Risk Management Within an Organisation


This manual is written to advise on an approach to managing risk, with regards to procedures to follow in conducting risk analyses and treatment.

Background of my Organisation

I will focus my attention on the management of risks for my company in general. My company is involved in the trading of steel products, mainly for construction purposes, as well as the sales and purchases of agricultural products such as beans, maize and rice. With regards to these products, letters of credit (LCs) have to be initiated regularly for such products to be sold overseas. As part of the accounting and finance function, my responsibilities are not only in the proper accounting treatment of such transactions, but also as part of the team involved in a new trade financing project to ensure the smooth flow of these transactions from the opening of LCs, the financing as well as the delivery of these products. Such a flow will involve the cooperation of both the operations and the accounting and finance departments.

Purpose of Risk Management

Business risk relates to exposure to certain events that will have a negative impact on the strategies and objectives of the company. Hence business risk is due to two factors: the probability of an event occurring as well as the seriousness of the consequences (Bowden, Lane and Martin, 2001). There are several risks that are more specific to my organization, and are shown as follows:

1. Strategic risk, such as poor marketing strategy and poor acquisition strategy, as a result of poor planning (Bowden et. al, 2001). Poor marketing and acquisition of different grades of steel and agricultural products can prove the downfall of the organization.

2. Financial risk, such as lack of credit assessment and poor receivables and inventory management, as a result of poor financial control (Bowden et. al, 2001). Inadequate credit assessment of potential trade and other debtors as well as low debtors’ turnover can be a poor reflection of the company’s strategy and objectives.

3. Operational risk, such as poor practices and routine actions, as a result of poor human actions (Bowden et. al, 2001). Non-conformity to the organization’s safe practices or even willful actions by employees can create potential operational and financial losses to the company.

4. Technical risk, such as equipment and infrastructure breakdown and fire destruction, as a result of failure of physical assets (Bowden et. al, 2001). Such risks can be prevalent in my organization if appropriate actions are not taken to prevent these technicalities. Unfortunately, many organizations tend to focus too much on the performance and cost dimensions of technical risk and manage them too heavily (Smith and Reinertsen, year unknown).

5. Market risk, such as inadequate market research, which is the risk of not meeting the needs of the market, assuming that the specification has been satisfied (Smith and Reinertsen, year unknown). This risk may be more important compared to others, however it is less manageable due to the risk being less objective and quantifiable compared to say technical risk

As a result of such risks mentioned above, coupled with the advancement in technology and competitive pressures, risk management has taken a more important role in the existence of businesses today (Bowden et. al, 2001). Risk management relates to the logical and systematic way of establishing context, identifying risks, analyzing risks, evaluating risks and lastly, treating risks. This approach also involves communicating and consulting the findings as well as monitoring and reviewing the treatment of risks. This approach to managing risks is known as the AS 4360 method (Bowden et. al, 2001).

Risk Management

Step 1: Definition of Context

This relates to the establishment of context in terms of strategic, organizational and risk management (Bowden et. al, 2001). The strategic context is concerned with the relationship between the organization and its parameters in terms of financial, operational, competitive and social context (Bowden et. al, 2001). In the case of my organization, we are concerned with our financial objectives (i.e. sales turnover of US$20 million with a profit margin of at least 12% annually), products with high quality and good customer satisfaction, as well as good market position (one of the top suppliers of steel in the regional construction industry). The strategic context also requires the organization to identify the stakeholders, which includes the owners, employees, customers, suppliers as well as the local community (Bowden et. al, 2001). In addition to that, my organization will have to be accountable to our shareholders and the media as well, since we are a local listed company.

The organizational context will be concerned with wider goals, objectives and strategies of the company as a whole (Bowden et. al, 2001). In this context, we have to establish and implement sufficient key performance indicators (KPIs) and critical success factors (CSFs) that are suitable to the different aspects of the business. There are a couple of KPIs that are commonly used in my organization:

1. Revenue and profit targets: These are mentioned above.
2. Customer satisfaction: Surveys are sent quarterly to our suppliers and customers to ensure at least 90% customer overall satisfaction.
3. Stocks update and on-time deliveries of goods: Sufficient stocks are maintained and retrieved from suppliers and deliveries have to be made on time to customers at least 98% of all sales orders.
4. Timely submission of monthly accounting and sales records to head office: The deadline of submission of such reports is usually the 5th of each month, which has to be strictly adhered to.

