Risk concerns the deviation of one or more results of one or more future events from their expected value. Technically, the value of
those results may be positive or negative. However, general usage tends to focus only on potential harm that may arise from a future
event, which may accrue either from incurring a cost ("downside risk") or by failing to attain some benefit ("upside risk").
Historical background
The term risk may be traced back to classical Greek rizikon (Greek ριζα, riza), meaning root, later used in Latin for "cliff". The term
is used in Homer's Rhapsody M of the Odyssey, "Sirens, Scylla, Charybdee and the bulls of Helios (Sun)": Odysseus tried to save
himself from Charybdee at the cliffs of Scylla, where his ship was destroyed by heavy seas generated by Zeus as a punishment for
his crew's earlier killing of the bulls of Helios (the god of the sun), by grasping the roots of a wild fig tree.
For the sociologist Niklas Luhmann the term 'risk' is a neologism that appeared with the transition from traditional to modern
society.[1] "In the Middle Ages the term risicum was used in highly specific contexts, above all sea trade and its ensuing legal
problems of loss and damage."[1][2] In the vernacular languages of the 16th century the words rischio and riezgo were used,[1] both
terms derived from the Arabic word رزق, "rizk", meaning 'to seek prosperity'. This was introduced to continental Europe through
interaction with Middle Eastern and North African Arab traders. In the English language the term risk appeared only in the 17th
century, and "seems to be imported from continental Europe."[1] When the terminology of risk took ground, it replaced the older
notion that thought "in terms of good and bad fortune." Niklas Luhmann (1996) seeks to explain this transition: "Perhaps, this was
simply a loss of plausibility of the old rhetorics of Fortuna as an allegorical figure of religious content and of prudentia as a (noble)
virtue in the emerging commercial society."[3]
Scenario analysis matured during Cold War confrontations between major powers, notably the United States and the Soviet Union.
It became widespread in insurance circles in the 1970s when major oil tanker disasters forced a more comprehensive foresight.
The scientific approach to risk entered finance in the 1960s with the advent of the capital asset pricing model and became
increasingly important in the 1980s when financial derivatives proliferated. It reached general professions in the 1990s when the
power of personal computing allowed for widespread data collection and number crunching. Governments are using it, for example,
to set standards for environmental regulation, e.g. "pathway analysis" as practiced by the United States Environmental Protection
Agency.
Definitions of risk
There are different definitions of risk for each of several applications. The widely inconsistent and ambiguous use of the word is one
of several current criticisms of the methods to manage risk.
In one definition, "risks" are simply future issues that can be avoided or mitigated, rather than present problems that must be
immediately addressed. In risk management, the term "hazard" is used to mean an event that could cause harm and the term "risk" is
used to mean simply the probability of something happening.
OHSAS (Occupational Health & Safety Advisory Services) defines risk as the product of the probability of a hazard resulting in an
adverse event, times the severity of the event. Mathematically, risk is often simply defined as:
One of the first major uses of this concept was at the planning of the Delta Works in 1953, a flood protection program in the
Netherlands, with the aid of the mathematician David van Dantzig.[7] The kind of risk analysis pioneered here has become common
today in fields like nuclear power, aerospace and the chemical industry.
There are many formal methods used to assess or to
"measure" risk, which many consider to be a critical factor in human decision making. Some of these quantitative definitions of risk
are well-grounded in sound statistics theory. However, these measurements of risk rely on failure occurrence data which may be
sparse. This makes risk assessment difficult in hazardous industries such as nuclear energy where the frequency of failures is rare
and harmful consequences of failure are astronomical. The dangerous harmful consequences often necessitate actions to reduce the
probability of failure to infinitesimally small values which are hard to measure and corroborate with empirical evidence. Often, the
probability of a negative event is estimated by using the frequency of past similar events or by event-tree methods, but probabilities
for rare failures may be difficult to estimate if an event tree cannot be formulated. Methods to calculate the cost of the loss of human
life vary depending on the purpose of the calculation. Specific methods include what people are willing to pay to insure against
death, and radiological release (e.g., GBq of radio-iodine).
Financial risk is often defined as the unexpected variability or volatility of returns and thus includes both potential worse-than-
expected as well as better-than-expected returns. References to negative risk below should be read as applying to positive impacts or
opportunity (e.g., for "loss" read "loss or gain") unless the context precludes this interpretation.
In statistics, risk is often mapped to the probability of some event seen as undesirable. Usually, the probability of that event and
some assessment of its expected harm must be combined into a believable scenario (an outcome), which combines the set of risk,
regret and reward probabilities into an expected value for that outcome. (See also Expected utility.)
Thus, in statistical decision theory, the risk function of an estimator δ(x) for a parameter θ, calculated from some observables x, is
defined as the expectation value of the loss function L.
In information security, a risk is written as an asset, the threats to the asset
and the vulnerability that can be exploited by the threats to impact the asset - an example being: Our desktop computers (asset) can
be compromised by malware (threat) entering the environment as an email attachment (vulnerability).
The two probabilities are sometimes combined and are also known as likelihood. If any of these variables approaches zero, the
overall risk approaches zero.
Risk versus uncertainty
Risk: Combination of the likelihood of an occurrence of a hazardous event or exposure(s) and the severity
of injury or ill health that can be caused by the event or exposure(s).
In his seminal work Risk, Uncertainty, and Profit, Frank Knight (1921) established the distinction between risk and uncertainty.
“ ... Uncertainty must be taken in a sense radically distinct from the familiar notion of Risk, from which it has never been
properly separated. The term "risk," as loosely used in everyday speech and in economic discussion, really covers two
things which, functionally at least, in their causal relations to the phenomena of economic organization, are categorically
different. ... The essential fact is that "risk" means in some cases a quantity susceptible of measurement, while at other
times it is something distinctly not of this character; and there are far-reaching and crucial differences in the bearings of
the phenomenon depending on which of the two is really present and operating. ... It will appear that a measurable
uncertainty, or "risk" proper, as we shall use the term, is so far different from an unmeasurable one that it is not in effect
an uncertainty at all. We ... accordingly restrict the term "uncertainty" to cases of the non-quantitive type. ”
Thus, Knightian uncertainty is immeasurable, not possible to calculate, while in the Knightian sense risk is measurable.
Another distinction between risk and uncertainty is proposed in How to Measure Anything: Finding the Value of Intangibles in Business and
The Failure of Risk Management: Why It's Broken and How to Fix It by Doug Hubbard:
Uncertainty: The lack of complete certainty, that is, the existence of more than one possibility. The "true"
outcome/state/result/value is not known.
Measurement of uncertainty: A set of probabilities assigned to a set of possibilities. Example: "There is a 60% chance this market
will double in five years"
Risk: A state of uncertainty where some of the possibilities involve a loss, catastrophe, or other undesirable outcome.
Measurement of risk: A set of possibilities each with quantified probabilities and quantified losses. Example: "There is a 40%
chance the proposed oil well will be dry with a loss of $12 million in exploratory drilling costs".
In this sense, Hubbard uses the terms so that one may have uncertainty without risk but not risk without uncertainty. We can be
uncertain about the winner of a contest, but unless we have some personal stake in it, we have no risk. If we bet money on the
outcome of the contest, then we have a risk. In both cases there is more than one outcome. The measure of uncertainty refers only
to the probabilities assigned to outcomes, while the measure of risk requires both probabilities for outcomes and losses quantified
for outcomes.
Hubbard also argues that defining risk as the product of impact and probability presumes (probably incorrectly) that the
decision makers are risk neutral. Only for a risk neutral person is the "certain monetary equivalent" exactly equal to the probability
of the loss times the amount of the loss. For example, a risk neutral person would consider 20% chance of winning $1 million
exactly equal to $200,000 (or a 20% chance of losing $1 million to be exactly equal to losing $200,000). However, most decision
makers are not actually risk neutral and would not consider these equivalent choices. This gave rise to Prospect theory and
Cumulative prospect theory. Hubbard proposes instead that risk is a kind of "vector quantity" that does not collapse the probability
and magnitude of a risk by presuming anything about the risk tolerance of the decision maker. Risks are simply described as a set or
function of possible loss amounts each associated with specific probabilities. How this array is collapsed into a single value cannot
be done until the risk tolerance of the decision maker is quantified.
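Hubbard's argument, as an added Python example that is not part of the original text: one set of loss/probability pairs collapses to different single values depending on the decision maker's risk tolerance. The exponential utility model, the `risk_tolerance` parameter and the sample figures other than the page's 20% chance of losing $1 million are assumptions chosen for illustration.

```python
import math

# A risk in the "vector" sense described above: (probability, loss) pairs.
# Constructed samples: the page's 20% chance of losing $1 million, and a
# certain loss of $200,000, which has the same expected value.
GAMBLE = [(0.20, 1_000_000.0), (0.80, 0.0)]
SURE_LOSS = [(1.00, 200_000.0)]


def check(risk):
    """Reject inputs that are not a probability distribution over losses."""
    if any(p < 0 or loss < 0 for p, loss in risk):
        raise ValueError("probabilities and losses must be non-negative")
    if not math.isclose(sum(p for p, _ in risk), 1.0, abs_tol=1e-9):
        raise ValueError("probabilities must sum to 1")


def expected_loss(risk):
    """Probability times loss, summed: the risk-neutral collapse."""
    check(risk)
    return sum(p * loss for p, loss in risk)


def exceedance(risk, threshold):
    """Probability that the loss is at least `threshold` (no collapse needed)."""
    check(risk)
    return sum(p for p, loss in risk if loss >= threshold)


def certain_equivalent(risk, risk_tolerance=None):
    """Certain loss the decision maker treats as equal to `risk`.

    Assumption (not from the page): risk aversion is modelled with the
    exponential utility u(w) = -exp(-w / R), where R is the risk tolerance
    in dollars, so CE = R * ln(E[exp(loss / R)]). None means risk neutral.
    """
    check(risk)
    if risk_tolerance is None:
        return expected_loss(risk)
    if risk_tolerance <= 0:
        raise ValueError("risk tolerance must be positive")
    worst = max(loss for _, loss in risk)
    # Log-sum-exp form keeps exp() from overflowing when loss / R is large.
    scaled = sum(p * math.exp((loss - worst) / risk_tolerance)
                 for p, loss in risk if p > 0)
    return worst + risk_tolerance * math.log(scaled)


if __name__ == "__main__":
    print("P(loss >= $500k):", exceedance(GAMBLE, 500_000))
    for tolerance in (None, 5_000_000, 1_000_000, 500_000):
        label = "risk neutral" if tolerance is None else f"R=${tolerance:,}"
        print(f"{label:>14}: gamble ${certain_equivalent(GAMBLE, tolerance):,.0f}"
              f" vs sure loss ${certain_equivalent(SURE_LOSS, tolerance):,.0f}")
```

Only the risk-neutral row treats the gamble and the certain $200,000 loss as equal; every finite tolerance prices the gamble higher, which is why the pairs are kept uncollapsed until the tolerance is known.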
Risk can be both negative and positive, but it tends to be the negative side that people focus on. This is because some things can be
dangerous, such as putting their own or someone else’s life at risk. Risks concern people as they think that they will have a negative
effect on their future.
Insurance is a risk-reducing investment in which the buyer pays a small fixed amount to be protected from a potential large loss.
Gambling is a risk-increasing investment, wherein money on hand is risked for a possible large return, but with the possibility of
losing it all. Purchasing a lottery ticket is a very risky investment with a high chance of no return and a small chance of a very high
return. In contrast, putting money in a bank at a defined rate of interest is a risk-averse action that gives a guaranteed return of a
small gain and precludes other investments with possibly higher gain.
Risks in personal health may be reduced by primary prevention actions that decrease early causes of illness or by secondary
prevention actions after a person has clearly measured clinical signs or symptoms recognized as risk factors. Tertiary prevention
reduces the negative impact of an already established disease by restoring function and reducing disease-related complications.
Ethical medical practice requires careful discussion of risk factors with individual patients to obtain informed consent for secondary
and tertiary prevention efforts, whereas public health efforts in primary prevention require education of the entire population at risk.
In each case, careful communication about risk factors, likely outcomes and certainty must distinguish between causal events that
must be decreased and associated events that may be merely consequences rather than causes.
Economic risk
Economic risks can be manifested in lower incomes or higher expenditures than expected. The causes can be many, for instance, the
hike in the price for raw materials, the lapsing of deadlines for construction of a new operating facility, disruptions in a production
process, emergence of a serious competitor on the market, the loss of key personnel, the change of a political regime, or natural
disasters.[11] Reference class forecasting was developed to eliminate or reduce economic risk.[12]
In business
Means of assessing risk vary widely between professions. Indeed, they may define these professions; for example, a doctor manages
medical risk, while a civil engineer manages risk of structural failure. A professional code of ethics is usually focused on risk
assessment and mitigation (by the professional on behalf of client, public, society or life in general).
In the workplace, incidental and inherent risks exist. Incidental risks are those that occur naturally in the business but are not part of
the core of the business. Inherent risks have a negative effect on the operating profit of the business.
Risk-sensitive industries
Some industries manage risk in a highly quantified and enumerated way. These include the nuclear power and aircraft industries,
where the possible failure of a complex series of engineered systems could result in highly undesirable outcomes. The usual
measure of risk for a class of events is then:
In the nuclear industry, consequence is often measured in terms of off-site radiological release, and this is often banded into five or
six decade-wide bands.
The risks are evaluated using fault tree/event tree techniques (see safety engineering). Where these risks are low, they are normally
considered to be "Broadly Acceptable". A higher level of risk (typically up to 10 to 100 times what is considered Broadly
Acceptable) has to be justified against the costs of reducing it further and the possible benefits that make it tolerable—these risks are
described as "Tolerable if ALARP". Risks beyond this level are classified as "Intolerable".
The level of risk deemed Broadly Acceptable has been considered by regulatory bodies in various countries—an early attempt by
UK government regulator and academic F. R. Farmer used the example of hill-walking and similar activities, which have definable
risks that people appear to find acceptable. This resulted in the so-called Farmer Curve of acceptable probability of an event versus
its consequence.
The technique as a whole is usually referred to as Probabilistic Risk Assessment (PRA) (or Probabilistic Safety Assessment, PSA).
See WASH-1400 for an example of this approach.
In finance
Financial risk
In finance, risk is the probability that an investment's actual return will be different than expected. This includes the possibility of
losing some or all of the original investment. Some regard a calculation of the standard deviation of the historical returns or average
returns of a specific investment as providing some historical measure of risk; see modern portfolio theory. Financial risk may be
market-dependent, determined by numerous market factors, or operational, resulting from fraudulent behavior (e.g. Bernard
Madoff). Recent studies suggest that testosterone level plays a major role in risk taking during financial decisions.[13][14]
In finance, risk has no one definition, but some theorists, notably Ron Dembo, have defined quite general methods to assess risk as
an expected after-the-fact level of regret. Such methods have been uniquely successful in limiting interest rate risk in financial
markets. Financial markets are considered to be a proving ground for general methods of risk assessment. However, these methods
are also hard to understand. The mathematical difficulties interfere with other social goods such as disclosure, valuation and
transparency. In particular, it is not always obvious if such financial instruments are "hedging" (purchasing/selling a financial
instrument specifically to reduce or cancel out the risk in another investment) or "speculation" (increasing measurable risk and
exposing the investor to catastrophic loss in pursuit of very high windfalls that increase expected value).
As regret measures rarely reflect actual human risk-aversion, it is difficult to determine if the outcomes of such transactions will be
satisfactory. Risk seeking describes an individual whose utility function's second derivative is positive. Such an individual would
willingly (actually pay a premium to) assume all risk in the economy and is hence not likely to exist.
In financial markets, one may need to measure credit risk, information timing and source risk, probability model risk, and legal risk
if there are regulatory or civil actions taken as a result of some "investor's regret". Knowing one's risk appetite in conjunction with
one's financial well-being is most crucial.
A fundamental idea in finance is the relationship between risk and return (see modern portfolio theory). The greater the potential
return one might seek, the greater the risk that one generally assumes. A free market reflects this principle in the pricing of an
instrument: strong demand for a safer instrument drives its price higher (and its return proportionately lower), while weak demand
for a riskier instrument drives its price lower (and its potential return thereby higher).
"For example, a US Treasury bond is considered to be one of the safest investments and, when compared to a corporate bond,
provides a lower rate of return. The reason for this is that a corporation is much more likely to go bankrupt than the U.S.
government. Because the risk of investing in a corporate bond is higher, investors are offered a higher rate of return."
The most popular, and lately also the most vilified, risk measurement is Value-at-Risk (VaR). There are different types of VaR:
Long Term VaR, Marginal VaR, Factor VaR and Shock VaR. The latter is used in measuring risk during extreme market stress
conditions.
In public works
In a peer reviewed study of risk in public works projects located in twenty nations on five continents, Flyvbjerg, Holm, and Buhl
(2002, 2005) documented high risks for such ventures for both costs[16] and demand. Actual costs of projects were typically higher
than estimated costs; cost overruns of 50% were common, overruns above 100% not uncommon. Actual demand was often lower
than estimated; demand shortfalls of 25% were common, of 50% not uncommon. Due to such cost and demand risks, cost-benefit
analyses of public works projects have proved to be highly uncertain. The main causes of cost and demand risks were found to be
optimism bias and strategic misrepresentation. Measures identified to mitigate this type of risk are better governance through
incentive alignment and the use of reference class forecasting.
In human services
Huge ethical and political issues arise when human beings themselves are seen or treated as 'risks', or when the risk decision making
of people who use human services might have an impact on that service. The experience of many people who rely on human
services for support is that 'risk' is often used as a reason to prevent them from gaining further independence or fully accessing the
community, and that these services are often unnecessarily risk averse.
Risk in psychology
Regret
In decision theory, regret (and anticipation of regret) can play a significant part in decision-making, distinct from risk aversion
(preferring the status quo in case one becomes worse off).
Framing
Framing is a fundamental problem with all forms of risk assessment. In particular, because of bounded rationality (our brains get
overloaded, so we take mental shortcuts), the risk of extreme events is discounted because the probability is too low to evaluate
intuitively. As an example, one of the leading causes of death is road accidents caused by drunk driving—partly because any given
driver frames the problem by largely or totally ignoring the risk of a serious or fatal accident.
For instance, an extremely disturbing event (an attack by hijacking, or moral hazards) may be ignored in analysis despite the fact it
has occurred and has a nonzero probability. Or, an event that everyone agrees is inevitable may be ruled out of analysis due to greed
or an unwillingness to admit that it is believed to be inevitable. These human tendencies for error and wishful thinking often affect
even the most rigorous applications of the scientific method and are a major concern of the philosophy of science.
All decision-making under uncertainty must consider cognitive bias, cultural bias, and notational bias: No group of people assessing
risk is immune to "groupthink": acceptance of obviously wrong answers simply because it is socially painful to disagree, where
there are conflicts of interest. One effective way to solve framing problems in risk assessment or measurement (although some argue
that risk cannot be measured, only assessed) is to raise others' fears or personal ideals by way of completeness.
Neurobiology of Framing
Framing involves other information that affects the outcome of a risky decision. The right prefrontal cortex has been shown to take a
more global perspective while greater left prefrontal activity relates to local or focal processing.
From the Theory of Leaky Modules, McElroy and Seta proposed that they could predictably alter the framing effect by the selective
manipulation of regional prefrontal activity with finger tapping or monaural listening. The result was as expected. Rightward
tapping or listening had the effect of narrowing attention such that the frame was ignored. This is a practical way of manipulating
regional cortical activation to affect risky decisions, especially because directed tapping or listening is easily done.
For the time being, people rely on their fear and hesitation to keep them out of the most profoundly unknown circumstances.
In The Gift of Fear, Gavin de Becker argues that "True fear is a gift. It is a survival signal that sounds only in the presence of
danger. Yet unwarranted fear has assumed a power over us that it holds over no other creature on Earth. It need not be this way."
Risk could be said to be the way we collectively measure and share this "true fear"—a fusion of rational doubt, irrational fear, and a
set of unquantified biases from our own experience.
The field of behavioral finance focuses on human risk-aversion, asymmetric regret, and other ways that human financial behavior
varies from what analysts call "rational". Risk in that case is the degree of uncertainty associated with a return on an asset.
Recognizing and respecting the irrational influences on human decision making may do much to reduce disasters caused by naive
risk assessments that pretend to rationality but in fact merely fuse many shared biases together.
Because planned actions are subject to large cost and benefit risks, proper risk assessment and risk management for such actions are
crucial to making them successful.
Since risk assessment and management are essential in security management, the two are tightly related. Security assessment
methodologies like CRAMM contain risk assessment modules as an important part of the first steps of the methodology. On the
other hand, risk assessment methodologies like Mehari evolved to become security assessment methodologies. An ISO standard
on risk management (Principles and guidelines on implementation) is currently being drafted under code ISO 31000. Target
publication date: 30 May 2009.
Risk in auditing
The audit risk model expresses the risk of an auditor providing an inappropriate opinion of a commercial entity's financial
statements. It can be analytically expressed as:
AR = IR x CR x DR
Where AR is audit risk, IR is inherent risk, CR is control risk and DR is detection risk.
Risk Management
Risk management is increasingly recognized as being concerned with both positive and negative aspects of
risk. Therefore this standard considers risk from both perspectives. In the safety field, it is generally recognized that consequences
are only negative and therefore the management of safety risk is focused on prevention and mitigation of harm.
The Risk Management Process
Risk management is a central part of any organization’s strategic management. It is the process whereby organizations methodically
address the risks attaching to their activities with the goal of achieving sustained benefit within each activity and across the portfolio
of all activities. The focus of good risk management is the identification and treatment of these risks. Its objective is to add
maximum sustainable value to all the activities of the organisation. It marshals the understanding of the potential upside and
downside of all those factors which can affect the organisation. It increases the probability of success, and reduces both the
probability of failure and the uncertainty of achieving the organisation’s overall objectives. Risk management should be a
continuous and developing process which runs throughout the organisation’s strategy and the implementation of that strategy. It
should address methodically all the risks surrounding the organisation’s activities past, present and in particular, future. It must be
integrated into the culture of the organisation with an effective policy and a programme led by the most senior management. It must
translate the strategy into tactical and operational objectives, assigning responsibility throughout the organisation with each manager
and employee responsible for the management of risk as part of their job description. It supports accountability, performance
measurement and reward, thus promoting operational efficiency at all levels.
[Figure: the risk management process. Labels: The Organization’s Strategic Objectives; Risk Assessment; Risk Analysis; Risk Identification; Risk Description; Risk Estimation; Risk Evaluation; Risk Reporting; Threats and Opportunities; Decision; Risk Treatment; Residual Risk Reporting; Monitoring]
Risk management protects and adds value to the organisation and its stakeholders through supporting the organisation’s objectives
by:
• providing a framework for an organisation that enables future activity to take place in a consistent and controlled manner
• improving decision making, planning and prioritisation by comprehensive and structured understanding of business activity,
volatility and project opportunity/threat
• contributing to more efficient use/allocation of capital and resources within the organisation
• reducing volatility in the non essential areas of the business
• protecting and enhancing assets and company image
• developing and supporting people and the organisation’s knowledge base
• optimising operational efficiency
Risk Assessment
Risk Assessment is defined by the ISO/IEC Guide 73 as the overall process of risk analysis and risk evaluation.
Risk Analysis
4.1 Risk Identification
Risk identification sets out to identify an organisation’s exposure to uncertainty. This requires an intimate
knowledge of the organisation, the market in which it operates, the legal, social, political and cultural environment in which it
exists, as well as the development of a sound understanding of its strategic and operational objectives, including factors critical to
its success and the threats and opportunities related to the achievement of these objectives.
Risk identification should be approached in a methodical way to ensure that all significant activities within the organization have
been identified and all the risks flowing from these activities defined. All associated volatility related to these activities should be
identified and categorised. Business activities and decisions can be classified in a range of ways, examples of which include:
• Strategic - These concern the long-term strategic objectives of the organisation. They can be affected by such areas as capital
availability, sovereign and political risks, legal and regulatory changes, reputation and changes in the physical environment.
• Operational - These concern the day-to-day issues that the organisation is confronted with as it strives to deliver its strategic
objectives.
• Financial - These concern the effective management and control of the finances of the organisation and the effects of external
factors such as availability of credit, foreign exchange rates, interest rate movement and other market exposures.
• Knowledge management - These concern the effective management and control of the knowledge resources, the production,
protection and communication thereof. External factors might include the unauthorised use or abuse of intellectual property, area
power failures, and competitive technology. Internal factors might be system malfunction or loss of key staff.
• Compliance - These concern such issues as health & safety, environmental, trade descriptions, consumer protection, data
protection, employment practices and regulatory issues.
Whilst risk identification can be carried out by outside consultants, an in-house approach with well communicated, consistent and
co-ordinated processes and tools (see Appendix, page 14) is likely to be more effective. In-house ‘ownership’ of the risk
management process is essential.
4.2 Risk Description
The objective of risk description is to display the identified risks in a structured format, for example, by using a table. The risk
description table overleaf can be used to facilitate the description and assessment of risks. The use of a well designed structure is
necessary to ensure a comprehensive risk identification, description and assessment process. By considering the consequence and
probability of each of the risks set out in the table, it should be possible to prioritize the key risks that need to be analyzed in more
detail. Identification of the risks associated with business activities and decision making may be categorised as strategic, project/
tactical, operational. It is important to incorporate risk management at the conceptual stage of projects as well as throughout the life
of a specific project.
4.3 Risk Estimation
Risk estimation can be quantitative, semiquantitative or qualitative in terms of the probability of occurrence and the possible
consequence. For example, consequences both in terms of threat (downside risks) and opportunities (upside risks) may be high,
medium or low (see table 4.3.1). Probability may be high, medium or low but requires different definitions in respect of threats and
opportunities (see tables 4.3.2 and 4.3.3). Examples are
given in the tables overleaf. Different organisations will find that different measures of consequence and probability will suit their
needs best. For example many organisations find that assessing consequence and probability as high, medium or low is quite
adequate for their needs and can be presented as a 3 x 3 matrix. Other organisations find that assessing consequence and probability
using a 5 x 5 matrix gives them a better evaluation.
4.4 Risk Analysis methods and techniques
A range of techniques can be used to analyse risks. These can be specific to upside or downside risk or be capable of dealing with
both. (See Appendix, page 14, for examples).
Risk Evaluation
When the risk analysis process has been completed, it is necessary to compare the estimated risks against risk criteria which the
organisation has established. The risk criteria may include associated costs and benefits, legal requirements, socioeconomic and
environmental factors, concerns of stakeholders, etc. Risk evaluation, therefore, is used to make decisions about the significance of
risks to the organisation and whether each specific risk should be accepted or treated.
Risk Treatment
Risk treatment is the process of selecting and implementing measures to modify the risk. Risk treatment includes as its major
element, risk control/mitigation, but extends further to, for example, risk avoidance, risk transfer, risk financing, etc.
NOTE: In this standard, risk financing refers to the mechanisms (e.g. insurance programmes) for funding the financial
consequences of risk. Risk financing is not generally considered to be the provision of funds to meet the cost of implementing
risk treatment.
Any system of risk treatment should provide as a minimum:
• effective and efficient operation of the organisation
• effective internal controls
• compliance with laws and regulations.
The risk analysis process assists the effective and efficient operation of the organization by identifying those risks which require
attention by management. They will need to prioritise risk control actions in terms of their potential to benefit the organisation.
Effectiveness of internal control is the degree to which the risk will either be eliminated or reduced by the proposed control
measures. Cost effectiveness of internal control relates to the cost of implementing the control compared to the risk reduction
benefits expected. The proposed controls need to be measured in terms of potential economic effect if no action is taken versus the
cost of the proposed action(s) and invariably require more detailed information and assumptions than are immediately available.
Firstly, the cost of implementation has to be established. This has to be calculated with some accuracy since it quickly becomes the
baseline against which cost effectiveness is measured. The loss to be expected if no action is taken must also be estimated and by
comparing the results, management can decide whether or not to implement the risk control measures.
Compliance with laws and regulations is not an option. An organisation must understand the applicable laws and must implement a
system of controls to achieve compliance. There is only occasionally some flexibility where the cost of reducing a risk may be
totally disproportionate to that risk. One method of obtaining financial protection against the impact of risks is through risk
financing which includes insurance. However, it should be recognised that some losses or elements of a loss will be uninsurable, e.g.
the uninsured costs associated with work-related health, safety or environmental incidents, which may include damage to employee
morale and the organisation’s reputation.
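The cost-effectiveness comparison described above, as an added Python example that is not part of the original text: each proposed control's cost is set against the expected loss it removes, and because the probability estimate is usually a range, the break-even probability shows whether the decision survives that uncertainty. The risk reuses the page's desktop/malware/email-attachment illustration; all control names, probabilities and amounts are constructed, and the `mandatory` flag is an assumed way to model the compliance rule.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    p_low: float    # low estimate of the yearly probability of the event
    p_high: float   # high estimate of the same probability
    loss: float     # loss per event if no action is taken


@dataclass(frozen=True)
class Control:
    name: str
    yearly_cost: float       # cost of implementation: the baseline
    effectiveness: float     # share of the expected loss removed, 0..1
    mandatory: bool = False  # required by law or regulation


def break_even_probability(risk, control):
    """Yearly probability above which the control saves more than it costs."""
    avoided_per_event = risk.loss * control.effectiveness
    if avoided_per_event <= 0:
        return float("inf")
    return control.yearly_cost / avoided_per_event


def net_benefit(risk, control, probability):
    """Expected loss with no action, minus residual loss, minus control cost."""
    no_action = probability * risk.loss
    residual = no_action * (1.0 - control.effectiveness)
    return (no_action - residual) - control.yearly_cost


def decide(risk, control):
    """Classify a control using both ends of the probability estimate."""
    if not 0.0 <= risk.p_low <= risk.p_high <= 1.0:
        raise ValueError("need 0 <= p_low <= p_high <= 1")
    if not 0.0 <= control.effectiveness <= 1.0:
        raise ValueError("effectiveness must be between 0 and 1")
    if control.mandatory:
        return "implement (compliance)"    # cost comparison does not apply
    if net_benefit(risk, control, risk.p_low) > 0:
        return "implement"                 # pays off even at the low estimate
    if net_benefit(risk, control, risk.p_high) <= 0:
        return "reject on cost"            # never pays off within the range
    return "refine estimates"              # break-even lies inside the range


# Constructed sample data.
DESKTOPS = Risk("desktop computers", "malware", "email attachment",
                p_low=0.10, p_high=0.40, loss=250_000.0)
CONTROLS = [
    Control("attachment sandboxing", 30_000.0, 0.6),
    Control("user awareness training", 5_000.0, 0.3),
    Control("desktop fleet replacement", 80_000.0, 0.7),
    Control("legally required incident logging", 12_000.0, 0.0, mandatory=True),
]


def report(risk, controls):
    """Return (control name, break-even probability, decision) per control."""
    return [(c.name, break_even_probability(risk, c), decide(risk, c))
            for c in controls]


if __name__ == "__main__":
    for name, break_even, decision in report(DESKTOPS, CONTROLS):
        print(f"{name:<36} break-even p={break_even:.3f}  {decision}")
```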