26: Critical Risk Management

Critical Risk Management is important for a holistic, organization-wide risk management process. It includes identifying or framing, evaluating, analyzing, and monitoring potentially high impact risk. A high impact risk is best explained as the one which has a significant effect on business operations, objectives and overall well-being of the organization.

The purpose of critical risk assessment is to:

1. Identify threats to organization (operations, assets and individuals)
2. Internal and external vulnerabilities to an organization
3. The dangers (adverse impact) that may occur given the threats exploit the vulnerabilities
4. The probability of occurrence of the potential threats

Critical Risk Assessment is a continuous process that provides decision-makers with permanent and conclusive information to direct and inform responses to information security risks. Risk assessments are performed by organisations to identify hazards that are common to the organization’s core missions/ business functions, business processes, business segment or information systems. The Critical Risk Assessment addresses the potential adverse impacts to organisation operations and assets, individuals, other organizations and the economic interest.
The process of critical risk assessment consist of the following steps:

1. Identification of the risk

Risk identification step is focused to find, recognize and explain risks that might promote or hamper an organisation from achieving its objectives. Up to date information is of prime importance when it comes to identifying potential risks and hazards. Some of the risk factors that can be considered together or separately are:

• Tangible and intangible sources of risk
• Causes and event
• Threats and opportunities
• Indicators of emerging risks
• Biases or assumptions involved

Even if the organisation has control over the risks' origins, it should nevertheless identify them and take multiple possible outcomes into account, each of which could have a number of concrete or abstract effects.

2. Risk Analysis

Risk analysis is mainly understanding risk's existence and characteristics. When analysing risks, factors such as uncertainties, risk sources, repercussions, likelihood, occurrences, scenarios, controls, and their efficacy are all carefully taken into account. Depending on the purpose of the investigation, the availability and accuracy of the data and the resources at hand, risk analysis can be conducted to varied degrees of detail and complexity and the analysis techniques might be qualitative, quantitative, or a combination of these.

3. Risk Evaluation

Risk evaluation serves as a decision-support tool. In order to decide the area where more action is needed, risk evaluation involves comparing the outcomes of the risk analysis with the established risk criteria. The decision should be taken for risk mitigation or adaptation measures, further analysis to understand the risk and maintain existing controls.
The larger context and the actual and perceived effects to external and internal stakeholders should be considered while making decisions. The results of the risk assessment should be documented, shared, and then validated at the relevant organisational levels.

4. Risk Treatment

After evaluating various risks, treatment measures can be used including; avoidance (eliminating the risk altogether), reducing the risk (employing controls to reduce the impact associated with risks), transferring the risk (through contracts or insurance), risk acceptance (acknowledging and monitoring the risk without any intervention).
Risk treatment involves steps such as:

• Formulating and selecting risk treatment options
• Planning and implementing risk treatment
• Assessing the effectiveness of implemented actions
• Evaluating if remaining risk is acceptable or not
• If not then taking further action

5. Risk monitoring and review

Risk monitoring and review is a continuous process which aims to assure and improve the management of risk. Risk monitoring and review includes planning, gathering and analyzing information, recording results and providing feedback. The results from monitoring and review are to be implemented throughout the organization's performance review and reporting. Organisations may better identify and prioritise risks by using the critical risk assessment process and the right resources, which enables them to create efficient risk management plans and enhance overall decision-making.

Industry Best Practices

There are various best practices that can ensure thorough and efficient procedures while conducting important risk assessments. Key best practises for conducting a critical risk assessment are listed below:

1. Define clear objectives

This is an important and foremost practice, to identify the clear aim of the risk assessment to be conducted, including the scope, purpose and desired outcomes.

2. Engaging with most relevant stakeholders

Engage stakeholders from all organisational levels and departments. This guarantees a holistic viewpoint and retrieves a variety of insights and knowledge base.

3. Implementing a structured methodology

Identifying and streamlining a well defined methodology such as SWOT analysis, Failure mode method, Effects analysis (FMEA) or scenario based analysis are best suited for this purpose.

4. Examine and Assess Risks

Consider all risk sources, including operational, financial, strategic, and compliance risk as you carefully identify and evaluate hazards. Risks should be evaluated based on their probability to occur and their possible effect on organisational goals.

5. Accounting for interdependencies

It is important to realise that risk can coexist and have cumulative impacts. Therefore considering relationships between hazards and how they might reinforce or counterbalance one another becomes an important aspect of critical risk management.

6. Placing risk response first

Determine which risks are most important and create strategies for handling them. Few of the measures include risk acceptance with backup plans, risk avoidance, risk reduction through control measures, risk transfer through insurance, and a combination of these strategies.

7. Documentation and integration of risk assessment into decision making

Documenting the findings from risk assessment, communicating the findings and risk response to stakeholders is critical to manage the risk. Documenting is followed by integrating outcomes of the risk assessment into the strategic planning, resource allocation, and day to day decision making processes.

Case study

Tesla is a major automotive and energy enterprise that was established in 2003. According to GlobalData’s proprietary risk analysis of the automotive industry's vehicle manufacturing sector, Tesla Inc. (Tesla) ranks among the top fifty businesses and has a moderate risk profile. The company's total risk score was boosted by the country and industry risk pillars. A company's well-established market position is a strength, but low profitability and a large percentage of debt should raise questions. The risk assessment consists of four risk pillars discussed below.

Risk Pillars :

Country Risk

The company has manufacturing units in the US, Germany, China and other operation units in Europe and Pacific Asia. The majority of its revenue is from the US followed by China and other countries. Due to its presence in several nations, the business is protected from the risk posed by the economic and political conditions of a particular area, which resulted country risk of 4.18^[1]

Industry Risk

Majority of revenue is generated from the vehicle manufacturing sector and remaining from the consumer finance sector. The revenue growth in the vehicle manufacturing sector is high but profit margin is low, resulting average industry score of 3.33^[2]

Operational Risk

The company has small scale operations than other automakers in addition with low EBIT margin and low profile per vehicle which impacts scale, profitability and operational efficiency negatively. Resulting 2.43^[3] below sector average

Financial Risk

Though the company exhibits healthy liquidity and cash flow ratios, it has low leverage ratios and also low- interest coverage. Thus, it’s average financial risk score is 2.61^[4]

Proper risk analysis and development of management plan accordingly ensures that the company stays ahead not only in terms of competitiveness in the market and customers demands, but also for the smooth management and success of the company.