Risk management in an organization


This guide is written to advise on an approach to managing risk in terms of procedures to be followed in performing risk analyzes and treatment.

My organization’s background

I want to focus my attention on managing risks for my business in general. My company is involved in trade in steel products, mainly for construction purposes, as well as the sale and purchase of agricultural products such as beans, corn and rice. With regard to these products, credit letters (LCs) must be opened regularly for such products sold abroad. As part of the accounting and financing function, my responsibility lies not only in properly accounting for such transactions, but also as part of the team involved in a new trade financing project to ensure a smooth flow of these transactions from the opening of LCs, financing as well as the delivery of these products. Such a stream would involve collaboration between both the operations and the accounting and finance departments.

Purpose of risk management

Business risk relates to exposure to certain events that will adversely affect the company’s strategies and goals. Therefore, business risk is due to two factors: the likelihood of an event occurring, as well as the severity of the consequences (Bowden, Lane, and Martin, 2001). There are several risks that are more specific to my organization and appear as follows:

1. Strategic risk, such as poor marketing strategy and poor acquisition strategy, as a result of poor planning (Bowden et al., 2001). Poor marketing and acquisition of various grades of steel and agricultural products can prove the downfall of the organization.

2. Financial risk, such as lack of credit rating and poor receivables and inventory management, as a result of poor financial control (Bowden et al., 2001). Inadequate credit assessment of potential trade and other debtors as well as low debtor turnover may be a poor reflection of the company’s strategy and objectives.

3. Operational risk, such as bad practices and routine actions, as a result of bad human actions (Bowden et al., 2001). Failure to comply with the organization’s safe practices or even intentional actions by employees can create potential operational and financial losses for the company.

4. Technical risk, such as equipment and infrastructure degradation and fire destruction, due to physical asset failure (Bowden et al., 2001). Such risks may be prevalent in my organization if appropriate precautions are not taken to prevent these technical conditions. Unfortunately, many organizations tend to focus too much on the performance and cost dimensions of technical risk and manage them excessively (Smith and Reinertsen, years unknown).

5. Market risk, such as insufficient market research, which is the risk of not meeting market needs, provided that the specification is met (Smith and Reinertsen, year unknown). This risk may be more important compared to others, but it is less manageable due to the risk of being less objective and quantifiable compared to saying technical risk

As a result of such risks mentioned above, combined with technological advances and competitive pressures, risk management has taken a more important role in the existence of companies today (Bowden et al., 2001). Risk management relates to the logical and systematic way of establishing context, identifying risks, analyzing risks, evaluating risks, and ultimately addressing risks. This approach also involves communicating and consulting the results as well as monitoring and reviewing the treatment of risks. This approach to risk management is known as the AS 4360 method (Bowden et al., 2001).

risk management

Step 1: Definition of context

This relates to establishing context in terms of strategic, organizational and risk management (Bowden et al., 2001). The strategic context is about the relationship between the organization and its parameters in terms of economic, operational, competitive and social context (Bowden et al., 2001). For my organization, we are concerned about our financial goals (ie, US $ 20 million sales revenue with a profit margin of at least 12% annually), high quality products and good customer satisfaction as well as good market position (one of the largest suppliers of steel in the regional construction industry). The strategic context also requires the organization to identify stakeholders, which include owners, employees, customers, suppliers as well as the local community (Bowden et al., 2001). In addition, my organization must also be accountable to our shareholders and the media as we are a locally listed company.

The organizational context will deal with broader goals, objectives and strategies for the company as a whole (Bowden et al., 2001). In this context, we need to establish and implement adequate key performance indicators (KPIs) and critical success factors (CSFs) to suit the various aspects of the business. There are a few KPIs that are often used in my organization:

1. Objectives of revenue and profits: These are mentioned above.

2. Customer Satisfaction: Surveys are sent quarterly to our suppliers and customers to ensure at least 90% customer satisfaction.

3. Inventory updating and on-time delivery: Adequate inventory is maintained and retrieved from suppliers and on-time delivery to customers at least 98% of all sales orders.

