Risk management involves identifying, analyzing, and taking steps to reduce or eliminate the exposures to loss faced by an organization or individual. The practice utilizes many tools and techniques, including insurance, to manage a wide variety of risks. Every business encounters risks, some of which are predictable and under management's control; others are unpredictable and uncontrollable. Risk management is particularly vital for small businesses, since some common types of losses—such as theft, fire, flood, legal liability, injury, or disability—can destroy in a few minutes what may have taken an entrepreneur years to build. Such losses and liabilities can affect day-to-day operations, reduce profits, and cause financial hardship severe enough to cripple or bankrupt a small business. But while many large companies employ a full-time risk manager to identify risks and take the necessary steps to protect the firm against them, small companies rarely have that luxury. Instead, the responsibility for risk management is likely to fall on the small business owner.
The term is a relatively recent evolution of the term "insurance management." The concept of risk management encompasses a much broader scope of activities and responsibilities than does insurance management. Risk management is now a widely accepted description of a discipline within most large organizations. Basic risks such as fire, windstorm, employee injuries, and automobile accidents, as well as more sophisticated exposures such as product liability, environmental impairment, and employment practices, are the province of the risk management department in a typical corporation. Although risk management has usually pertained to property and casualty exposures to loss, it has recently been expanded to include financial risk management—such as interest rates, foreign exchange rates, and derivatives—as well as the unique threats to businesses engaged in E-commerce. As the role of risk management has increased, some large companies have begun implementing large-scale, organization-wide programs known as enterprise risk management.
Businesses have several alternatives for the management of risk, including avoiding, assuming, reducing, or transferring the risks. Avoiding risks, or loss prevention, involves taking steps to prevent a loss from occurring by such methods as employee safety training. As another example, a pharmaceutical company may decide not to market a drug because of the potential liability. Assuming risks simply means accepting the possibility that a loss may occur and being prepared to pay the consequences. Reducing risks, or loss reduction, involves taking steps to reduce the probability or the severity of a loss, for example by installing fire sprinklers.
Transferring risk refers to the practice of placing responsibility for a loss on another party by contract. The most common example of risk transference is insurance; it allows a company to pay a small monthly premium in exchange for protection against automobile accidents, theft or destruction of property, employee disability, or a variety of other risks. Because of its costs, the insurance option is usually chosen when the other options don't provide sufficient protection. Awareness of, and familiarity with, various types of insurance policies is a necessary part of the risk management process. A final risk management tool is self-retention of risks—sometimes referred to as "self-insurance." Companies that choose this option set up a special account or fund to be used in the event of a loss.
Any combination of these risk management tools may be applied in the implementation step of the process. The final step, monitoring, involves a regular review of the company's risk management tools to determine if they have obtained the desired result or if they require modification. Tools in that process include maintaining a high quality of work; training employees well and maintaining equipment properly; installing strong locks, smoke detectors, and fire extinguishers; keeping the office clean and free of hazards; backing up computer data often; and storing records securely off-site.
RISK MANAGEMENT IN THE INTERNET AGE
Small businesses encounter a number of risks when they use the Internet. Increased reliance on Web-based operations demands that small business owners decide how much risk to accept and implement security systems to manage the risk associated with online business activities. Conducting business online exposes a company to liability due to infringement on copyrights, patents, or trademarks; charges of defamation due to statements made on a Web site or by e-mail; charges of invasion of privacy due to unauthorized use of personal information or excessive monitoring of employee communications; liability for harassment due to employee behavior online; and legal issues due to accidental noncompliance with foreign laws. In addition, businesses connected to the Internet also face a number of potential threats from computer hackers and viruses, including a loss of business and productivity due to computer system damage, and the theft of customer information or intellectual property. If the small business is publicly traded, the requirements of the Sarbanes-Oxley Act, specifically record retention, including the archiving of computer-based records, apply as well.
In the early 2000s new forms of insurance coverage emerged to cover risks businesses run in cyberspace, and this branch of protection is expected to develop along with new risks as they emerge. In the meanwhile, attentive care to e-commerce implementation, the installation of firewalls, and effective disciplines inside the business can largely prevent serious problems. As pointed out elsewhere in this volume (see Computer Crimes), the largest risks most businesses run these days are from actions of employees inside the company.
ENTERPRISE RISK MANAGEMENT
In the 1990s, the field of risk management expanded to include managing financial risks as well as those associated with changing technology and Internet commerce. In the early 2000s, the role of risk management began to expand even further to protect entire companies during periods of change and growth. As businesses grow, they experience rapid changes in nearly every aspect of their operations, including production, marketing, distribution, and human resources. Such rapid change also exposes the business to increased risk. In response, risk management professionals created the concept of enterprise risk management, which was intended to implement risk awareness and prevention programs on a company-wide basis.
The main focus of enterprise risk management is to establish a culture of risk management throughout a company to handle the risks associated with growth and a rapidly changing business environment. Writing in Best's Review, Tim Tongson recommended that business owners take the following steps in implementing an enterprise-wide risk management program: 1) incorporate risk management into the core values of the company; 2) support those values with actions; 3) conduct a risk analysis; 4) implement specific strategies to reduce risk; 5) develop monitoring systems to provide early warnings about potential risks; and 6) perform periodic reviews of the program.
Finally, it is important that the small business owner and top managers show their support for employee efforts at managing risk. "To bring together the various disciplines and implement integrated risk management, ensuring the buy-in of top-level executives is vital," Luis Ramiro Hernandez wrote in Risk Management. "These executives can institute the processes that enable people and resources across the company to participate in identifying and assessing risks, and tracking the actions taken to mitigate or eliminate those risks."
see also Business Insurance; Computer Crimes
Anastasio, Susan. Small Business Insurance and Risk Management Guide. U.S. Small Business Administration. Available from http://www.sba.gov/library/pubs/mp-28.txt. Retrieved on 22 May 2006.
Hernandez, Luis Ramiro. "Integrated Risk Management in the Internet Age." Risk Management. June 2000.
Hommel, Ulrich, Michael Frenkel, and Markus Rudolf. Risk Management: Challenge and Opportunity. Springer, 2005.
Lam, James. Enterprise Risk Management: From Incentives to Controls. John Wiley & Sons, 2003.
O'Neill, David T. "Guard Against Cyber Exposures: New e-commerce risk insurance offers coverages beyond your standard policies." Risk Management. April 2003.
Sadgrove, Kit. The Complete Guide to Business Risk Management. Gower Publishing, 2005.
Tongson, Tim. "Turning Risk into Reward." Best's Review. December 2000.
Williams, Kathy. "How is Your Company Managing Risk?" Strategic Finance. September 2005.
Hillstrom, Northern Lights
updated by Magee, ECDI
Risk management is a systematic process of identifying and assessing company risks and taking actions to protect a company against them. The task of the risk manager is to predict and enact measures to control or prevent losses within a company. The risk-management process involves identifying exposures to potential losses, measuring these exposures, and deciding how to protect the company from harm given the nature of the risks and the company's goals and resources. Some risk managers define risk as the possibility that a future occurrence may cause harm or losses, while noting that risk also may provide possible opportunities. By taking risks, companies sometimes can achieve considerable gains. However, companies need risk management to analyze possible risks in order to balance potential gains against potential losses and avoid expensive mistakes.
THE EVOLUTION OF RISK MANAGEMENT
The field of risk management emerged in the mid-1970s, evolving from the older field of insurance management. The term risk management was adopted because the new field has a much wider focus than simply insurance management. Risk management includes activities and responsibilities outside of the general insurance domain, although insurance is an important part of it and insurance agents often serve as risk managers. Insurance management focused on protecting companies from natural disasters and basic kinds of exposures, such as fire, theft, and employee injuries, whereas risk management focuses on these kinds of risks as well as other kinds of costly losses, including those stemming from product liability, employment practices, environmental degradation, accounting compliance, offshore outsourcing, currency fluctuations, and electronic commerce.
In the 1980s and 1990s, risk management grew into a vital part of company planning and strategy, and it became integrated with more and more company functions as the field evolved. New areas of risk management began to emerge in the 1990s, providing managers with more options to protect their companies against new kinds of exposures. According to the Risk and Insurance Management Society (RIMS), the main trade organization for the risk management profession, among the emerging areas for risk management were operations management, environmental risks, and ethics. As the role of risk management has increased to encompass large-scale, organization-wide programs, the field has become known as enterprise risk management (ERM).
TYPES OF RISK
Risk managers need to be aware of the types of risks they face. Common types of risks include automobile accidents, employee injuries, fire, flood, and tornadoes, although more complicated types such as liability and environmental degradation also exist. Furthermore, companies face a number of risks that stem primarily from the nature of doing business. In Beyond Value at Risk (1998) Kevin Dowd sums up these different types of risks companies face by placing them in five general categories:
- Business risks or those associated with an organization's particular market or industry
- Market risks or those associated with changes in market conditions, such as fluctuations in prices, interest rates, and exchange rates
- Credit risks or those associated with the potential for not receiving payments owed by debtors
- Operational risks or those associated with internal system failures because of mechanical problems (e.g., machines malfunctioning) or human errors (e.g., poor allocation of resources)
- Legal risks or those associated with the possibility of other parties not meeting their contractual obligations
Environmental risks constitute a significant and growing area of risk management, since reports indicate the number and intensity of natural disasters are increasing. For example, the periodical Risk Management reported that there were about five times as many natural disasters in the 1990s as in the 1960s, and the 2000s seemed to continue this trend. In 2004, three major hurricanes hit the state of Florida, and a tsunami caused death and incalculable devastation in the Pacific Rim. Hurricane Katrina, which hit the Gulf Coast in 2005, was the costliest hurricane in U.S. history. Analysts expect that the twenty-first century will be just as bad as or worse than the past. Some observers blame the rising number of natural disasters on global warming, which they believe will cause greater floods, droughts, and storms in the future. Whatever the cause, it is clear that natural disasters are wreaking expensive havoc.
Any given risk can lead to a variety of losses in different areas. For example, if a fire occurs, a company could lose its physical property such as buildings, equipment, and materials. In this situation, a company also could lose revenues, in that it could no longer produce goods or provide services. Furthermore, a company could lose human resources in such a disaster. Even if employees are not killed or injured, a company would still suffer losses because employers must cover benefits employees draw when they miss work.
ASSESSING RISKS ASSOCIATED WITH DOING BUSINESS
One way managers can assess the risks of doing business is by using the risk calculator developed by Robert Simons, a professor at the Harvard Business School. Although the risk calculator is not a precise tool, it does indicate areas where risks and potential losses exist, such as the rate of expansion and the level of internal competition. Using the risk calculator, managers can determine if their company has a safe or dangerous amount of risk. The risk calculator measures three kinds of internal pressures: risk stemming from growth, corporate culture, and information management. Rapid growth, for example, could be a risk and lead to losses, because if a company grows too quickly, it may not have enough time to train new employees adequately. Hence, unchecked growth could lead to lost sales and diminished quality.
Managers can assess the increased risk associated with growth by determining if sales goals are set by top management without input from employees. If a company sets sales goals in this manner, then it has a high level of risk in that the goals may be too difficult for employees to meet. In cases where employees feel extreme pressure in trying to achieve goals, they may take unnecessary risks. Similarly, companies that rely heavily on performance-based pay also tend to have higher levels of risk.
To assess risk arising from corporate culture, managers should determine what percentage of sales comes from new products or services developed by risk-taking employees. If the percentage is high, then the amount of risk is also high, because such a company depends significantly on new products and the related risks. In addition, a corporate culture that allows or encourages employees to work independently to develop new products increases company risk, as does a high rate of new product or service failures.
Finally, managers can determine business risks resulting from information management by determining if they and their subordinates spend a lot of time gathering information that should already be available. Another way of assessing these risks is by managers considering whether they look at performance data frequently and whether they notice if reports are missing or late.
RISK MANAGEMENT METHODS
Company managers have three general options when it comes to choosing a risk manager:
- Insurance agents provide risk assessment services and insurance advice and solutions to their clients.
- Salaried employees manage risk for their company (often chief financial officers or treasurers).
- Independent consultants provide risk-management services for a fee.
Because risk management has become a significant part of insurance brokering, many insurance agents work for fees instead of for commissions. To choose the best type of risk manager for their companies, managers should consider the company's goals, size, and resources.
Risk managers rely on a variety of methods to help companies avoid and mitigate risks in an effort to position them for gains. The four primary methods include exposure or risk avoidance, loss prevention, loss reduction, and risk financing. A simple method of risk management is exposure avoidance, which refers to avoiding products, services, or business activities with the potential for losses, such as manufacturing cigarettes. Loss prevention attempts to root out the potential for losses by implementing such things as employee training and safety programs designed to eradicate risks. Loss reduction seeks to minimize the effects of risks through response systems that neutralize the effects of a disaster or mishap.
The final option risk managers have is to finance risks, paying for them either by retaining or transferring their costs. Companies work with risk managers insofar as possible to avoid risk retention. However, if no other method is available to manage a particular risk, a company must be prepared to cover the losses; that is, to retain the losses. The deductible of an insurance policy is an example of a retained loss. Companies also may retain losses by creating special funds to cover any losses.
Risk transferring takes place when a company shares its risk with another party, such as an insurance provider, by getting insurance policies that cover various kinds of risk that can be insured. In fact, insurance constitutes the leading method of risk management. Insurance policies usually cover (a) property risks such as fire and natural disasters, (b) liability risks such as employer's liability and workers' compensation, and (c) transportation risks covering air, land, and sea travel as well as transported goods and transportation liability. Managers of large corporations may decide to manage their risks by acquiring an insurance company to cover part or all of their risks, as many have done. Such insurance companies are called captive insurers.
Risk managers also distinguish between preloss and postloss risk financing. Preloss risk financing includes financing obtained in preparation for potential losses, such as insurance policies. With insurance policies, companies pay premiums before incurring losses. On the other hand, postloss financing refers to obtaining funds after losses are incurred (i.e., when companies obtain financing in response to losses). Obtaining a loan and issuing stocks are methods of postloss financing.
During the implementation phase, company managers work with risk managers to determine the company goals and the best methods for risk management. Generally, companies implement a combination of methods to control and prevent risks effectively, since these methods are not mutually exclusive, but complementary. After risk management methods have been implemented, risk managers must examine the risk management program to ensure that it continues to be adequate and effective.
EMERGING AREAS OF RISK MANAGEMENT
Beginning in the 1990s and continuing into the twenty-first century, risk managers have started focusing on new types of risks and have begun using new methods of risk analysis. As the authors of Making Enterprise Risk Management Pay Off (2002) noted at the beginning of the 2000s, “As businesses worldwide enter the twenty-first century, they face an assortment of risks almost unimaginable just 10 years ago.”
Risk managers of corporations have started focusing more on verifying their companies' compliance with federal environmental regulations. According to Risk Management, risk managers began to assess environmental risks such as those arising from pollution, waste management, and environmental liability to help make their companies more profitable and competitive. Furthermore, tighter environmental regulations also goaded businesses to have risk managers check their compliance with environmental policies to prevent possible penalties for noncompliance.
Companies also have the option of obtaining new kinds of insurance policies to control risks, which managers and risk managers can take into consideration when determining the best methods for covering potential risks. These nontraditional insurance policies provide coverage of financial risks associated with corporate profits and currency fluctuation. Hence, these policies in effect guarantee a minimum level of profits, even when a company experiences unforeseen loss from circumstances it cannot control (e.g., natural disasters or economic downturns). Moreover, these nontraditional policies ensure profits for companies doing business in international markets, and hence they help prevent losses from fluctuations in a currency's value.
Risk managers can also help alleviate losses resulting from mergers. Stemming from the wave of mergers in the 1990s and 2000s, risk managers became a more integral part of company merger and acquisition teams. Both parties in these transactions rely on risk management services to determine and control or prevent risks. On the buying side, risk managers examine a selling company's expenditures, loss history, insurance policies, and other areas that indicate a company's potential risks. Risk managers also suggest methods for preventing or controlling the risks they find.
Finally, risk managers have been called upon to help businesses manage the risks associated with increased reliance on the Internet. The importance of online business activities in maintaining relationships with customers and suppliers, communicating with employees, and advertising products and services has offered companies many advantages, but it has also exposed them to new security risks and liability issues. Business managers need to be aware of the various risks involved in electronic communication and commerce and include Internet security among their risk management activities.
ENTERPRISE RISK MANAGEMENT (ERM)
As the field of risk management expanded to include managing financial, environmental, and technological risks, the role of risk managers grew to encompass the organization-wide risk embodied in ERM. This approach seeks to implement risk awareness and prevention programs throughout a company, thus creating a corporate culture able to handle the risks associated with a rapidly changing business environment. Practitioners of ERM incorporate risk management into the basic goals and values of the company and support those values with action. They conduct risk analyses, devise specific strategies to reduce risk, develop monitoring systems to warn about potential risks, and perform regular reviews of the program.
The development of ERM was spurred by sudden and dramatic changes in the business environment. As the authors of the 2008 New Frontiers in Enterprise Risk Management note, the development of ERM was “encouraged by traumatic recent events such as 9/11 and business scandals to include Enron and WorldCom.” Passage of the Sarbanes-Oxley Act of 2002 provided the concrete impetus for a number of large firms to implement enterprise risk management. Passed in the wake of scandals involving accounting compliance and corporate governance, the act required public companies to enact a host of new financial controls. In addition, it placed new, personal responsibility on boards of directors to certify that they are aware of current and future risks and have effective programs in place to mitigate them. “Fueled by new exchange rules, regulatory initiatives around the globe, and a bevy of reports that link good corporate governance with effective risk management, attention is turning to ERM,” Lawrence Richter Quinn noted in Financial Executive. “[Some executives believe that it] will save companies from any number of current and future ills while providing significant competitive advantages along the way.”
In late 2004 the London-based Treadway Commission's Committee of Sponsoring Organizations (COSO) issued Enterprise Risk Management-Integrated Framework, which provided a set of “best practice” standards for companies to use in implementing ERM programs. The COSO framework expanded on the work companies were required to do under Sarbanes-Oxley and provided guidelines for creating an organization-wide focus on risk management. According to Financial Executive, between one-third and one-half of Fortune 500 companies had launched or were considering launching ERM initiatives by the end of 2004.
While companies face a host of different risks, some are more important than others. Risk managers determine each risk's importance, and whether the company can do anything about it, while identifying and measuring exposures. For example, the risk of flooding in Arizona would have low priority relative to other risks a company located there might face. Risk managers consider different methods for controlling or preventing risks and then select the best method given the company's goals and resources. After the method is selected and implemented, the method must be monitored to ensure that it produces the intended results.
Risk management is best used as a preventive measure rather than as a reactive measure. Companies benefit most from considering their risks when they are performing well and when markets are growing in order to sustain growth and profitability.
SEE ALSO Strategic Planning Tools; Succession Planning
Barton, Thomas L., William G. Shenkir, and Paul L. Walker. Making Enterprise Risk Management Pay Off: How Leading Companies Implement Risk Management. Upper Saddle River, NJ: Prentice Hall, 2002.
Crouhy, Michel, Dan Galai, and Robert Mark. The Essentials of Risk Management. New York: McGraw-Hill, 2006.
D'Arcangelo, James R. “Beyond Sarbanes-Oxley: Section 404 Exercises Can Provide the Starting Point for a Comprehensive ERM Program.” Internal Auditor (October 2004).
Dowd, Kevin. Beyond Value at Risk. New York: Wiley, 1998.
Lam, James. Enterprise Risk Management: From Incentives to Controls. Hoboken, NJ: John Wiley, 2003.
Mills, Evan. “The Coming Storm: Global Warming and Risk Management.” Risk Management (May 1998): 20.
Moeller, Robert. COSO Enterprise Risk Management: Understanding the New Integrated ERM Framework. Hoboken, NJ: Wiley, 2007.
Olson, David L., and Desheng Wu, eds. New Frontiers in Enterprise Risk Management. Berlin: Springer-Verlag, 2008.
Quinn, Lawrence Richter. “ERM: Embracing a Total Risk Model.” Financial Executive (January-February 2005).
Simons, Robert. “How Risky Is Your Company?” Harvard Business Review (May 1999): 85.
Telegro, Dean Jeffery. “A Growing Role: Environmental Risk Management in 1998.” Risk Management (March 1998): 19.
White, Larry. “Management Accountants and Enterprise Risk Management.” Strategic Finance (November 2004).
Many decisions involve an intuitive assessment of risk; this subjective risk assessment is usually called risk perception. Risk assessment is also a formalized approach to evaluating risk, often defined as a function of the probability and magnitude of loss or harm from an event. Risk assessment is often thought of as ethically obligatory, but since it can be done in more than one way, it is itself subject to ethical assessment.
Risks are routinely assessed formally for a wide variety of human endeavors, from drinking tap water to operating nuclear power plants; for natural hazards such as earthquakes, hurricanes, and floods; and for the human use of and exposure to chemicals and other substances such as arsenic or phthalates. Risks may also be defined and assessed in terms of specific harms or losses to people, for example a person's lifetime risk of dying of heart disease, or aquatic ecosystem risks from anthropogenic eutrophication (that is, being overburdened with nutrients as a result of human action). While failing to assess risk can lead to Faustian bargains with the future, risk assessments for public policy can be risky in themselves, as illustrated by the effects of transnational debates about risk assessments of genetically modified organisms, vaccines, and terrorism.
As described in Risk Assessment in the Federal Government (known as the "Red Book," 1983), risk assessment consists of four steps: hazard identification, dose-response assessment, exposure assessment, and risk characterization. More broadly, risk assessment entails identifying and characterizing an underlying hazard (including its sources, pathways, effects for given exposures, and mitigating factors) and estimating the associated contingent probabilities. In effect, formal risk assessment requirements are intended to ensure that human and even ecological health is considered in decisions with other primary objectives.
For example, product risk assessment may be required by law, as in the case of new pharmaceuticals in the United States. In the United States, the Food and Drug Administration (FDA) assesses the adequacy of new drug risk assessments, including how they are conducted. The FDA also determines what constitutes permissible risk for a licensed product. As risk assessments are generally conducted in the service of specific risk management objectives, the two are mutually dependent (Committee on Risk Assessment of Hazardous Air Pollutants 1994). In some venues separation of risk assessment and risk management is considered critical to protect the science of risk assessment from contamination by management or political pressures. However, many formal risk assessment processes now include participation by multiple stakeholders to deliberate about risk management objectives and values, in addition to experts' technical analyses (Stern and Fineberg 1996).
Human health risk assessments are of necessity carried out at a population or group level—that is, for a statistical person rather than an identified individual. They are based on extrapolations from animal studies; on experimental tests of human product use, which usually involve relatively small samples; or on epidemiological studies, which rely on statistical controls. Recent developments in risk assessment have included the ability to tailor risk assessment results interactively for subpopulations, as is illustrated by online risk calculators that determine an individual's risk based on a few personal characteristics. But individual differences can make the population health risk assessments applied in policy decisions more or less applicable, for which reason minority populations may be poorly served by general risk assessments. An example in point is airbags in cars, which when designed to optimally protect average adults may harm or kill children.
Environmental risk assessment, as required for example in environmental impact statements, has focused largely on risks to human health and the economy, but increasingly addresses ecological endpoints. Because selection of assessment endpoints can determine the structure and outcome of decisions, it is inherently controversial. Assessing risks from ozone only in terms of economic loss from damage to automobile tires paints a very different picture of the size of the risks than if the assessment also takes into account acute respiratory or cardiovascular events triggered by exposure to ozone, or possible ecological effects of ozone, such as reduced growth rates and plant deformation.
By focusing on probabilistic loss, risk assessment frames management choices in terms of threat reduction and loss avoidance. Common criticisms of risk assessments have included that they are based on an overly narrow conceptualization of benefits, or that the dimensions of harm included are insufficient or inappropriate. It is difficult to incorporate into a risk assessment even proxy measures for intangibles—such as quality of life—or other poorly defined or understood endpoints. In part to take into account uncertainties, risk assessments are sometimes designed to produce estimates of risk that err on the high side, for example by using upper bounds of estimated risks, rather than averages. Those risk assessment procedures that have been codified by government entities incorporate scientific procedures, including requirements for representative empirical data, statistical analyses, and quality control in the form of peer review. Some also include ethical requirements, such as human subjects review, or the participation of parties who may have a substantive interest in the value at risk.
Four issues are key to risk assessment as currently practiced. The first is what is valued, how and by whom it is valued, and the distributive implications thereof. The selection of assessment endpoints can have far-from-obvious implications, as the airbag example illustrates. Assessing values remains a methodological and ethical challenge (Fischhoff 1991, Slovic 1995).
The second is the treatment and interpretation of uncertainty—both uncertainty stemming from limits to what is known, and uncertainty stemming from inherent variability (see Morgan and Henrion 1990). Especially in the case of extremely rare and catastrophic events, the selection of a distribution function or simulation procedure with which to analyze uncertainties can influence the outcome of the assessment considerably. Similarly, choosing how to represent the results of the risk assessment and the uncertainty therein can influence how recipients interpret and use the assessment.
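The sensitivity to the choice of distribution described above is easy to see numerically. The following is an added example, not part of the original entry: it fits a normal and a lognormal distribution to the same mean and standard deviation of an annual loss (the values 100, 50 and the threshold 400 are constructed, in arbitrary currency units) and compares the probability of exceeding a catastrophic threshold and the 99.9th-percentile loss, both in closed form and by simulation. The same first two moments give tail estimates that differ by several orders of magnitude.

```python
import random
from math import exp, log, sqrt
from statistics import NormalDist
from typing import Dict, Tuple


def lognormal_params(mean: float, sd: float) -> Tuple[float, float]:
    """(mu, sigma) of the lognormal whose arithmetic mean and standard
    deviation equal the given values (moment matching)."""
    sigma2 = log(1.0 + (sd / mean) ** 2)
    return log(mean) - sigma2 / 2.0, sqrt(sigma2)


def compare_tail_models(mean: float, sd: float, threshold: float,
                        n: int = 200_000, seed: int = 7) -> Dict[str, float]:
    """Tail risk of a loss variable under two distributions with identical
    mean and standard deviation: exact exceedance probabilities, the
    99.9th-percentile loss, and a Monte Carlo check of the exceedance."""
    mu, sigma = lognormal_params(mean, sd)
    normal = NormalDist(mean, sd)
    log_loss = NormalDist(mu, sigma)       # distribution of log(loss)

    result = {
        "normal_exceed_exact": 1.0 - normal.cdf(threshold),
        "lognormal_exceed_exact": 1.0 - log_loss.cdf(log(threshold)),
        "normal_p999": normal.inv_cdf(0.999),
        "lognormal_p999": exp(log_loss.inv_cdf(0.999)),
    }

    # Simulation with a fixed seed so the run is reproducible.
    rng = random.Random(seed)
    result["normal_exceed_mc"] = sum(
        rng.gauss(mean, sd) > threshold for _ in range(n)) / n
    result["lognormal_exceed_mc"] = sum(
        rng.lognormvariate(mu, sigma) > threshold for _ in range(n)) / n
    return result


if __name__ == "__main__":
    # Constructed inputs: mean annual loss 100, sd 50, catastrophic threshold 400.
    for key, value in compare_tail_models(100.0, 50.0, 400.0).items():
        print(f"{key:24s} {value:.3g}")
```

Under the normal model the threshold sits six standard deviations out and is effectively impossible; under the lognormal model with the same mean and spread it is exceeded about once in 1,300 years, and the 99.9th-percentile loss is roughly half again as large. A risk assessment that reports only the mean and standard deviation hides this choice from its readers.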
The third key issue is the substitutability implied or assumed by risk assessment, as it often requires comparative values. As has been illustrated in discussions of protected values and irreversible effects, in reality trade-offs are sometimes impossible or unethical.
Fourth is that technically competent risk assessment requires significant resources, is both analytically and data-intensive, and can be difficult to interpret. Risk assessments that are carried out for new drugs, for example, require expertise in toxicology and epidemiology and investments in large studies, which still may not be large enough to discover devastating rare or long-term adverse effects.
Risk assessments may produce risk characterizations that are not readily used to compare or prioritize risks. For example, ecological risk assessments may conclude simply that a specific species is at some risk of extinction, while a human health risk assessment may produce an estimated probability of a specific health endpoint within a given timeframe, for example a five percent probability of being diagnosed with breast cancer within five years. Comparing the two is difficult.
For this reason it is desirable that risk assessment outcomes be translatable to a common measure, such as an abstract measure of utility, or monetary value. Summary endpoints like the probability of human mortality or morbidity, or economic loss, can be presented in a common metric that facilitates at least some comparisons, such as disability adjusted life years, or monetary value. But choice of a common metric itself can be problematic, both because individuals may not agree on the equivalence of different forms of bodily injury or harm and because not all endpoints can be equally well represented by all measures. In addition, some measures, such as dollars, carry their own meaning, which may or may not facilitate the risk assessment depending on how that meaning is construed.
However, no single metric or endpoint necessarily constrains environmental, technological, or human health risk assessments. Although many risk assessors with economic training might prefer to use dollars as a summary endpoint, doing so is not a requirement of risk assessment, but a methodological choice with ethical implications. The identification and definition of possible endpoints to consider, the valuation of these, and the estimation of their contingent probabilities all entail some degree of judgment and choice.
Committee on the Institutional Means for the Assessment of Risks to Public Health, Commission on Life Sciences, National Research Council. (1983). Risk Assessment in the Federal Government: Managing the Process. Washington, DC: National Academy Press. Known as the "Red Book," this is probably the most cited publication on risk assessment.
Committee on Risk Assessment of Hazardous Air Pollutants, Board on Environmental Studies and Toxicology, Commission on Life Sciences, National Research Council. (1994). Science and Judgment in Risk Assessment. Washington DC: National Academy Press. An update on the "Red Book."
Fischhoff, B. (1991). "Value Elicitation: Is There Anything in There?" American Psychologist 46(8): 835–847. Summarizes the literature on value elicitation succinctly and with eloquence.
Morgan, M. Granger, and Max Henrion, with Mitchell Small. (1990). Uncertainty: A Guide to Dealing with Uncertainty in Quantitative Risk and Policy Analysis. Cambridge, UK: Cambridge University Press. A key publication on uncertainty.
Slovic, P. (1995). "The Construction of Preference." American Psychologist 50(5): 364–371. A must-read for anyone interested in values or preferences.
Stern, Paul C., and Harvey V. Fineberg, eds. (1996). Understanding Risk: Informing Decisions in a Democratic Society. Washington, DC: National Academy Press. Articulates the importance of deliberation as well as analysis in risk assessment.
UK Royal Society. (1992). Risk Analysis, Perception, and Management: Report of a Royal Society Study Group. London: The Royal Society. An important summary of EU perspectives on risk assessment and related issues.
Risk management is a term that pervades a number of different areas of human interest. At the ultimate level of risk management, political leaders and government officials must assess the risk of natural disasters, terrorist attacks, and nuclear war—events that threaten human existence. For public health officials and hospital administrators, risk management entails the reduction of mortality due to disease and infection. For transportation safety engineers, risk management focuses on preventing or reducing deaths and injuries caused by accidents. Insurance companies and their customers view risk management as entailing the assessment and mitigation of various types of risks, often with the goal of reducing the costs of insuring against such risks.
For bankers and lenders, risk management involves credit analysis and techniques such as currency hedging and interest rate swaps that reduce credit and lending risks. For the business manager, risk management necessitates the assessment of future market fluctuations both on the sales and supply sides of an enterprise and creating plans to mitigate the effects of these fluctuations. In sum, risk management addresses the possibility that future events may cause adverse effects and entails an attempt to mitigate the impact of these effects.
Risk management draws upon knowledge and skills derived from various disciplines, including statistics, economics, psychology, sociology, epidemiology, biology, engineering, toxicology, systems analysis, operations research, decision theory, and international relations. Because of the wide diversity of risk management topics, this entry addresses only a small portion of the total, concentrating on risk management from the perspective of higher levels of a business enterprise. The specific risk management techniques will not be addressed, but the focus will instead be on components of risk management that are important to business enterprises. Ultimately, risk management can provide assurance to shareholders, creditors, employees, customers, and other interested parties that a business is being well managed, and it can provide important evidence about compliance with relevant laws and government regulations.
An important contribution to the field of risk management for business enterprises has been provided by the Committee of Sponsoring Organizations (COSO) of the National Commission on Fraudulent Financial Reporting (Treadway Commission). The Treadway Commission was created in 1987 in the wake of several major financial frauds. The sponsoring organizations include the American Accounting Association, American Institute of Certified Public Accountants, Financial Executives International, the Institute of Management Accountants, and the Institute of Internal Auditors.
In 1992 COSO issued the report Internal Control—Integrated Framework, which has become the most widely recognized framework for internal control in the United States. Section 404 of the federal Sarbanes-Oxley Act of 2002 requires the management of public companies to issue annual internal control reports which include a statement that management is responsible for establishing and maintaining an adequate internal control structure, as well as procedures for financial reporting, and is to make an assessment of the effectiveness of the internal control structure and the procedures for financial reporting.
Section 404 also requires the company's independent auditor to issue a report on management's assessment of internal control. Public Company Accounting Oversight Board (PCAOB) Standard No. 2 specifically recognizes the COSO Internal Control—Integrated Framework as establishing the criteria for effective internal control over financial reporting.
ENTERPRISE RISK MANAGEMENT
Because the Sarbanes-Oxley Act and the COSO Internal Control—Integrated Framework are directed primarily toward internal control and transparency in financial reporting, COSO became concerned that there was a need for a broader framework to identify, assess, and manage enterprise risks. Consequently, in 2004 COSO issued Enterprise Risk Management: Integrated Framework. This document is not intended to replace the COSO internal control framework. Rather it incorporates the internal control framework and recommends that companies use the enterprise risk management framework to both satisfy their internal control needs and to develop a more complete risk management process.
According to COSO, the underlying premise of enterprise risk management is that every entity exists to provide value for its stakeholders. Because all entities face uncertainty, the challenge for management is to determine how much risk to accept. COSO defines enterprise risk management as:
a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. (COSO, 2004)
Several aspects of this definition deserve emphasis, namely that risk management is an ongoing process undertaken by people at various levels of an organization. Furthermore, risk management is a strategic process that looks at the risks facing an entity from a portfolio perspective. Finally, risk management is geared toward providing reasonable assurance to entity management and directors that risks will be managed, and that any risks assumed are related to the objectives of the entity.
COSO believes that enterprise risk management should focus on achieving an entity's strategic, operating, reporting, and compliance objectives. Strategic objectives are defined as high-level goals related to the mission of the entity. Operating objectives focus on effective and efficient use of resources. Reporting objectives deal with reliability of reporting, and compliance objectives involve compliance with laws and regulations. The COSO framework sets forth eight interrelated components for enterprise risk management:
- Internal environment—The tone of an organization and how risk is viewed by the people in the organization
- Objective setting—Objectives must exist before management can identify risks that may affect those objectives
- Event identification—Internal and external events that may pose risks must be identified
- Risk assessment—Risks are analyzed from both the perspective of likelihood and impact
- Risk response—A decision to avoid, accept, reduce, or share the risk
- Control activities—Establishing policies and procedures so that the chosen risk response is carried out
- Information and communication—Information about risks and procedures is communicated throughout the organization
- Monitoring—Enterprise risk management is monitored and changes are made as needed
The enterprise risk management framework envisions the objectives of the enterprise and the components of risk management as being arranged in a matrix, so that there is an intersection between each objective and each component. For example, in the area of operations, there is an intersection with internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring. This matrix is then extended to encompass entity-level, division-level, and business-unit-level risk management objectives and components.
The extent to which the COSO framework will become seen as an exemplar of risk management for business enterprises is still unclear. Nevertheless, the authority of COSO and its sponsoring organizations makes it important for business managers to be aware of the provisions of the framework if they are to be fully conversant with enterprise risk management.
See also Insurance; Investments
Beasley, Mark S., and Elder, Randal J. (2005). The Sarbanes-Oxley Act of 2002: Impacting the accounting profession. Upper Saddle River, NJ: Pearson Prentice-Hall.
COSO. (1992). Internal control—Integrated framework. New York: Committee of Sponsoring Organizations of the Treadway Commission.
COSO. (2004). Enterprise risk management: Integrated framework. New York: Committee of Sponsoring Organizations of the Treadway Commission.
National Commission on Fraudulent Financial Reporting. (1987). Report of the National Commission on Fraudulent Financial Reporting. Washington, DC: Author.
Rowe, William D. (1988). An anatomy of risk. Malabar, FL: Robert E. Krieger.
C. Richard Baker
1. A systematic and disciplined approach to assessing the significance in terms of safety of the complete set of risks that may occur with a system.
2. An assessment in quantitative or qualitative terms of the damage that would be sustained if a computer system were exposed to postulated threats. A quantitative risk analysis may ascribe a probable financial loss if each specified threat successfully exploited each possible vulnerability of the system.
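The quantitative definition above (probable financial loss if each threat exploited each vulnerability) and the COSO risk assessment and risk response components in the preceding entry (likelihood and impact; avoid, accept, reduce, or share) can be shown together in one small risk register. This is an added example, not code from either entry: the threats, vulnerabilities, asset values, rates and probabilities are constructed sample data, and the rule that maps a likelihood-by-impact score to a response against a risk appetite is an assumed illustration, not a COSO prescription. It computes the annualized loss expectancy for every threat/vulnerability pair, ranks the pairs for prioritization, and derives a response from a qualitative score.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    annual_rate: float                  # expected occurrences per year (ARO)


@dataclass(frozen=True)
class Vulnerability:
    name: str
    asset_value: float                  # value of the asset the weakness exposes
    exposure_factor: float              # fraction of asset value lost per successful event, 0..1
    success_prob: Dict[str, float] = field(default_factory=dict)  # threat name -> P(success)


def single_loss_expectancy(v: Vulnerability) -> float:
    """Loss from one successful event against this vulnerability (SLE)."""
    return v.asset_value * v.exposure_factor


def loss_matrix(threats: Sequence[Threat],
                vulns: Sequence[Vulnerability]) -> Dict[Tuple[str, str], float]:
    """Annualized loss expectancy for every threat/vulnerability pair:
    rate of the threat x P(threat succeeds against the vulnerability) x SLE."""
    return {
        (t.name, v.name): t.annual_rate * v.success_prob.get(t.name, 0.0)
        * single_loss_expectancy(v)
        for t in threats for v in vulns
    }


def total_ale(threats: Sequence[Threat], vulns: Sequence[Vulnerability]) -> float:
    """Probable annual financial loss summed over all pairs."""
    return sum(loss_matrix(threats, vulns).values())


def ranked_pairs(threats: Sequence[Threat],
                 vulns: Sequence[Vulnerability]) -> List[Tuple[str, str]]:
    """Pairs with non-zero expected loss, highest first, for prioritization."""
    m = loss_matrix(threats, vulns)
    ordered = sorted(m.items(), key=lambda kv: kv[1], reverse=True)
    return [pair for pair, ale in ordered if ale > 0]


def qualitative_score(likelihood: int, impact: int) -> int:
    """COSO-style likelihood x impact score on 1..5 scales (1..25)."""
    for x in (likelihood, impact):
        if not 1 <= x <= 5:
            raise ValueError("likelihood and impact must be integers 1..5")
    return likelihood * impact


def risk_response(likelihood: int, impact: int, appetite: int) -> str:
    """Assumed illustrative mapping from score to a COSO response category:
    within appetite -> accept; extreme -> avoid; rare but severe -> share
    (e.g. insurance); everything else -> reduce through controls."""
    score = qualitative_score(likelihood, impact)
    if score <= appetite:
        return "accept"
    if score >= 20:
        return "avoid"
    if impact >= 4 and likelihood <= 2:
        return "share"
    return "reduce"


# Constructed sample register (values are illustrative, not measured data).
THREATS = [Threat("phishing", 12.0), Threat("ransomware", 2.0)]
VULNS = [
    Vulnerability("unpatched file server", 500_000.0, 0.40,
                  {"phishing": 0.05, "ransomware": 0.25}),
    Vulnerability("webmail without MFA", 200_000.0, 0.25,
                  {"phishing": 0.15}),
]

if __name__ == "__main__":
    for pair, ale in loss_matrix(THREATS, VULNS).items():
        print(f"{pair[0]:11s} x {pair[1]:22s} ALE = {ale:>10,.0f}")
    print(f"total ALE = {total_ale(THREATS, VULNS):,.0f}")
    print("priority:", ranked_pairs(THREATS, VULNS))
    print("response (likelihood 2, impact 5, appetite 6):", risk_response(2, 5, 6))
```

The quantitative and qualitative views answer different questions: the loss matrix tells a manager where money is expected to be lost and in what order to spend on controls, while the score-to-response mapping records the decision taken against the entity's stated risk appetite. Both depend entirely on the estimated rates and probabilities, which is exactly the judgment and choice the preceding entries warn about.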