Risk management is an integral part of the activities of a successful, developing organization. Such management is designed to simplify the organization’s operation under constantly changing, unpredictable or poorly predictable external conditions. At the same time, new potential problems are constantly being identified, and risk managers monitor the results of previously performed actions.
A real assessment of economic, production and other organizational indicators helps the company’s risk management department to develop changed, new measures or adjust old ones to achieve the least risky state of the company. Entire risk areas or individual less likely events can be identified. It all depends on the specifics of the work and the size of the organization being analyzed.
The essence of risk management
Risk management is a set of activities that are aimed at identifying possible negative factors for a particular business and assessing the likelihood of their occurrence.
In the conditions of modern competition, which is observed in any area of business activity of a manufacturing enterprise or service organization, risk management is one of the priority areas of the company’s work.
The result of competent management should be the minimization or complete elimination of the negative impact that emerging risk events may have on the profitability and integrity of the organization.
In other words, risk management works with those circumstances that arise as an obstacle to the functioning/development of the company.
To effectively deal with threats, a risk management system is organized. This work can also be called risk modeling. It involves identifying possible risks based on available data and developing specific measures to eliminate or minimize these threats.
Sometimes typical solutions help, but you also have to develop special ones. This takes into account factors such as budget, available resources, and the degree of likelihood of a particular event occurring.
Alexey Blagikh (blagih.ru)
Business TRIZ expert, entrepreneur. Founder and director since 2008 of the Bi-plan.ru service. Expert of the portal Financial Manager.
If you enter the market with an unprepared business, do not have a strategy, a calculated business plan, or risk assessment, your chances of getting on the list of entrepreneurs who close in a year are 90%. You can find ready-made business plans with all calculations on our platform, download the business plan you need and adjust it to your business.
Concept and content of risk management systems
A risk management system is an established or constantly changing and supplemented set (plan) of measures to assess the likelihood of threats to an enterprise.
An effective risk management system includes:
- forecasts of the emergence of a particular threat;
- analysis of possible, hypothetical causes of each identified threat;
- development of a strategy (strategies) to eliminate negative consequences, stop or minimize the influence of risk factors;
- creating favorable conditions for the implementation of previously developed strategies;
- constant systematic monitoring of situations related to threats to the organization;
- analysis and intermediate monitoring of the results of implementing anti-risk strategies.
According to the above content of the risk management system (RMS), the first stage always involves identifying any possible risks, taking into account the specifics of the company’s activities. The degree of their influence on the organization and its work is also determined.
In this case, methods of quantitative and qualitative analysis are used. Depending on the danger or the degree of impact of the potential risk on the company and its profit, a plan to manage these threats is drawn up, agreed upon and put into effect.
When the RMS is implemented at the enterprise and begins its work, an analysis of the impact of this system on the financial performance of the company is compiled. The patterns identified in this way are very important indicators for the risk manager and company management. After the first results appear and are identified, a conclusion is made about the effectiveness of the measures taken.
In this way, the implemented risk management system will significantly reduce the negative, sometimes even destructive influence of uncertainty factors that are constantly present in any business.
Main section
As a result of the study, it was revealed that the key elements for building risk management systems are approaches, models and methodologies of risk management, while in the literature they are covered very fragmentarily and, as a rule, are reduced to a standard risk management methodology.
The key approaches that can be identified based on a review of sources are active, adaptive and conservative approaches.
When implementing an active approach to risk management, the company strives to preempt risk events and continuously monitor and control risks. Adaptive management, or adaptive approach, is based on adapting production and economic activities to the current situation. With this approach, the company can control only part of the risks and, as a rule, compensate for part of the losses. As a positive manifestation of the use of this approach, one can mention the relatively low costs of monitoring and risk control, compared to the active approach.
Finally, the conservative approach is based on the absorption by the company or its partners of already realized risks and their consequences. There are minimal costs for forecasting and risk management, but there can be very tangible consequences of damage.
Within the framework of the described approaches, risk management models can be distinguished: static and dynamic. While the definition of approaches to risk management does not cause discrepancies among different authors, the interpretation of static and dynamic risk management models is ambiguous.
Thus, according to some experts, static or dynamic in relation to risks can only be used to determine risk categories. Thus, static risks are caused by unforeseen changes in the external environment, and they cause irreparable damage to the company. Dynamic risks are associated with the implementation of management decisions and cyclical macroeconomic fluctuations, which leads to a decrease in the stability and capitalization of the company.
In addition, it is believed that static risks arise only once during the life cycle of projects or the existence of a company, and their occurrence leads to the liquidation of the organization or the closure of projects. Dynamic risks may arise constantly and not be critical.
On the other hand, the possibility of using the real options method to reduce the negative impact of risks is currently being actively studied. Real options are opportunities, built into the project or provided within the framework of production and economic activities, for management to make deferred management decisions at the right time, as a rule in the future. These are, most often, key decisions: on liquidation of a company (project), on business expansion, diversification or downsizing. In this way, experts and developers of this methodology are trying, through dynamic processes, to revise the static elements of the enterprise management system and avoid critical risks.
This approach, in general, is justified, but its disadvantage is that events are linked not only to the probability of the event occurring, but also to fairly long periods of forecasting this event.
Finally, we can highlight a third option for defining static and dynamic risk management models.
In the static model (Figure 1), risks are considered completely predictable and are assessed before the start of project or production activities. Risk management in such models comes down to only two key elements: the creation of reserves and risk adjustments of about 10-15% of the budget and risk insurance. The costs of creating and maintaining such a system are approximately equal to the cost of insurance and are a constant value. The disadvantages of this approach include the high cost of risk insurance and the need to revise the list of risks, since their list and degree of influence on the project changes, and insurance companies, in the current business conditions in the Russian Federation, refuse to insure some types of risks. According to some data, the average cost of insurance for business risks is 6-8% of the contract value, property risks - 0.05-1%, liability risks - 0.1-0.5%.
Figure 1. Static risk management model [8]
However, the use of the static method is quite effective for relatively small volumes of losses, short periods and low periodicity (cyclicity) of economic processes.
Dynamic model. If a company or enterprise operates in conditions of high volatility of economic and production processes, is exposed to not only constant, but also variable dynamic risks, in most cases not amenable to strict systematization, then such an enterprise can organize a permanent structure - a kind of management headquarters that carries out coordination of activities taking into account the changing situation. The dynamic risk management program is based on an express analysis of the changing situation, ensures the identification and definition of new significant (it must be emphasized, “significant”) risks in the process of program implementation. Especially the following types of risks should be taken into account: operational - errors and miscalculations of personnel and management, reputational risks associated with the position of the enterprise and its management in business and society, environmental and social risks. Risks caused by globalization processes must be taken into account initially and constantly monitored, because such risks can be catastrophic.
Dynamic risk management models are built on the principles of immediate response to changes in control parameters, analysis of deviations that have occurred and development of elimination methods.
Figure 2. Dynamic risk management model [8]
One of the options for a dynamic control model can be considered the TPS (Toyota Production System) model or principle, developed and implemented at TOYOTA factories. Unlike the American assembly line model, where stopping production was equated to an emergency, at TOYOTA factories stopping the conveyor due to the detection or prevention of defects is not only encouraged, but is the basis of the corporate philosophy. The essence of this system is that the effective functioning of all divisions of the company lies not so much in preventing operational errors, but in analyzing their occurrence and developing measures to prevent their occurrence in the future.
Despite some vagueness in the theoretical formulations of dynamic, process risk management models, in practice this approach is used quite actively in closed corporate risk management programs, including at Russian enterprises. For example, PJSC Gazprom Neft (Table 1) in the open data block reports that the company abandoned the global static risk management system in favor of localizing risk management for business processes. The program for introducing dynamic risk management models has been implemented since 2008, and ensures the gradual integration of risk management into basic first-level business processes: production, industrial safety, procurement, projects, as well as second-level business processes - refining and sales. This makes it possible to quickly correct current deviations in the contour of business processes without resorting to large-scale changes. In the event of large-scale changes, an integrated information system and a system of standards will allow for a faster restructuring of processes.
Table 1. Implementation of an integrated management system at Gazprom Neft PJSC [6]
2008–2010 | 2011–2012 | 2013–2014 |
— The Concept for Implementing IRMS was developed and approved by the Management Board, and the Risk Management Policy was put into effect. — The standard has been put into effect. — The IRMS perimeter has been expanded to 29 facilities (20 subsidiaries and dependent companies and 9 divisions of the Corporate Center). | — Expansion of the IRMS perimeter – subsidiaries and dependent companies, large projects. — Risk management procedures in managing large projects have been systematized. — Risk-based planning has been introduced in internal audit. — Beginning of integration of the risk management system into the business planning process, systematization of information about risks and activities taken into account in the business planning process. — The IRMS was analyzed for compliance with global practices (Ernst & Young). It was recognized that the development trends of IRMS in the Company are in accordance with advanced trends. A distinctive characteristic of the current stage of development is the integration of IRM processes into management decision-making processes. | Continued integration of the risk management system into the business planning process, including: — improving methods for quantitative risk assessment; — improving risk analysis methods as part of the development and revision of comprehensive field development plans; — integration of IRMS with management by objectives (justification of target performance indicators taking into account risk assessment). Continued integration of risk management procedures into operational management. Development of an information system that supports IRM processes. |
The third component is risk management algorithms and methodologies, which are developed within the framework of the described static and dynamic models.
The most well-known methodology is presented in Table 2; it is specific to static models, although, of course, methods of identification, quantitative, and qualitative risk assessment are also used in dynamic models.
Table 2. Typical risk management methodology [5]
No. | Stage | Methods |
1. | Risk management planning | Decisions on the organization, staffing of project risk management procedures, selection of the preferred methodology, data sources for risk identification, time interval for situation analysis. |
2. | Risk identification | — brainstorming; — Delphi method; — identification of root causes; — SWOT analysis; — Monte Carlo method. |
3. | Qualitative risk assessment | — expert method; — method of cost appropriateness analysis; — method of analogies. |
4. | Quantitative risk assessment | — method of adjusting the discount rate; — method of reliable equivalents (reliability coefficients); — sensitivity analysis of efficiency criteria (net present value (NPV), internal rate of return (IRR), etc.); — scenario method; — analysis of probability distributions of payment flows; — decision trees; — Monte Carlo method (simulation modeling), etc. |
5. | Risk response planning (risk elimination) | — risk avoidance; — limiting risk concentration; — hedging; — diversification; — creation of special reserve funds (self-insurance funds or risk fund); — insurance. |
6. | Monitoring and control | — expert methods; — modeling; — statistical methods. |
To work within the framework of dynamic models, companies can use various methodologies: the transition to integrated risk management systems (described in Table 1 using the example of Gazprom Neft), the introduction of a balanced scorecard system (BSC), and the use of logistics principles in managing certain types of risks.
Building an integrated risk management system (IRMS, mentioned in Table 1) is a fairly large-scale task, unique to each enterprise. In this case, the company decides for itself how to integrate risk management systems into the overall management system. The use of such mechanisms makes it possible to achieve a high level of dynamism in risk management, but it is only within the power of stable large companies for which investments in the development and implementation of such systems are justified.
The second currently relevant approach is the transition of companies to planning their activities based on a balanced scorecard (BSC). The classic BSC methodology is based on the formation of a system of key indicators arising from the company’s strategic goals, divided into four perspectives: Finance, Customers, Internal business processes, Training and growth. BSC provides targeted monitoring of the company’s activities, allows you to predict and anticipate the emergence of problems, organically combines management levels, and controls the most significant financial and non-financial indicators of the company’s activities.
Classical BSC does not imply separate consideration of the risk factor; however, as they have evolved, risk management and BSC have come to share a number of similar characteristics, which are presented in Table 3. Financial risk management is present in such a model, but indirectly.
Table 3. Main general characteristics of risk management and BSC [7]
Risk Management | BSC |
Focus on strategic goals, mission and vision of the company | |
Risk management focuses directly on the company's strategic goals and assists in achieving them. | BSC translates the mission and overall strategy into a system of clearly defined goals and objectives, as well as indicators that determine the degree to which these goals are achieved. |
Proactive and forward-looking | |
Risk management allows you to prevent enterprise risks that are currently not yet critical, but in the future may affect the stability of the company. In this way, risks are identified before they occur. | BSC identifies deviations in the activities of an enterprise before they affect its financial results. |
A comprehensive approach | |
Risk management determines and manages the entire range of risks of the company. This process promotes a more effective response to various impacts and an integrated approach to the company's multiple risks. | Involvement in the management process of both financial and non-financial indicators that cannot be given a monetary value. Recognizing that traditional measurement of company performance, focused on financial indicators, is outdated and does not provide a complete picture of the economic health of the company. |
Involvement of all company employees in the implementation of the program | |
Risk management is part of the company’s corporate culture, that is, it is included in the responsibilities of every employee, and not just line managers, managers and risk management specialists. | BSC ensures that a company's employees work together smoothly and provides all levels of management with insights into how decision-making can be improved and goals can be achieved. By involving staff in the process of implementing strategic decisions, the company turns into a flexible structure where each employee has the same understanding of the goals set. |
Presence of cause-and-effect relationships | |
Risk can be either predictable (risk generated by problems) or random (force majeure, natural disasters, etc.). The implementation of both predictable and random risks inevitably leads to a problem. Thus, there are interdependent cause-and-effect relationships between risks and problems. | BSC is based on the vertical and horizontal cause-and-effect relationships of four perspectives that describe the company's vision and strategy and allow it to realize its mission throughout its existence. |
Continuity throughout the entire period of the company's existence | |
Risk management and BSC are not one-time projects. These systems are only effective if they are designed for use over a long period of time and are constantly improved taking into account accumulated experience and changing market conditions. |
Finally, the third methodology that can be used to integrate risk management in a company into business processes is the use of logistics principles. In general, this approach is also used when building an integrated risk management system, but in this case, all the company’s activities are divided into business processes. This, as noted earlier, is not always affordable for medium and small companies. The use of logistics principles is possible to manage certain (key) types of risks, which include, for example, financial risks.
Risk management and financial stability of enterprises based on optimization of logistics flows is currently allocated to an independent direction - “financial logistics”. Financial logistics is a key process that accompanies all resource flows of the company, and its development is based on a combination of financial management tools (factoring, lending, receivables optimization) and logistics (supply chain modeling, inventory and warehousing optimization). This, taken together, makes it possible to prevent the occurrence of risks, increase the financial stability of enterprises, and accelerate the turnover of current assets. Considering the fact that the key function of finance is supporting (ensuring the circulation of fixed and working capital, resource flows), and logistics flows directly form added value (according to M. Porter), the emergence of such a combination is quite natural [4].
The use of financial logistics mechanisms for continuous and dynamic management of financial risks opens up good opportunities for small and medium-sized companies, enterprises in the non-manufacturing sector/light industry/trade, where business processes are generally universal and standard. In this segment, optimization of logistics flow leads to optimization of financial flows, which generally increases the sustainability and competitiveness of the company.
Specifics of risk management standardization
Risk management methods in an enterprise can be different, but there are two main directions: static and dynamic.
Traditional method
The traditional or static method of risk management involves making decisions to mitigate identified threats to the viability or profitability of the business, which are strictly adhered to and cannot be changed.
In eighty percent of cases, this standard method of managing investment and other risks is typical for opportunistic companies and is most often used as a reaction to the occurrence of a particular event.
The static method of risk management is mainly used in small enterprises (legal entities), in companies with simple structure and activities and small initial capital.
The advantage of a static strategy is the absence of abrupt changes and the presence of stability.
The drawback of the traditional model of managing production or other risks is the possibility of stagnation, which is undesirable for most organizations in any field of activity.
Dynamic method
Risk management of an investment or production project under the second of these strategies (dynamic) is designed to answer the following questions:
- How professionally does our enterprise use available resources to protect against potential threats?
- Does the chosen strategy help strengthen the organization’s position in the market?
- Is it possible to take risks now in order to obtain greater profits in the near future?
and so on.
It turns out that dynamic management of organizational operational risks involves assuming a much higher probability of adverse events occurring than a static model, and threats cannot be underestimated.
Based on this, a competent combination of these two different approaches becomes rational.
Risk register (simplified form):
Hazardous event ID | Name and description of the dangerous event | Responsible Risk Manager | Consequences of a hazardous event | Probability of a hazardous event | Risk assessment | Risk treatment measures | Timeframe for completing risk treatment measures | Notes |
Scale for assessing the consequences of a hazardous event:
Consequence (I), points | Description of consequences | Objects affected by a hazardous event |
5 | Catastrophic consequences | People, environment, economy, state and municipal authorities, social environment, infrastructure |
4 | Significant Consequences | People, economy, infrastructure, environment, social environment |
3 | Moderate Consequences | People, economy, infrastructure |
2 | Small consequences | Economy, infrastructure |
1 | Minor Consequences | Social environment |
Scale for assessing the likelihood of a dangerous event occurring:
Probability estimate, % | Qualitative probability assessment, points |
Very high – 81–100 | Very high - 5 |
High – 61–80 | High – 4 |
Average - 21–60 | Average - 3 |
Low - 1–20 | Low - 2 |
Very low - less than 1 | Very low - 1 |
Risk matrix, ranks:
Qualitative assessment of the probability of a dangerous event | Consequences: Minor (1) | Small (2) | Moderate (3) | Significant (4) | Catastrophic (5) |
Very low (1) | 1 | 2 | 3 | 4 | 5 |
Low (2) | 2 | 4 | 6 | 8 | 10 |
Medium (3) | 3 | 6 | 9 | 12 | 15 |
High (4) | 4 | 8 | 12 | 16 | 20 |
Very high (5) | 5 | 10 | 15 | 20 | 25 |
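The register, the two scales and the matrix above can be applied mechanically. The following is an added example, not part of the original page: it converts a probability estimate in % to points using the page's scale, multiplies it by the consequence score to get the rank, and orders a register for treatment. The register entries, the tie-break on consequence and the handling of fractional percentages between the integer bands are assumptions made for the example.

```python
from dataclasses import dataclass

# Consequence scale (I) from the page, in points.
CONSEQUENCE_LABELS = {1: "Minor", 2: "Small", 3: "Moderate",
                      4: "Significant", 5: "Catastrophic"}

# Probability scale from the page: (inclusive upper bound in %, points).
# "Very low" (less than 1 %) is handled separately as a strict bound.
PROBABILITY_BANDS = [(20, 2), (60, 3), (80, 4), (100, 5)]


def probability_points(percent: float) -> int:
    """Convert a probability estimate in % to the 1-5 qualitative score."""
    if not 0 <= percent <= 100:
        raise ValueError(f"probability must be 0-100 %, got {percent}")
    if percent < 1:
        return 1
    # The page lists integer bands (1-20, 21-60, ...). Assumption: a
    # fractional value such as 20.5 % goes to the higher band, so an
    # estimate is never rounded down into a lower score.
    for upper, points in PROBABILITY_BANDS:
        if percent <= upper:
            return points
    raise AssertionError("unreachable: 100 % is the last upper bound")


def risk_rank(prob_points: int, consequence: int) -> int:
    """Rank of one matrix cell: probability points x consequence points."""
    if prob_points not in range(1, 6):
        raise ValueError(f"probability points must be 1-5, got {prob_points}")
    if consequence not in CONSEQUENCE_LABELS:
        raise ValueError(f"consequence must be 1-5, got {consequence}")
    return prob_points * consequence


def risk_matrix() -> list:
    """Rebuild the 5x5 matrix: rows are probability, columns consequence."""
    return [[risk_rank(p, i) for i in range(1, 6)] for p in range(1, 6)]


@dataclass(frozen=True)
class RegisterEntry:
    event_id: str
    name: str
    owner: str
    probability_percent: float
    consequence: int


@dataclass(frozen=True)
class ScoredRisk:
    event_id: str
    name: str
    owner: str
    probability_points: int
    consequence: int
    rank: int


def score_register(entries) -> list:
    """Score every entry and return them ordered for treatment."""
    scored = []
    for e in entries:
        p = probability_points(e.probability_percent)
        scored.append(ScoredRisk(e.event_id, e.name, e.owner, p,
                                 e.consequence, risk_rank(p, e.consequence)))
    # Highest rank first. Assumption: on equal rank the event with the
    # heavier consequence comes first; the page does not define a tie-break.
    return sorted(scored, key=lambda r: (-r.rank, -r.consequence, r.event_id))


# Constructed sample register (IDs, owners and estimates are illustrative).
SAMPLE_REGISTER = [
    RegisterEntry("R-01", "Key supplier fails to deliver", "Procurement", 35, 4),
    RegisterEntry("R-02", "Substation accident stops the plant", "Production", 15, 5),
    RegisterEntry("R-03", "Retail stores pay late", "Finance", 70, 3),
    RegisterEntry("R-04", "Loss of archived documents", "Office", 0.5, 2),
]

if __name__ == "__main__":
    for r in score_register(SAMPLE_REGISTER):
        print(f"{r.event_id}  P={r.probability_points}  I={r.consequence} "
              f"({CONSEQUENCE_LABELS[r.consequence]})  rank={r.rank:>2}  "
              f"{r.name} [{r.owner}]")
```
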
What risks are there in business?
Each business has its own range of risks, so it is better to open a business in an area in which you understand. This makes it easier to identify the range of potential threats. But usually there are 6 types of risks.
Internal
These threats arise from the actions of management or employees. For example, the company provided targeted advertising on social networks. Clients began asking questions in private messages, but the manager answered in monosyllables, did not initiate a dialogue, and did not ask questions. As a result, the advertisement brought potential buyers, but due to the fault of the employee, sales did not take place.
Production
In production, defects occur due to the human factor or low-quality raw materials. Or the plant shut down due to an accident at a substation, and the equipment failed.
Financial
It's all about money. For example, the company sent products to retail stores, but they did not pay on time. Or an entrepreneur spent money from suppliers to buy a car, but he had no funds left to pay off his obligations.
Insurance
There are cases that can be foreseen and insured in advance: fire or theft of equipment. The business bears the cost of insurance, but if risks occur, entrepreneurs will receive compensation.
Commercial
These threats affect the sale of goods or services. For example, a clothing store is faced with the fact that customers prefer to buy online. Or the web studio doesn’t find clients because competitors make websites cheaper.
External
An entrepreneur cannot influence these conditions: changes in legislation, a pandemic or innovations in the tax system. It’s worth dwelling on the latter in a little more detail. In 2021, entrepreneurs were faced with the fact that the state abolished the UTII regime and offered an amended patent in return. But, as a rule, a patent in the regions is more expensive than imputation. And this despite the fact that the authorities allowed the cost to be reduced by the amount of insurance premiums.
The Federal Tax Service began to strictly monitor entrepreneurs and the validity of transactions. Starting from 2021, tax authorities have changed their 6-NDFL verification algorithms to see entrepreneurs who pay less than the industry average salary. That is, if employees receive a small official salary, the Federal Tax Service may send a request asking them to indicate the reasons.
The founder of the “School of Professional Business Owner” Oksana Dazhun believes that entrepreneurs should pay close attention to tax risks:
“It is important to monitor the results and plans of the Federal Tax Service in tax control. Learn how companies choose for a scheduled audit, how to optimize taxes, how the courts work, and what businesses can expect from tax administration. To do this, it is useful to attend trainings and seminars at least once a year, where they will talk about innovations and judicial practice.
Algorithm for the formation of PPS
Based on the results of the SWOT analysis, make a list of risks, threats, opportunities and strengths of the business:
- State the problem - something that can be effective.
- State the risk—what could happen if you do nothing.
- Formulate a goal - to what state we want and can reduce the risk.
- Formulate risk management measures - what we will do.
- Assign someone responsible for each risk.
- Set deadlines and control dates for impacting the risk.
- Collegially determine the probability of risk occurrence on a 10-point scale.
- Collegially determine the depth of the consequences of the risk on a 10-point scale.
- Determine the degree of risk and response category.
- Include events in the overall strategic plan of events, individual SMART tasks"
Denis Zagrebil believes that the risks of every business are different, but some are more common:
“Risks depend on the stage of development of a business or company. But I consider the main ones to be poor quality services, unscrupulous suppliers and employees, and overestimation of market opportunities. In general, in my opinion, management decisions are often made without a thorough analysis of business risks, situationally or based on experience."
Types of risk management methods
Methods for managing business or other risks have already been formulated and studied.
Here they are:
- refusal;
- reduction (decrease);
- division (differentiation);
- evasion;
- acceptance;
- transfer of risk or sharing;
- gain;
- retention;
- reduction of losses.
Refusal
The method of managing risks by refusing them consists in completely abandoning a too risky area of activity or project. This decision is made by risk managers and business executives when a risk variable greatly threatens the further existence of the company.
Reduction
Reducing a threat, or reducing its impact, means making the decisions needed to minimize the possibility of an undesirable risk situation occurring.
For example, you can create reserves, introduce restrictions, or take other measures that will reduce the likelihood of the occurrence of an event that is considered a possible risk for the enterprise or project in question.
Separation
Separation of threats or their differentiation involves cutting off, “nullifying” the possibility of the occurrence of one of several possible threats.
This may be duplication of important documents or segments on the production line, or process elements. In this case, the loss of documents or failure of one section (one line) of production will not have a loss-making effect on the enterprise.
Thus, the differentiation of threats for an insurance company consists in filling the insurance portfolio competently and evenly: concluding more contracts with small risks and fewer contracts with high risk probabilities.
Evasion
Threat evasion involves changing the enterprise's operating plan so that the target threat cannot occur at all.
This strategy is not often used, because it is not easy to implement.
For example, if a building has already been built in an inappropriate location and there is a risk of flooding, it is already too late to change the location of the house, since this should have been taken into account at the stage of creating a plan for the future structure.
Acceptance
The acceptance strategy is carried out by a fearless leader who does not shy away from the threat in any way, but accepts the fact of the possibility of its occurrence. When this method works, a so-called “Plan B” is created in case the risk in question does occur.
This strategy is also identified as the use of a threat if the likelihood of its occurrence is included in the overall plan for the development and functioning of the organization.
Transfer
The transfer or sharing of a threat consists of insurance against certain risk events. If the company's main fear is fire, since it has quite a few warehouses with flammable products, it is worth taking out fire insurance.
Another example: an organization with a large fleet will most likely insure it, especially since it is cheaper than single insurance. You can also transfer the risk to the counterparty by concluding an appropriate agreement.
Gain or hold
Financial risk management methods also include such an effective method as increasing the threat. This method involves increasing the likelihood of a favorable outcome occurring.
To do this, sources of positive rather than negative threats are identified. The retention system as financial risk management involves taking part or all of the risk upon yourself.
This strategy is similar to the transfer of risk, only the transfer is made not to third parties but to the capabilities of the company itself. An example of threat retention is the creation of additional resource reserves in case of their depletion or damage.
Loss reduction
Risk management in an organization or project can follow a loss reduction strategy. Usually, when other anti-risk methods fail, the time comes to apply this one.
It consists of minimizing losses that are certain to occur or have occurred. However, measures to reduce monetary losses can also be preventive, that is, those that were taken in advance.
Evasion: advantages and disadvantages of the method
From the name it is clear that the evasion method involves avoiding dangerous situations:
- do not enter into transactions with partners with a dubious reputation;
- refuse to cooperate with unverified organizations;
- do not implement innovative projects if there is even the slightest possibility of failure.
This strategy may avoid many unforeseen dangers, but it will hinder the company's development and cause many profitable investment decisions to be missed.
Insurance is one of the popular methods of evasion, when the responsibility for compensating losses is transferred to the insurance company. It allows you to resolve the issue of uncertainty and financial stability of the company. But this defense mechanism has its drawbacks:
- it is impossible to insure against all threats;
- insurance payments are made even if a dangerous situation never occurs;
- the influence of insurance companies is limited, so they cannot provide complete protection against all threats.
Application of methods
The use of one or another method (pure, alternative or combined) should take into account the specifics of the enterprise and the scope of its activities. The initial indicators and their correctness also influence the chosen method. Threat management is constantly aligned with dynamically changing metrics that the risk manager monitors to keep the job moving.
When the threat level decreases, then attention should be paid to other threats that are identified as minor. In practice, managers working on organizational risks also take into account the urgency of responding to a particular threat or the possibility of its occurrence. If you have more time, you can conduct a more detailed, thoughtful analysis by the entire team in order to develop the most appropriate strategy for carrying out anti-risk measures.
Dalai Lama XIV
“Be aware that great love and great success come with great risk.”
Algorithm for constructing an RMS in a company
To build a working RMS in a company, it is necessary to adhere to the following algorithm of actions: identification, analysis, planning, monitoring (control).
Identification
Risk management of any organization is impossible without passing the first stage of the above algorithm for constructing an RMS.
This stage is about identifying, that is, finding threats. First of all, it is worth noting that the number of threats around an enterprise or an individual project is innumerable.
This means that there is no point in trying to find all of them; we are limited to identifying a few dozen.
It is important to remember that the first stage is a responsible one: the more information is collected during this step, the better the protection that countermeasures can provide, and even an unpredictable risk can be eliminated.
In the case when a serious threat remains unattended, that is, not identified at the first stage, its occurrence puts the entire organization or risky project at risk.
Analysis
The analysis stage allows you to determine how dangerous and possible the identified threats are.
When carrying out risk analysis activities, it is necessary to create as detailed a description of possible threats as possible in order to obtain a clear picture of the potential danger. The main goal of this stage is to identify the most dangerous risks for the company.
This is necessary to direct the main forces (resources) to eliminate or reduce the impact of the most complex threats. For convenience, it is worth assessing the probability of occurrence and the magnitude of possible consequences for each threat.
Thus, gradually, responsible employees must determine the importance of each of the identified risks of the organization.
Planning
The third stage, called planning, is to create a risk management plan. It is compiled for all threats that, based on the results of the first two stages, were considered critical or most likely or unprofitable.
It is during planning that a further strategy is chosen to manage each of the risks.
Control
Stage four (monitoring and control) is needed to identify the effectiveness of risk management. It is necessary to constantly monitor how exactly the measures taken affect the likelihood of threats occurring.
Expert rules
Such rules for identifying risks are compiled by subject matter experts.
They are guided by their work experience or generalize the opinions of colleagues who deal with violators every day. The result is simple judgments of the form “if...then...”. The probability of risk occurrence and potential damage from the threat in this case is determined “by eye” or by rough calculations.
The advantage of expert rules is that they are easy for humans to compile and interpret. The disadvantage is that a large number of persons, both violators and respectable economic entities, may fall under the rule at the same time, so the effectiveness of control will be low. At the same time, some violators will slip through, because the expert could not detect and take into account the patterns that describe them.
For example, an expert rule for customs control tells us that all shipments of apples with a value below a certain threshold are classified as risky shipments:
When we carry out control, we will find both goods with violations (red) and completely normal deliveries (green), the low cost of which is explained by individual discounts, the sender’s struggle with overstocking, or the economic model of the enterprises.
Anything above this conditional cost threshold (red line) will be out of control (gray circles). But if we check them too, we will find both truly legal supplies and deliveries whose real value is even higher than what was stated in the declaration (gray circles with a red dotted outline) and for which customs duties have not been paid in full.
Therefore, the use of expert rules usually leads to excessive coverage of control objects and low effectiveness (remember our squares from the first article?):
You shouldn’t blame the experts: human consciousness is limited in the number of objects it can operate with (an interesting article was once published on Habr, the author of which suggested that their number is limited to seven). Hence the broad strokes instead of precise details: for example, the risk of fire is determined only by the year the building was built, the area where it is located and the category of residents. All these characteristics once “played out”: a fire broke out in an old house, and a room in a disadvantaged area caught fire. Therefore, experts expect threats from objects of this type in the future.
But not all of these “dangerous” buildings are actually going to burn down, even if they fall under the expert rule: many old and wooden houses stand as if nothing had happened. Some dysfunctional houses stand for years without a single fire. The expert simply could not take into account some subtle individual characteristics of dangerous objects.
This is where machine learning comes in and helps create statistical risk profiles. They are formed when we apply data analysis technologies to the history of violations and information about controlled objects.
Principles for implementing the RMS
Every effective and efficient RMS should be implemented based on the following principles:
- complexity;
- integration;
- continuity.
Complexity
The principle of complexity presupposes the mandatory participation of all departments of the enterprise in dealing with risks, that is, it is impossible to take into account financial risk and at the same time forget about production risk.
The specialist responsible for his cluster of organizational activities must report the likelihood of threats based on his experience and specialization in the project or organization in question.
Integration
The principle of integration, unlike the previous one, speaks of the need to consider risks and work with them in conjunction.
This means that the concept of an integral threat is being formed, which takes into account all possible factors at once.
Such a global, comprehensive risk will include, in percentage or share terms, the impact of all possible threats on the activities of the enterprise as a whole.
Continuity
The principle of continuity is responsible for constant and continuous monitoring of the state of risk in constantly changing operating conditions, including economic and other external, as well as internal conditions in which the company operates or the project is carried out.
At the same time, new threats are identified as they appear, and the same work is carried out with them.
Localization: under what conditions is it used?
The containment method is used only for threats that are easy to predict and can be isolated to some extent. Individual highly dangerous stages and areas of work are transferred to departments, where strict control is established over them. In practice, the following mechanisms are used:
- A small subsidiary is created that takes over the development and implementation of innovative projects. Dangerous projects are isolated from the company's core activities.
- To implement a risky project, a deal is concluded between several companies. Its development is carried out by a specially formed separate team of specialists.
Assessing the company for risk management
Planning for managing selected risks in an enterprise, as well as subsequent activities to deal with threats, must be accompanied by an assessment of the correctness of the actions taken.
To do this, check that the following conditions are met:
- problems are solved only within the framework of the existing authorized capital of the legal entity or the budget included in the project;
- when creating a plan for dealing with risks, one should take into account, among other things, indicators related to the specific field of activity in which the organization operates;
- check whether a thorough, detailed analysis of the situation has been carried out;
- risk management takes into account the established corporate strategy of the organization;
- when planning risk management, only economically feasible options are taken into account: they must be based solely on reliable, verified information that does not have a negative effect on the final performance indicators responsible for the economic activities of the organization;
- if there is a lot at stake in the fight against possible threats, but future gains are doubtful, it is not worth taking such costly measures.
In order for the risk plan to be correctly drawn up and work, it is necessary to clearly understand the goals facing the manager and leader even at the stage of searching for problems. Only on the basis of this information, processed in the correct way, is it necessary to draw primary conclusions about the presence and importance of certain risks.
In this way, a progressive, continuous system is gradually formed, in which previous data is used to move to the next stage only after analysis and evaluation.
Search for the unknown
There are several ways to experience the unknown.
The first is random sampling. We take an arbitrary object (within the limits of our powers), such as a product, an enterprise, a building or a citizen, and carefully examine it. The approach is quite impartial but not very effective: a respectable subject is just as likely to come under scrutiny, and the efforts of the government agency and budget money will be wasted.
The second is anomaly detection. In this case, an object whose parameters stand out from the rest is taken for verification. When we analyze anomalous events, rather than just randomly “poking” at a bunch of objects, the likelihood of finding a violation is higher.
For example, during an environmental inspection it turns out that a plant consumes an unexpectedly large amount of electricity:
Perhaps it is worth taking a closer look at it and checking whether the plant discharges more than permissible into the water or air.
Or the goods at customs have an unusual weight-to-packaging ratio:
After the inspection, it may turn out that the importer “played” with the weight in order to cover up some violations: he underestimated the cost and thus wanted to tighten one of the test values, or he declares some goods under the guise of others. “Natural” weight characteristics, if you dig deep, differ from fictitious ones.
However, these are the simplest examples that even a person can see. In reality, the search for anomalies occurs in a multidimensional attribute space—there can be hundreds of them. The algorithm does what a human cannot do - it finds objects that are significantly different from the rest of the same ones at the same time in a large number of characteristics, and identifies the so-called multidimensional outliers (in the screenshot of SAS Visual Statistics):
Also beyond human perception is the variety of legal relationships between different companies, which are visualized using a graph (in the screenshot of SAS Social Network Analysis):
* names of organizations are fictitious, similarities with real companies are coincidental.
Unusual characteristics do not necessarily indicate a problem. The check may not show anything: yes, the indicators are strange, but there is no violation.
An anomaly is not a risk, it is simply “something unusual.” Anomaly profiles are needed to provide new “raw material” for the construction of expert or statistical profiles, since the result of an anomaly check is included in the history of observations of control objects.
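The weight-to-packaging case above can be reproduced in two attributes. This is an added example, not code from the original article: the shipment figures, the `THRESHOLD` value and all function names are constructed for illustration. It scores new declarations against a history of inspected shipments and shows a declaration whose net and gross weights each look ordinary on their own, but whose combination is a clear outlier (Mahalanobis distance).

```python
import math

# Constructed history of inspected shipments: (net_kg, gross_kg); packaging ~10%.
HISTORY = [(100, 112), (200, 217), (300, 334), (400, 439), (500, 553),
           (600, 656), (700, 771), (800, 878), (900, 993), (1000, 1097)]
# Constructed new declarations to score against that history.
NEW = {"N1": (450, 497), "N2": (500, 700), "N3": (950, 1043)}
THRESHOLD = 3.0  # assumed cut-off, in standard-deviation-like units

def fit(points):
    """Means, sample variances and covariance of a two-attribute history."""
    n = len(points)
    mx = sum(p[0] for p in points) / n
    my = sum(p[1] for p in points) / n
    sxx = sum((p[0] - mx) ** 2 for p in points) / (n - 1)
    syy = sum((p[1] - my) ** 2 for p in points) / (n - 1)
    sxy = sum((p[0] - mx) * (p[1] - my) for p in points) / (n - 1)
    return mx, my, sxx, syy, sxy

def per_attribute_z(model, point):
    """Z-score of each attribute taken alone (what a per-field check sees)."""
    mx, my, sxx, syy, _ = model
    return (point[0] - mx) / math.sqrt(sxx), (point[1] - my) / math.sqrt(syy)

def mahalanobis(model, point):
    """Distance from the history that accounts for how the attributes co-vary."""
    mx, my, sxx, syy, sxy = model
    dx, dy = point[0] - mx, point[1] - my
    det = sxx * syy - sxy ** 2
    if det <= 0:
        raise ValueError("degenerate covariance: attributes are collinear")
    return math.sqrt((dx * dx * syy - 2 * dx * dy * sxy + dy * dy * sxx) / det)

def score(history, new):
    """Flag each new declaration per attribute and jointly."""
    model = fit(history)
    report = {}
    for name, point in new.items():
        zs = per_attribute_z(model, point)
        report[name] = {
            "single_attribute_flag": any(abs(z) > THRESHOLD for z in zs),
            "joint_flag": mahalanobis(model, point) > THRESHOLD,
        }
    return report

if __name__ == "__main__":
    for name, flags in score(HISTORY, NEW).items():
        print(name, flags)
```

Only `N2` is flagged, and only by the joint score; as the text says, that makes it a candidate for inspection, not a confirmed violation.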