On a wider basis, such KPIs are also linked to CSFs in my organization, which includes the following:

1. Maintaining a healthy position in our markets: This is mentioned above.
2. Supportive top management open to marketing and financing ideas: The directors and senior management have a fortnightly meeting with lower management on possible ideas and brainstorming on ideas and possible financing from banks on certain products.
3. Sufficient funds and resources in place: Funds have to be in place for LCs, which are converted to trust receipts, which have to be settled within certain tenure, coupled with adequate manpower and technologies for proper functioning of the organization.

With these KPIs and CSFs in mind, the various activities of the can be further segregated into smaller teams and activities to provide a more logical flow for better analysis (Bowden et. al, 2001). In my organization, the sales teams are broken up into smaller groups in charge of various products for steel and agricultural aspects. This is also done likewise for the finance department, which has smaller teams in charge of receivables, payables and other administrative functions.

Step 2: Identification of Risks

This process aims to identify all events, which might affect the organization as a whole. In such a scenario, there is a need to identify all causes and potential situations (Bowden et. al, 2001). After which, we will proceed to link the risks, both threats and opportunities, with key criteria that will have a direct impact on the organization (Bowden et. al, 2001). There is also a requirement to approach these risks with proactive and reactive responses (Bowden et. al, 2001). There are several tools that can help with identifying risks, namely brainstorming, checklists and judgements based on experience.

In my organization, there are several tools used to identify risks. For the finance department, there is a quarterly checklist used on different risks involved, which can include the amount of tax incurred and tax credits agreed with the tax authorities, the amount of receivables and stock updates and how efficient their respective turnovers are. Provisions for such items are also raised based on prior experience. For the marketing and operations department, weekly meetings are conducted whereby brainstorming and systems analysis are used to identify possible risks with regards to competition, changes in prices and tastes of customers as well as the safe-guarding of stocks at our premises. It is further recommended that a product plan with a product manager be put in place, with rankings are given to the priority of such risks and the inputs, processes and outputs should be investigated in greater depth (Bowden et. al, 2001).

It is mentioned that a test market will be useful if there is a high degree of uncertainty about the eventual sales of the new product as the launch date approaches (Cooper, year unknown). My organization is currently looking at possible new sales of liquor and diesel for its overseas markets. However, these possible sales are not considered new products in the existing markets. With speed and the competitive environment being important facts, a test market may not be applicable in our scenario (Cooper, year unknown).

In addition to the launch of possible new products, there are several pitfalls in considerations for my organization:

1. Lack of market orientation. These are possible risks considering insufficient market analysis and not understanding customer needs and wants.
2. Poor quality of execution. With regards to my organization, the grades or quality of the flammable new products might be filled with deficiencies, hence not meeting customers’ needs.
3. Moving too quickly. A too hasty approach to launch these products might render too many mistakes in the process and compromise the quality and timing of the promotional activities (Cooper, year unknown).

Step 3: Risk Analysis

This step involves the estimation of the likelihood and consequence of possible risk events. These are often evaluated using the current controls in place (Bowden et. al, 2001). Such controls are needed to ensure effective operations, reliable reporting systems and proper compliance with rules and regulations (Bowden et. al, 2001). In my organization, controls in place will include past records, market analysis given by traders from different countries, published literature in the form of accounting and marketing magazines and internal and external auditors’ reports.

There are several techniques that are used to establish likelihood and consequence, namely structured interviews, multi-disciplinary groups of experts, assessments using questionnaires and computer modelling (Bowden et. al, 2001).

