BMS PROCEDURE ABTS/BMSP/MGT/R&OM:A

Risk & Opportunities Management Effective Date: 01-10-2021

1.0 PURPOSE

The purpose of this document is to provide a documented information for effective

implementation, maintenance, monitor and review of risks and developmental opportunities
that may be encountered at ABTS

The procedure includes Risk and Opportunity Management principles, philosophies and tools for
risk identification, analysis, planning and opportunity management.

This procedure is prepared to

 Understand the risks applicable to ABTS and applicable means to reduce the impact.
 Identify the opportunities for improvements on any significant project
 Identify the potential impacts on business objectives
 Manage potential impacts to ensure the best outcome for the business and stake holder
and employee satisfaction
 Identify where the risk management is necessary for current and future business
functions
 Understand the need for a proactive approach on risk management
 Implementation of proactive Risk and Opportunity Management Programme

2.0 SCOPE

This procedure is applicable to all functions at ABTS.

3.0 RESPONISBILITY

Respective HOD’s are responsible for Risk & Opportunity Management.

Risk Management is not a stand-alone activity from the management system of the organization.
RM is part of the process - not an “additional‟ compliance task
A systematic, timely and structured approach to the management of risk contributes to efficiency
and to consistent, comparable and reliable results.

The more aligned – the more effective and efficient.

4.0 Procedure :

4.1 Risk management concepts & principles

For an efficient and improved business performance by satisfying the customer needs and meet
compliance requirements the following governance are observed.

 Good business conduct which includes management of customer relations, transparent

finances and staff managements.
 Quality outputs to ensure the provision of products and services of the highest quality and
standards
 Compliance to ensure that the business complies with all applicable legal and statutory
requirements, standards, legislations etc..
 Management of Risks – to protect the business from all possible negative occurrence as
well as recognizing the Opportunities and capitalizing as and when they arise.

Prepared: QA Approved: MSC

**Disclaimer : Internal / Confidential Document as per the documentation guidelines of the organization Page 1 / 8
 BMS PROCEDURE ABTS/BMS/BMSP/R&OM:A

Risk & Opportunities Management Effective Date: 01-10-2021

4.2 Risk Management Process:

The Risk Management Process should be

 An integral part of management
 Embedded in the culture and practice, and
 Tailored to the business processes of the organization

Risk Management Process as shown in the figure 1.

4.2.1. Communication and Consultation

Communication and consultation with external and internal stakeholders shall take place
during all stages of the Risk Management Process. Therefore, planning for
communication and consultation shall be developed at an early stage. These shall
address issue relating to the risk itself, its causes, its consequences(if known), and the
measures being taken to treat it.

Effective external and internal communication and consultation shall take place to ensure
that those accountable for implementation of the Risk Management Process and
stakeholders understand the basis on which decisions are made, and the reasons why
particular actions are required.

4.2.2. Establishing the Context of the Risk Management Process

The objectives, strategies, scope and parameters of the activities of the organization, of
those parts of the organization where the Risk Management Process is being applied,
shall be established. The management of risk should be undertaken with full
consideration of the need to justify the resources used in carrying out Risk Management.
The resources required, responsibilities and authorities, and the records to be kept shall
also be specified.

Figure 1. Risk Management Process

 BMS PROCEDURE ABTS/BMS/BMSP/R&OM:A

Risk & Opportunities Management Effective Date: 01-10-2021

4.3 Risk Assessment

Risk assessment is the overall process of Risk Identification, Risk Analysis and Risk
Evaluation.

4.3.1 Risk Identification

Risk Identification is the process of finding, recognizing and describing risks

Risk identification involves the identification of risk sources, events, their cases and their
potential consequences.
Risk Identification can involve historical data, theoretical analysis, informed and
expert opinions, and stakeholder’s needs
The aim of this step is to generate a comprehensive list of risks based on those events
that might create, enhance, prevent, degrade, accelerate or delay the achievement of
objectives.

For Risk Identification,

a) Internal and External Issues/Factors and
b) Needs and expectations of Interested Parties

 Needs and Expectations of Interested Parties – ABTS/BMS/MGT/NEIP:

Organization and its Context : The following things are considered –

1.External factors can include -cultural, social, political, legal, financial, technological,
economic, and competitive environment, at the international, national, regional or local
level. Key Drivers and trends having impact on the objectives of the Organization .
Relationships with and perceptions and values of External Stakeholders

 Risk & Opportunities Register(External) – ABTS/BMS/R&OR/02

2.Internal factors typically include the organization’s corporate culture, governance,

organizational structure, technologies, information systems, and decision-making
processes (both formal and informal), Resources and Knowledge, Standards, Guidelines
and models adopted by the Organization, and extent of contractual relationships.

