Submitted: November 30th, 2011 Published: September 12th, 2012 DOI: 10.5772/47883
“Life itself is a risk”
1. Introduction
The management of any organization, whether in the public or the private sector, aims to monitor and reduce risks in order to achieve its objectives. Risk control is achieved by managing risks effectively, namely by implementing an adequate risk management system. Risk management is an important concept related to the safety and financial integrity of an organization, and risk assessment is an important part of its strategic development. The strategy of an organization on risk management should be that all the risks it faces must be identified, assessed, monitored and managed so that they are maintained within a certain limit, accepted by the entity’s management.
2. Risk management – Defining function within the organization
Risk management is the process of identifying, analyzing and responding to the risks the organization faces and is exposed to. The costs of implementing this system depend on the methods used to manage unexpected events. The risk management process is an ongoing one and the results are embodied in the decisions taken on accepting, reducing or eliminating risks that affect the achievement of objectives. The aim is to optimize the organization’s exposure to risk in order to prevent losses, avoid threats and exploit opportunities.
2.1. Conceptual approaches for risk
In general terms, risk is part of any human effort. Once we leave to go back home, we are exposed to risks of different levels and degrees. It is significant that some new risks are completely voluntary, and some are created by us through the nature of activities. The word “risk” derives from the Italian word “risicare”, which means “to dare”. In this sense, the risk is a choice, not fate [1]. From this definition it follows that the risk is not an option, but we are permanently exposed to risk in everyday life; what is really important is to gain control over it each time.
Nowadays there is no definition of the concept of risk unanimously accepted by all specialists in the field. Among the most commonly used definitions, we present the following: “Risk is the possibility of obtaining favorable or unfavorable results in a future action expressed in terms of probabilities.” or “Risk is a possible future event whose production could cause some losses.” or “Risk is the threat that an event or action to affect in a negative manner the capacity of an organization to achieve its planned goals.” [2] The analysis of these definitions of risk gives rise to the following conclusions:
In conclusion, the risk can be defined as a problem (situation, event etc.) which has not yet occurred, but can occur in the future, threatening the achievement of agreed outcomes. Viewed in this context, risk is the uncertainty in obtaining expected results and should be treated as a combination of probability and impact. The probability of risk occurrence is the possibility that the risk materializes and it can be appreciated or determined by measurement, when the nature of risk and available information permit such evaluation. The risk impact is the consequence upon the results (objectives) when risk materializes. If the risk represents a threat, the consequence upon the results is negative and if the risk represents an opportunity, the consequence is positive. The probability of risk occurrence and its impact on the results contribute to establishing the risk value. Based on the concepts presented above, in our opinion, the risk is a permanent reality, an inherent phenomenon that accompanies all activities and actions of an organization and that occurs or not, depending on the conditions created for it. This could cause negative effects by deteriorating the quality of management decisions, reducing profit volume and affecting the organization’s functionality, with consequences even in blocking the implementation of activities. In the literature, but also in practice, besides the concept of risk other concepts are used, respectively:
Inherent risk is the risk that exists naturally in any activity and is defined as “the risk existing before the implementation of internal control measures to reduce it” or “all risks that threat the entity/organization and may be internal or external risks, measurable or immeasurable”.
Residual risk is the risk remaining after implementation of internal control measures. Applying these measures should have as effect the limitation of inherent risk to a level accepted by the organization.
The residual risk should be monitored in order to maintain it at accepted levels.
Risk appetite is the level of exposure that the organization is prepared to accept, namely the risk tolerated by the organization.
Practitioners recommend that organizations’ management bear in mind that risks cannot be avoided and, under these conditions, be concerned with evaluating them in order to keep them “under control” at levels considered acceptable, tolerated by the organization, and not seek their total elimination, as this can lead to other unexpected and uncontrolled risks.
2.2. Risk – Threat and opportunity
The internal and external environment in which the organization operates generates risks. In these circumstances the organization should identify its weaknesses and the threats it faces, in order to manage and minimize them. It must also capitalize on its strengths and exploit opportunities. In this respect, designing and implementing a risk management process at corporate level is appropriate and necessary due to the uncertainties of threats in achieving organizational goals. The implementation of this concept leads to certain changes within the organization, whose effects should be materialized through a better use of available funds and obtaining the planned levels of profitability, namely:
