Risk Management Processes_The Case of Greek Companies

May 30, 2018

  • 8/14/2019 Risk Management Processes_The Case of Greek Companies

    Risk management processes. The case of Greek companies.

    Iordanis Eleftheriadis
    University of Macedonia
    Department of Business Administration
    156 N. Egnatia Str.
    54006 Thessaloniki
    Greece
    Tel. 00302310-891-591
    Fax. 00302310-891519
    Email: [email protected]

    Abstract: Whatever business you are in, there will be an almost limitless number of risks that you must face. To be able to manage these risks you must first identify them. The use of risk categories helps to provide a framework within which to look for, and latterly, to manage risks. Thus, in their day-to-day business and in the strategic management of their balance sheet and capital, companies seek to limit the scope for adverse variations in their earnings and control exposure to stress events. Excellence in risk management is fundamentally based upon a management team that makes risk identification and control critical components of its processes and plans. Failure to identify, manage or control risks, including business risks, may result not only in financial loss but also in loss of reputation. Although measurement of risk is clearly important, quantification does not always tell the whole story, because not all risks are quantifiable. The purpose of this paper is to collect and study observations and experiences from risk management activities in Greek companies. We use the answers given to a structured questionnaire in order to present some conclusions.

    1. Introduction

    Risk Management has been described as 'all the things you need to do to manage an uncertain future'. In most cases risks are taken so as to achieve some advantage, and managing risks is associated with making decisions. It is used in a wide range of areas including: engineering, business and finance, health and safety, environmental management, healthcare, emergency management, business continuity management, sport and recreation etc. In developing a risk management infrastructure, it is important that companies follow a methodical process to determine the appropriate types of risk measures, processes, policies and controls for their particular company. The purpose of this paper is to investigate the risk management activities in Greek companies.

    2. The Risk Management Process

    The risk management process is defined as "the systematic application of management policies, procedures and practices to the tasks of establishing the context, identifying, analyzing, evaluating, treating, monitoring and communicating risk". Risk management is also defined as "the culture, processes and structures, which are directed towards the effective management of potential opportunities and adverse effects."1

    The Risk Management process is outlined in the diagram below:

    Figure 1: The Risk Management Process

    The approach to risk management adopted in this paper is consistent with the Australian and New Zealand Standard on risk management, AS/NZS 4360 (Figure 1). This approach is consistent with similar approaches adopted by the major risk management professional bodies and government agencies that have issued risk guidelines. The steps in the process address important questions for the risk manager (Table 1).

    | Risk management process step | Management question |
    |---|---|
    | Establish the context | What are we trying to achieve? |
    | Identify the risks | What might happen? |
    | Analyze the risks | What might that mean for the project's key criteria? |
    | Evaluate the risks | What are the most important things? |
    | Treat the risks | What are we going to do about them? |
    | Monitor and review | How do we keep them under control? |
    | Communicate and consult | Who should be involved in the process? |

    Table 1: Questions for the risk manager

    Establish context: Establishing the context is concerned with developing a structure for the risk identification and assessment tasks to follow. This step:

    • establishes the company and project environment in which the risk assessment is taking place;
    • specifies the main objectives and outcomes required;
    • identifies a set of success criteria against which the consequences of identified risks can be measured; and
    • defines a set of key elements for structuring the risk identification and assessment process.

    Context inputs include the execution strategy, the cost and schedule assumptions, scope definitions, engineering designs and studies, economic analyses, and any other relevant documentation.

    The output from this stage is a concise statement of the company objectives and specific criteria for success, the objectives and scope for the risk assessment itself, and a set of key elements for structuring the risk identification process in the next stage.

    1 Standards New Zealand and Standards Australia risk management standard (AS/NZS 4360: 1999 Risk Management).

    Identify Risks: Risk identification sets out to identify a company's exposure to uncertainty. Every company faces different risks, based on its business, the economic, social and political factors, the features of the industry it operates in like the degree of competition, the strengths and weaknesses of its competitors, availability of raw material, factors internal to the company like the competence and outlook of the management, state of industry relations, dependence on foreign markets for inputs, sales, or finances, capabilities of its staff, and other innumerable factors. Each company needs to identify the possible sources of risks and the kinds of risks faced by it. This requires an intimate knowledge of the company, the market in which it operates, the legal, social, political and cultural environment in which it exists, as well as the development of a sound understanding of its strategic and operational objectives, including factors critical to its success and the threats and opportunities related to the achievement of these objectives.

    The risk identification process must be comprehensive, as risks that have not been identified cannot be assessed, and their emergence at a later time may threaten the success of the company and cause unpleasant surprises. Risk identification should be approached in a methodical way to ensure that all significant activities within the company have been identified and all the risks flowing from these activities defined. A number of techniques can be used for risk identification, but brainstorming is a preferred method because of its flexibility and capability, when appropriately structured, of generating a wide and diverse range of risks.

    Information used in the risk identification process may include historical data, theoretical analysis, empirical data and analysis, informed opinions, and the concerns of stakeholders.

    The output is a comprehensive list of possible risks, usually in the form of a risk register, with management responsibilities allocated to them. A list of the most important categories of risks is the following2:

    • Business risk is the risk of failing to achieve business targets due to inappropriate strategies, inadequate resources or changes in the economic or competitive environment.
    • Credit risk is the risk that a counterparty may not pay amounts owed when they fall due.
    • Sovereign risk is the credit risk associated with lending to the government itself or a party guaranteed by the government.
    • Market risk is the risk of loss due to changes in market prices. This includes:
        • interest rate risk
        • foreign exchange risk
        • commodity price risk
        • share price risk
    • Liquidity risk is the risk that amounts due for payment cannot be paid due to a lack of available funds.
    • Operational risk is the risk of loss due to actions on or by people, processes, infrastructure or technology or similar, which have an operational impact including fraudulent activities.
    • Accounting risk is the risk that financial records do not accurately reflect the financial position of a company.
    • Country risk is the risk that a foreign currency will not be available to allow payments due to be paid, because of a lack of foreign currency or the government rationing what is available.
    • Political risk is the risk that there will be a change in the political framework of the country.
    • Industry risk is the risk associated with operating in a particular industry.
    • Environmental risk is the risk that a company may suffer loss as a result of environmental damage caused by themselves or others which impacts on their business.
    • Legal/regulatory risk is the risk of non-compliance with legal or regulatory requirements.
    • Systemic risk is the risk that a small event will produce unexpected consequences in local, regional or global systems not obviously connected with the source of the disturbance.
    • Reputational risk is the risk that the reputation of a company will be adversely affected.

    2 Carl Olsson, Risk Management in Emerging Markets. How to survive and prosper.

    Analyze Risks: During the Risk Analysis step the company transforms risk data into decision-making information. The company has to evaluate impact, probability and timeframe. This means that it has to classify and prioritize risks. Risk analysis is the systematic use of available information to determine how often specified events may occur and the magnitude of their consequences. The analysis stage assigns each risk a priority rating, taking into account existing activities, processes or plans that operate to reduce or control the risk.

    The significance of a risk can be expressed as a combination of its consequences or impacts on the company's objectives, and the likelihood of those consequences arising. This can be accomplished with qualitative consequence and likelihood scales and a matrix defining the significance of various combinations of these. Table 2 shows the structure of a five-by-five matrix.

    A matrix like Table 2 can be structured according to the kinds of risks involved in the company's objectives, criteria and attitudes to risk. For example, Table 2 in particular is not symmetric, indicating that the company is concerned about most catastrophic events, even if they are rare. This might be appropriate where human safety is threatened and the company needs to ensure the associated risks are being managed whatever the likelihood of their occurrence. Where the impacts of potential risks are purely economic, and particularly where there may be a limit to the potential exposure, catastrophic but rare events may be viewed as moderate risks and not treated in such detail.

    To implement a structure like this, it is important that clear and consistent definitions of the consequence and likelihood scales are used.3

    | Likelihood \ Consequences | Insignificant | Minor | Moderate | Major | Catastrophic |
    |---|---|---|---|---|---|
    | Almost certain | Medium | Medium | High | High | High |
    | Likely | Low | Medium | Medium | High | High |
    | Possible | Low | Medium | Medium | Medium | High |
    | Unlikely | Low | Low | Medium | Medium | High |
    | Rare | Low | Low | Low | Medium | Medium |

    Table 2: Priority setting matrix

    3 Steinberg M. Richard, Everson E.A. Miles, Martens J. Frank, Nottingham E. Lucy, Enterprise Risk Management - Integrated Framework. Executive Summary, Committee of Sponsoring Organizations of the Treadway Commission (COSO), September 2004.

    Scales like these often generate considerable discussion amongst senior managers and risk managers. The numerical limits in a financial impacts scale are often linked to the size of the company undertaking it, or the amount it can afford to lose. There is often a trade-off between risk and opportunity, the resolution to which must usually take place at managerial levels. Generally, we should review carefully the consequence scales we intend to use, to ensure they reflect the company's objectives and criteria for success. If they are not agreed and accepted by senior management, the outcomes from the risk assessment may not be accepted readily.

    A consequence scale like Table 3 might be appropriate. It is important to remember that scales are to be used for assessing priorities, so comparability and consistency are often more important than absolute numbers.

    | Rating | Consequence | Description |
    |---|---|---|
    | A | Catastrophic | Extreme event, potential for large financial costs or delays, or damage to the company's reputation |
    | B | Major | Critical event, potential for major costs or delays, or inappropriate products |
    | C | Moderate | Large impact, but can be managed with effort using standard procedures |
    | D | Minor | Impact minor with routine management procedures |
    | E | Insignificant | Impact may be safely ignored |

    Table 3: Consequence scale for a repetitive procurement

    Likelihoods are rated in terms of annual occurrence on a five-point descriptive scale, showing the likelihoods of specific risks arising and leading to the assessed levels of consequences. Table 4 shows an example of a scale suitable for a major asset procurement, where the time span of the scale is linked loosely to the 40-year nominal life of the asset.4

    Likelihood description: the potential for problems to occur and lead to the assessed consequences.

    | Rating | Likelihood | Description | Probability | Indicator |
    |---|---|---|---|---|
    | A | Almost certain | Very high, may occur at least several times per year | Probability over 0.8 | A similar outcome has arisen several times per year in the same location, operation or activity |
    | B | Likely | High, may arise about once per year | Probability 0.5–0.8 | A similar outcome has arisen several times per year in this company |
    | C | Possible | Possible, may arise at least once in a 1–10-year period | Probability 0.1–0.5 | A similar outcome has arisen at some time previously in this company |
    | D | Unlikely | Not impossible, likely to occur during the next 10 to 40 years | Probability 0.02–0.1 | A similar outcome has arisen at some time previously in a similar company |
    | E | Rare | Very low, very unlikely during the next 40 years | Probability less than 0.02 | A similar outcome has arisen in the world-wide industry, but not in this company |

    Table 4: Likelihood ratings

    4 Dale F. Cooper, Stephen Grey, Geoffrey Raymond and Phil Walker, Project Risk Management Guidelines: Managing Risk in Large Projects and Complex Procurements, John Wiley & Sons Ltd, 2005.

    Evaluate Risk Priorities: Risk evaluation is the process of comparing the estimated risk against given risk criteria to determine the significance of the risk. When the risk analysis process has been completed, it is necessary to compare the estimated risks against risk criteria which the company has established. The risk criteria may include associated costs and benefits, legal requirements, socio-economic and environmental factors, concerns of stakeholders, etc. Any risks that have been accorded too high or too low a rating are adjusted, with a record of the adjustment being retained for tracking purposes. The outcome is a list of risks with agreed priority ratings. Adjustments to the initial priorities may be made for several reasons.

    • Risks may be moved down. Typically these will be routine, well-anticipated risks that are highly likely to occur, but with few adverse consequences, and for which standard responses exist.
    • Risks may be moved up. Typically there will be two categories of risks like this: those risks that are more important than the initial classification indicates; and those risks that are similar to other high-priority risks and hence should be considered jointly with them.
    • Some risks may be moved up to provide additional visibility if the project team feels they should be dealt with explicitly.

    Risk evaluation, therefore, is used to make decisions about the significance of risks to the company and whether each specific risk should be accepted or treated. For the purpose of risk management, risks need to be classified as primary risks and secondary risks. Primary risks are those that are an essential part of the business undertaken. Secondary risks are those that arise out of the business activities, but are not integrally related to them. For example, the risks arising out of the industry structure are primary in nature, while foreign currency exposure arising due to exports is secondary in nature. To a large extent, primary risks have to be borne in order to generate cash flows. They can be covered only partly. Unlike primary risks, secondary risks can be covered to a large extent, and only a part of them are unavoidable. This distinction becomes very important while deciding on the risks to be covered. Further, it is generally observed that when a firm faces a high degree of primary risk, it can bear less of secondary risk. A firm having a low degree of primary risk may be able to bear higher secondary risk, depending on the management's risk-bearing capacity.
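
The analysis and evaluation steps above, as an added Python example that is not part of the original paper: it encodes the priority matrix of Table 2 and the probability bands of Table 4, lists the mirrored cells that make the matrix asymmetric, and keeps the record of every priority adjustment. The register entries and owners are constructed, and assigning the shared band edges 0.1 and 0.5 to the higher rating is an assumption.

```python
from dataclasses import dataclass, field

CONSEQUENCES = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]
LIKELIHOODS = ["Rare", "Unlikely", "Possible", "Likely", "Almost certain"]
PRIORITIES = ["Low", "Medium", "High"]

# Table 2 of the paper: rows keyed by likelihood, columns in CONSEQUENCES order.
MATRIX = {
    "Almost certain": ["Medium", "Medium", "High", "High", "High"],
    "Likely":         ["Low", "Medium", "Medium", "High", "High"],
    "Possible":       ["Low", "Medium", "Medium", "Medium", "High"],
    "Unlikely":       ["Low", "Low", "Medium", "Medium", "High"],
    "Rare":           ["Low", "Low", "Low", "Medium", "Medium"],
}


def likelihood_from_probability(p: float) -> str:
    """Map an annual probability to a Table 4 rating.

    Table 4 fixes 'over 0.8' and 'less than 0.02'; putting the shared edges
    0.1 and 0.5 in the higher band is an assumption of this example.
    """
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"probability out of range: {p}")
    if p > 0.8:
        return "Almost certain"
    if p >= 0.5:
        return "Likely"
    if p >= 0.1:
        return "Possible"
    if p >= 0.02:
        return "Unlikely"
    return "Rare"


def priority(likelihood: str, consequence: str) -> str:
    """Initial priority rating read from Table 2."""
    return MATRIX[likelihood][CONSEQUENCES.index(consequence)]


def asymmetric_cells():
    """Mirrored cell pairs that Table 2 rates differently."""
    pairs = []
    for i, rarer in enumerate(LIKELIHOODS):
        for j in range(i + 1, len(CONSEQUENCES)):
            severe = priority(rarer, CONSEQUENCES[j])             # rarer, worse outcome
            frequent = priority(LIKELIHOODS[j], CONSEQUENCES[i])  # likelier, milder outcome
            if severe != frequent:
                pairs.append(((rarer, CONSEQUENCES[j], severe),
                              (LIKELIHOODS[j], CONSEQUENCES[i], frequent)))
    return pairs


@dataclass
class Risk:
    name: str
    owner: str
    annual_probability: float
    consequence: str
    likelihood: str = field(init=False)
    initial_priority: str = field(init=False)
    agreed_priority: str = field(init=False)
    adjustments: list = field(default_factory=list)

    def __post_init__(self):
        if self.consequence not in CONSEQUENCES:
            raise ValueError(f"unknown consequence: {self.consequence}")
        self.likelihood = likelihood_from_probability(self.annual_probability)
        self.initial_priority = priority(self.likelihood, self.consequence)
        self.agreed_priority = self.initial_priority

    def adjust(self, new_priority: str, reason: str) -> None:
        """Move a risk up or down and retain the record for tracking."""
        if new_priority not in PRIORITIES:
            raise ValueError(f"unknown priority: {new_priority}")
        if not reason.strip():
            raise ValueError("an adjustment needs a recorded reason")
        self.adjustments.append((self.agreed_priority, new_priority, reason))
        self.agreed_priority = new_priority


def ranked(register):
    """Agreed priorities, highest first; ties broken by consequence, then name."""
    return sorted(register, key=lambda r: (-PRIORITIES.index(r.agreed_priority),
                                           -CONSEQUENCES.index(r.consequence),
                                           r.name))


def build_sample_register():
    """Constructed register entries, for illustration only."""
    register = [
        Risk("Payment gateway outage", "IT operations", 0.6, "Major"),
        Risk("Data centre fire", "Facilities", 0.01, "Catastrophic"),
        Risk("Late supplier invoices", "Finance", 0.9, "Insignificant"),
        Risk("Currency exposure on exports", "Treasury", 0.3, "Moderate"),
        Risk("Payment fraud by staff", "Internal audit", 0.05, "Catastrophic"),
    ]
    # Routine, well-anticipated risk with a standard response: moved down.
    register[2].adjust("Low", "routine; standard response exists")
    return register


if __name__ == "__main__":
    for pair in asymmetric_cells():
        print("asymmetric:", pair)
    for r in ranked(build_sample_register()):
        print(f"{r.agreed_priority:6} {r.name} (owner: {r.owner}) {r.adjustments}")
```

Both asymmetric pairs rate the rarer, more severe outcome above its more frequent, milder mirror image, which is the property the paper attributes to Table 2.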

    Treat Risks: The purpose of risk treatment is to determine what will be done in response to the risks that have been identified, in order to reduce the overall risk exposure. Unless action is taken, the risk identification and assessment process has been wasted. Risk treatment converts the earlier analyses into substantive actions to reduce risks. Any controls and plans in place before the risk management process began are augmented with risk action plans to deal with risks before they arise and contingency plans with which to recover if a risk comes to pass. At the end of successful risk treatment planning, detailed ideas will have been developed and documented about the best ways of dealing with each major risk, and risk action plans will have been formulated for putting the responses into effect.

    Risk treatment might also include alteration of the base plans of the business. Occasionally the best way to treat a risk might be to adopt an alternative strategy, to avoid a risk or make the company less vulnerable to its consequences.

    During the response identification and assessment process, it is often helpful to think about responses in terms of broad risk management strategies. The following are the different approaches5:

    • Risk Avoidance: An extreme way of managing risk is to avoid it altogether. This can be done by not undertaking the activity that entails risk. Though this approach is relevant under certain circumstances, it is more of an exception rather than a rule. It is neither prudent, nor possible to use it for managing all kinds of risks. The use of risk avoidance for managing all risks would result in no activity taking place, as all activities involve risk, while the level may vary.
    • Loss Control: Loss control refers to the attempt to reduce either the possibility of a loss or the quantum of loss. This is done by making adjustments in the day-to-day business activities.
    • Combination: Combination refers to the technique of combining more than one business activity in order to reduce the overall risk of the firm. It is also referred to as aggregation or diversification. It entails entering into more than one business, with the different businesses having the least possible correlation with each other.
    • Separation: Separation is the technique of reducing risk through separating parts of businesses or assets or liabilities. A firm having two highly risky businesses with a positive correlation may spin off one of them as a separate entity in order to reduce its exposure to risk.
    • Risk Transfer: Risk is transferred when the firm originally exposed to a risk transfers it to another party which is willing to bear the risk. This may be done in three ways. The first is to transfer the asset itself. There is a subtle difference between risk avoidance and risk transfer through transfer of the title of the asset. The former is about not making the investment in the first place, while the latter is about disinvesting an existing investment. The second way is to transfer the risk without transferring the title of the asset or liability. This may be done by hedging through various derivative instruments like forwards, futures, swaps and options. The third way is through arranging for a third party to pay for losses if they occur, without transferring the risk itself. This is referred to as risk financing. This may be achieved by buying insurance. A firm may insure itself against certain risks like risk of loss due to fire or earthquake, risk of loss due to theft, etc.
    • Risk Retention: Risk is retained when nothing is done to avoid, reduce, or transfer it. Risk may be retained consciously because the other techniques of managing risk are too costly or because it is not possible to employ other techniques. Risk may even be retained unconsciously when the presence of risk is not recognized. It is very important to distinguish between the risks that a firm is ready to retain and the ones it wants to offload using risk management techniques. This decision is essentially dependent upon the firm's capacity to bear the loss.
    • Risk Sharing: This technique is a combination of risk retention and risk transfer. Under this technique, a particular risk is managed by retaining a part of it and transferring the rest to a party willing to bear it.

    Risk Monitor and Review: Effective risk management requires a reporting and review structure to ensure that risks are effectively identified and assessed and that appropriate controls and responses are in place. Regular audits of policy and standards compliance should be carried out and standards performance reviewed to identify opportunities for improvement. It should be remembered that companies are dynamic and operate in dynamic environments. Changes in the company and the environment in which it operates must be identified and appropriate modifications made to systems.

    Continuous monitoring and review of risks ensures new risks are detected and managed, and that action plans are implemented and progressed effectively. The monitoring process should provide assurance that there are appropriate controls in place for the company's activities and that the procedures are understood and followed. Any monitoring and review process should also determine whether:

    • the measures adopted resulted in what was intended
    • the procedures adopted and information gathered for undertaking the assessment were appropriate
    • improved knowledge would have helped to reach better decisions and identify what lessons could be learned for future assessments and management of risks

    Review processes are often implemented as part of the regular management meeting cycle, supplemented by major reviews at significant project phases and milestones. Monitoring and review activities link risk management to other management processes. They also facilitate better risk management and continuous improvement.

    The main input to this step is the risk watch list of the major risks that have been identified for risk treatment action. The outcomes are in the form of revisions to the risk register, and a list of new action items for risk treatment. Risk monitor and review involves:

    • Choosing alternative response strategies
    • Implementing a contingency plan
    • Taking corrective actions
    • Re-planning

    The risk manager reports periodically to the senior managers on the effectiveness of the plan, any unanticipated effects, and any correction that the company must take to mitigate the risk.

    5 Project Management Institute; A Guide to the Project Management Body of Knowledge (PMBoK Guide); 2000 Edition; Algonquin College Bookstore; (Approved by ANSI as American National Standard ANSI-PMI 99-001-2000), 2000

    Communication and consultation: Communication and consultation may be a critical factor in undertaking good risk management and achieving outcomes that are broadly accepted. They help owners, clients and end users understand the risks and trade-offs that must be made. This ensures all parties are fully informed, and thus avoids unpleasant surprises. Within the risk management team, they help maintain the consistency and reasonableness of risk assessments and their underlying assumptions.

    In practice, regular reporting is an important component of communication. Managers report on the current status of risks and risk management as required by sponsors and company policy. Senior managers need to understand the risks they face, and risk reports provide a complement to other management reports in developing this understanding.

    The risk register and the supporting action plans provide the basis for most risk reporting. Reports provide a summary of risks, the status of treatment actions and an indication of trends in the incidence of risks. They are usually submitted on a regular basis or as required, as part of standard management reporting.

    3. Methodology

    We carried out the survey between October and December 2005. The purpose of the survey was to provide an overview of the extent and practice of risk management across Greek companies. The survey asked them about their understanding of risk management and its importance to their performance, how they identify and assess risks, and the action they take to deal with them. The survey used a written questionnaire and was directed to the appropriate manager in each company. The questionnaire was, therefore, designed to identify the extent to which companies identify, assess, manage and report on risk across the whole company, covering all aspects of risk linked to the achievement of the company's objectives.

    In order to carry out our survey we used a sample of Greek companies from the commercial, manufacturing, construction and services sectors. Recipients were followed up with a telephone chase for completion and return of the questionnaire. A number of questionnaire responders were interviewed. The interviews gathered qualitative information which gave a more in-depth understanding of the risk management activities undertaken in these companies. We sent the questionnaire to 80 companies. No distinction has been made between the types of company or their size. In the future this survey needs to be done in a way that reflects the nature and size of the company. A total of 50 responses were received (a 62.5 per cent response). The sample is too small for purely quantitative analysis. However, we performed a qualitative analysis, which led to very important conclusions.

    The questionnaire is based predominantly on the requirements of Risk Management Standard AS/NZS 4360:1999 issued by Standards Australia. Generally questions are of three types:

    • Questions containing a statement.
    • Multiple response questions.
    • Text response questions.

    4. Findings

    We carried out this survey in order to determine how well risk management is understood and implemented. The purpose of the survey was to provide an overview of the extent and practice of risk management across Greek companies. Risk management involves a series of well-defined steps that support better decision-making, contributing to a greater insight into risks and their likely impacts. We focused our examination on the following steps:

    STEP 1: Clarity of objectives. This means that their objectives are clearly expressed and communicated throughout the company. If objectives are unclear then the risks of under-performance or failing to meet objectives will be unclear also.

    Seventy-eight percent of companies responding to our survey agree or strongly agree that they have set out the priority of the company's business and policy objectives. Only ten percent give a negative answer to this question (Figure 2).

    Eighty-four per cent of companies responding to our survey agree or strongly agree that effective risk management is important in the achievement of the company's objectives (Figure 3).

    We asked companies whether they have clear management statements on the importance of risk management and guidance on how to implement it. Sixteen percent of companies responding to our survey say that their risk management objectives have been clearly set out. On the other hand, sixty-four per cent say they have not (Figure 4).

    Figure 2: The relative priority of the company's business and policy objectives are set out
    Strongly Disagree 4%, Disagree 6%, Neutral 12%, Agree 62%, Strongly Agree 16%

    Figure 3: Effective risk management is important in the achievement of the company's objectives
    Strongly Disagree 0%, Disagree 4%, Neutral 12%, Agree 60%, Strongly Agree 24%

    Figure 4: The company's risk management objectives have been clearly set out
    Strongly Disagree 12%, Disagree 52%, Neutral 20%, Agree 16%, Strongly Agree 0%

    Thirty-two percent say they use a common definition of risk management throughout the company. However, forty-four percent disagree or strongly disagree with this statement (Figure 5).

    Figure 5: There is a common understanding of risk management across the organization
    Strongly Disagree 10%, Disagree 34%, Neutral 24%, Agree 30%, Strongly Agree 2%

    Twenty percent of companies say that there are clear management statements on risk management in the company. However, sixty percent disagree with this statement (Figure 6).

    Figure 6: There are clear management statements on risk management in the company
    Strongly Disagree 14%, Disagree 46%, Neutral 20%, Agree 20%, Strongly Agree 0%

    Only twenty percent say that the linking of risks to objectives is effective, with forty-four percent saying that the link is ineffective and 10 percent saying that the link is not in place. That means that not enough attention is paid by managers to identifying the main factors that could put the achievement of key objectives at risk.


    STEP 2: Identification of risk. This means recognizing and identifying the key risks for which they are responsible and those risks which are most likely to impact on their performance. Ensuring that risks are identified and managed requires that responsibility for risk management activities is clearly allocated to appropriate staff; the frequency with which risk is assessed is determined; the types of risks most likely to impact on a company's performance are identified; and appropriate techniques are used to assess risk. Our survey covered these aspects of risk management.

    Companies say that they face a range of risks (Figure 8). The most common risk referred to by companies (100 per cent) is market risk. Eighty-eight percent of companies refer to business risk, eighty percent to credit risk and seventy-four percent to liquidity risk. Very significant reference was also made to reputational (72 percent), environmental (70 percent), and operational risk (68 percent).

    Figure 8: What kind of risks are identified (bar chart, 0% to 100%; categories: Business risk, Credit risk, Sovereign risk, Market risk, Liquidity risk, Operational risk, Accounting risk, Country risk, Political risk, Industry risk, Legal/regulatory risk, Systemic risk, Reputational risk, Environmental risk)

    Forty-two percent of companies told us that responsibility for the identification of risk rests with the Director of Finance, twenty-two percent with the Production Manager, sixteen percent with the Chief Executive and eight percent say it is the responsibility of the Board or senior management team (Figure 9). Ten percent of companies say that a mechanical engineer has responsibility for identifying risks. Only one company (2 percent) indicated the existence of a dedicated risk manager with responsibility for identifying risk.

    Figure 7: Your company carries out a comprehensive and systematic identification of its risks relating to each of its declared aims and objectives (Strongly Disagree 10%, Disagree 44%, Neutral 26%, Agree 20%, Strongly Agree 0%)


    Figure 9: Who has responsibility for Risk Identification (Chief Executive/Director 16%, Board / Management Team 8%, Director of Finance 42%, Internal Audit 0%, Risk manager 2%, Production managers 22%, All staff 0%, Other (please specify) 10%)

    We asked the companies about the terms that they use to identify risks. The answers show that most of them use a combination of terms. Seventy-four percent say that they identify the source of risk; fifty-eight percent try to answer the question of what can happen or why and how risk arises. Only eighteen percent investigate the area of impact (Figure 10).

    Figure 10: Does your company identify risks in terms of: what can happen? how and why risks arise? area of impact? the source of the risk? (bar chart, 0% to 80%)

    Another important issue that we covered in our survey concerns the tools and techniques that companies use for risk identification. Seventy percent of companies referred to past company experience, fifty-six percent referred to judgment, forty-four percent to brainstorming, thirty percent to physical inspection and only four percent to surveys. It is important to mention that there is no reference to the use of a scientific method, such as process analysis, operational modeling or SWOT analysis.


    Figure 11: What tools and techniques are used by your company for identifying risks: (bar chart, 0% to 70%; categories: audits or physical inspection? brainstorming? examination of local/overseas experience? SWOT analysis? interview/focus group discussion? judgemental? surveys/questionnaires? scenario analysis? operational modelling? past company experience? process analysis? other?)

    STEP 3: Assessment of risk. Risk assessment involves an analysis and evaluation of risks to provide the potential impact of identified risks, and the timescale over which the risks need to be managed. Analysis should determine the likelihood of risks maturing and the consequences of risk. Consequence and likelihood may be combined to produce an estimated level of risk, quantified wherever possible, or qualified in a range of low to high. Evaluation then enables identified risks to be ranked.

    Forty percent of companies told us that responsibility for risk assessment rests with the Director of Finance, twenty-four percent with the Chief Executive, twenty percent with the Board or senior management and ten percent say it is the responsibility of the Production Manager team (Figure 12). Only one company (2 percent) had a dedicated risk manager who is responsible for risk assessment.

    Figure 12: Who has responsibility for Risk Assessment (Chief Executive/Director 24%, Board / Management Team 20%, Director of Finance 40%, Internal Audit 0%, Risk manager 2%, Production managers 10%, All staff 0%, Other (please specify) 4%)

    Over half of companies say that they do not find it difficult to assess the likelihood of risks occurring (52 per cent). However, 30 percent of them face difficulties when they try to assess the likelihood of risk. The results concerning the prioritization of main risks are similar. Forty-six percent of companies have no difficulty assessing the relative priority which they should give to risks. However, thirty-eight percent of companies find risk prioritization difficult. On the other hand, forty percent say that they do not find it difficult to assess the potential impact of risks and forty-two percent do find it difficult (Figure 13); 16-18 percent neither agree nor disagree with these statements.


    Figure 13: Risk Prioritization - Assessment of Likelihood - Impact (bar chart, Strongly Disagree to Strongly Agree, 0% to 40%; series: The company finds it difficult to prioritize its main risks; The company finds it difficult to assess the likelihood of risks occurring; The company finds it difficult to assess the potential impacts of risks materializing)

    Sixty-four percent also say that the level of risk which they face has increased in the last five years. Only ten percent of the companies say that they believe that the risk they face has decreased in the last five years (Figure 14).

    Figure 14: In the last five years the level of risk faced by the company has ... (Increased 64%, Decreased 10%, Not changed 12%, Not sure 14%)

    STEP 4: Response to risk. This means determining the level and type of risk that is acceptable, determining resources needed to manage identified risks, and prioritizing and allocating responsibility for them.

    To determine what companies believe will be done about the risks they have identified in order to reduce overall risk exposure, we asked them to what extent their company uses the risk treatment option of:

    transferring the risk

    accepting/retaining the risk

    reducing the risk

    avoiding the risk

    Forty-four percent say that they prefer risk transfer, thirty-eight percent say that they prefer to avoid the risk, fourteen percent accept/retain the risk, and only four percent try to reduce the risk.


    Figure 15: To what extent does your company use the risk treatment option of: (accepting/retaining the risk? 14%; avoiding the risk, e.g. not proceeding with activity? 38%; reducing the risk, e.g. controlling the risk? 4%; transferring the risk, e.g. insurance? 44%)

    The company's response to risk is the prioritization of risks that need active management. Sixty percent of the companies agree with this statement. On the other hand, twenty-two percent of the companies say that response to risk includes an evaluation of the effectiveness of the existing controls and risk management responses. Only twenty-six percent of the companies say that response to risk includes action plans for implementing decisions about identified risks. Finally, only twenty-six percent of the companies say that response to risk includes an assessment of the costs and benefits of addressing risks.

    Figure 16: The company's response to risk includes ... (bar chart, Strongly Disagree to Strongly Agree, 0% to 60%; series: An evaluation of the effectiveness of the existing controls and risk management responses; Action plans for implementing decisions about identified risks; An assessment of the costs and benefits of addressing risks; Prioritizing of risks that need active management; Other)

    STEP 5: Monitoring and review. Risk management is a continuous process which should include monitoring and reviewing identified risks, and being open to new or changed risks and opportunities resulting from evolving circumstances.

    We asked the companies how regularly they review their insurance coverage. Sixty-six percent of the companies say that they review their insurance coverage annually. Fourteen percent of the companies say that they review their insurance coverage quarterly and four percent of the companies say that they review their insurance coverage monthly. Only sixteen percent of the companies say that they review their insurance coverage less frequently than annually.


    Figure 17: How regularly does the company review its insurance coverage (monthly 4%, quarterly 14%, annually 66%, less frequently than annually 16%)

    We asked the companies if they believe that their management procedures have improved, worsened or did not change at all in the last five years. Most of them (62 percent) believe that nothing has changed. Twenty-four percent say that their management procedures have improved. It is impressive that no one says that their management procedures have worsened.

    Figure 18: In the last five years the company's risk management procedures have ... (Improved 24%, Worsened 0%, Not changed 62%, Not sure 14%)

    In the last part of the questionnaire we examined the companies' culture about risk. The questions tend to relate the culture of the company and the degree to which policies and procedures support risk and risk management.

    Although in practice companies can be major risk takers they tend to regard themselves as more risk averse than risk taking. We asked those in our survey to rate their department on a scale of 1 to 5 with 1 representing a more risk taking approach and 5 suggesting a risk averse culture. Forty-six percent of companies told us that they tend to be more risk averse than risk taking, whereas twenty-six percent regarded themselves as more risk taking than risk averse (Figure 19).


    Figure 19: The company regards itself as having a risk taking or risk averse culture? from 1: risk taking to 5: risk averse (bar chart; horizontal axis: rating 1 to 5; vertical axis: 0 to 14)

    Thirty-six percent of the companies say that they know how much risk they may take in order to achieve their objectives. However, thirty-two percent of the companies say that they do not know how much risk they may take in order to achieve their objectives.

    Figure 20: The company knows how much risk it may take in the achievement of its objectives (Strongly Disagree 10%, Disagree 22%, Neutral 32%, Agree 32%, Strongly Agree 4%)

    In responding to our survey, companies identify the lack of appropriate training in risk management. Thirty-four percent of companies say that they covered training about risk management strategies. Twenty percent of companies say that they covered training about risk management processes. Only two percent (one company) of companies say that they covered training about risk taking.


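    Figure 21: Management have received training in ... (bar chart, 0% to 35%; categories: Risk management strategy, Risk management processes, Risk taking)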

    5. Conclusions

    Risk management is part of any company's strategic management. It is the process whereby companies methodically address the risks attaching to their activities with the goal of achieving sustained benefit within each activity and across the portfolio of all activities. The focus of good risk management is the identification and treatment of these risks. Its objective is to add maximum sustainable value to all the activities of the company.

    Our survey asked companies about:

    their understanding of risk management and its importance to their performance;

    how they identify and assess risks; and

    the action which they take to manage risks.

    While our survey found growing recognition of the importance of risk management, companies were less sure as to how it should be implemented in practice.

    The results of the survey indicate that:

    Determination of objectives is the first step in the risk management function. The objective of risk management needs to be decided upon by the management, so that the company may fulfill its responsibilities in accordance with the set objectives.

    The impact of risk management was seen as too low. With systematic risk management, however, this impact can be improved.

    The number of identified but not analyzed risks is quite large. A relatively small proportion of identified risks were considered during risk analysis.

    A few companies apply systematic, documented risk management methods; most managers rely on intuition and luck instead of managing risks systematically and consistently.

    Companies need effective training on risk and risk management.

    There is some inconsistency in companies' approach to risk management in that, while many recognize that it is important to the achievement of their objectives, they are less clear on how risks should be managed and few provide training on how to do so. Risk management will only become standard practice in companies if there is better understanding of what it involves and the benefits which it can help to secure in terms of improved service delivery and achieving key objectives.

    The findings suggest that a significant amount of work still needs to be done by companies to achieve best practice.


    This was the first in a series of such surveys, to be produced regularly to provide comparisons over time, and updates on this rapidly changing business environment.
