4. risk treatment (risk mitigation)
• selecting and implementing responses to risks
• in line with the organization's risk approach and risk
appetite
• decisions as to whether particular risks should be
avoided, reduced, shared (transferred) or accepted
5. risk treatment common methods
• avoidance
• reduction – internal control
• sharing (transfer)
– insurance
– portfolio diversification
– hedging
– outsourcing
• acceptance
• other less common methods
6. risk avoidance
• hold back from or exit risk-related activities
• in terms of product, geographical region, customer
segment, etc.
• result of organization goals and strategy
• simple and commonly used method
7. risk reduction
• based on prioritization of risks by risk matrix
• activities to reduce:
– likelihood (probability) of a risk
– severity (consequences) of a risk
– both aspects
• costs and benefits taken into consideration
• implemented mostly by internal control
• could be performed by risk function (run by CRO),
internal audit or compliance activities
8. risk reduction – internal control
• system established to provide reasonable
assurance of effective and efficient operation
• internal controls:
– financial (e.g. financial ratios, budgets, variance analysis)
– non-financial quantitative (e.g. customer satisfaction,
wastage, personnel rotation)
– qualitative (e.g. plans, procedures, rules, access to
computers or buildings, project management, corporate
culture)
9. risk sharing – insurance
• protection against hazards by taking out an insurance
policy against an uncertain event
• involves payment of a premium to an insurer
• insurer will compensate the loss in case of event
occurrence
• used only for insurable risks
• internal approach: self-insurance
10. risk sharing – diversification
• using the idea of “don't put all your eggs in one basket”
• wider range of activities/investments lowers the risk
• holding a portfolio of assets/activities/customers
• need of low correlation between portfolio items
11. risk sharing – hedging
• in relation to ‘underlying’ factor (e.g. interest rate,
currency exchange, commodity, share or bond price)
• implemented by instruments with opposite-value
movements to the ‘underlying’ (i.e. negative
correlation)
• protection from unfavorable movement of an
‘underlying’ while still benefiting from favorable
movement
12. risk sharing – outsourcing
• transfer activities or processes to a third party
• releases the organization's resources
• possible process improvement and expertise
13. risk acceptance
• precise definition of what could be accepted
• no action taken in relation to the risk
• should be covered by day-to-day business activities
and their budget
14. risk treatment pro-active methods
• performance and quality management
• public relations
• lobbying
• strategic alliances
• mergers and acquisitions
• public aid utilization
15. RM process
Risk treatment
Ryanair case – create risk treatment ideas
16. risk list
company related
1. fuel costs and availability
2. rapid growth of the company
3. website or check-in systems breakdown
industry related
1. some of government air travel taxes
2. threat of terrorism
3. currency exchange fluctuations
17. risk monitoring
• continuous process based on risk framework
• undertaken by risk owners, management and the
board (or equivalent)
• many methods, commonly used: checklists, risk
register, information scanning, media monitoring
• risk register
– commonly used by organizations
– no standardized format
– the most important items from the risk register are subject to risk
reporting
18. risk register – examples of criteria
• risk number (a unique identifier)
• risk category
• description of risk
• date risk identified
• name of person who identified risk
• likelihood
• consequences
• a monetary value, if such can be allocated to the risk
• interdependencies with other risks
19. risk reporting
• based on monitoring process
• in line with financial reporting
• reporting for internal audience: management and the
board
• reporting for external audience:
– investor relations (quarterly and annual reporting)
– regulatory reporting (e.g. SOX or Basel II)
• reporting covers:
– identified risks and their treatment
– prioritized actions for decision makers
– process of risk management review