Risk management is characterized by the establishment and implementation of concrete activities and actions of risk identification and assessment that determine the risk level and, on that basis, by the implementation of adequate internal control devices to limit the probability of the risk occurring or the consequences if the risk materializes. The process must be coherent and integrated with the objectives, activities and operations carried out within the organization. The staff within the organization, regardless of hierarchical level, should be aware of the importance of risk management in achieving planned results and should form the skills necessary to perform monitoring and control based on principles of efficiency and effectiveness. The responsible functional structures within the organization have the task of regularly identifying and analyzing the risks related to their activities, proposing and substantiating appropriate measures to limit the possible consequences of risks, and ensuring approval by decision makers within the organization. Practice [3] recommends that any organization needs to manage its risks, because in many cases the occurrence of risks can have serious consequences upon the activities, sometimes jeopardizing the very existence of the organization [4]. The complexity of risks and their increase has led organizations’ management to understand that it is better to manage a risk than to cover a loss. Based on this requirement, many organizations have proceeded to implement risk management, developing specific strategies that have defined the organization’s behavior towards risk and risk management arrangements.
2.3. The importance of risk management organization
Risk management is a preventive attitude toward eliminating or limiting damage where there is any possibility of a risk materializing, namely a process of identifying, analyzing and responding to potential risks of an organization.
In these conditions, the role of risk management is to help understand the risks the organization is exposed to, so that they can be managed. This role varies depending on when the analysis is done, as follows:
The advantage of implementing the risk management system within the organization is to ensure economic efficiency. To achieve this requirement, the organization’s management has the responsibility to make known the risks they face and manage them properly, in order to avoid the consequences of their materialization.
2.4. Responsibility for risk management
Risk management is the responsibility of the organization’s management, and the central objective of this process is to manage risks so that resources are used efficiently and effectively in order to maximize profit and minimize threats, while safeguarding the interests of employees and customers. In this respect, the entity’s management must act in the following directions:
To ensure an efficient risk management is necessary to create certain organizational structures appropriate for the policies and strategies of the organization. In this respect, the organization should adopt appropriate policies regarding the organization plan, in order to effectively monitor each risk or category of risk and in an integrated manner, the whole risks system accompanying activities. Policies and strategies that may be adopted regarding the organization plan are related to:
Given that risk can be identified, evaluated and limited, but never completely eliminated, the organization must develop both general policies and specific policies to limit exposure.
2.5. Effectiveness of risk management
The activity of an organization is characterized by all processes, procedures, inputs, outputs, resources (financial, material, human and informational) and technical means for recording, processing, transmitting and storing data and information on activities and the environment where the system is operating. Through the internal/management control programs it prepares, each functional structure should identify the risks it faces and, by using risk management procedures and policies, ensure that they are maintained at acceptable levels. Risk management is an ongoing, structured process that allows identifying and assessing risks and reporting on opportunities and threats affecting the achievement of its objectives. The benefits of implementing the risk management process include:
The organization’s management and staff perform risk management activities in order to identify, assess, manage and control all types of events or situations that may affect its activities. In today’s world it has become increasingly imperative for corporate managers to monitor and manage risk [5] in all aspects. Good risk management means avoiding or minimizing loss, and also treating opportunities in a favorable manner. Risk management is necessary because organizations face uncertainty, and the biggest challenge for the leadership is to determine what level of risk it is prepared to accept to achieve its mission, in order to add value to activities and to achieve planned goals. Risk management is an essential component of the organization’s success and must become an intrinsic part of its functioning. It must be closely related to corporate governance and internal control, but also connected with performance management [6].
3. Integrated approach to risk
The integrated risk management process is designed and set by the management and implemented by the whole staff within the organization. This process is not linear: managing one risk may also have an impact on other risks, and control devices identified as being effective in limiting a risk and keeping it within acceptable limits may prove beneficial in controlling other risks. Risk management currently enjoys increasingly wide appreciation and recognition, both in theory and in practice, which means, on the one hand, an increase in the number of specialists in the field and, on the other hand, the interest of managers within organizations in designing and implementing effective risk management systems to meet the objectives. Mastering risk determines organizational development and performance growth, both generally, of the whole organization, and of individual activities.
3.1. COSO and integrated risk management
Referring to risk management, COSO presented an initial framework methodology for implementing internal controls, built-in policies, rules, procedures and regulations that have been used by various organizations to secure control over how to run the plan and meet objectives. Later, after the appearance of great scandals of fraud and the need to improve corporate governance processes, large corporations talked about and set up risk management departments to help implement procedures regarding the identification, assessment and control of risk. Following the emergence of these needs, the Treadway Commission, promoter of the COSO model, initiated a program to develop a general methodology that can be used by organizations’ management to improve risk management. Risk management within organizations was built on the concept of internal controls, but the focus was particularly on risk management. It was not intended to replace internal controls, but to incorporate the basic concepts of internal control in this process. Thus, a strong connection was preserved between risk management and internal control, interrelated through common concepts and elements.
