Enterprise Risk Management (Preview)

4 Part 1 – Concepts and Methods THE NATURE OF RISK Every organization faces risks. Organizations adopt goals, implement strategies and operate to achieve results, but events may occur or conditions may change that can affect performance and results dramatically. Such events or changes in conditions create uncertainty. Whether organizations aim for growth and profitability, the effective delivery of government programs and services, or the improvement of society and communities through charitable activities, every organization has a purpose and faces uncertain events or conditions. These uncertainties need to be managed. The simple decision to establish an organization requires the acceptance of risk. Resources must be accumulated, invested and deployed, with no assurance of success. Decisions regarding markets, organizational strategies, sources of financing, production facilities, marketing and distribution channels, are all examples where uncertainties need to be managed. These uncertainties may affect the ability of an organization to perform, meet stakeholder expectations and maintain a good reputation. Such realities apply indiscri- minately to every type of organization, including publicly-traded or privately-held companies, government entities and not-for-profit organizations. Risks are uncertainties that can affect organizational performance and results, including the achievement of goals, strategies and objectives. It is important to remember that risks involve opportunities and threats that can have positive or negative effects. Most people think of risk as something that is undesirable and that should be eliminated to the best extent possible. However, it is also understood that value is created by taking risks, and managing risks effectively to take advantage of opportunities. For instance, conducting research, developing new products, entering new markets, transforming processes, designing marketing campaigns, and making changes to distribution channels are all examples of opportunities where desirable risks are taken. Organizations that avoid taking risks cannot innovate, make strategic investments, upgrade their operational practices, adapt to change and remain competitive. Over time, they become obsolete, ineffective and costly to operate. They draw criticism from stakeholders, develop a negative reputation, and eventually fail or cease to operate. An adequate balance of risk taking and risk avoidance or reduction must be implemented. Excessive risk taking is reckless, but a disproportionate amount of risk avoidance or reduction can be equally damaging. In both cases, too much of a good thing is bad. The Concept of Risk Management Risk management involves a process to identify, analyze and prioritize risks, develop responses, and monitor and review results. It applies equally to risk-taking and risk- reduction activities. Risk management helps organizations understand, anticipate and manage uncertainties and their effects. These uncertainties and effects may be desirable or undesirable. They can result in positive or negative outcomes, reflecting the potential upside or downside of risk. Organizations exploit risks to achieve results and create value for their stakeholders (risk-reward relationship). They also mitigate risks whenever the benefits of doing so are greater than the costs (cost-benefit equation). Risk management includes methods and techniques for controlling the risks assumed. Risks can also be funded, insured or transferred using contractual means.