Liberty University
Understanding Risk Management
Over the years, people have come to rely on digital data, information, and technologies that affect every aspect of life, such as education, the professions, and research and development. This has led to an increased level of responsibility to protect information from fraud, damage, or malicious acts. Risk management is the process by which you manage uncertainty that may affect outcomes that are important to you. By changing organizational practices, risk management can facilitate and legitimize certain ways of organizing. It has the potential to change lines of responsibility and accountability in organizations, representing a particular way of governing individuals and activities (Soin, 2013). The purpose of this paper is to provide a high-level overview of the subject of risk management. This paper explores the risk management process, the three processes of risk management, and risk acceptance. The paper also examines the importance of risk management and its evaluation.
What is Risk Management? Risk is the possibility of something adverse happening to an organization (Vallabhaneni, 2013). Isaca (2012) defined risk management as “the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization” (p. 27). Risk management plans contribute to project success by establishing a list of internal and external risks. Such a plan typically includes the identified risks, their probability of occurrence, their potential impact, and proposed actions (Duggan, 2014). According to Taylor and Sobel (2008), the concept of enterprise risk management has brought captives to the forefront of risk management practices. As a business owner, the first step is to take a look at the overall risk the business faces and examine risks that are typically insured by commercial property and casualty insurance (para. 3).
Snedaker (2013) found the following:
The objective of performing risk management is to enable the organization to accomplish its mission(s) (1) by better securing the IT systems that store, process, or transmit organizational information; (2) by enabling management to make well-informed risk management decisions to justify the expenditures that are part of an IT budget; and (3) by assisting management in authorizing (or accrediting) the IT systems on the basis of the supporting documentation resulting from the performance of risk management.
The organizational factors identified as supporting and promoting effective risk management included the importance of high visibility for risk management, supportive leadership, and resources. The first step in having effective risk management is knowing the company’s desired level of risk. Effective risk management will help improve performance against objectives by contributing to reduced fraud and waste, a lower cost of capital, and better service delivery. According to Edmead (2007), “risk management plans have the following objectives: to eliminate negative risks, reduce risks to an "acceptable" level if risks cannot be eliminated. This means a risk level the organization can live with, making sure that proper controls are in place to keep risks within an acceptable range and, to transfer risks by means of insurance” (para. 5).
Importance of Risk Management: Risk management is important because every project of any magnitude is risky, no matter how much planning is done. The importance of risk management cannot be exaggerated. It is a part of doing business that must be addressed for the company to be effective. According to the Journal of Accounting and Public Policy Conference (2014), “Risk Management is best thought of as a process that consists of several phases, including identifying risks, determining methods for mitigating and transferring risks, and for controlling/responding to damages caused by risk not mitigated or transferred” (para. 2). Risks are a part of doing business, and having risk management procedures in place helps eliminate the likelihood of negative outcomes or loss. “It is therefore extremely important to know where to apply available resources to mitigate the highest priority risks in an efficient and cost-effective manner. It is also important to balance security with usability” (Bergsma & McCabe, 2013).
Risk Identification: The first step of a risk management program is identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization. Risk identification is defined as the process of determining risks that could potentially prevent the program, enterprise, or investment from achieving its objectives. The objective of risk identification is the early and continuous identification of events that, if they occur, will have negative impacts on the project's ability to achieve performance or capability outcome goals (Pinto & Garvey, 2012).
The Three Processes: Risk management encompasses three processes: risk assessment, risk mitigation, and risk monitoring. When these processes are evaluated, strategies for managing risk can be set and responsibilities can be clarified.
Risk management = Risk assessment + Risk mitigation + Risk monitoring
Risk Assessment: Risk management is a distinctly different process from risk assessment. Risk assessment is the part of the ongoing risk management process that assigns relative priorities for mitigation plans and their implementation. It is a large part of the overall risk management process; many of the steps described in this framework focus on the assessment process (McCabe, 2013). In the risk management process, the results of the risk assessment are integrated with other considerations, such as economic or legal concerns, to reach decisions regarding the need for and practicability of implementing various risk reduction activities (United States Environmental Protection Agency, 2014). Risk assessment helps to identify appropriate controls for reducing or eliminating risk during the risk mitigation process.
Risk Mitigation: Risk mitigation is a systematic mechanism that can be used to reduce the extent of exposure to a risk and/or the likelihood of its occurrence (Bento & Aggarwal, 2013). It involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended by the risk assessment process (Saha, 2007).
Vallabhaneni (2013) found the following:
Risk mitigation is a systematic methodology used by senior management to reduce mission/organization risk. Risk mitigation can be achieved through any of the following risk mitigation options: risk rejection, risk assumption, risk avoidance, risk reduction, risk transfer, risk contingency and risk compliance (p. 45).
The goals and mission of an organization should be considered in selecting any of these risk mitigation options. It may not be practical to address all identified risks, so priority should be given to the threat and vulnerability pairs that have the potential to cause significant mission impact or harm (Sachs, 2011).
Risk Monitoring: The purpose of this last phase of risk management is to ensure that the assumptions and estimates made by the risk management team remain valid as the project evolves (Saha, 2007).
Risk Management Process
The risk management process involves the systematic application of management policies, procedures and practices to the tasks of establishing the context, identifying, analyzing, assessing (evaluating), managing (treating), monitoring and communicating risk (Isaca, 2013). The enterprise risk management process must be structured, disciplined, and correctly scaled to the organization’s size, complexity, and geographic reach (Journal of Accountancy, 2013). When establishing a risk management process, auditors should identify the areas of best management practice in the organization.
Risk Management Process Steps: The risk management process begins with risk identification. An organization most likely will have several risk categories to analyze in order to identify risks that are specific to the organization (Edmead, 2007). Once the risks are identified, the next step is to determine the risk likelihood level. “Several factors need to be considered, first, the auditor needs to consider the source of the threat, the motivation behind the threat, and the capability of the source. Next, auditors need to determine the nature of the vulnerability and, finally, the existence and effectiveness of current controls to deter or mitigate the vulnerability” (Edmead, 2007, para. 7). The last step is to identify the risk’s impact. “It is important for auditors to understand that not all threats will have the same impact. This is because each system in the organization most likely will have a different value” (Edmead, 2007, para. 8).
Risk Acceptance
Risk acceptance means that an organization has decided that it can conduct day-to-day business with a particular risk. It is not possible to eliminate all risk from activities. Investopedia (n.d.) defines accepting risk as “A risk management method used in the business or investment field. Accepting risk occurs when the cost of managing a certain type of risk is accepted, because the risk involved is not adequate enough to warrant the added cost it will take to avoid that risk” (para. 1). Defining risk acceptance by referring only to what has not been rejected leaves two important issues open: what exactly is meant by the term risk, and the often-made assumption that risks are merely potential losses that have to be avoided (Rüdiger & Zimolong, 2011). It is important and appropriate for an organization to monitor the risks it has accepted. To determine whether or not it should accept a risk, the organization may perform a cost-benefit analysis. Accepting a risk implies that sufficient controls are already in place.
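The process steps described above (identify risks, rate likelihood from the threat source's capability and motivation and the effectiveness of existing controls, rate impact from the value of the affected system) and the acceptance decision in this section can be put together as a small risk register. The following is an added example written for this page, not code from any of the cited sources; the level scales, the scoring formula, the sample risks and the accept/reduce/transfer decision rule are all constructed assumptions, and a real program would replace them with the organization's own rating scheme and risk appetite.

```python
"""Constructed risk-register example: rate likelihood and impact on a 1..3 scale,
rank the risks, and decide accept / reduce / transfer against a risk appetite."""
from dataclasses import dataclass

# Qualitative levels used for every factor (assumed scale, not from the essay).
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    name: str
    asset_value: str            # value of the affected system; drives impact
    threat_capability: str      # capability of the threat source
    threat_motivation: str      # motivation behind the threat
    control_effectiveness: str  # existing controls that deter or mitigate the vulnerability
    mitigation_cost: float      # estimated cost of the proposed control (constructed)
    expected_loss: float        # estimated loss if the risk materialises (constructed)


def likelihood(r: Risk) -> int:
    """1..3. Capability and motivation of the threat source raise likelihood;
    effective existing controls lower it by one level per level above 'low'."""
    threat = (LEVELS[r.threat_capability] + LEVELS[r.threat_motivation] + 1) // 2
    adjusted = threat - (LEVELS[r.control_effectiveness] - 1)
    return max(1, min(3, adjusted))


def impact(r: Risk) -> int:
    """1..3, from the value of the affected system: not every threat hits the same value."""
    return LEVELS[r.asset_value]


def score(r: Risk) -> int:
    """Risk score = likelihood x impact, 1..9."""
    return likelihood(r) * impact(r)


def rating(s: int) -> str:
    return "high" if s >= 6 else "medium" if s >= 3 else "low"


def treatment(r: Risk, appetite: int) -> str:
    """Assumed decision rule: a score within the organization's appetite is accepted;
    above it, reduce when the control costs less than the expected loss, otherwise
    transfer the risk (for example through insurance)."""
    s = score(r)
    if s <= appetite:
        return "accept"
    if r.mitigation_cost < r.expected_loss:
        return "reduce"
    return "transfer"


def prioritise(register: list, appetite: int) -> list:
    """Rank the register highest score first and attach rating and treatment."""
    ranked = sorted(register, key=score, reverse=True)
    return [(r.name, score(r), rating(score(r)), treatment(r, appetite)) for r in ranked]


# Constructed sample register; names, levels and figures are illustrative only.
REGISTER = [
    Risk("unpatched internet-facing server", "high", "high", "high", "low", 20_000, 150_000),
    Risk("lost laptop with encrypted disk", "medium", "low", "medium", "high", 5_000, 8_000),
    Risk("phishing against finance staff", "medium", "medium", "high", "medium", 60_000, 30_000),
]

if __name__ == "__main__":
    for name, s, rate, action in prioritise(REGISTER, appetite=3):
        print(f"{name:38s} score={s} rating={rate:6s} treatment={action}")
```

Running the module lists the register highest score first, so the reader sees the same three outcomes the text discusses side by side: a risk above appetite that is cheaper to fix than to suffer (reduce), one above appetite where the control costs more than the loss (transfer), and one inside the appetite that is accepted because the existing controls already keep it low.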
Conclusion and Future Study
In order to gain a complete understanding of risk management, it is necessary to research the background of risk management. This includes, but is not limited to, books, research papers, blogs, scholarly sources, and journal articles. Risk management is the process by which you manage uncertainty that may affect outcomes that are important to you. Risks are a part of doing business, and having risk management procedures in place helps eliminate the likelihood of negative outcomes or losses. Risk management encompasses three processes: risk assessment, risk mitigation, and risk monitoring. When establishing a risk management process, auditors should identify the areas of best management practice in the organization. “Companies with a strategic approach to risk management use more tools and have more structured and frequent reporting on risk management than do firms with other approaches” (Perez et al., 2011). This puts such companies in a better position to ensure that risk management provides relevant and applicable information that meets the needs of the organization and the executive team.
References
Accepting Risk. (n.d.). Retrieved February 2, 2014 from Investopedia: http://www.investopedia.com/terms/a/accepting-risk.asp
Bento, A. M. & Aggarwal, A. (2013). Cloud Computing Service and Deployment Models. Hershey, PA: IGI Global.
Bergsma, K. & McCabe, J. (2013, May 8). Risk Management Framework. Retrieved February 2, 2014 from Higher Education Information Security Council: https://wiki.internet2.edu/confluence/display/itsg2/Risk+Management+Framework
Duggan, T. (2014). Why Is Risk Management Important to Project Success? Retrieved February 1, 2014 from Chron: http://smallbusiness.chron.com/risk-management-important-project-success-56920.html
Edmead, M. T. (2007). Understanding the Risk Management Process. Internal Auditor. Retrieved from http://www.theiia.org/intAuditor/itaudit/archives/2007/may/understanding-the-risk-management-process/
Management Accounting (2013). Journal of Accountancy. Retrieved from http://www.journalofaccountancy.com/Issues/2013/Jan/Management-accounting.htm?action=print
Pinto, C. A. & Garvey, P. R. (2012). Advanced Risk Analysis in Engineering Enterprise Systems. Boca Raton, FL: Taylor & Francis Group, LLC.
Rüdiger, T. & Zimolong, B. M. (2011). Risk Acceptance. ILO Encyclopaedia of Occupational Health & Safety. Retrieved from http://www.ilo.org/oshenc/part-viii/safety-policy-and-leadership/item/987-risk-acceptace
Sachs, I. (2011). Performance Driven IT Management: Five Practical Steps to Business Success. Lanham, MD: Government Institutes.
Saha, P. (2007). Handbook of Enterprise Systems Architecture in Practice. Hershey, PA: Idea Group Inc.
Snedaker, S. (2013). Business Continuity and Disaster Recovery Planning for IT Professionals. Waltham, MA: Syngress.
Singh, M. (2011). Security Analysis with Investment and Portfolio Management. India.
Soin, K. (2013). Risk and risk management in management accounting and control. Management Accounting Research, 24(2), 82-87. Retrieved from http://www.sciencedirect.com/science/article/pii/S1044500513000267
Taylor, G., & Sobel, S. (2008). A Closer Look at Captive Insurance. The CPA Journal. Retrieved from http://www.nysscpa.org/cpajournal/2008/608/essentials/p48.htm
United States Environmental Protection Agency. (n.d.). RCRA Risk Assessment: Risk Management. Retrieved from http://www.epa.gov/swerrims/riskassessment/rcra_management.htm
University of Maryland’s Robert H. Smith School of Business. (2014). Accounting and Risk Management. Journal of Accounting and Public Policy Conference. Retrieved from http://www.rhsmith.umd.edu/faculty-research/academic-departments/accounting-information-assurance/news-events/events/japp
Vallabhaneni, S. R. (2013). Wiley CIA Exam Review 2013, Internal Audit Knowledge Elements. Hoboken, New Jersey: John Wiley & Sons, Inc.