3.1.1. Risk management and internal control
The main objectives of the internal control/management system are to ensure the efficiency and effectiveness of activities, the reality of reporting and compliance with regulations in the field. The internal control/management system is developed and monitored by the organization’s management, which is responsible for designing adequate internal control devices in order to ensure limitation of significant risks and keeping them within acceptable limits, aiming to give the security that the organization’s objectives will be met.
Risk management system was structured on components of internal control/management, structured according to COSO model, namely on five elements, whose implementation ensures that the tools/internal control devices exist and function as intended. These components were defined as:
3.1.2. Objective of risk management system
COSO defines integrated risk management as “the process conducted by the Board, management and others, applied in setting strategy and across the organization, designed to identify potential events that may affect the entity and to manage risk within the risk appetite to provide a reasonable assurance regarding the achievement of organizational objectives” [7]. From the content of this definition there follow some essential elements, characteristic of integrated risk management, as follows:
The general objective of integrated risk management is to effectively manage uncertainties, risks and opportunities. The need for risk management stems from the fact that uncertainty is a reality and the reaction to uncertainty is a constant concern. Risk management involves establishing actions to respond to risk and implementing adequate internal control devices with which to limit the possibility of occurrence or the consequences of risk, if it would materialize. In order to ensure efficiency in achieving objectives, the process must be coherent and convergent, integrated with the objectives, activities and operations carried out within the organization. Also, regardless of hierarchical level, the staff should be aware of the importance risk management has in achieving its own objectives and thus form the necessary skills to perform monitoring and control based on principles of efficiency and effectiveness. In order to ensure the success of this approach and to achieve effective risk management, the organization needs to create a culture of risk, namely to develop a risk management philosophy specific to the organization and management, and awareness of risk’s negative effects at all levels of the organization. From the above it is found that the need for internal control/management is determined by the existence of threats or opportunities in carrying out planned activities or actions with negative consequences in the organization. This requires the establishment and implementation of certain internal control devices in order to prevent or limit the risks. Also, the need for risk management stems from the fact that risk is everywhere, in everything we want to achieve. It cannot be removed; any action to eliminate risk can lead to the emergence of new, uncontrolled risks, which may affect the organization to a much greater extent.
In these conditions, the risk needs to be minimized, a process that can be achieved by establishing and implementing adequate internal controls.
3.2. The role of integrated risk management system
The risk management process is considered to be a set of activities and actions carried out in a certain manner and order to prevent or reduce exposure to risk, resulting from an operation or several operations. In practice, the most commonly applied concept of risk management is that managing risks should be carried out separately within departments independently organized in the organization’s functional structure. This method provides simplicity and efficiency in making decisions on risk management, but leads to actions and multiple records of the same exposure to risk and does not address correlations between different exposures. There are other practices too, which consider that each employee must be responsible for risk management, having the competence to identify risks and implement appropriate internal controls to mitigate the probability of their manifestation. This means of managing risks does not lead to results and does not guarantee that activities are conducted as they were planned, because it does not ensure the requirements for exposure on the same activities, and the process is influenced by employees’ knowledge and understanding of the risk management system implemented within the organization. These traditional risk management processes are usually fragmented, meaning they are implemented at the operation or transaction level and are aimed at preventing losses. Managing risks in these cases “does not consider the fact that risks are a source of competitive advantage”. Recent research on risk management models and strategies focuses on the competitive advantages of risks if they are approached as a whole or at system level.
In this case the system is considered to be composed of all processes and activities necessary to achieve the objectives. This approach requires that all relevant functions within the organization (personnel, finance and accounting, manufacturing, commercial, procurement, IT, legal, internal control, internal audit, strategic development, marketing etc.) participate in the risk management process. To implement integrated risk management, the organization must be viewed from the standpoint of a system, both as a link of the industry in which it operates and as part of it, acting in accordance with certain principles, its features being: complexity, limitation of resources, factors that influence its activity, the nature of events, and the possibilities for development. In this view, it is considered that the risks should be managed in an integrated way, to eliminate multiple records on the same risk exposure and to analyze correlations between different exposures. This risk management approach is complex; it requires a large volume of information necessary for decision making and higher costs of administration. At the same time, making a wrong decision can have a high impact on the business, or even on the organization. The integrated risk management system, based on this concept, must be interdependent with the organization’s development needs and include the processes of development and establishment of elements concerning assessment, monitoring and risk management. At the same time, integrated risk management must also be approached in correlation with all types of risk management for each functional structure of the organization.