 Risk & Opportunities Register (DEPT) – ABTS/BMS/R&OR/01

3. Needs and Expectations of the relevant interested parties

The organization determines the interested parties that are relevant to

the Business management system and the requirements of those interested parties.

 Customers and End users

 Vendors
 Management
 Employees
 Financial Institutions
 BMS PROCEDURE ABTS/BMS/BMSP/R&OM:A

Risk & Opportunities Management Effective Date: 01-10-2021

Based on the above, the Risks are identified and listed in the Format of Risk
Register and further addressed.

o . Needs and Expectation of Interested Parties: ABTS/BMS/NEIP

4.3.2 Risk Analysis

Risk Analysis is the process to comprehend the nature of risk and to determine the level
of risk.
Risk Analysis provides the basis for risk evolution and decisions about Risk Treatment.
Risk Analysis includes risk estimation.
Risk Analysis involves developing an understanding of the risk. It provides an
input to risk evaluation and to decisions on whether risks need to be treated, and on the
most appropriate risk treatment strategies and methods.

Risk is analyzed by determining consequences and their likelihood, and other attributes
of the risk.
Risk Analysis can be undertaken with varying degrees of detail, depending on the risk,
the purpose of the analysis, and the information, data and resources available. Analysis
can be qualitative, semi-quantitative or quantitative or a combination of these, depending
on the circumstances.

Table 1 (A) - Impact

The following table gives the ways to quantify the various levels of impact.

Impact Ratings Possible impact definitions

1 Low Insignificant Minimal Inconvenience but no significant business impact

Operational difficulty requiring significant time and /

2 Medium Moderate Unsustainable
or resources to manage
High visibility, significant and / or sustained business
3 Significant High Major
issues
Threat to viability or several of the business unit of
4 Severe Catastrophic
business
 BMS PROCEDURE ABTS/BMS/BMSP/R&OM:A

Risk & Opportunities Management Effective Date: 01-10-2021

Table 2 (B) – Likelihood

The following table gives the ways to quantify the various levels of likelihood.

Likelihood Ratings Possible likelihood definitions

Not expected to occur within or has not occurred in the past 5
1 Low Unlikely years. Almost inconceivable, but cannot be ruled out entirely
Single figure percentage probability
Expected to occur within or has not occurred in the past 3 years
2 Medium Moderate
Conceivable, but more likely not to happen than to happen
Possible
Less than 50:50 chance of occurring
Expected to occur or has occurred several times in the past 3
3. High Likely Probable year More likely to happen than not to happen Greater than 50:50
chance of occurring
4 All most certain
Expected to occur or has occurred at least once a year difficult
inevitable
to conceive of it not happening high (80+) percentage probability

Table 3
Risk analysis using 4 X 4 matrix is shown below with sample numbering system of 1 to 4 for the
likelihood and Impact axes.

4 (Severe) 4 (Y) 8 (R) 12 (R) 16 (R)

Likelihood

3 (high) 3 (Y) 6 (Y) 9 (R) 12 (R)

2 (Medium) 2 (Y) 4 (Y) 6 (Y) 8 (R)

1 (Low) 1 (G) 2 (G) 3 (Y) 4 (Y)

1 2 3 4
(Low) (Medium) (high) (Severe)

Impact

Using the Risk Matrix ( by simply multiplying the likelihood and Impact values), we can assign
the Risk Rating for each of identified risks.

Risk Rating = Likelihood X Impact

Ex:- Likelihood rating = 3

Impact rating = 2
Then Risk rating = 3X2 = 6
 BMS PROCEDURE ABTS/BMS/BMSP/R&OM:A

Risk & Opportunities Management Effective Date: 01-10-2021

4.3.3 Risk Evaluation

Risk Evaluation is the process of comparing the results of Risk Analysis with risk criteria to
determine whether the risk and/or its magnitude is acceptable or tolerable. Risk Evaluation
assists in the decision about risk treatment. Decisions shall be taken in the account of the wider
context of the risk and include consideration of the tolerance of the risks borne by parties other
than the organization that benefits from the risk. Decisions shall be made in accordance with
legal, regulatory and other requirements. In some circumstances, the risk evaluation can lead to
a decision to undertake further analysis.