4. Timely submission of monthly accounting and sales records to head office: The deadline for submitting such reports is usually the 5th of each month, which must be strictly adhered to.

On a broader basis, such KPIs are also linked to CSFs in my organization, which include the following:

1. Maintaining a healthy position in our markets: This is mentioned above.

2. Supporting senior management open to marketing and financing ideas: The directors and senior management have a two-way meeting with lower management about possible ideas and brainstorming ideas and possible funding from banks on certain products.

3. Adequate funds and resources in place: Funds must be available for LCs to be converted into receipts to be settled within a specified period, combined with sufficient manpower and technologies for the organization to function properly.

With these KPIs and CSFs in mind, the different activities in the activities can be further divided into smaller teams and activities to provide a more logical flow for better analysis (Bowden et al., 2001). In my organization, the sales teams are divided into smaller groups responsible for different products for steel and agricultural aspects. This is also done for the finance department, which has smaller teams responsible for accounts receivable, debt and other administrative functions.

Step 2: Identifying risks

This process aims to identify all events that may affect the organization as a whole. In such a scenario, there is a need to identify all causes and potential situations (Bowden et al., 2001). Following this, we continue to link risks, both threats and opportunities, with key criteria that will have a direct impact on the organization (Bowden et al., 2001). There is also a requirement to approach these risks with proactive and reactive responses (Bowden et al., 2001). There are several tools that can help identify risks, namely brainstorming, checklists, and experience-based assessments.

In my organization, there are several tools used to identify risks. For the finance department, there is a quarterly checklist used for various risks involved, which may include the amount of taxes and tax credits agreed with the tax authorities, the amount of receivables and stock updates, and how effective their respective revenue is. Provisions for such items are also raised based on past experience. For the marketing and operations department, weekly meetings are held where brainstorming and system analysis is used to identify potential risks in terms of competition, changes in prices and customer tastes, and secure protection of warehouses in our premises. Furthermore, it is recommended that a product plan be established with a product manager, where the investments are prioritized by such risks, and inputs, processes and outputs must be investigated more closely (Bowden et al., 2001).

It is mentioned that a test market will be useful if there is a high degree of uncertainty about the possible sale of the new product as the launch date approaches (Cooper, year unknown). My organization is currently looking at any new liquor and diesel sales to its overseas markets. However, this potential sale is not considered new products in the existing markets. Since speed and the competitive environment are important facts, a test market may not be used in our scenario (Cooper, year unknown).

In addition to launching potential new products, there are several pitfalls in my organization’s considerations:

1. Lack of market orientation. These are potential risks given insufficient market analysis and not understanding customer needs and desires.

2. Poor quality of workmanship. As for my organization, the qualities or quality of the flammable new products may be fraught with shortcomings and thus not meet the needs of the customers.

3. Moves too fast. An over-hasty approach to launching these products may make too many errors in the process and compromise the quality and timing of promotional activities (Cooper, year unknown).

Step 3: Risk Analysis

This step involves estimating the probability and consequence of potential risk events. These are often evaluated using the current controls in place (Bowden et al., 2001). Such controls are necessary to ensure efficient operation, reliable reporting systems, and proper compliance with rules and regulations (Bowden et al., 2001). In my organization, controls that are in place will include past records, market analysis given by merchants from different countries, published literature in the form of accounting and marketing magazines and internal and external auditors’ reports.

There are several techniques used to determine probability and consistency, namely structured interviews, multidisciplinary expert groups, questionnaire assessments, and computer modeling (Bowden et al., 2001).

The decision tree technique can also be used where the expected net value (NPV) of cash flows associated with each individual result is displayed (Vlahos, 2001). This technique is useful for the following reasons:

1. It improves our understanding of each result and makes assumptions more future.

2. It is useful for documenting and communicating thoughts of uncertainty and also helps generate alternatives for better value enhancement.

3. Managers can monitor each stage of the project and make appropriate analysis regarding decisions made at each point

4. The outputs with respect to expected generated NPVs can be used as potential inputs for project selection (Vlahos, 2001).