Integrated risk management system operates with broad categories of risk (personnel risk, financial risk, legal risk etc.), with different risks attached to various activities, risks associated with different operations or transactions, and also with external risks that may affect the development of the overall organization (risks related to legislative changes) or making one or more activities carried out within the organization. In these conditions, implementing the concept of integrated risk management within the organization is more than necessary because the risk management process should be approached by all types of risk that are found and affect all functional structures of the organization. The approach in this unitary manner, of the exposures, respectively as a righteous and coherent system of exposure to various risks, of connections and mutual conditioning between them, will enable effective management of risks that may affect achieving the objectives and will contribute to improve activities and performance growth within the organization. The integrated risk management system can identify all risks that affect the implementation of processes and activities attached to an organizational goal; it can assess the overall consequences and adopt measures depending on the level of uncertainty and the existing inherent risk that affects achieving objectives set. Also, integrated risk management allows the foundation and decision making to lower hierarchical levels of the organization and also at the top level and ensures co-ordination of activities in order to solve current problems between certain functional structures. It helps to increase efficiency within the organization also by others administrative or managerial ways, such as better allocation of resources. 
The implementation of integrated risk management within the organization will provide shareholders and potential investors with more concrete and reliable information on the risks to which it is exposed, which will allow them to base their decisions on better conditions. With the development of the organization’s activities, the old risk management systems become inadequate and risk exposures, especially the risk of fraud and error, increase significantly. Implementing the integrated risk management system involves the design of evaluation criteria capable of measuring all activity-related risks, by considering the relationships and connections between them, and thus determining the exposure of the organization or its functional structures to any risk factor at any time. This risk management process, characterized by the development of integrated risk management methodology, shall include as steps: establishing the organizational context and risk management, identifying, analyzing and assessing risk, risk treatment, risk control, communication and monitoring the risk management plan. The process should not be linear: managing one risk may impact other risks, and measures identified as being effective in limiting a risk and keeping it within acceptable limits may prove beneficial in controlling other risks.
3.3. Integrated risk management system functions
The effectiveness of implementing an integrated risk management system, compared with traditional risk management, is determined by the fact that it reflects the integration of all activities related to risk and risk management in a single system. This system is operated and controlled from a single management level, thus eliminating duplication and disruption of communication and action that can occur within a classical system. The functions that the integrated risk management system fulfils within the organization’s management system can be classified as follows:
The basic role of integrated risk management is to provide the management and the organization’s board with reasonable assurance regarding the achievement of objectives. In this respect, COSO [8] states that in order to identify associated risks, the organization’s objectives should be established in advance and grouped into four categories as follows:
In defining the objectives, the key is first to define the strategic objectives and then to derive from them the other types of goals: operational, reporting and compliance. Also, for each goal it is necessary to establish the risk tolerance, that is, the accepted materiality concerning the degree of achievement of the identified indicators attached to the objectives in order for them to be considered achieved.
The strategy on risk must be coherent, set out how to recover losses caused by an adverse event, and integrate risk response measures. Activities to be carried out if the risk materializes deal with establishing measures to address the consequences of risk, recovering losses, and identifying and implementing appropriate control devices to eliminate the causes that led to the risk occurrence. Vigorously applying the decisions taken to ensure effective functioning of integrated risk management will ensure continued operations and the expected results. Monitoring risk at corporate level refers to observing the functioning of the integrated risk management system, and identifying and reporting existing weaknesses in order to adopt necessary remedial measures. The strategy on risk needs to be updated whenever the organization changes its development strategy or strategic objectives, and also when management’s risk policy changes. Also, periodic review of risks involves the redistribution and concentration of resources in areas of interest.
The risk management process aims to identify and assess risks that can affect the achievement of objectives and to establish risk response measures. It should “become part of the organization’s functioning as the base of management approaches” [9]. Considering that the objectives concern all levels of the organization, strategic, general and operational, being defined at the level of strategy, of functional departments and even of the individual post, risk management is required to be aware of all the relationships that occur or develop between them or within them. The incomplete determination of the relationship between the risk management system and other subsystems of the organization will lead to an inadequate identification and management of risks associated with the objectives, with major negative consequences for the organization.
