value.
whistleblowing
the reporting by employees of the organization's violations of policies and processes; it applies very directly to risk management. Employee reports can point to risks that have not been identified or adequately managed.
PAPA model
tool used to evaluate/ prioritize risk. This model uses two axes: the vertical axis considers the speed of change and the horizontal axis the degree of likelihood. The matrix can be used for both threats and opportunities. The quadrants represent recommended organizational actions:
1. Prepare- events (seasonal storm) are not likely to happen but will materialize quickly if they do occur. That means contingency plans must be in place and early indicators defined.
2. Act- events (workplace accident in mining) are both highly probable and fast-moving. These threats and opportunities require immediate responses in terms of enhancing the chances for opportunities and decreasing the chances of a threat occurring or creating significant damage.
3. Park- events (workplace bullying) are slow-moving and unlikely. They merit monitoring for changes in their characteristics but not investment in mitigation or contingencies.
4. Adapt- events (hiring more employees w/ disabilities) are actually slowly materializing trends that may affect the organization significantly.