Approaches To Defining Risk


CHAPTER 1:

APPROACHES TO DEFINING RISK


DEFINITION BY ORGANIZATIONS
• ISO Guide 73 / ISO 31000
Effect of uncertainty on objectives. It may be positive, negative or a
deviation from the expected. Risk is also often described by an
event, a change in circumstances and a consequence.
• Institute of Risk Management (IRM)
Risk is a combination of the probability of an event and its
consequence. Consequences can range from positive to negative.
• “Orange Book” from HM Treasury
Uncertainty of outcome, within a range of exposure, arising from a
combination of the impact and the probability of potential events.
• Institute of Internal Auditors
The uncertainty of an event occurring that could have an impact on the
achievement of objectives. Risk is measured in terms of consequences and
likelihood.
• Alternative Definition by Author
An event with the ability to impact (inhibit, enhance or cause doubt about)
mission, strategy, projects, routine operations, objectives, core processes, key
dependencies and/or the delivery of stakeholder expectations.
TYPES OF RISKS
• Compliance (or mandatory) risks;
• Hazard (or pure) risks;
• Control (or uncertainty) risks;
• Opportunity (or speculative) risks.
RISK DESCRIPTION: NAME OR TITLE OF THE RISK
• Statement of risk, including scope of the risk and details
of possible events and dependencies.
• Nature of risk, including details of the classification and
timescale of potential impact.
• Stakeholders in the risk, both internal and external.
• Risk appetite, attitude, tolerance or limits for the risk.
• Control standard required or target level risk.
RISK DESCRIPTION
• Incident or loss experience.
• Existing control mechanism and activities.
• Responsibility for developing risk strategy and policy.
• Potential for risk improvement and level of confidence in existing
controls.
• Risk improvement recommendations and deadlines for
implementation.
• Responsibility for implementing improvements.
• Responsibility for auditing risk compliance.
EXAMPLE
• Computer viruses. To understand the distinction between hazard,
control and opportunity risks, the use of computers is a useful
illustration. Virus infection is an operational or hazard risk: there
is no benefit to an organization suffering a virus attack on its
software programs.
• When an organization installs and upgrades a software package,
control risk is associated with the upgrade project.
• The selection of new software is also an opportunity risk:
the intention is to achieve better results by installing the new
software, but it is possible that the new software will fail to
deliver all the functionality that was intended, so the
opportunity benefits will not be delivered.
RISK CLASSIFICATION SYSTEMS
• Risks can be classified according to:
1. the nature of the attributes of the risk, such as timescale for impact;
2. the nature of the impact and/or likely magnitude of the risk;
3. the timescale of impact after the event occurs;
4. the source or origin of the risk, such as counterparty or credit risk;
5. the component or feature of the organization that will be
impacted. For example, risks can be classified according to
whether they will impact people, premises, processes or products.
• The risk matrix can be used to plot the nature of individual
risks, so that the organization can decide whether the risk is
acceptable and within the risk appetite and/or risk capacity of
the organization.
• The horizontal axis is used to represent likelihood. The term
likelihood is used rather than frequency, because the word
frequency implies that events will definitely occur and the risk
matrix is registering how often these events take place.
Likelihood is a broader word that includes frequency, but
also refers to the chances of an unlikely event happening.
• The vertical axis is used to indicate magnitude in Figure
1.1. The word magnitude is used rather than severity, so
that the same style of risk matrix can be used to
illustrate compliance, hazard, control and opportunity
risks. Severity implies that the event is undesirable and
is, therefore, related to compliance and hazard risks. The
magnitude of the risk may be considered to be its gross
or inherent level before controls are applied.
• The more important consideration for risk managers is not the magnitude of
the event, but the impact of the event and the consequences that follow.
• The magnitude of an event may be considered to be the inherent level of the
event and the impact can be considered to be the risk-managed level.