Proceedings of 2100 Projects Association Join Conferences 1 (2014) 243-249
© 2014 by 2100 Projects Association. All rights reserved. www.2100projects.org
2183-3060/2014/0101-039
Risk Management
Perspectives to approach risk
Abstract
The risk management field has received a lot of attention over the last decade as a
result of the change in the way business is run and of several events with an impact
on the global economy, such as the 2008 collapse of the credit market and the
housing market meltdown in the USA, the 2010 Gulf of Mexico oil spill or the 2011
accident at the Fukushima-Daiichi nuclear power plant in Japan. As a result, risk
management has become a central topic, since it plays an increasingly important
role in the strategy of an organization. The purpose of this paper is to present
different perspectives on how risk management has been addressed by organizations
and the different types of risk, and to propose a classification for risk approaches.
Keywords
Risk, Risk Management, Process Management.
1. Introduction
In his book, Against the Gods: The Remarkable Story of Risk, Bernstein
(1998) argues that, through the understanding, measuring and weighing
of risk, risk-taking has turned into one of the main drivers of western
society, as it introduces the idea of putting the future in the service of the
present. Bernstein traces the origins of the study of risk to the seventeenth
century and to the solution of the Pacioli puzzle by Blaise Pascal and
Pierre de Fermat. The solution of the puzzle allowed the calculation
of the likelihood of occurrence of any event with even odds. Daniel
Bernoulli's prospective gamble with coins can be considered the first
significant experimental study of risk; it resulted in the introduction of
the notion of utility (usefulness). He suggested that utility is inversely
related to the quantity of goods previously owned (Bernstein, 1998).
Further developments occurred, but it was only in the 1950s that the risk
management field was named. With the purpose of improving
cost control, Gallagher (1956) outlined principles for risk
management and established the figure and functions of the "risk
manager". Even though there was already the idea of managing all the risks of the
company in an integrated function, the risk management function was
mainly focused on reducing risk exposure through insurance (Gallagher,
1956).
Peter Drucker, in his 1959 article Thinking Ahead, highlights the importance of
risk in management and the effort to establish the basic assumptions and
postulates for the development of management science (Drucker, 1959).
In the insurance field, risks were classified as either pure risks or
speculative risks. Pure risks are a type of risk in which loss is the only
possible outcome and whose occurrence is beyond the control of management.
Speculative risks are a type of risk where the outcome could be either a loss or a
gain (Gahin, 1967).
António Galrão Ramos
School of Engineering, Polytechnic of Porto, Department of Mechanical Engineering, 4200-072 Porto, Portugal
agr@isep.ipp.pt
Until the 1980s, risk management developed mainly in the field of insurance management and focused on
"pure risk". This was a direct result not only of the fact that most of the work in the field of risk
management was done by insurance scholars and practitioners (Gahin, 1967), but also of the fact that, prior to the
1970s, interest rates and foreign exchange rates were fairly stable and inflation was not yet a concern for most
organizations.
The collapse, at the beginning of the 1970s, of the Bretton Woods system, which in essence pegged the
major currencies to the U.S. dollar, contributed dramatically to the increase in exchange
rate volatility and to the exposure of companies to an increasing number of risks of a financial nature. Financial
risk became a major concern for organizations (Lhabitant & Tinguely, 2001).
New risk areas continued to emerge, but instead of being incorporated within the field of action of risk
managers and treated as an enterprise-wide function, risk management silos developed,
in which different kinds of risk, such as hazard risk, operational risk or credit risk, were addressed as separate
activities, each developing its own terminology, methodology and focus (Lhabitant &
Tinguely, 2001).
As a result of these changes in business, at the beginning of the 1990s organizations started moving from the
fragmented approach to risk management to an integrated approach. The increased dynamism of business, the
fragmentation of companies' supply chains and the increasing use of outsourcing led not only to an increase in risk
but also to an increase in the consequences of failing to manage risk. As a result, there was a need for
an overall view of the risks to which organizations were exposed. The different risks of the organization
needed to be managed in aggregate rather than independently.
This paper starts by focusing on the definition of risk and risk management in section 2. In section 3 different
approaches and types of risk are identified. Section 4 discusses the findings and section 5 presents the conclusions.
2. Risk
The study of risk management is widespread across a large number of areas providing theoretical and practical
studies with a wide variety of purposes. A search for articles published in leading academic journals done in the
Business Source Complete (EBSCO) database with the subject term "RISK management in business" revealed a
total of 11702 articles. The results included publications written between 1950 and 2013. A preliminary analysis
of the results revealed that risk management has developed within separate areas of study, despite the recent
acknowledgement of the need for an integrated approach.
In order to structure the different approaches to risk, different definitions of risk are presented. The
taxonomy of the different risk management areas is also identified and presented to provide an overview of the
different ways in which each field is exposed to risk.
The word "risk" in English derives from the Latin root risicare, which means "to dare", implying the
possibility of choosing a course of action (Bernstein, 1998). There are many definitions of the concept of risk in
the literature; some address a particular aspect of risk, others a particular category of risk. Traditionally, risk
definitions focus only on the negative impact of events, discarding the beneficial effect that uncertainty can
have on achieving objectives. Table 1 presents some definitions found in the literature.
In the search for a general definition of risk, Holton (2004) argues that risk has two essential components:
exposure and uncertainty. He defines risk as the "exposure to a proposition of which one is uncertain". The
author also considers that this definition is flawed, since exposure and uncertainty cannot be defined from an
operational perspective, because operational definitions can only be applied to that which can be perceived.
However, Holton considers that it is possible to define our perception of risk operationally.
We can conclude, from the above definitions, that risk has three dimensions that must be considered:
• existence of future results;
• probability of results occurring;
• consequences of each result.
Table 1. Risk definitions

Definition | Perspective | Source
Effect of uncertainty on objectives | Enterprise Risk Management | (ISO, 2009)
The frequency and magnitude of loss that arises from a threat | Information Security | (The Open Group, 2009)
Risk is a combination of the likelihood of an occurrence of a hazardous event or exposure(s) and the severity of injury or ill health that can be caused by the event or exposure(s) | Occupational Health & Safety Assessment | (OHSAS, 2007)
The exposure to uncertainty | Financial | (Lhabitant & Tinguely, 2001)
Variance of return | Financial | (Markowitz, 1952)
Project risk is an uncertain event or condition that, if it occurs, has a positive or a negative effect on a project objective | Project Management | (PMI, 2000)
Possibility that an event will occur and adversely affect the achievement of objectives | Enterprise Risk Management | (COSO, 2004)
Possibility of process objectives not being met | Business Process Management | (Cope et al., 2010)
The potential variation of outcomes that influence the decrease of value added at any activity cell in a chain, in which the outcome is described by the volume and quality of goods in any location and time in the supply chain flow | Supply Chain Management | (Bogataj & Bogataj, 2007)
Adverse event which is uncertain, either randomly or epistemologically | Project Management | (Williams, 1995)
3. Risk Management
Risk management usually refers to the culture, processes and structures by which an organization conducts the
effective management of risk. The different definitions of risk are also reflected in the view organizations have of risk
management. The taxonomy used to classify the types of risk varies according to the perspective and purpose
of each field's approach to risk. Without aiming at an exhaustive analysis,
some examples of different classifications of risk are presented below.
3.1. Insurance risk management
The International Risk Management Institute (IRMI) defines insurance risk management as "the practice of
identifying and analyzing loss exposure and taking steps to minimize the financial impact of the risk they
impose". Insurance risk management focuses primarily on pure risks, i.e., those risks that only involve potential
loss (Gahin, 1967; IRMI, 2011). The term is frequently used to distinguish the traditional risk
management concept from the more recent approaches to risk management.
The types of pure risk faced by companies are (Rejda, 2006):
• Property risks: related to the damage, loss or theft of physical property resulting from various hazards;
• Liability risks: risk of harming a third party and being held liable for bodily injury or other damages;
• Loss of potential income risk: potential income lost by a company whose operations have been
interrupted;
• Other risks: additional risks include crime exposure, human resources exposure, foreign loss exposure,
intangible property exposure and government exposure.
The risk management and insurance approach traditionally focused on the transfer of risk, i.e., on sharing
risks with another party, such as an insurance provider. Insurance risk management focused on protecting
companies from natural disasters and exposures such as fire, theft or employee injuries (Gallagher, 1956).
3.2. Financial risk management
Financial risk management is the "optimization of risk exposure by becoming aware of the risks, measuring the
risks, using accounting information, future cash flow projections, and levels of contingent or economical
exposure, and adjusting the risk" (Lhabitant & Tinguely, 2001).
In financial risk management, according to Lhabitant & Tinguely (2001), risks can be classified into:
• Market risk: risk of loss due to adverse changes in financial market variables;
• Credit risk: risk of loss due to a counterparty failing to make payment;
• Operational risk: risk of loss originating from human error, system failures or inadequate
procedures or controls;
• Liquidity risk: risk related to the ease with which a corporation can convert an asset into a cash
amount equal to its current market value.
Through the use of financial instruments, financial risk management deals with the timing and form of hedging
risk exposures. As financial instruments, derivatives play an important role in financial risk management. The
main types of derivatives are forward contracts, futures contracts, options and swaps (Holzer & Millo, 2005;
Lhabitant & Tinguely, 2001; Millo & MacKenzie, 2009).
3.3. Supply chain risk management
Supply chain risk management can be defined as "the process of risk mitigation achieved through the
collaboration, coordination, and application of risk management tools among the partners to ensure continuity,
coupled with long term profitability of the supply chain" (Faisal, Banwet, & Shankar, 2007).
In supply chain risk management the network perspective inherent to the supply chain concept is very present.
Cucchiella and Gastaldi (2006) propose a classification of risks based on the nature of the uncertainty source in
relation to the network. There are two types of uncertainty source:
• internal sources
o Available capacity - relates to the network's financial, productive and structural availability for
a project;
o Customs regulations - reflects the risk of exposure to regulations;
o Information delays - reflects the risk of not having the information available at the moment
it is needed;
o Internal organization - risk of non-cooperation in the supply chain or inability to adopt new
technology.
• external sources
o Competitor action - risks that derive from the loss of competitive advantage;
o Manufacturing yield - risk of demand not meeting the product consumption forecasts;
o Political environment - risk that results from contextual change and unforeseeable regulatory
action;
o Price fluctuations - risk of not being able to cover the network's costs due to price fluctuations;
o Stochastic cost - risk that results from the product becoming obsolete;
o Supplier quality - risk of inability to supply specific skills.
Supply chain risk management has been recognized as an important source of competitive advantage and is
becoming an integral part of supply chain management as an effective method of avoiding or containing
vulnerability in a supply chain (Juttner et al., 2003).
3.4. Project management risk
According to the Project Management Institute (PMI), risk management is "the systematic process of
identifying, analyzing, and responding to project risk". Project management risks can be divided into four
categories (PMI, 2000):
• Technical, quality or performance risk - risk related to the choice of technology, reliance on
technology and the setting of unrealistic performance goals;
• Project management risk - risk that results from poor use of project management tools and variables;
• Organizational risk - related to whether the organization provides the project with the
conditions it needs to succeed;
• External risk - risks whose origin is external to the project, including natural hazards,
regulatory changes or labor issues.
The achievement of defined and specified objectives is the purpose of project management. Risk management
plays an important role in project management, since it is essential for decision making. The temporal (schedule)
aspect of projects is the most studied area of project risk (Williams, 1995).
3.5. Information systems risk management
The information systems risk management view of risk is more recent and results from the evolution of information
technology, as well as from the importance that IT holds today in most businesses. According to Elky
(2006), information systems risk management is "the process of understanding and responding to factors
that may lead to a failure in the confidentiality, integrity or availability of an information system".
The Symantec Group (2008) classifies IT risks as:
• Security risks: risks that result from internal or external unauthorized access to information;
• Availability risks: risks that information might not be accessible due to unplanned system failures;
• Performance risks: risks of information being inaccessible as a result of scalability limitations or
throughput bottlenecks;
• Compliance risks: risks of failure to meet regulatory requirements or internal policy
requirements.
Information systems risk management is not just a technical issue. Enterprises must understand the growing
number of IT risks in an environment that results from the combination of users, new technologies and the
spread of sensitive data.
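The information security definition in Table 1 (The Open Group, 2009) treats risk as the frequency and magnitude of loss arising from a threat, which makes it directly computable. The following Python program is an added example, not part of the paper or of any of the cited frameworks: it estimates the annual loss exposure of a security risk (Symantec's first category above) by Monte Carlo simulation, drawing a loss event frequency and a loss magnitude per event from calibrated (minimum, most likely, maximum) ranges. The scenario name and figures, the use of triangular and Poisson distributions, and the `frequency_factor` control lever are all assumptions made for this example.

```python
"""Monte Carlo estimate of annual loss exposure for an information-security
loss scenario.

Added example (not from the paper): it applies the Open Group (2009)
definition of risk in Table 1, risk as the frequency and magnitude of loss
arising from a threat, to a scenario of the kind information systems risk
management deals with.  The scenario figures and the triangular/Poisson
distributions are assumptions made for the example."""
from __future__ import annotations

import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class LossScenario:
    """A threat scenario described by calibrated (min, most likely, max) ranges."""
    name: str
    # Loss event frequency: successful events per year (assumption: triangular).
    frequency: tuple[float, float, float]
    # Loss magnitude per event, in currency units (assumption: triangular).
    magnitude: tuple[float, float, float]


def _triangular(rng: random.Random, span: tuple[float, float, float]) -> float:
    """Sample a (min, most likely, max) range; random.triangular takes (low, high, mode)."""
    low, mode, high = span
    return rng.triangular(low, high, mode)


def poisson(rate: float, rng: random.Random) -> int:
    """Number of events in one year for an average rate (Knuth's multiplication method)."""
    limit = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product < limit:
            return count
        count += 1


def simulate_annual_loss(scenario: LossScenario, years: int = 10_000,
                         seed: int = 0, frequency_factor: float = 1.0) -> list[float]:
    """Return one simulated total loss per simulated year.

    frequency_factor scales the loss event frequency and models a control that
    reduces how often the threat succeeds (0.5 = half as many events); the loss
    per event is left unchanged."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    totals = []
    for _ in range(years):
        rate = _triangular(rng, scenario.frequency) * frequency_factor
        events = poisson(rate, rng)
        totals.append(sum(_triangular(rng, scenario.magnitude) for _ in range(events)))
    return totals


def analytic_ale(scenario: LossScenario, frequency_factor: float = 1.0) -> float:
    """Expected annual loss in closed form: E[frequency] * E[magnitude],
    each being the mean (min + mode + max) / 3 of its triangular range."""
    def tri_mean(span: tuple[float, float, float]) -> float:
        return sum(span) / 3.0
    return tri_mean(scenario.frequency) * frequency_factor * tri_mean(scenario.magnitude)


def summarise(totals: list[float]) -> dict[str, float]:
    """Figures a risk owner needs: mean (ALE), median, 95th percentile, P(any loss)."""
    ordered = sorted(totals)
    n = len(ordered)
    return {
        "mean": statistics.fmean(ordered),
        "median": ordered[n // 2],
        "p95": ordered[int(0.95 * (n - 1))],
        "p_any_loss": sum(1 for t in ordered if t > 0) / n,
    }


# Constructed scenario (assumption): credential phishing leading to a mailbox compromise.
PHISHING = LossScenario(
    name="phishing -> mailbox compromise",
    frequency=(0.5, 2.0, 4.0),            # successful events per year
    magnitude=(10_000, 50_000, 200_000),  # currency units per event
)

if __name__ == "__main__":
    untreated = summarise(simulate_annual_loss(PHISHING))
    # Assumption: a control (e.g. phishing-resistant MFA) that halves the
    # number of successful events while leaving the loss per event unchanged.
    treated = summarise(simulate_annual_loss(PHISHING, frequency_factor=0.5))
    print(f"{PHISHING.name}: analytic ALE {analytic_ale(PHISHING):,.0f}")
    for label, stats in (("untreated", untreated), ("with control", treated)):
        print(f"  {label:13s} mean {stats['mean']:>10,.0f}  median {stats['median']:>10,.0f}"
              f"  p95 {stats['p95']:>10,.0f}  P(loss>0) {stats['p_any_loss']:.2f}")
```

The mean of the simulated totals converges on the closed-form expected annual loss, but the median and the 95th percentile are what show how skewed the exposure is: a scenario with a modest expected loss can still carry a tail that exceeds the budget set aside for it. Scaling the frequency is the quantitative counterpart of the paper's point in section 4 that endogenous risks depend on our actions: a control acts on how often the event occurs or on how much it costs, and the same simulation run with and without it gives the reduction the control buys.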
3.6. Business process risk management
Karduck et al. (2007) refer to risk management as a support process for process management. Risk
management of business processes focuses on the integration of risk management within business process
management. It has a strong focus on the IT branch of business process management, which is associated with
workflow and modeling languages (Tjoa et al., 2008).
From a business process risk management perspective, the error type and the consequence do not have a
direct one-to-one relation. zur Muehlen and Ho (2006) propose the following classification of risks, which is
supported by the business process life cycle:
• Build-time risks: related to the design phase of a business process;
o Goal risks: risks that threaten the possibility of the business process achieving its expected
objectives;
o Structural risks: related to the design of the business process structure;
• Run-time risks: related to process disruption; these risks threaten internal components of the business
process structure, preventing them from performing as designed.
The business process life cycle plays an important role on the integration of a business process with risk
management, since the different stages of the business process lifecycle pose different challenges for risk
integration (zur Muehlen & Ho, 2006).
3.7. Enterprise risk management
According to the ISO 31000 standard, risk management refers to the "coordinated activities to direct and
control an organization with regard to risk". Enterprise risk management aims to give an enterprise-wide
approach to risk, so that risk management is integrated within the practices and policies of the
organization and becomes an effective support tool for management (ISO, 2009).
The enterprise risk management approach also provides a taxonomy for different risks. Considering the varied
nature of the risks companies are exposed to, Grey and Shi (2005) consider that there are two main types of
enterprise risk:
• Core business risks: risks that impact the company's core business activities;
o Operational risk: related to the way a company operates the business. It includes factors such as
human error, fraud or technical failures;
o Value chain risk: related to the goods and services delivered to the customers. It is caused
by key business drivers such as fluctuations in the price of goods or changes in quantity.
• Non-core business risks: risks that affect the support activities of the company, which, depending on the
frequency of the risk event, can be divided into:
o Event risks: include legal risk, natural hazard, political risk, regulatory risk, economic and
reputational risk;
o Recurring risks:
o Market risk: originates from market price fluctuations;
o Credit risk: the uncertainty caused by debtors failing to fulfill their obligations;
o Tax risk: originates from the tax position of a company.
4. Discussion
Several other approaches to risk management can be found in the literature, such as procurement risk
management or quality risk management. From the analysis of the different risk management perspectives,
two fundamentally different approaches to risk can be distinguished (Table 2). On the one hand there is a functional
approach, which translates into a "silo" way of managing risk. Financial risk, insurance risk and information technology
risk management, for example, are functional approaches. On the opposite side there is a process-oriented
approach to risk management, where a cross-functional view of the management of the organization's risk is
present. Supply chain risk management, business process risk management and enterprise risk management are
some of these approaches.
Table 2. Risk perspectives

Functional Perspective | Process Oriented Perspective
Financial risk | Supply chain risk
Insurance risk | Business process risk
Information technology risk | Enterprise risk
The risk factors mentioned above highlight the fact that there are many sources of risk to the company.
An integrated approach to risk, considering all the interactions between the different types of risk,
prevents the company from underestimating its risk exposure. Underestimation was a frequent situation when
risk was approached mainly as a financial issue.
Another aspect that should be present when identifying the different risks is the endogenous or exogenous
nature of risk. Exogenous risks are those that are not affected by our actions and over whose
occurrence we have no control. Endogenous risks are those that depend on our actions
(Aubert, Patry, & Rivard, 2005). This dual nature of risk has a great influence on the different strategies used by
organizations to manage risks.
5. Conclusions
The risk definitions and taxonomic categories presented in the paper allowed us to highlight some of the
different perspectives organizations have on risk management, providing a global view of risk management, its
areas of application and the different types of risk faced by businesses.
Based on the different risk management perspectives, a classification was proposed that differentiates
between functional-oriented and process-oriented approaches to risk.
References
Aubert, B. A., Patry, M., & Rivard, S. (2005). for Information Technology Outsourcing Risk Management. Data Base For
Advances In Information Systems, 36(4), 9–28.
Bernstein, P. (1998). Against the Gods: The Remarkable Story of Risk (p. 400). Wiley.
Bogataj, D., & Bogataj, M. (2007). Measuring the supply chain risk and vulnerability in frequency space. International
Journal of Production Economics, 108(1-2), 291–301. doi:10.1016/j.ijpe.2006.12.017
Cope, E., Kuster, J., Etzweiler, D., Deleris, L., & Ray, B. (2010). Incorporating risk into business process models. IBM Journal
of Research and Development, 54(3), 4–1. Retrieved from
http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=5464399
COSO. (2004). Enterprise Risk Management — Integrated Framework. New York. COSO.
Cucchiella, F., & Gastaldi, M. (2006). Risk management in supply chain: a real option approach. Journal of Manufacturing
Technology Management, 17(6), 700–720. doi:10.1108/17410380610678756
Drucker, P. (1959). Thinking ahead. Harvard Business Review, (January–February).
Elky, S. (2006). An Introduction to Information System Risk Management. SANS Institute.
Faisal, M. N., Banwet, D. K., & Shankar, R. (2007). Management of Risk in Supply Chains : SCOR Approach and Analytic
Network Process. Supply Chain Forum, 8(2), 66–80.
Gahin, F. S. (1967). A Theory of Pure Risk Management in the Business Firm. The Journal of Risk and Insurance, 34(1), 121.
doi:10.2307/251020
Gallagher, R. B. (1956). Risk Management : New Phase of Cost Control. Harvard Business Review, 34, 34–39.
Grey, W., & Shi, D. (2005). Enterprise Risk Management: A Value Chain Perspective. In A. Labbi (Ed.), Handbook of
Integrated Risk Management for E-Business (pp. 1–32). J. Ross Publishing.
Holton, G. A. (2004). Defining Risk. Financial Analysts Journal, 60(6), 19–25. doi:10.2469/faj.v60.n6.2669
Holzer, B., & Millo, Y. (2005). From risks to second-order dangers in financial markets: Unintended consequences of risk
management systems. New Political Economy, 10(2), 223–245. doi:10.1080/13563460500144777
IRMI. (2011). Insurance and Risk Management Terms. Retrieved September 11, 2011, from
http://www.irmi.com/online/insurance-glossary/default.aspx
ISO. (2009). ISO 31000:2009 Risk Management - Principles and Guidelines. Geneva: ISO.
Juttner, U., Peck, H., & Christopher, M. (2003). Supply chain risk management: outlining an agenda for future research.
International Journal of Logistics Research and Applications, 6(4), 197–210. doi:10.1080/13675560310001627016
Karduck, A. P., Sienou, A., Lamine, E., & Pingaud, H. (2007). Collaborative Process Driven Risk Management for Enterprise
Agility. In 2007 Inaugural IEEE-IES Digital EcoSystems and Technologies Conference (pp. 535–540). IEEE.
doi:10.1109/DEST.2007.372034
Lhabitant, F.-S., & Tinguely, O. (2001). Financial Risk Management: An Introduction. Thunderbird International Business
Review, 43(3), 343–363. doi:10.1002/tie.1001
Markowitz, H. (1952). Portfolio selection. The Journal of Finance, 7(1), 77–91.
Millo, Y., & MacKenzie, D. (2009). The usefulness of inaccurate models: Towards an understanding of the emergence of
financial risk management. Accounting, Organizations and Society, 34(5), 638–653. doi:10.1016/j.aos.2008.10.002
OHSAS. (2007). OHSAS 18001:2007, Occupational health and safety management systems - Requirements.
PMI. (2000). A Guide to the Project Management Body of Knowledge. Project Management
Institute.
Rejda, G. E. (2006). Principles of Risk Management and Insurance, International Edition. Pearson Education.
Symantec Group. (2008). IT Risk Management Report 2: Myths and Realities.
The Open Group. (2009). Risk Taxonomy (p. 35). The Open Group.
Tjoa, S., Jakoubi, S., Goluch, G., & Quirchmayr, G. (2008). Extension of a Methodology for Risk-Aware Business Process
Modeling and Simulation Enabling Process-Oriented Incident Handling Support. 22nd International Conference on
Advanced Information Networking and Applications (aina 2008), 48–55. doi:10.1109/AINA.2008.81
Williams, T. (1995). A classified bibliography of recent research relating to project risk management. European Journal of
Operational Research, 85(1), 18–38. doi:10.1016/0377-2217(93)E0363-3
zur Muehlen, M., & Ho, D. T. (2006). Risk Management in the BPM Lifecycle. In C. J. Bussler & A. Haller (Eds.), Business
Process Management Workshops (pp. 454–466). Springer Berlin / Heidelberg.