3.1 Risks-We-Face – Risk Analysis
We face risks in organizations by being exposed to uncertain risk events (or events for short) that can result in losses to the achievement of an organization's objectives. This process, one half of ERM, consists of analyzing and managing risk events, where a risk event is an uncertain event that matters. A risk matters in that its occurrence entails a loss to one or more of an organization's objectives. A risk may have causes or sources (hazards or threats) that may also be uncertain but do not, in and of themselves, entail a loss. As we will discuss below, it is important to distinguish between risk causes (sources, threats, or hazards), which do not entail a loss, and risks (risk events, or events), which by definition must entail one or more losses.
Strategic risk analysis is performed by top-level management (the Board of Directors and C-level management) and involves identifying the strategic risks the organization faces and deciding what resources should be expended to reduce those risks to 'acceptable' levels. Operational risk analysis involves analyzing and controlling risks to operational assets. Operational risk analysis is generally the responsibility of chief risk officers and risk compliance officers.
Risk tolerance is the amount of risk that an organization is willing to face or accept; the organization applies the necessary controls to reduce risk to the amount it is willing to tolerate.
Risk Tolerance: the degree, amount, or volume of risk that an organization or individual will withstand. [1]
[1] Project Management Institute, Inc. (PMI). (2013). A Guide to the Project Management Body of Knowledge (PMBOK® Guide), 5th Edition. Project Management Institute, Inc.