The decision tree technique can also be used whereby the expected net present value (NPV) of cash flows associated with each individual outcome is shown (Vlahos, 2001). This technique is useful for the following reasons:

1. It improves our understanding of each outcome and makes assumptions more forthcoming.
2. It is useful for documenting and communicating thoughts on uncertainty and also helps generate alternatives for better value enhancement.
3. Managers can monitor each stage of the project and make appropriate analysis with regards to decisions made at each point
4. The outputs in terms of expected NPVs generated can be used as potential inputs for projects selection (Vlahos, 2001).

This technique is highly recommended for my organization in two ways:

1. This can be used in decisions made by the marketing department in terms of which products to obtain for potential markets.
2. The finance department will also find it useful in terms of the different ways of financing (i.e. direct cash financing, using LCs or trust receipts) in consideration for the building of the trade finance project.

There are two types of risk analysis, mainly qualitative and quantitative (Bowden et. al, 2001).

Qualitative Technique

A qualitative method makes use of words or descriptive scale and comes in the form of a ranking structure, alternating between Rare and Almost Certain. Such a method is concerned with raking likelihoods and consequences (Bowden et. al, 2001). With regards to construction projects, which can be applicable to my organization, the consequences can range from insignificant (whereby there is no injuries and minimum financial loss), moderate (injuries with medical help required and moderate financial loss) to catastrophic (death with significant financial loss). Such a qualitative table with various likelihood and risk levels matrix can be useful in the following scenarios:

1. Initial screening guide to identify possible risks for further analysis.
2. Where the level of risk does not justify the time and effort required for more analysis.
3. Insufficient numerical data, which renders a quantitative analysis useless.

For the qualitative analysis, the management and staff with regards to the risk events at different levels must work through the risk-ranking matrix. Each likelihood and consequence criteria should be considered in order to put events in the appropriate category (Bowden et. al, 2001).

However, there are several disadvantages associated with this technique:

1. It may not be too accurate as events within the same category may have substantially different levels of risk.
2. There may not be a common basis for comparison of risk i.e. on dollar basis or number of deaths.
3. There is no clear justification with regards to the process of ‘weighing’ risks
4. There could be different interpretations with regards to the meaning of different consequences i.e. the word catastrophic can mean a great deal to some people, while others might take it more lightly.
5. It can be difficult to translate the findings from this technique to match that of a quantitative method (Bowden et. al, 2001).

With these pitfalls mentioned above in mind, I would think that it will be better to consider the qualitative technique as more of an initial screening exercise which should be used concurrently with the quantitative technique.

Quantitative Technique

This approach takes the product of likelihood and consequence, with the consequence expressed as an actual variable (Bowden et. al, 2001). Such a technique is more reliable as it relies on numerical values, with estimates of frequency being made in terms of event frequency (Bowden et. al, 2001).

There are several drivers of risks, namely, technology, people, systems, organizational factors and external factors (Bowden et. al, 2001). In my organization, some drivers of risk might include how updated my computer versions of accounting and sales systems, the competency and educational levels of the employees, the number of new ideas by lower management accepted by higher management and possibly the amount of pollution our products might cause to the environment.

The quantitative analysis is further broken down into likelihood and consequence criteria. For the likelihood criteria, it is expressed as a probability instead of frequency, thus ensuring that risks are compared on a similar basis (Bowden et. al, 2001). With similar small events likely to occur, the likelihood of them occurring can be considered as one event. With regards to my organization, examples of such similar events might include:

1. 20 deliveries which are not made on time (more than 30 minutes) to customers resulting in losses of $1,000 each for transportation costs
2. 5 deliveries of wrong grades of products to customers resulting in losses of $1,500 for transportation and bank charges.

For the consequence criteria, it can be considered in terms of an event leading to possible death or severe losses i.e. financial or reputation losses. In the case of the two examples for likelihood criteria given above, the related consequence criteria are as follows respectively:

1. Free deliveries made for the next trip.
2. Appropriate discounts given for these batches of products sold.

The consequence criteria can also be expressed quantitatively in terms of non-performance or failure to achieve certain KPIs, reflecting on the organisation’s priorities in accepting varying degrees of risks. In my organisation’s case, the free deliveries and discounts given could jeopardize not only the revenue and profit targets, but also in terms of customer satisfaction (which are important KPIs). As such the consequence criteria can be expressed as the mean or expected value (Bowden et. al, 2001). This is consistent with the Monte Carlo method, which can be used to obtain the distribution of the project or product value associated with trading operations (Vlahos, 2001).