This technique is highly recommended to my organization in two ways:

1. This can be used in decisions made by the marketing department as to which products should be available for potential markets.

2. The Finance Department also finds it helpful in terms of the various ways of financing (i.e. direct cash financing, using LCs or trust receipts) as consideration for the construction of the trade finance project.

There are two types of risk analysis, mainly qualitative and quantitative (Bowden et al., 2001).

Qualitative technology

A qualitative method makes use of words or descriptive scale and comes in the form of a ranking structure that is alternated between rare and almost certain. One such method is about raker probabilities and consequences (Bowden et al., 2001). As for construction projects that can be applied to my organization, the consequences can range from negligible (where there is no personal injury and minimal financial loss), moderate (damages with required medical assistance and moderate financial loss) to catastrophic (death with significant financial loss) . Such a qualitative table with different probabilities and risk levels matrix may be useful in the following scenarios:

1. First screening guide to identify potential risks for further analysis.

2. Where the level of risk does not justify the time and effort required for more analysis.

3. Inadequate numerical data, making a quantitative analysis useless.

For the qualitative analysis, the management and staff with regard to the risk events at different levels must work through the risk ranking matrix. Each likelihood and consistency criteria must be considered to place events in the appropriate category (Bowden et al., 2001).

However, there are several disadvantages associated with this technique:

1. This may not be too accurate, as events within the same category may have significantly different levels of risk.

2. There may not be a common basis for comparing risk, ie. on the basis of dollar or number of deaths.

3. There is no clear justification for the process of ‘weighing’ risks

4. There may be different interpretations as to the meaning of different consequences, viz. The word catastrophic can mean a lot to some people, while others might take it more easily.

5. It can be difficult to translate the findings of this technique to match the results of a quantitative method (Bowden et al., 2001).

With these pitfalls mentioned above in mind, I would think it would be better to consider the qualitative technique as more of an initial screening exercise that should be used at the same time as the quantitative technique.

Quantitative technology

This approach takes the product of probability and consistency with the consequence expressed as an actual variable (Bowden et al., 2001). Such a technique is more reliable as it relies on numerical values ​​where frequency estimates are made in terms of incident frequency (Bowden et al., 2001).

There are several drivers of risk, namely technology, people, systems, organizational factors, and external factors (Bowden et al., 2001). In my organization, some risk drivers may include how updated my computer versions of accounting and sales systems, employee competence and educational levels, the number of new management ideas accepted by higher management and possibly the amount of pollution our products can cause to the environment.

The quantitative analysis is further divided into probability and consistency criteria. For the likelihood criteria, it is expressed as a probability rather than frequency, ensuring that risks are compared on the same basis (Bowden et al., 2001). With similar small events that are likely to occur, the likelihood of them occurring can be considered an event. For my organization, examples of such similar events may include:

1. 20 deliveries that are not made on time (more than 30 minutes) to customers, resulting in $ 1,000 each for transportation costs

2.5 delivery of wrong grades of products to customers, resulting in $ 1500 loss on transportation and bank costs.

For the consequence criteria, it can be considered in the form of an event leading to possible death or serious loss, ie. financial loss or reputation. For the two examples of probability criteria listed above, the related consequence criteria are respectively:

1. Free shipping made for next trip.

2. Appropriate discounts are given for these lots of products sold.

The impact criteria can also be expressed quantitatively in terms of lack of performance or failure to achieve certain KPIs, reflecting on the organisation’s priorities in accepting different degrees of risk. In my organization’s case, the provided free deliveries and discounts could not only jeopardize revenue and profit goals, but also in terms of customer satisfaction (which are important KPIs). As such, the consistency criteria can be expressed as the mean or expected value (Bowden et al., 2001). This is consistent with the Monte Carlo method, which can be used to obtain the distribution of the project or product value associated with trading operations (Vlahos, 2001).