The Table 3 shows, the risk rating 3 to 6 is moderate and the risk rating over by 8 or more
are falling in red square cannot be ignored and must be dealt with in some way.

4.3.4 Risk Treatment, preparing and implementation of the risk treatment plans

Risk Treatment is the process to modify risk. Risk Treatment options can include :
 avoiding the risk by deciding not to start or continue with the activity that gives rise to
the risk
 taking of increasing risk in order to pursue an activity
 removing the risk source
 changing the likelihood
 changing the consequences
 sharing the risk with another party or parties ( including contracts and risk financing;
and
 retaining the risk by informed decision

Selection of most appropriate Risk Treatment option involves balancing the costs and efforts of
implementation against the benefits derived, with regard to legal, regulatory, and other
requirements. Decisions should also take account risks which can warrant Risk Treatment that is
not justifiable on economic grounds.

Eg: Severe (high negative consequence) but rare (low likelihood) risks.

The purpose of the Risk Treatment plans is to document how the chosen treatment options will
be implemented. Treatment Plans shall clearly identify the priority in which individual risk
treatments should be implemented. Treatment Plans shall be integrated with the management
processes of the organization and discussed with appropriate stakeholders. Risk Treatments
that deal with negative consequence are sometimes referred to as “ Risk mitigation” or “Risk
Reduction”.

Residual Risk:
It is impossible to totally eliminate risk and there will almost always be some level of risk
remaining after we have implemented the risk treatment. This is often referred as residual risk.
As discussed previously, the aim is to end up with a level of residual risk that we are willing to
accept. The residual risk should be documented and subjected to monitoring, review and
where appropriate, further treatment.

4.4. Monitoring and Review

Both monitoring and review shall be planned part of the Risk Management Processes and
involve regular checking or surveillance. It can be periodic or ad hoc. Responsibilities for
 BMS PROCEDURE ABTS/BMS/BMSP/R&OM:A

Risk & Opportunities Management Effective Date: 01-10-2021

monitoring and review shall be clearly defined. The monitoring and review processes should
encompass all aspects of the Risk
Management Process for the purpose of:

 ensuring the controls are effective and efficient in both design and operation
 obtaining future information to improve risk assessment
 analyzing and learning lessons from events (including near- misses),changes, trends,
successes and failures
 identifying emerging risks

The results of monitoring and review should be recorded and externally and
internally reported as appropriate.

4.5 Recording the Risk Management Process

Risk Management activities should be traceable. In the Risk Management Process,

records shall be provided for improvement in methods and tools, as well as in the
overall process.

Records:

1) Risk Register - ABTS/R&OM/RAR

2) Risk Monitoring & review plan – ABTS/R&OM/RM&RP
3) Risk Monitoring and Review Report :ABTS/R&OM/RM&RR

4.6 Tools for Risk Management

Following tools can be used for Risk Management

 SWOT Analysis
 PESTEL Analysis

4.7 Opportunities
All the processes shall seek out opportunities which could enhance its Business Process
& profitability. Opportunities can lead to:
 adoption of new practices
 launching new products
 opening new markets
 addressing new customers
 building partnerships
 Using new technology and other desirable and viable possibilities to address the
organization’s or its customers’ needs
 obtaining new contracts
 obtaining access to new markets
 streamlining existing processes to improve efficiency and reduce costs
4.8 Opportunities are also identified as part of the “Context of the Organization
Exercise”
4.9 Discussing and analyzing opportunities shall be done by top management during
the management review activities, these shall be recorded.
4.10 If an opportunity requires a risk assessment, this shall be done as defined
above.
4.11 Analysis of any opportunity will generally result in one of the following possible
determinations:
 BMS PROCEDURE ABTS/BMS/BMSP/R&OM:A

Risk & Opportunities Management Effective Date: 01-10-2021

 Pursue the opportunity

 Explore the opportunity in greater detail before proceeding
 Accept the opportunity, but under limited and controlled conditions
 Decline the opportunity, typically based on a high expected risk

Refer :

BUSINESS MANAGEMENT SYSTEM MANUAL: ABTS/BMS/MANUAL