The consultation on the results aims to provide information on risk exposure, after their evaluation and the implementation of control measures. The role is to establish the effectiveness of control measures applied. Performance evaluation of risk aims to determine performance obtained due to the risk response compared to the costs involved for implementing control measures taken to reduce risk and maintain its level within the risk appetite.
In our opinion, the implementation and operation of integrated risk management is necessary; it can be done through ongoing monitoring of risk and integration of risk response measures, based on risk strategies, which ensure the achievement of objectives and deliver the expected results in case of an event causing loss. The firm implementation of decisions taken, as the effect of the effective operation of the integrated risk management system, gives premises for further activities and obtaining performance across the organization. Knowing the threats that affect the achievement of the goals will allow their classification according to the level of materialization, the extent of impact on the objectives and the costs involved for the measures necessary in order to minimize risk effects. Establishing a hierarchy of threats will lead to establishing an order of priorities in resource allocation.
4. Integrating risk management into the management system
The conception, implementation and operation of an integrated risk management system must ensure ongoing monitoring of risk and the integration of the risk response measures in a coherent risk strategy. The risk strategy should contain clear objectives on the risk policy promoted and applied within the organization, and define exposure levels and response to risk in all circumstances where it is analyzed and evaluated. It should also set the terms and conditions for recovery of losses whenever the risk is manifested and had or will have financial consequences.
4.1. Integrated risk management system - Part of the organization’s management system
Implementing integrated risk management within the organization will allow the organization’s management to focus its resources on those risks that affect the achievement of objectives, in order to protect assets, ensure continuity of the organization’s activities and adopt effective decisions.
The risk management function must be a defining function within the organization and provide a complete and coherent set of activities and actions that define the organization’s decision-making if the risk materializes and guide staff in risk management. An effective integrated risk management system must ensure the recovery of the organization in case of interruption in activity, by maintaining its essential functions at least at minimal levels from the appearance of the event until its remediation. The decisive part in the functioning of an integrated risk management system is planning to ensure business continuity, because it contains recovery measures for activities affected by a risk event. The approach, implementation and functioning of an integrated risk management system in the organization depend on the processes undertaken, the organization’s situation and its leadership style. However, to ensure process efficiency, the following need to be taken into account primarily:
The role of the integrated risk management system is to ensure the implementation of the risk management function within the organization’s management system. Its functions are activated when the organization’s management system signals the existence of a threat to achieving its objectives and delivering the expected results of its activities.
Figure 1. The management system of an organization
From the scheme presented above it can be seen that developing and implementing integrated risk management enables the entity’s management to focus efforts on the risks affecting the achievement of the objectives. Also, the integrated risk management system reflects the integration of all activities and actions related to risk and risk management in a single system so that it can act upon them at one level. Through it, the parallelism and dysfunction of action and communication that occur within organized systems operating independently of each other are eliminated. Implementing an integrated risk management system within the organization leads to the following:
Exercising the risk management function, as a defining function within an organization, involves providing, through the integrated risk management system, a coherent set of processes, activities and operations by which effective risk management is ensured and the decision-making process if risk occurs is defined. However, depending on the types of risks identified, on the response to risk determined according to risk appetite, on the costs involved and the levels at which risks may be maintained after their treatment, the integrated risk management system can guide the organization to improve its work according to the benefits of good risk management.
4.2. Assessing and measuring risks – Component of integrated risk management system
In the integrated risk management process, the component on risk assessment is a major step aiming to:
Risk assessment depends on the probability of occurrence and the severity of the consequences if the risk materializes, meaning the impact of risk, and uses the risk assessment criteria as tools. These criteria should cover the purpose in which the risk was identified, in terms of compliance and performance. Through prioritization, the medium and large risks are selected, for which risk responses will be established. The risk assessment process includes the assessment of inherent risks, existing before the implementation of control measures, and of residual risks, resulting after implementing control measures, and has two phases, namely:
Risk analysis criteria are represented by the probability assessment of risk occurrence and the impact level assessment if the risk would materialize, as follows:
Figure 2. The level of risk depending on the probability and impact