Step 4: Risk Evaluation

Risk evaluation is concerned with identifying which risks must be treated and can be calculated using the product of likelihood and consequence (Bowden et. al, 2001). The risks can be compared with previously established criteria. Different softwares such as the Monte Carlo approach, the sensitivity analysis and the probability distribution can be used to show the effects of major risks for evaluation (Bowden et. al, 2001).

Step 5: Treating Risks

There are several methods of treating risks, namely avoidance, accepting, reduction and transfer of risks (Bowden et. al, 2001).

1. Avoiding risks. In my organization, avoiding such risks would involve possibly not importing highly flammable products such as liquor or diesel (which are part of the consideration for new products) as part of sales and speculating in foreign exchange fluctuations.
2. Accepting risks. Certain risks may be unavoidable. In my organisation’s case, we have huge sales transactions in Myanmar, which has just experience a major military and governmental coup. Hence sales in Myanmar may be volatile. These are potential risks, which are already factored in our business considerations.
3. Reducing risks. Currency fluctuations are imminent when trading with overseas counterparts for my organization. Hence LCs and hedging are done frequently in order to mitigate such risks for products purchased and sold to other countries.
4. Transfer risks. For my organization, this is done in terms of insurance coverage for stocks, which are housed in our premises.

Some other popular treatment of risks will include audit compliance programs, contractual obligations and conditions, preventive maintenance, quality assurance and contingency planning (Bowden et. al, 2001). Such treatments of risk are also maintained within my organization.

The different options for treatment of risks should be evaluated and risk treatment plans should be planned and prepared (Bowden et. al, 2001). Such a plan should consider detailed base implementations, risk assessment in terms of threats and opportunities in terms of priorities and recommended proactive and reactive contingency plans. (Bowden et. al, 2001).

The risk treatment schedule and action plan should include the following:

1. The different duties and responsibilities for implementation of plan. Preferably, the plan should involve a project leader and different members in charge of one aspect of the project reporting to the leader.
2. The resources to be utilized.
3. Work breakdown structure for the activities
4. Budget allocation
5. Schedule for implementation
6. Details of the mechanism and frequency for proper compliance to the treatment schedule (Bowden et. al, 2001).

Step 6: Communicating and Consulting

For this stage, stakeholders need to have a common understanding of the project or product situation. Consultation from stakeholders as well as experts is required for better opinions, with communication needed for better coordination (Bowden et. al, 2001).

Such an approach is required for several reasons:

1. To prove that the process is conducted in a systematic manner.
2. To provide records of risks and proper organizational records.
3. To provide relevant decision makers with a proper risk management and action plan for approval and implementation.
4. To provide accountability.
5. To facilitate further monitoring and review.
6. To provide audit trail.
7. To share information (Bowden et. al, 2001).

This report should include the following:

1. Executive summary
2. Scope of project
3. Methodology of study
4. Contextual issues of the project including the restraints
5. Success factors chosen
6. KPIs for each success factor chosen
7. Target and tolerance
8. Any assumptions
9. Top ten risks across all CSFs for the project or product plan
10. Vulnerabilities in phases of the project
11. Responsibilities for managing risks in phases
12. Primary and secondary drivers triggering each risk
13. Existing controls
14. Tables and figures (Bowden et. al, 2001)

Step 7: Monitoring and Reviewing

For the final step, there is a need to develop and apply mechanisms to ensure ongoing review of risks i.e. project leaders should provide a consistent update of the current situations (Bowden et. al, 2001). The effectiveness of the risk management process should be consistently monitored and reviewed (Bowden et. al, 2001).


Risk should be managed on an active basis. Risk management will involve identification of areas of high risks ahead of time, interpreted to the greatest degree possible, with the best technical or marketing talent allocated to the problem, have the problems solved as quickly as possible, and be provided with a contingency plan in case something cannot be resolved (Smith and Reinertsen, year unknown).

Posted in Uncategorized | Comments Off