Step 4: Risk Assessment

Risk assessment is about identifying which risks need to be addressed and can be calculated using the product with probability and consequence (Bowden et al., 2001). The risk can be compared with previously established criteria. Various software such as the Monte Carlo method, sensitivity analysis and probability distribution can be used to show the effects of greater risks of evaluation (Bowden et al., 2001).

Step 5: Treatment of risks

There are several methods for managing risks, namely avoiding, accepting, reducing and transferring risks (Bowden et al., 2001).

1. Avoid risks. In my organization, avoiding such risks might not import highly flammable products such as liquor or diesel (which is part of the consideration for new products) as part of sales and speculation in currency fluctuations.

2. Acceptance of risks. Certain risks may be unavoidable. In my organization’s case, we have huge sales transactions in Myanmar that have just experienced a major military and state coup. That’s why going out in Myanmar can be fleeting. These are potential risks that are already included in our business considerations.

3. Reducing risks. Currency fluctuations are imminent when I trade with overseas colleagues for my organization. Therefore, LCs and hedging are often undertaken to mitigate such risks for products purchased and sold to other countries.

4. Transfer risks. For my organization, this is done in terms of insurance coverage for stocks located on our premises.

Some other popular treatment of risks include audit compliance programs, contractual obligations and conditions, preventive maintenance, quality assurance and contingency planning (Bowden et al., 2001). Such risk management is also maintained in my organization.

The different options for risk management need to be evaluated and risk management plans must be planned and drawn up (Bowden et al., 2001). Such a plan should consider detailed basic implementations, risk assessment in terms of threats and opportunities in terms of priorities, and recommended proactive and reactive contingency plans. (Bowden et al., 2001).

The risk management plan and action plan shall include the following:

1. The various tasks and responsibilities for implementing the plan. The plan should preferably involve a project manager and various members responsible for one aspect of the project reporting to the manager.

2. The resources to be utilized.

3. Work allocation structure for the activities

4. Budget allocation

5. Plan for implementation

6. Details of the mechanism and frequency of proper adherence to the treatment plan (Bowden et al., 2001).

Step 6: Communication and counseling

In this step, stakeholders must have a common understanding of the project or product situation. Consultation of stakeholders as well as experts is required for better statements with communication necessary for better coordination (Bowden et al., 2001).

Such an approach is required for several reasons:

1. To prove that the process is carried out in a systematic way.

2. To provide records of risks and correct organizational records.

3. To provide relevant decision makers with a proper risk management and action plan for approval and implementation.

4. To provide accountability.

5. To facilitate further monitoring and review.

6. To provide audit trails.

7. Sharing information (Bowden et al., 2001).

This report should include the following:

1. Summary of summary

2. Scope of the project

3. Methodology for the study

4. Project contextual issues including constraints

5. selected success factors

6. KPIs for each success factor selected

7. Goals and tolerance

8. Any assumptions

9. Top ten risks across all CSFs for the project or product plan

10. Vulnerabilities in project phases

11. Responsibility for managing risks in phases

12. Primary and secondary drivers that trigger each risk

13. Existing controls

14. Tables and figures (Bowden et al., 2001)

Step 7: Monitoring and Review

In the final step, there is a need to develop and apply mechanisms to ensure ongoing risk assessment, ie. project managers need to provide a regular update on current situations (Bowden et al., 2001). The effectiveness of the risk management process needs to be monitored and reviewed consistently (Bowden et al., 2001).


Risk must be actively managed. Risk management involves identifying areas of high risk ahead of time, being interpreted to the greatest extent possible, with the best technical or marketing talent assigned to the problem, getting problems resolved as quickly as possible and getting a contingency plan in place if something cannot be solved (Smith and Reinertsen, year unknown).

Reference list

Bowden, A., Lane, M., and Martin, J. (2001) Triple Bottom Line Risk Management. Wiley.

Cooper. (unknown year). New products: Problems and pitfalls. Pp. 22-49.

Cooper. (unknown year). To test or not to test. Pp. 123-129.

Smith, P. and Reinertsen, D. (unknown year). Risk management. Pp. 207-21.

Vlahos, K. (2001). Adaptation to risky decisions. Pages 47-52.