Establishing the response to risk, and checking whether it falls within the risk appetite agreed by the organization’s management, is carried out by multiplying the probability and the impact of the risk, according to the formula:

PT = P x I

where:
PT = total risk score
P = probability
I = impact

Depending on the outcome of the risk measurement process, applied to all risks that the organization faces and that affect the achievement of objectives, the classification shall be: high risk, medium risk and low risk, as follows:
To assess internal control, the risks that are associated with the objectives of the organization and that were measured are considered. The internal control assessment process involves identifying and analyzing the expected and existing internal controls implemented by the entity to manage risks, and aims to establish the areas where control does not work or works improperly. This can be expressed on a scale of three levels, as follows: compliant internal control, partially compliant internal control and non-compliant internal control. Illustration:
Risk response involves establishing and implementing possible actions, selecting those appropriate to the risk appetite and the costs required to implement risk management measures, by considering the following:
5. The structure of integrated risk management

Achieving the objectives of integrated risk management within an organization presupposes carrying out, in a logical sequence, specific and required activities, as follows: setting the context, setting the objectives, risk identification, risk assessment, setting a risk response, implementation of control measures, information and communication, and monitoring.

5.1. Integrated risk management process

Integrated risk management is structured on the component elements of the COSO model, indicating that the control environment is defined by the internal environment and that risk assessment consists of setting goals, identifying events, risk assessment and risk response.

5.1.1. The internal environment

It represents the theoretical and conceptual stage of the risk management process, which presupposes an organizational culture on risks and knowledge of risk management operating concepts, and whether they are implemented and known at all levels within the organization. This stage involves carrying out specific activities to implement risk management within the organization, as follows:
In establishing the context for implementing risk management, the risk management policy is established and designed, together with the objectives and tasks of implementing risk management and the methods and methodologies for identifying, evaluating, treating and controlling risk. At the same time, the structure responsible for risk management is determined, together with its powers and responsibilities, taking into account the fact that “management activity it means to commonly achieve the necessary objectives for the final of the organization11”. This activity is characterized by the tone the organization sets on risk management, the methodology it uses in risk management, how the concepts of risk are communicated, and the response of staff to the risk management philosophy.

5.1.2. Objectives establishment

Implementing an integrated risk management system involves identifying and assessing the risks that threaten the accomplishment of objectives. This includes risks related to input activities and actions, risks of the actual processes undertaken within the organization, risks that prevent achieving the intended results, and risks concerning the impact of the activities carried out on organizational development. Identifying the events that may affect achieving the expected results is only possible if objectives are set in advance and the activities necessary to implement each of them have been defined, which in turn ensures the delivery of the expected results. If we consider the approach according to which performance is characterized as "achieving organizational objectives regardless of their nature and variety” 12, we believe that goals should be established so as to represent a challenge for management and employees.
Management by objectives has a beneficial effect for the organization: it facilitates the exercise of effective control over all activities, motivates employees to participate in the objectives and creates a coherent organizational framework which stimulates collaboration between all structures within the institution. Control over the meeting of objectives is considered necessary for the management of the organization and requires each manager to have established controls for each activity and objective for which he has responsibility. At the same time, the impact of likely risks that may jeopardize the attainment of these objectives must be taken into account, so it is necessary to design and implement appropriate risk management systems.

5.1.3. Identification of events

To ensure that activities are carried out as planned, management must identify all events, internal and external, that positively or negatively affect the objectives; depending on the probability of the event and the type of consequences it can produce in the organization, they are divided into risks and opportunities. Risk identification, depending on the time at which the process takes place, involves the following stages:
An effective risk management involves identifying risks at any level, where there is a threat on the goals and taking specific measures to limit the problems caused by these risks. Risks can be identified and defined only in relation to those objectives that are affected by their materialization. Risk identification can be achieved in two ways:
or
Applying either of the two ways of identifying risks can have negative consequences for the entity. First, each employee has a certain culture and training, which leads to a different understanding of risk management, so that monitoring and risk identification differ from employee to employee. Also, some employees can be more involved in current tasks and pay less attention to risk management. Second, establishing a specialized department with responsibilities in risk identification does not always ensure effective risk management. However well prepared the staff of this department is, it is very difficult for them to know in detail how the activities are carried out and therefore to identify all threats that may affect the achievement of objectives. Practical and effective risk identification is the combination of the two forms presented. Thus, employees at all levels of the organization are responsible for identifying threats to the achievement of objectives and reporting them to the specialized department, which is responsible for assessing each reported event and, if it finds that the event is a risk, for registering, evaluating and treating it. In identifying and defining risks, the following rules should be considered14:
Opportunities are identified by employees within the organization regardless of where they are, and exploiting them is the responsibility of management, so that they are used to increase the efficiency and effectiveness of activities.

5.1.4. Risk assessment

This step involves assessing the likelihood of risks materializing and the impact of each risk if it were to occur, and classifying risks on 3 levels (high, medium or low) based on a risk analysis matrix. After the risk assessment process is done, priorities are established so that high risks are considered by management for treatment. The purpose of risk assessment is to establish a hierarchy of risks within the organization and to establish the most appropriate ways of dealing with risk. The risk assessment process involves consideration of the following:
The risk assessment is performed to identify the likelihood and impact of risk and thus to determine how it can be managed. Risk assessment must be an essential component and a constant concern of the organization’s management, as people change, regulations change, and objectives are reviewed or new ones established. All these contribute to the continuous changing of the risk map, namely the emergence of new risks, the modification of existing risks and changes in the level of risk that the organization accepts.

5.1.5. Reaction to risk

The information collected from the risk assessment is processed and measures to diminish risk exposure are identified. To limit exposure, the organization should identify opportunities to reduce the risk and the probability of the event or, if this is not possible, establish measures to eliminate the risk. Also, the organization should develop appropriate criteria for risk management to reduce the likelihood of risk and its consequences. If risks are not well managed, or costs are high relative to the benefits of the activities, the criteria should be directed towards transferring or eliminating the risk. The management of the organization, based on the risk assessment, will determine the response to risk, as follows:
After acceptance, the risk becomes residual and is monitored regularly, to check that it does not change from the accepted level. Setting the limit for risk tolerance is the responsibility of management and involves establishing the exposure that can be assumed, in conjunction with the costs and the control measures to be taken. If the risk exposure is a probabilistic measure on a sized scale (a combination of probability and impact), then the risk tolerance must respect the same features.
In practice, for risk treatment the following categories of controls instruments are used:
If risks materialize, the cause is internal control that either was not implemented or was implemented but did not function properly.
The diversity of internal control is considerable across all aspects of activities, and controls can be classified as: objectives, resources, information systems, organization, procedures and supervision15.

Objectives: groups the internal control tools/devices implemented through measures aimed at: clearly defining objectives, decomposing them in a pyramid down to the level of the job, convergence, measurability, association of measurable outcome indicators, and a monitoring information system.

Means: the group of internal control devices/tools implemented through measures ensuring the adequacy of resources against objectives.

Information system: groups the internal control devices/instruments put into operation with the aim of achieving an information and steering system that is complete, reliable, comprehensive and appropriate.

Organization: groups the internal control devices/instruments resulting from measures aimed at correcting anomalies detected in the procedural and structural organization, which are circumstances that favor the manifestation of risk.

Procedures: internal control tools/mechanisms which control the risks arising from a lack of processes and rules to be observed while activities are taking place.

Supervision: groups the internal control instruments/devices designed to control risks arising from the abnormal exercise of hierarchical control. Such internal control tools are aimed at the management style of decision makers at different levels.

5.1.6. Risk control

Risk control represents the policies, procedures, controls and other management practices established by the organization to manage risks prudently and ensure that activities are implemented as intended. Also, controlling risks means ensuring that objectives are met and significant risks are properly managed. To prevent conflicts, it is recommended to ensure that risk control is independent of the functional structures of the organization that run the identified risk.
Any measure taken to control risks should be placed in the famous “internal control system”, which is responsible for directing the implementation. Risk control requires that the functional structure where there is a risk carry out continuous monitoring of risks and appropriate mitigation of the probability of manifestation or of the impact of the risk. Otherwise, the risks are uncontrollable and there are no means of intervention to limit the probability and impact of the risk.

5.1.7. Information and communication in the supervision of risk

Activities are initiated by the entity’s management to communicate to employees their responsibilities regarding the identification and monitoring of risks. At the same time, for employees to ensure proper risk monitoring in accordance with the requirements of the risk management process established within the organization, management must provide them with appropriate and timely information to accomplish the tasks set.

5.1.8. Risk monitoring and supervision

Risk monitoring involves reviewing and monitoring whether the risk profile changes following the implementation of internal controls. Review processes are implemented to assess whether: risks persist, new risks have emerged, the impact and likelihood of risks have changed, internal controls are effectively put into practice or risks should be redefined. Risk monitoring involves tracking knowledge of the strategies applied to risk management, their implementation and the evaluation of performance after implementation. Risk-sensitive areas are monitored continuously, and the results are sent back to the initial stage for reconsideration, identification and implementation of adequate internal control tools or application of other ways to reduce exposure to risk. Maintaining the risk register, which contains summary information and decisions from risk analysis, attests that the organization has introduced a risk management system and that it works.
The process of risk identification, assessment and treatment must ensure that risk analysis is carried out periodically and that mechanisms are established for managing information on new or emerging risks and on changes in already identified risks, so that these changes are addressed properly. Risk monitoring is necessary to track the progress of risk profiles and to ensure that risk management is appropriate, and it is achieved by reviewing the risks. Risk monitoring is done through internal control, which must be flexible, developing appropriate control tools in areas where the risk is not sufficiently controlled and reducing those instruments where risks are excessively controlled. Risk management must consider the internal control system implemented in the organization, both the expected internal controls and the existing internal controls; considering their sufficiency, it identifies the risks, subjects them to evaluation and, based on the results, establishes the internal control that needs to be implemented in order to limit exposure.

5.2. Internal and external environment and its influence over the integrated risk management

Implementing a risk management system within the organization requires establishing relationships both within the organization and beyond. Also, those responsible for implementing integrated risk management have relationships with the entity’s management and with the staff of the entity’s functional structures. The management of the entity decides on the risk management strategy adopted in the organization and approves any measure relating to the risks. In this regard, it is regularly informed of the results of risk management and of how it is carried out, in order to establish the ways in which risk management is done. Those responsible for risk management in the organization communicate and carry out the promoted risk strategy and policy for all employees, as well as any decision taken by management on risks.
They receive from the structures any information on risks, analyze and process it, and make proposals to management on the appropriate measures to be taken and, depending on the nature of the managerial decision, implement these measures. Communication about risks and how they are to be managed runs from the management level down to the level of execution and shall ensure that:
The relationships established in the risk management process are functional in nature; that is, those responsible for risks have the authority to transmit to the functional structures of the entity information on the risk strategy and on the risk management process implemented. At the same time, they request information about the identification and management of risks. Confidence in the risk management system promoted and implemented at the organizational level is increased by:
The entity’s activities are influenced by several external factors, in the nature of threats that affect achievement. The integrated risk management system must identify the nature of the risks behind these threats, and analyze, evaluate and determine the response to risk. In some cases, establishing a risk response does not ensure an acceptable risk appetite, as risk reduction measures are dependent on the activities and objectives of the organization. To ensure acceptable levels of risk, a system of relationships should be established with various external factors which, once in place, ensures the reduction of exposure. Building and implementing an integrated risk management system helps to direct resources to the risks which particularly affect the activities, and supports the organization in achieving its objectives.

6. Impact of integrated risk management on the organization

To ensure good risk management it is important to provide assurance that each employee properly understands the risk management process within the organization and knows his role and responsibilities in this process. The risk management process does not only require the identification and elimination of negative events that may affect activities if the risk occurs, but also aims to analyze and evaluate risk and, according to risk appetite, to design and implement control devices to limit the probability of risk. It provides the management with a “framework approach to effective risk management and its possibilities”. The objective of risk management is to identify risks and the causes that generated them, and to establish appropriate control devices to reduce their level, at the lowest cost. Implementing an integrated risk management system ensures:
The integrated risk management model has some limitations due to errors, the avoidance of checks, and human judgment in making decisions, which can sometimes be wrong. These limitations make it impossible to provide assurance regarding the achievement of objectives. At the same time, responsibility for designing and implementing appropriate risk management lies with the organization’s management, while other staff support the risk management philosophy and apply the established rules on risk management, each in their area of responsibility. The classic risk management process, which has been adopted and implemented by most organizations, is a fragmented one, in the sense that functional structures within an organization manage their own risks independently. Thus, each compartment, according to the procedures and methodologies developed, identifies and manages the risks associated with its objectives independently, without a coordinated approach and without taking into account the interdependencies of risk within the entity.

7. The advantages of implementing integrated risk management

Integrated risk management has mechanisms to help the recovery of the organization in the situation of work stoppage, major incident or disaster, by maintaining minimum levels of business critical functions. The main feature of the integrated risk management system is that it integrates the risk monitoring mechanisms of the functional departments of the organization and its culture, with a focus on the risks associated with strategic objectives. Also, the emphasis is on monitoring and controlling risk, and minimizing it. The advantages of integrated risk management are as follows:
There must be a direct relationship between the components of integrated risk management and the objectives of the organization. The analysis and assessment of risk by following the eight components of integrated risk management, namely internal environment, identification, analysis and risk assessment, risk treatment, risk control, information and communication and monitoring of risks, is done for each functional structure of the organization and for each objective. Applying this method shows that risks are assessed and treated for all objectives of the organization, regardless of their definition (strategic, operational, reporting and compliance) and regardless of the compartment or structure in which they are defined. Meanwhile, the integrated risk management process represents an instrument that allows a coordinated approach across the organization to identify and analyze the mechanisms of risk, whose initial starting point is the strategic dimension. Integrated risk management is a powerful tool that enables the management of the organization to have a picture of the risks affecting the achievement of strategic and operational objectives, and at the same time provides leverage for founding and making management decisions. The process of identification, analysis and assessment takes into account the events of the organization, which can take a negative shape and are associated with risks, or a positive shape and are associated with opportunities.
Written By Emilia Vasile and Ion Croitoru

Submitted: November 30th, 2011 Published: September 12th, 2012

© 2012 The Author(s). Licensee IntechOpen. This chapter is distributed under the terms of the Creative Commons Attribution 3.0 License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.